ClusterCockpit/cc-backend
1
0
Fork 0
mirror of https://github.com/ClusterCockpit/cc-backend synced 2025-04-21 11:01:43 +02:00
Code Issues Packages Releases Activity

remove separate userapiallowedips config and check

Browse Source
This commit is contained in:
Christoph Kluge 2025-04-14 11:58:42 +02:00
parent 25d3325049
commit 1755a4a7df
2 changed files with 13 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
internal/auth/auth.go
View File

@ -329,7 +329,7 @@ func (auth *Authentication) AuthApi(
return return
} }
ipErr := securedCheck(user, "api", r) ipErr := securedCheck(user, r)
if ipErr != nil { if ipErr != nil {
log.Infof("auth api -> secured check failed: %s", err.Error()) log.Infof("auth api -> secured check failed: %s", err.Error())
onfailure(rw, r, ipErr) onfailure(rw, r, ipErr)
@ -372,13 +372,6 @@ func (auth *Authentication) AuthUserApi(
return return
} }
ipErr := securedCheck(user, "userapi", r)
if ipErr != nil {
log.Infof("auth user api -> secured check failed: %s", err.Error())
onfailure(rw, r, ipErr)
return
}
if user != nil { if user != nil {
switch { switch {
case len(user.Roles) == 1: case len(user.Roles) == 1:
@ -466,7 +459,7 @@ func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
} }
// Helper Moved To MiddleWare Auth Handlers // Helper Moved To MiddleWare Auth Handlers
func securedCheck(user *schema.User, checkEndpoint string, r *http.Request) error { func securedCheck(user *schema.User, r *http.Request) error {
if user == nil { if user == nil {
return fmt.Errorf("no user for secured check") return fmt.Errorf("no user for secured check")
} }
@ -484,37 +477,17 @@ func securedCheck(user *schema.User, checkEndpoint string, r *http.Request) erro
IPAddress = strings.Split(IPAddress, ":")[0] IPAddress = strings.Split(IPAddress, ":")[0]
} }
// Used for checking TokenAuth'd Requests Only: Remove '== schema.AuthToken'-Condition // If nothing declared in config: deny all request to this api endpoint
if checkEndpoint == "api" { if len(config.Keys.ApiAllowedIPs) == 0 {
// If nothing declared in config: deny all request to this api endpoint return fmt.Errorf("missing configuration key ApiAllowedIPs")
if config.Keys.ApiAllowedIPs == nil || len(config.Keys.ApiAllowedIPs) == 0 { }
return fmt.Errorf("missing configuration key ApiAllowedIPs") // If wildcard declared in config: Continue
} if config.Keys.ApiAllowedIPs[0] == "*" {
// If wildcard declared in config: Continue return nil
if config.Keys.ApiAllowedIPs[0] == "*" { }
return nil // check if IP is allowed
} if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
// check if IP is allowed return fmt.Errorf("unknown ip: %v", IPAddress)
if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
return fmt.Errorf("unknown ip: %v", IPAddress)
}
} else if checkEndpoint == "userapi" {
// If nothing declared in config: deny all request to this api endpoint
if config.Keys.UserApiAllowedIPs == nil || len(config.Keys.UserApiAllowedIPs) == 0 {
return fmt.Errorf("missing configuration key UserApiAllowedIPs")
}
// If wildcard declared in config: Continue
if config.Keys.UserApiAllowedIPs[0] == "*" {
return nil
}
// check if IP is allowed
if !util.Contains(config.Keys.UserApiAllowedIPs, IPAddress) {
return fmt.Errorf("unknown user ip: %v", IPAddress)
}
} else {
return fmt.Errorf("unknown checkEndpoint for secured check")
} }
return nil return nil

3
pkg/schema/config.go
View File

@ -103,9 +103,6 @@ type ProgramConfig struct {
// Addresses from which secured admin API endpoints can be reached, can be wildcard "*" // Addresses from which secured admin API endpoints can be reached, can be wildcard "*"
ApiAllowedIPs []string `json:"apiAllowedIPs"` ApiAllowedIPs []string `json:"apiAllowedIPs"`
// Addresses from which secured admin API endpoints can be reached, can be wildcard "*"
UserApiAllowedIPs []string `json:"userApiAllowedIPs"`
// Drop root permissions once .env was read and the port was taken. // Drop root permissions once .env was read and the port was taken.
User string `json:"user"` User string `json:"user"`
Group string `json:"group"` Group string `json:"group"`