particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Revert "cloudapi: Add x-rh-identity header filter"

Browse source 
This reverts commit 19db3ff1d4.
This commit is contained in:
sanne 2021-07-23 10:15:29 +02:00 committed by Tom Gundersen
parent 7a0ea5b244
commit 5e72636331
4 changed files with 23 additions and 108 deletions
Download patch file Download diff file Expand all files Collapse all files

26
cmd/osbuild-composer/composer.go
View file

@ -104,22 +104,18 @@ func (c *Composer) InitAPI(cert, key string, l net.Listener) error {
c.api = cloudapi.NewServer(c.workers, c.rpm, c.distros) c.api = cloudapi.NewServer(c.workers, c.rpm, c.distros)
c.koji = kojiapi.NewServer(c.logger, c.workers, c.rpm, c.distros) c.koji = kojiapi.NewServer(c.logger, c.workers, c.rpm, c.distros)
if len(c.config.ComposerAPI.IdentityFilter) > 0 { tlsConfig, err := createTLSConfig(&connectionConfig{
c.apiListener = l CACertFile: c.config.Koji.CA,
} else { ServerKeyFile: key,
tlsConfig, err := createTLSConfig(&connectionConfig{ ServerCertFile: cert,
CACertFile: c.config.Koji.CA, AllowedDomains: c.config.Koji.AllowedDomains,
ServerKeyFile: key, })
ServerCertFile: cert, if err != nil {
AllowedDomains: c.config.Koji.AllowedDomains, return fmt.Errorf("Error creating TLS configuration: %v", err)
})
if err != nil {
return fmt.Errorf("Error creating TLS configuration: %v", err)
}
c.apiListener = tls.NewListener(l, tlsConfig)
} }
c.apiListener = tls.NewListener(l, tlsConfig)
return nil return nil
} }
@ -192,7 +188,7 @@ func (c *Composer) Start() error {
// Add a "/" here, because http.ServeMux expects the // Add a "/" here, because http.ServeMux expects the
// trailing slash for rooted subtrees, whereas the // trailing slash for rooted subtrees, whereas the
// handler functions don't. // handler functions don't.
mux.Handle(apiRoute+"/", c.api.Handler(apiRoute, c.config.ComposerAPI.IdentityFilter)) mux.Handle(apiRoute+"/", c.api.Handler(apiRoute))
mux.Handle(kojiRoute+"/", c.koji.Handler(kojiRoute)) mux.Handle(kojiRoute+"/", c.koji.Handler(kojiRoute))
mux.Handle("/metrics", promhttp.Handler().(http.HandlerFunc)) mux.Handle("/metrics", promhttp.Handler().(http.HandlerFunc))

3
cmd/osbuild-composer/config.go
View file

@ -24,9 +24,6 @@ type ComposerConfigFile struct {
PGPassword string `toml:"pg_password" env:"PGPASSWORD"` PGPassword string `toml:"pg_password" env:"PGPASSWORD"`
PGSSLMode string `toml:"pg_ssl_mode" env:"PGSSLMODE"` PGSSLMode string `toml:"pg_ssl_mode" env:"PGSSLMODE"`
} `toml:"worker"` } `toml:"worker"`
ComposerAPI struct {
IdentityFilter []string `toml:"identity_filter"`
} `toml:"composer_api"`
WeldrAPI WeldrAPIConfig `toml:"weldr_api"` WeldrAPI WeldrAPIConfig `toml:"weldr_api"`
} }

