From 72013ca545df309fce292501f6211e3ecbccab6a Mon Sep 17 00:00:00 2001
From: srost <srost@de.ibm.com>
Date: Tue, 26 Sep 2023 15:09:44 +0200
Subject: [PATCH] Blacklist on account level (cont.)

---
 .../BasicAuthenticationDirective.scala        | 39 +++++++++++++++++--
 1 file changed, 35 insertions(+), 4 deletions(-)

diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala
index e666b7fd945..3786ae61f2e 100644
--- a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala
+++ b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala
@@ -37,7 +37,12 @@ import spray.json.JsString
 
 object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
 
+  private val systemNamespaces = sys.env.getOrElse("SYSTEM_NAMESPACES", "").split(",").toList
+  private val allAccounts = sys.env.getOrElse("ALL_ACCOUNTS", "")
+  private val wlAccountPfx = sys.env.getOrElse("WL_ACCOUNT_PFX", "??")
+  private val iamNamespaceRegEx = sys.env.getOrElse("IAM_NAMESPACE_REGEX", "")
   var namespaceBlacklist: Option[NamespaceBlacklist] = None
+
   def getOrCreateBlacklist()(implicit transid: TransactionId,
                              system: ActorSystem,
                              ec: ExecutionContext,
@@ -51,6 +56,9 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
         val namespaceBlacklist = new NamespaceBlacklist(authStore)
         if (!sys.env.get("CONTROLLER_NAME").getOrElse("").equals("crudcontroller")) {
           logging.info(this, "create background job to update blacklist..")
+          logging.info(
+            this,
+            s"systemNamespaces: $systemNamespaces, allAccounts: $allAccounts, wlAccountPfx: $wlAccountPfx, iamNamespaceRegEx: $iamNamespaceRegEx")
           Scheduler.scheduleWaitAtMost(loadConfigOrThrow[NamespaceBlacklistConfig](ConfigKeys.blacklist).pollInterval) {
             () =>
               logging.debug(this, "running background job to update blacklist")
@@ -81,10 +89,21 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
         val authkey = BasicAuthenticationAuthKey(UUID(pw.username), Secret(pw.password))
         logging.info(this, s"authenticate: ${authkey.uuid}")
         val future = Identity.get(authStore, authkey) map { result =>
+          val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("")
           val blacklist = getOrCreateBlacklist
+          val isSystemNamespace = systemNamespaces.contains(result.namespace.name)
+          logging.info(this, s"@StR account: $account, blacklist: $blacklist, isSystemNamespace: $isSystemNamespace, credentials: $credentials, result: $result")
           val identity =
-            if (!blacklist.isEmpty && blacklist.isBlacklisted(
-                  Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) {
+            if (!isSystemNamespace && blacklist.isBlacklisted(allAccounts) && !blacklist.isBlacklisted(
+                  wlAccountPfx + account)) {
+              Identity(
+                subject = result.subject,
+                namespace = result.namespace,
+                authkey = result.authkey,
+                rights = result.rights,
+                limits =
+                  UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0)))
+            } else if (blacklist.isBlacklisted(account)) {
               Identity(
                 subject = result.subject,
                 namespace = result.namespace,
@@ -142,10 +161,22 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
     //Identity.get(authStore, namespace)
     implicit val ec = authStore.executionContext
     implicit val logging = authStore.logging
+    logging.info(this, s"identify by namespace: $namespace")
     Identity.get(authStore, namespace) map { result =>
+      val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("")
       val blacklist = getOrCreateBlacklist
-      if (!blacklist.isEmpty && blacklist.isBlacklisted(
-            Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) {
+      val isSystemNamespace = systemNamespaces.contains(namespace.name)
+      logging.info(this, s"@StR account: $account, blacklist: $blacklist, isSystemNamespace: $isSystemNamespace, namespace: $namespace, result: $result")
+      if (!isSystemNamespace && (!iamNamespaceRegEx.isEmpty && !namespace.name.matches(iamNamespaceRegEx)) && blacklist
+            .isBlacklisted(allAccounts) && !blacklist
+            .isBlacklisted(wlAccountPfx + account)) {
+        Identity(
+          subject = result.subject,
+          namespace = result.namespace,
+          authkey = result.authkey,
+          rights = result.rights,
+          limits = UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0)))
+      } else if (blacklist.isBlacklisted(account)) {
         Identity(
           subject = result.subject,
           namespace = result.namespace,