Disable admin user API access when enableApplicationLocalLogin is false #505
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -63,19 +63,19 @@ Options SymLinksIfOwnerMatch | |
| func httpdAuthenticationConf(spec *miqv1alpha1.ManageIQSpec) string { | ||
| switch spec.HttpdAuthenticationType { | ||
| case "openid-connect": | ||
| return httpdOIDCAuthConf(spec.OIDCProviderURL, spec.OIDCOAuthIntrospectionURL, spec.ApplicationDomain, *spec.EnableApplicationLocalLogin) | ||
| case "external": | ||
| return httpdExternalAuthConf(*spec.EnableApplicationLocalLogin) | ||
| case "active-directory": | ||
| return httpdADAuthConf(*spec.EnableApplicationLocalLogin) | ||
| case "saml": | ||
| return httpdSAMLAuthConf() | ||
| default: | ||
| return "" | ||
| } | ||
| } | ||
|
|
||
| func httpdExternalAuthConf(enableLocalLogin bool) string { | ||
| s := ` | ||
| %s | ||
|
|
||
|
|
@@ -111,13 +111,13 @@ func httpdExternalAuthConf() string { | |
| s, | ||
| httpdAuthLoadModulesConf(), | ||
| httpdAuthLoginFormConf(), | ||
| httpdAuthApplicationAPIConf("Basic", "\"External Authentication (httpd) for API\"", apiExtraConfig, enableLocalLogin), | ||
| httpdAuthLookupUserDetailsConf(), | ||
| httpdAuthRemoteUserConf(), | ||
| ) | ||
| } | ||
|
|
||
| func httpdADAuthConf(enableLocalLogin bool) string { | ||
| s := ` | ||
| %s | ||
|
|
||
|
|
@@ -153,7 +153,7 @@ func httpdADAuthConf() string { | |
| s, | ||
| httpdAuthLoadModulesConf(), | ||
| httpdAuthLoginFormConf(), | ||
| httpdAuthApplicationAPIConf("Basic", "\"External Authentication (httpd) for API\"", apiExtraConfig, enableLocalLogin), | ||
| httpdAuthLookupUserDetailsConf(), | ||
| httpdAuthRemoteUserConf(), | ||
| ) | ||
|
|
@@ -202,7 +202,7 @@ LoadModule auth_mellon_module modules/mod_auth_mellon.so | |
| return fmt.Sprintf(s, httpdAuthRemoteUserConf()) | ||
| } | ||
|
|
||
| func httpdOIDCAuthConf(providerURL, introspectionURL, applicationDomain string, enableLocalLogin bool) string { | ||
| // If these are not provided, we should assume that the user provided a full config | ||
| // in a secret, so include the directory for that secret here | ||
| if providerURL == "" || introspectionURL == "" || applicationDomain == "" { | ||
|
|
@@ -250,7 +250,7 @@ RequestHeader set X_REMOTE_USER_DOMAIN %%{OIDC_CLAIM_DOMAIN}e env | |
| providerURL, | ||
| applicationDomain, | ||
| introspectionURL, | ||
| httpdAuthApplicationAPIConf("oauth20", "\"External Authentication (oauth20) for API\"", "", enableLocalLogin), | ||
| ) | ||
| } | ||
|
|
||
|
|
@@ -275,10 +275,9 @@ func httpdAuthLoginFormConf() string { | |
| ` | ||
| } | ||
|
|
||
| func httpdAuthApplicationAPIConf(authType, authName, extraConfig string, enableLocalLogin bool) string { | ||
| s := ` | ||
| <LocationMatch ^/api(?!\/(v[\d\.]+\/)?product_info$)> | ||
| SetEnvIf X-Auth-Token '^.+$' let_api_token_in | ||
| SetEnvIf X-MIQ-Token '^.+$' let_sys_token_in | ||
| SetEnvIf X-CSRF-Token '^.+$' let_csrf_token_in | ||
|
|
@@ -287,17 +286,23 @@ func httpdAuthApplicationAPIConf(authType, authName, extraConfig string) string | |
| AuthName %s | ||
| Require valid-user | ||
| Order Allow,Deny | ||
| Allow from env=let_api_token_in | ||
| Allow from env=let_sys_token_in | ||
| Allow from env=let_csrf_token_in | ||
| Satisfy Any | ||
| %s | ||
|
|
||
| %s | ||
| </LocationMatch> | ||
| ` | ||
| letAdminIn := "" | ||
| if enableLocalLogin { | ||
| letAdminIn = ` | ||
| SetEnvIf Authorization '^Basic +YWRtaW46' let_admin_in | ||
| Allow from env=let_admin_in` | ||
|
There was a problem hiding this comment. Does order matter with respect to these settings (I know it does for some other settings in the conf). This PR changes the order, and I wonder if that's a problem or not. There was a problem hiding this comment. Pretty sure it doesn't. @jvlcek can confirm though There was a problem hiding this comment.
Order does not seem to matter. I just successfully tested with the following segment and it worked fine |
||
| } | ||
|
|
||
| return fmt.Sprintf(s, authType, authName, letAdminIn, extraConfig) | ||
| } | ||
|
|
||
| func httpdAuthLookupUserDetailsConf() string { | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not for this PR, but would it make more sense to just pass the spec object in it's entirety and then the methods pull out what they need?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, maybe when we need one more parameter. Originally this method only needed one or two so it made sense to pass them individually. I feel like 5 is my tipping point