51
internal/cloudapi/server.go
View file

@ -4,7 +4,6 @@ package cloudapi
import ( import (
"crypto/rand" "crypto/rand"
"encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
"math" "math"
@ -28,14 +27,11 @@ import (
// Server represents the state of the cloud Server // Server represents the state of the cloud Server
type Server struct { type Server struct {
workers *worker.Server workers *worker.Server
rpmMetadata rpmmd.RPMMD rpmMetadata rpmmd.RPMMD
distros *distroregistry.Registry distros *distroregistry.Registry
identityFilter []string
} }
type contextKey int
type apiHandlers struct { type apiHandlers struct {
server *Server server *Server
} }
@ -54,14 +50,10 @@ func NewServer(workers *worker.Server, rpmMetadata rpmmd.RPMMD, distros *distror
// Create an http.Handler() for this server, that provides the composer API at // Create an http.Handler() for this server, that provides the composer API at
// the given path. // the given path.
func (server *Server) Handler(path string, identityFilter []string) http.Handler { func (server *Server) Handler(path string) http.Handler {
e := echo.New() e := echo.New()
e.Binder = binder{} e.Binder = binder{}
if len(identityFilter) > 0 {
server.identityFilter = identityFilter
e.Use(server.VerifyIdentityHeader)
}
handler := apiHandlers{ handler := apiHandlers{
server: server, server: server,
} }
@ -83,41 +75,6 @@ func (b binder) Bind(i interface{}, ctx echo.Context) error {
return nil return nil
} }
func (server *Server) VerifyIdentityHeader(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
const identityHeaderKey contextKey = iota
type identityHeader struct {
Identity struct {
AccountNumber string `json:"account_number"`
} `json:"identity"`
}
idHeaderB64 := c.Request().Header.Get("X-Rh-Identity")
if idHeaderB64 == "" {
return echo.NewHTTPError(http.StatusNotFound, "Auth header is not present")
}
b64Result, err := base64.StdEncoding.DecodeString(idHeaderB64)
if err != nil {
return echo.NewHTTPError(http.StatusNotFound, "Auth header has incorrect format")
}
var idHeader IdentityHeader
err = json.Unmarshal([]byte(strings.TrimSuffix(fmt.Sprintf("%s", b64Result), "\n")), &idHeader)
if err != nil {
return echo.NewHTTPError(http.StatusNotFound, "Auth header has incorrect format")
}
for _, i := range server.identityFilter {
if idHeader.Identity.AccountNumber == i {
c.Set("IdentityHeader", idHeader)
c.Set("IdentityHeaderKey", identityHeaderKey)
return next(c)
}
}
return echo.NewHTTPError(http.StatusNotFound, "Account not allowed")
}
}
func (s *Server) IncRequests(next echo.HandlerFunc) echo.HandlerFunc { func (s *Server) IncRequests(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error { return func(c echo.Context) error {
prometheus.TotalRequests.Inc() prometheus.TotalRequests.Inc()

