From aefd4cfd33f4bb60f485313ed5996b29756c8677 Mon Sep 17 00:00:00 2001
From: francois samin
Date: Mon, 28 Mar 2022 18:13:52 +0200
Subject: [PATCH] feat(api): check consumer service definition on signin
Signed-off-by: francois samin
---
 engine/api/auth_builtin.go | 39 +++++++++++++++++++---------
 engine/api/auth_local.go | 6 +++++
 engine/config.go | 52 +++++++++++++++++++-------------------
 3 files changed, 59 insertions(+), 38 deletions(-)
diff --git a/engine/api/auth_builtin.go b/engine/api/auth_builtin.go
index 0c81df489a..6e90546fee 100644
--- a/engine/api/auth_builtin.go
+++ b/engine/api/auth_builtin.go
@@ -60,6 +60,32 @@ func (api *API) postAuthBuiltinSigninHandler() service.Handler {
 return sdk.NewError(sdk.ErrForbidden, err)
 }
+ // Check if the consumer is associated to a service
+ srvInput, hasService := req["service"]
+ var srv sdk.Service
+ if hasService {
+ btes, err := json.Marshal(srvInput)
+ if err != nil {
+ return sdk.NewError(sdk.ErrWrongRequest, err)
+ }
+ if err := sdk.JSONUnmarshal(btes, &srv); err != nil {
+ return sdk.NewError(sdk.ErrWrongRequest, err)
+ }
+ if consumer.ServiceName != nil && *consumer.ServiceName != srv.Name {
+ return sdk.NewErrorFrom(sdk.ErrForbidden, "service name %q doesn't match with consumer %q", srv.Name, *consumer.ServiceName)
+ }
+ if consumer.ServiceType != nil && *consumer.ServiceType != srv.Type {
+ return sdk.NewErrorFrom(sdk.ErrForbidden, "service type %q doesn't match with consumer %q", srv.Type, *consumer.ServiceType)
+ }
+ if consumer.ServiceRegion != nil && *consumer.ServiceRegion != *srv.Region {
+ return sdk.NewErrorFrom(sdk.ErrForbidden, "service region %q doesn't match with consumer %q", srv.Type, *consumer.ServiceRegion)
+ }
+ } else {
+ if consumer.ServiceName != nil || consumer.ServiceType != nil || consumer.ServiceRegion != nil {
+ return sdk.NewErrorFrom(sdk.ErrForbidden, "signing request doesn't match with consumer %q service definition. missing service payload", consumer.Name)
+ }
+ }
+
 // Generate a new session for consumer
 session, err := authentication.NewSession(ctx, tx, consumer, driver.GetSessionDuration())
 if err != nil {
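Review bot: The region check dereferences `*srv.Region` without a nil guard, so a signin payload for a region-bound consumer that simply omits `region` panics inside the handler instead of returning 403, and the error message on the next line prints `srv.Type` where the requested region belongs. The enclosing handler starts before this hunk and continues past it. Guarding the pointer and fixing the format argument looks like this. Separately, a consumer whose three service pointers are all nil still passes with any service payload; if that is the intended contract, a short comment on the `else` branch stating it would save the next reader from wondering.
```go
// … unchanged: name and type checks …
var reqRegion string
if srv.Region != nil {
	reqRegion = *srv.Region
}
if consumer.ServiceRegion != nil && (srv.Region == nil || *consumer.ServiceRegion != reqRegion) {
	return sdk.NewErrorFrom(sdk.ErrForbidden, "service region %q doesn't match with consumer %q", reqRegion, *consumer.ServiceRegion)
}
// … unchanged: else branch and session creation …
```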
@@ -104,18 +130,7 @@ func (api *API) postAuthBuiltinSigninHandler() service.Handler {
 ctx = context.WithValue(ctx, contextDriverManifest, driverManifest)
 // If the Signin has a *service* Payload, we have to perform the service registration
- srvInput, has := req["service"]
- var srv sdk.Service
- if has {
- btes, err := json.Marshal(srvInput)
- if err != nil {
- return sdk.NewError(sdk.ErrWrongRequest, err)
- }
-
- if err := sdk.JSONUnmarshal(btes, &srv); err != nil {
- return sdk.NewError(sdk.ErrWrongRequest, err)
- }
-
+ if hasService {
 ctx = context.WithValue(ctx, cdslog.AuthServiceName, srv.Name)
 SetTracker(w, cdslog.AuthServiceName, srv.Name)
diff --git a/engine/api/auth_local.go b/engine/api/auth_local.go
index 3406a78e10..62baca4f30 100644
--- a/engine/api/auth_local.go
+++ b/engine/api/auth_local.go
@@ -134,6 +134,9 @@ func initBuiltinConsumersFromStartupConfig(ctx context.Context, tx gorpmapper.Sq
 // Create the consumers provided by the startup configuration
 for _, cfg := range startupConfig.Consumers {
+ if cfg.Name == "" {
+ continue
+ }
 var scopes sdk.AuthConsumerScopeDetails
 switch cfg.Type {
@@ -153,6 +156,7 @@ func initBuiltinConsumersFromStartupConfig(ctx context.Context, tx gorpmapper.Sq
 scopes = sdk.NewAuthConsumerScopeDetails(sdk.AuthConsumerScopeService)
 }
+ svcType := string(cfg.Type)
 var c = sdk.AuthConsumer{
 ID: cfg.ID,
 Name: cfg.Name,
@@ -164,6 +168,8 @@ func initBuiltinConsumersFromStartupConfig(ctx context.Context, tx gorpmapper.Sq
 GroupIDs: []int64{group.SharedInfraGroup.ID},
 ScopeDetails: scopes,
 ValidityPeriods: sdk.NewAuthConsumerValidityPeriod(time.Unix(startupConfig.IAT, 0), 2*365*24*time.Hour), // Default validity period is two years
+ ServiceName: &cfg.Name,
+ ServiceType: &svcType,
 }
 if err := authentication.InsertConsumer(ctx, tx, &c); err != nil {
diff --git a/engine/config.go b/engine/config.go
index b928dd23a1..b9a4f68fdf 100644
--- a/engine/config.go
+++ b/engine/config.go
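Review bot: The `if cfg.Name == "" { continue }` added at the top of the consumer loop in initBuiltinConsumersFromStartupConfig drops a startup consumer silently, and since config.go now sources every consumer name from a `Name` config field rather than a literal, an existing configuration without that field loses the service's builtin consumer with no trace in the logs. An operator debugging a service that can no longer sign in would want at least a warning naming `cfg.ID` and `cfg.Type` before the `continue`, using whatever logger this file already has in scope. A comment such as `// A consumer without a name cannot be matched to a service definition at signin, so it is not created` would also make the intent explicit. The loop body continues past this hunk.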
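Review bot: `ServiceName: &cfg.Name` in the last auth_local.go hunk takes the address of the `range` variable; in the Go versions current for this patch that variable is shared across iterations, so if authentication.InsertConsumer (not visible here) retains `c` beyond the call, every consumer would end up pointing at the last iteration's name. Copying the value first avoids the question entirely: `name := cfg.Name` next to the existing `svcType := string(cfg.Type)`, then `ServiceName: &name,`. Also worth confirming that `string(cfg.Type)` (a StartupConfigConsumerType) produces the same string the service sends as `srv.Type` at signin, since the new comparison in auth_builtin.go is an exact match and a mismatch would lock every builtin service out.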
@@ -347,7 +347,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.UI != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "ui",
+ Name: conf.UI.Name,
 Description: "Autogenerated configuration for ui service",
 Type: api.StartupConfigConsumerTypeUI,
 }
@@ -370,7 +370,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if h.Local != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hatchery:local",
+ Name: h.Local.Name,
 Description: "Autogenerated configuration for local hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -395,7 +395,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if h.Openstack != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hatchery:openstack",
+ Name: h.Openstack.Name,
 Description: "Autogenerated configuration for openstack hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -420,7 +420,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if h.VSphere != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hatchery:vsphere",
+ Name: h.VSphere.Name,
 Description: "Autogenerated configuration for vsphere hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -446,7 +446,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if h.Swarm != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hatchery:swarm",
+ Name: h.Swarm.Name,
 Description: "Autogenerated configuration for swarm hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -471,7 +471,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if h.Marathon != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hatchery:marathon",
+ Name: h.Marathon.Name,
 Description: "Autogenerated configuration for marathon hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
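Review bot: Every replaced literal in this file (`"ui"`, `"hatchery:local"`, and the same pattern in all remaining hunks of configSetStartupData and getInitTokenFromExistingConfiguration) now reads a `Name` field that a configuration written before this change may leave empty, and there is no fallback to the former default. Combined with the new `if cfg.Name == "" { continue }` in auth_local.go, an empty name means the consumer is never created and that service cannot sign in, with no error at startup. A one-line fallback per site, e.g. `Name: nameOrDefault(conf.UI.Name, "ui"),` backed by a tiny helper, or an explicit non-empty check on these fields when the configuration is loaded, would keep existing deployments working or fail them loudly. Both enclosing functions start and end outside the visible hunks.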
@@ -496,7 +496,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if h.Kubernetes != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hatchery:kubernetes",
+ Name: h.Kubernetes.Name,
 Description: "Autogenerated configuration for kubernetes hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -522,7 +522,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.Hooks != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "hooks",
+ Name: conf.Hooks.Name,
 Description: "Autogenerated configuration for hooks service",
 Type: api.StartupConfigConsumerTypeHooks,
 }
@@ -544,7 +544,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.Repositories != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "repositories",
+ Name: conf.Repositories.Name,
 Description: "Autogenerated configuration for repositories service",
 Type: api.StartupConfigConsumerTypeRepositories,
 }
@@ -566,7 +566,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.DatabaseMigrate != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "migrate",
+ Name: conf.DatabaseMigrate.Name,
 Description: "Autogenerated configuration for migrate service",
 Type: api.StartupConfigConsumerTypeDBMigrate,
 }
@@ -588,7 +588,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.VCS != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "vcs",
+ Name: conf.VCS.Name,
 Description: "Autogenerated configuration for vcs service",
 Type: api.StartupConfigConsumerTypeVCS,
 }
@@ -610,7 +610,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.CDN != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "cdn",
+ Name: conf.CDN.Name,
 Description: "Autogenerated configuration for cdn service",
 Type: api.StartupConfigConsumerTypeCDN,
 }
@@ -632,7 +632,7 @@ func configSetStartupData(conf *Configuration) (string, error) {
 if conf.ElasticSearch != nil {
 var cfg = api.StartupConfigConsumer{
 ID: sdk.UUID(),
- Name: "elasticsearch",
+ Name: conf.ElasticSearch.Name,
 Description: "Autogenerated configuration for elasticSearch service",
 Type: api.StartupConfigConsumerTypeElasticsearch,
 }
@@ -678,7 +678,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "ui",
+ Name: conf.UI.Name,
 Description: "Autogenerated configuration for ui service",
 Type: api.StartupConfigConsumerTypeUI,
 }
@@ -696,7 +696,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hatchery:local",
+ Name: h.Local.Name,
 Description: "Autogenerated configuration for local hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -713,7 +713,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hatchery:openstack",
+ Name: h.Openstack.Name,
 Description: "Autogenerated configuration for openstack hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -730,7 +730,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hatchery:vsphere",
+ Name: h.VSphere.Name,
 Description: "Autogenerated configuration for vsphere hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -747,7 +747,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hatchery:swarm",
+ Name: h.Swarm.Name,
 Description: "Autogenerated configuration for swarm hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -764,7 +764,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hatchery:marathon",
+ Name: h.Marathon.Name,
 Description: "Autogenerated configuration for marathon hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -781,7 +781,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hatchery:kubernetes",
+ Name: h.Kubernetes.Name,
 Description: "Autogenerated configuration for kubernetes hatchery",
 Type: api.StartupConfigConsumerTypeHatchery,
 }
@@ -799,7 +799,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "hooks",
+ Name: conf.Hooks.Name,
 Description: "Autogenerated configuration for hooks service",
 Type: api.StartupConfigConsumerTypeHooks,
 }
@@ -816,7 +816,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "repositories",
+ Name: conf.Repositories.Name,
 Description: "Autogenerated configuration for repositories service",
 Type: api.StartupConfigConsumerTypeRepositories,
 }
@@ -833,7 +833,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "migrate",
+ Name: conf.DatabaseMigrate.Name,
 Description: "Autogenerated configuration for migrate service",
 Type: api.StartupConfigConsumerTypeDBMigrate,
 }
@@ -850,7 +850,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "vcs",
+ Name: conf.VCS.Name,
 Description: "Autogenerated configuration for vcs service",
 Type: api.StartupConfigConsumerTypeVCS,
 }
@@ -867,7 +867,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "cdn",
+ Name: conf.CDN.Name,
 Description: "Autogenerated configuration for cdn service",
 Type: api.StartupConfigConsumerTypeCDN,
 }
@@ -884,7 +884,7 @@ func getInitTokenFromExistingConfiguration(conf Configuration) (string, error) {
 }
 var cfg = api.StartupConfigConsumer{
 ID: consumerID,
- Name: "elasticsearch",
+ Name: conf.ElasticSearch.Name,
 Description: "Autogenerated configuration for elasticSearch service",
 Type: api.StartupConfigConsumerTypeElasticsearch,
 }