ClusterCockpit/cc-backend
1
0
Fork 0
mirror of https://github.com/ClusterCockpit/cc-backend synced 2025-10-31 07:55:06 +01:00
Code Issues Packages Releases Activity

remove separate userapiallowedips config and check

Browse Source
This commit is contained in:
Christoph Kluge
2025-04-14 11:58:42 +02:00
parent 25d3325049
commit 1755a4a7df
2 changed files with 13 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
internal/auth/auth.go
View File

@@ -329,7 +329,7 @@ func (auth *Authentication) AuthApi(
return
}
ipErr := securedCheck(user, "api", r)
ipErr := securedCheck(user, r)
if ipErr != nil {
log.Infof("auth api -> secured check failed: %s", err.Error())
onfailure(rw, r, ipErr)
@@ -372,13 +372,6 @@ func (auth *Authentication) AuthUserApi(
return
}
ipErr := securedCheck(user, "userapi", r)
if ipErr != nil {
log.Infof("auth user api -> secured check failed: %s", err.Error())
onfailure(rw, r, ipErr)
return
}
if user != nil {
switch {
case len(user.Roles) == 1:
@@ -466,7 +459,7 @@ func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
}
// Helper Moved To MiddleWare Auth Handlers
func securedCheck(user *schema.User, checkEndpoint string, r *http.Request) error {
func securedCheck(user *schema.User, r *http.Request) error {
if user == nil {
return fmt.Errorf("no user for secured check")
}
@@ -484,37 +477,17 @@ func securedCheck(user *schema.User, checkEndpoint string, r *http.Request) erro
IPAddress = strings.Split(IPAddress, ":")[0]
}
// Used for checking TokenAuth'd Requests Only: Remove '== schema.AuthToken'-Condition
if checkEndpoint == "api" {
// If nothing declared in config: deny all request to this api endpoint
if config.Keys.ApiAllowedIPs == nil || len(config.Keys.ApiAllowedIPs) == 0 {
return fmt.Errorf("missing configuration key ApiAllowedIPs")
}
// If wildcard declared in config: Continue
if config.Keys.ApiAllowedIPs[0] == "*" {
return nil
}
// check if IP is allowed
if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
return fmt.Errorf("unknown ip: %v", IPAddress)
}
} else if checkEndpoint == "userapi" {
// If nothing declared in config: deny all request to this api endpoint
if config.Keys.UserApiAllowedIPs == nil || len(config.Keys.UserApiAllowedIPs) == 0 {
return fmt.Errorf("missing configuration key UserApiAllowedIPs")
}
// If wildcard declared in config: Continue
if config.Keys.UserApiAllowedIPs[0] == "*" {
return nil
}
// check if IP is allowed
if !util.Contains(config.Keys.UserApiAllowedIPs, IPAddress) {
return fmt.Errorf("unknown user ip: %v", IPAddress)
}
} else {
return fmt.Errorf("unknown checkEndpoint for secured check")
// If nothing declared in config: deny all request to this api endpoint
if len(config.Keys.ApiAllowedIPs) == 0 {
return fmt.Errorf("missing configuration key ApiAllowedIPs")
}
// If wildcard declared in config: Continue
if config.Keys.ApiAllowedIPs[0] == "*" {
return nil
}
// check if IP is allowed
if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
return fmt.Errorf("unknown ip: %v", IPAddress)
}
return nil

3
pkg/schema/config.go
View File

@@ -103,9 +103,6 @@ type ProgramConfig struct {
// Addresses from which secured admin API endpoints can be reached, can be wildcard "*"
ApiAllowedIPs []string `json:"apiAllowedIPs"`
// Addresses from which secured admin API endpoints can be reached, can be wildcard "*"
UserApiAllowedIPs []string `json:"userApiAllowedIPs"`
// Drop root permissions once .env was read and the port was taken.
User string `json:"user"`
Group string `json:"group"`