51
test/cases/api.sh
View file

@ -1093,45 +1093,6 @@ function verifyPackageList() {
verifyPackageList verifyPackageList
#
# Verify the identityfilter
#
cat <<EOF | sudo tee "/etc/osbuild-composer/osbuild-composer.toml"
[koji]
allowed_domains = [ "localhost", "client.osbuild.org" ]
ca = "/etc/osbuild-composer/ca-crt.pem"
[worker]
allowed_domains = [ "localhost", "worker.osbuild.org" ]
ca = "/etc/osbuild-composer/ca-crt.pem"
[composer_api]
identity_filter = ["000000"]
EOF
sudo systemctl restart osbuild-composer
# account number 000000
VALIDAUTHSTRING="eyJlbnRpdGxlbWVudHMiOnsiaW5zaWdodHMiOnsiaXNfZW50aXRsZWQiOnRydWV9LCJzbWFydF9tYW5hZ2VtZW50Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwib3BlbnNoaWZ0Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwiaHlicmlkIjp7ImlzX2VudGl0bGVkIjp0cnVlfSwibWlncmF0aW9ucyI6eyJpc19lbnRpdGxlZCI6dHJ1ZX0sImFuc2libGUiOnsiaXNfZW50aXRsZWQiOnRydWV9fSwiaWRlbnRpdHkiOnsiYWNjb3VudF9udW1iZXIiOiIwMDAwMDAiLCJ0eXBlIjoiVXNlciIsInVzZXIiOnsidXNlcm5hbWUiOiJ1c2VyIiwiZW1haWwiOiJ1c2VyQHVzZXIudXNlciIsImZpcnN0X25hbWUiOiJ1c2VyIiwibGFzdF9uYW1lIjoidXNlciIsImlzX2FjdGl2ZSI6dHJ1ZSwiaXNfb3JnX2FkbWluIjp0cnVlLCJpc19pbnRlcm5hbCI6dHJ1ZSwibG9jYWxlIjoiZW4tVVMifSwiaW50ZXJuYWwiOnsib3JnX2lkIjoiMDAwMDAwIn19fQ=="
# account number 000001
INVALIDAUTHSTRING="eyJlbnRpdGxlbWVudHMiOnsiaW5zaWdodHMiOnsiaXNfZW50aXRsZWQiOnRydWV9LCJzbWFydF9tYW5hZ2VtZW50Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwib3BlbnNoaWZ0Ijp7ImlzX2VudGl0bGVkIjp0cnVlfSwiaHlicmlkIjp7ImlzX2VudGl0bGVkIjp0cnVlfSwibWlncmF0aW9ucyI6eyJpc19lbnRpdGxlZCI6dHJ1ZX0sImFuc2libGUiOnsiaXNfZW50aXRsZWQiOnRydWV9fSwiaWRlbnRpdHkiOnsiYWNjb3VudF9udW1iZXIiOiIwMDAwMDMiLCJ0eXBlIjoiVXNlciIsInVzZXIiOnsidXNlcm5hbWUiOiJ1c2VyIiwiZW1haWwiOiJ1c2VyQHVzZXIudXNlciIsImZpcnN0X25hbWUiOiJ1c2VyIiwibGFzdF9uYW1lIjoidXNlciIsImlzX2FjdGl2ZSI6dHJ1ZSwiaXNfb3JnX2FkbWluIjp0cnVlLCJpc19pbnRlcm5hbCI6dHJ1ZSwibG9jYWxlIjoiZW4tVVMifSwiaW50ZXJuYWwiOnsib3JnX2lkIjoiMDAwMDAwIn19fQo="
curl \
--silent \
--show-error \
--header "x-rh-identity: $VALIDAUTHSTRING" \
http://localhost:443/api/composer/v1/version | jq .
#
# Make sure the invalid auth string returns a 404
#
[ "$(curl \
--silent \
--output /dev/null \
--write-out '%{http_code}' \
--header "x-rh-identity: $INVALIDAUTHSTRING" \
http://localhost:443/api/composer/v1/version)" = "404" ]
# #
# Make sure that requesting a non existing paquet returns a 400 error # Make sure that requesting a non existing paquet returns a 400 error
# #
@ -1140,12 +1101,14 @@ jq '.customizations.packages = [ "jesuisunpaquetquinexistepas" ]' "$REQUEST_FILE
[ "$(curl \ [ "$(curl \
--silent \ --silent \
--cacert /etc/osbuild-composer/ca-crt.pem \
--key /etc/osbuild-composer/client-key.pem \
--cert /etc/osbuild-composer/client-crt.pem \
--output /dev/null \ --output /dev/null \
--write-out '%{http_code}' \ --write-out '%{http_code}' \
--header "x-rh-identity: $VALIDAUTHSTRING" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
--data @"$REQUEST_FILE2" \ --data @"$REQUEST_FILE2" \
http://localhost:443/api/composer/v1/compose)" = "400" ] https://localhost/api/composer/v1/compose)" = "400" ]
# #
# Make sure that a request that makes the dnf-json crash returns a 500 error # Make sure that a request that makes the dnf-json crash returns a 500 error
@ -1157,12 +1120,14 @@ raise Exception()
EOF EOF
[ "$(curl \ [ "$(curl \
--silent \ --silent \
--cacert /etc/osbuild-composer/ca-crt.pem \
--key /etc/osbuild-composer/client-key.pem \
--cert /etc/osbuild-composer/client-crt.pem \
--output /dev/null \ --output /dev/null \
--write-out '%{http_code}' \ --write-out '%{http_code}' \
--header "x-rh-identity: $VALIDAUTHSTRING" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
--data @"$REQUEST_FILE2" \ --data @"$REQUEST_FILE2" \
http://localhost:443/api/composer/v1/compose)" = "500" ] https://localhost/api/composer/v1/compose)" = "500" ]
sudo mv -f /usr/libexec/osbuild-composer/dnf-json.bak /usr/libexec/osbuild-composer/dnf-json sudo mv -f /usr/libexec/osbuild-composer/dnf-json.bak /usr/libexec/osbuild-composer/dnf-json