From dcdbdd9f72873e3a3e2205c7ac50be554a31a8da Mon Sep 17 00:00:00 2001
From: MikelAlejoBR
Date: Tue, 26 Jul 2022 10:49:02 +0200
Subject: [PATCH 1/2] chore: bump the "platform-go-middlewares" dependency version

Even thought we don't use the library's utility functions to parse and process the identity header, we think it's a good idea to have it up to date just in case, before the official "account number shutdown" arrives.
---
 go.mod | 2 +-
 go.sum | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 593d7ca20..5f3d32bd3 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 github.com/neko-neko/echo-logrus/v2 v2.0.1
 github.com/prometheus/client_golang v1.12.1
 github.com/redhatinsights/app-common-go v1.6.3
- github.com/redhatinsights/platform-go-middlewares v0.12.0
+ github.com/redhatinsights/platform-go-middlewares v0.19.0
 github.com/redhatinsights/sources-superkey-worker v0.0.0-20220110114734-d076299a7d68
 github.com/segmentio/kafka-go v0.4.25
 github.com/sirupsen/logrus v1.8.1
diff --git a/go.sum b/go.sum
index 85d8a66a7..b4ff9f4d3 100644
--- a/go.sum
+++ b/go.sum
@@ -1216,6 +1216,8 @@ github.com/redhatinsights/platform-go-middlewares v0.8.1/go.mod h1:koDaxx4Ht3ZgX
 github.com/redhatinsights/platform-go-middlewares v0.10.0/go.mod h1:i5gVDZJ/quCQhs5AW5CwkRPXlz1HfDBvyNtXHnlXZfM=
 github.com/redhatinsights/platform-go-middlewares v0.12.0 h1:gLFgsqupumRqAKDuYtvrYVNQr53iqfhQYc98VJ/cRUs=
 github.com/redhatinsights/platform-go-middlewares v0.12.0/go.mod h1:i5gVDZJ/quCQhs5AW5CwkRPXlz1HfDBvyNtXHnlXZfM=
+github.com/redhatinsights/platform-go-middlewares v0.19.0 h1:KEOVfDTOE0OpOKSb8HeEuYblFa2bpXvXpHRV/6706RM=
+github.com/redhatinsights/platform-go-middlewares v0.19.0/go.mod h1:i5gVDZJ/quCQhs5AW5CwkRPXlz1HfDBvyNtXHnlXZfM=
 github.com/redhatinsights/sources-superkey-worker v0.0.0-20220110114734-d076299a7d68 h1:YOKTWdW6poVAoL0ds7oB5yJSXNQOUIveCjqQRthzJ30=
 github.com/redhatinsights/sources-superkey-worker v0.0.0-20220110114734-d076299a7d68/go.mod h1:D74VLRhmYd+tGF1eid7+HLUKytgsm9L2dS9CoR+lxXM=
 github.com/remyoudompheng/bigfft v0.0.0-20190728182440-6a916e37a237/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
From 7f151db4bf685fc4464c456a72f27a8dced7ae1f Mon Sep 17 00:00:00 2001
From: MikelAlejoBR
Date: Tue, 26 Jul 2022 12:49:53 +0200
Subject: [PATCH 2/2] refactor: update the code

The code needs a little update to be able to work with the latest "platform-go-middlewares" changes.
---
 middleware/authorization.go | 11 ++++-------
 middleware/authorization_test.go | 24 ++++++++++++++++++------
 middleware/headers.go | 2 +-
 3 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/middleware/authorization.go b/middleware/authorization.go
index fdbc3802b..a7ac08eaa 100644
--- a/middleware/authorization.go
+++ b/middleware/authorization.go
@@ -51,7 +51,7 @@ func PermissionCheck(next echo.HandlerFunc) echo.HandlerFunc {
 // first check the identity (already parsed) to see if it contains
 // the system key and if it does do some extra checks to authorize
 // based on some internal rules (operator + satellite)
- identity, ok := c.Get(h.PARSED_IDENTITY).(*identity.XRHID)
+ id, ok := c.Get(h.PARSED_IDENTITY).(*identity.XRHID)
 if !ok {
 return fmt.Errorf("error casting identity to struct: %+v", c.Get("identity"))
 }
@@ -59,7 +59,7 @@ func PermissionCheck(next echo.HandlerFunc) echo.HandlerFunc {
 // checking to see if we're going to change the results since
 // system-auth is treated completely differently than
 // org_admin/rbac/psk
- if identity.Identity.System != nil {
+ if id.Identity.System != (identity.System{}) {
 // system-auth only allows GET and POST requests.
 method := c.Request().Method
 if method != http.MethodGet && method != http.MethodPost && method != http.MethodDelete {
@@ -77,12 +77,9 @@ func PermissionCheck(next echo.HandlerFunc) echo.HandlerFunc {
 // can go through (but only if it's a POST)
 //
 // we're returning early because this is easier than a goto.
- switch {
- case identity.Identity.System["cluster_id"] != nil:
+ if id.Identity.System.ClusterId != "" || id.Identity.System.CommonName != "" {
 return next(c)
- case identity.Identity.System["cn"] != nil:
- return next(c)
- default:
+ } else {
 return c.JSON(http.StatusUnauthorized, util.ErrorDoc("Unauthorized Action: system authorization only supports cn/cluster_id authorization", "401"))
 }
 }
diff --git a/middleware/authorization_test.go b/middleware/authorization_test.go
index 92e1a4cf6..9b3e09829 100644
--- a/middleware/authorization_test.go
+++ b/middleware/authorization_test.go
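Review bot: The zero-value test `id.Identity.System != (identity.System{})` in the `@@ -59,7 +59,7 @@` hunk of middleware/authorization.go does not select the same requests as the nil-map check it replaces. A header whose `system` object is present but sets none of the struct's fields would presumably decode to the zero struct, skip the system-auth method and cn/cluster_id restrictions, and be evaluated on the org_admin/rbac/psk path, where the old code sent it to the 401 in the later hunk. If that fall-through is intended, say so above the condition, e.g. `// an empty "system" object is not system-auth; it is authorized by the regular rules`; if it is not, the branch needs a presence signal that survives decoding. The context comment in the same hunk is also out of step with the condition, which admits DELETE as well: `// system-auth only allows GET, POST and DELETE requests.` PermissionCheck's body starts and ends outside the hunk.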
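Review bot: In the `@@ -77,12 +77,9 @@` hunk of middleware/authorization.go the new `if … { return next(c) } else { … }` keeps an `else` after a terminating `return`, which Go style checkers flag and which hides that the 401 is the default outcome. Dropping the `else` leaves the deny as the fall-through: close the `if` with `}` and put `return c.JSON(http.StatusUnauthorized, …)` on the following line at the same level. The comment above the condition still says the request goes through "only if it's a POST", which the visible condition does not check; whether an earlier line enforces it cannot be seen from this hunk.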
@@ -114,7 +114,9 @@ func TestSystemClusterID(t *testing.T) {
 "x-rh-identity": "dummy",
 "identity": &identity.XRHID{
 Identity: identity.Identity{
- System: map[string]interface{}{"cluster_id": "test_cluster"},
+ System: identity.System{
+ ClusterId: "test_cluster",
+ },
 },
 },
 },
@@ -139,7 +141,9 @@ func TestSystemCN(t *testing.T) {
 "x-rh-identity": "dummy",
 "identity": &identity.XRHID{
 Identity: identity.Identity{
- System: map[string]interface{}{"cn": "test_cert"},
+ System: identity.System{
+ CommonName: "test_cert",
+ },
 },
 },
 },
@@ -164,7 +168,9 @@ func TestSystemPatch(t *testing.T) {
 "x-rh-identity": "dummy",
 "identity": &identity.XRHID{
 Identity: identity.Identity{
- System: map[string]interface{}{"cn": "test_cert"},
+ System: identity.System{
+ CommonName: "test_cert",
+ },
 },
 },
 },
@@ -189,7 +195,9 @@ func TestSystemDelete(t *testing.T) {
 "x-rh-identity": "dummy",
 "identity": &identity.XRHID{
 Identity: identity.Identity{
- System: map[string]interface{}{"cn": "test_cert"},
+ System: identity.System{
+ CommonName: "test_cert",
+ },
 },
 },
 },
@@ -214,7 +222,9 @@ func TestSystemDeleteSource(t *testing.T) {
 "x-rh-identity": "dummy",
 "identity": &identity.XRHID{
 Identity: identity.Identity{
- System: map[string]interface{}{"cn": "test_cert"},
+ System: identity.System{
+ CommonName: "test_cert",
+ },
 },
 },
 },
@@ -239,7 +249,9 @@ func TestSystemDeleteSourceVersioned(t *testing.T) {
 "x-rh-identity": "dummy",
 "identity": &identity.XRHID{
 Identity: identity.Identity{
- System: map[string]interface{}{"cn": "test_cert"},
+ System: identity.System{
+ CommonName: "test_cert",
+ },
 },
 },
 },
diff --git a/middleware/headers.go b/middleware/headers.go
index e0a657c8a..a202e9a0c 100644
--- a/middleware/headers.go
+++ b/middleware/headers.go
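Review bot: The six fixtures updated in middleware/authorization_test.go (first at `@@ -114,7 +114,9 @@`, with the same edit repeated in the five hunks after it) only exercise a populated `ClusterId` or `CommonName`, so the boundaries that the move from a map to a struct introduces in the authorization check are not pinned by any visible test. A case with `System: identity.System{}` would fix which path an empty system object takes, and a case where the struct is non-zero but both `ClusterId` and `CommonName` are empty (if it has another field to set) would show that the 401 branch is still reachable. The rest of the file is outside these hunks, so such cases may already exist.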
@@ -56,7 +56,7 @@ func ParseHeaders(next echo.HandlerFunc) echo.HandlerFunc { c.Set(h.PARSED_IDENTITY, xRhIdentity) // store whether or not this a cert-auth based request - if xRhIdentity.Identity.System != nil && xRhIdentity.Identity.System["cn"] != nil { + if xRhIdentity.Identity.System.CommonName != "" { c.Set("cert-auth", true) } } else {
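Review bot: The new condition `xRhIdentity.Identity.System.CommonName != ""` is stricter than the map lookup it replaces, and the comment above it does not say so: with the old map, `System["cn"] != nil` held for a `cn` that was present but empty, whereas such a header no longer marks the request as cert-auth. Stating the rule in the comment makes the contract explicit for whatever reads the `cert-auth` key, e.g. `// cert-auth: the identity carries a non-empty system "cn"`. ParseHeaders' body starts and ends outside the hunk.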