Blacklist on account level (cont.)

ibm-functions · Sep 27, 2023 · cc6d608 · cc6d608
1 parent 7c9ec1b
commit cc6d608
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 4 deletions.
diff --git a/...er/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala b/...er/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala
@@ -37,7 +37,12 @@ import spray.json.JsString
 
 object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
 
+  private val systemNamespaces = sys.env.getOrElse("SYSTEM_NAMESPACES", "").split(",").toList
+  private val allAccounts = sys.env.getOrElse("ALL_ACCOUNTS", "")
+  private val wlAccountPfx = sys.env.getOrElse("WL_ACCOUNT_PFX", "??")
+  private val iamNamespaceRegEx = sys.env.getOrElse("IAM_NAMESPACE_REGEX", "")
   var namespaceBlacklist: Option[NamespaceBlacklist] = None
+
   def getOrCreateBlacklist()(implicit transid: TransactionId,
                              system: ActorSystem,
                              ec: ExecutionContext,
@@ -51,6 +56,9 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
         val namespaceBlacklist = new NamespaceBlacklist(authStore)
         if (!sys.env.get("CONTROLLER_NAME").getOrElse("").equals("crudcontroller")) {
           logging.info(this, "create background job to update blacklist..")
+          logging.info(
+            this,
+            s"systemNamespaces: $systemNamespaces, allAccounts: $allAccounts, wlAccountPfx: $wlAccountPfx, iamNamespaceRegEx: $iamNamespaceRegEx")
           Scheduler.scheduleWaitAtMost(loadConfigOrThrow[NamespaceBlacklistConfig](ConfigKeys.blacklist).pollInterval) {
             () =>
               logging.debug(this, "running background job to update blacklist")
@@ -81,10 +89,23 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
         val authkey = BasicAuthenticationAuthKey(UUID(pw.username), Secret(pw.password))
         logging.info(this, s"authenticate: ${authkey.uuid}")
         val future = Identity.get(authStore, authkey) map { result =>
+          val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("")
           val blacklist = getOrCreateBlacklist
+          val isSystemNamespace = systemNamespaces.exists(ns => result.namespace.name.name.startsWith(ns))
+          logging.info(
+            this,
+            s"@StR authenticate: account: $account, blacklist: $blacklist, isSystemNamespace: $isSystemNamespace, result: $result")
           val identity =
-            if (!blacklist.isEmpty && blacklist.isBlacklisted(
-                  Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) {
+            if (!isSystemNamespace && blacklist.isBlacklisted(allAccounts) && !blacklist.isBlacklisted(
+                  wlAccountPfx + account)) {
+              Identity(
+                subject = result.subject,
+                namespace = result.namespace,
+                authkey = result.authkey,
+                rights = result.rights,
+                limits =
+                  UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0)))
+            } else if (blacklist.isBlacklisted(account)) {
               Identity(
                 subject = result.subject,
                 namespace = result.namespace,
@@ -142,10 +163,24 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
     //Identity.get(authStore, namespace)
     implicit val ec = authStore.executionContext
     implicit val logging = authStore.logging
+    logging.info(this, s"identify by namespace: $namespace")
     Identity.get(authStore, namespace) map { result =>
+      val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("")
       val blacklist = getOrCreateBlacklist
-      if (!blacklist.isEmpty && blacklist.isBlacklisted(
-            Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) {
+      val isSystemNamespace = systemNamespaces.exists(ns => namespace.name.startsWith(ns))
+      val isCfNamespace = !iamNamespaceRegEx.isEmpty && !namespace.name.matches(iamNamespaceRegEx)
+      logging.info(
+        this,
+        s"@StR identify by namespace: account: $account, blacklist: ${blacklist.toString}, isSystemNamespace: $isSystemNamespace, isCfNamespace: $isCfNamespace, namespace: $namespace, result: $result")
+      if (!isSystemNamespace && isCfNamespace && blacklist.isBlacklisted(allAccounts) && !blacklist.isBlacklisted(
+            wlAccountPfx + account)) {
+        Identity(
+          subject = result.subject,
+          namespace = result.namespace,
+          authkey = result.authkey,
+          rights = result.rights,
+          limits = UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0)))
+      } else if (blacklist.isBlacklisted(account)) {
         Identity(
           subject = result.subject,
           namespace = result.namespace,

diff --git a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/NamespaceBlacklist.scala b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/NamespaceBlacklist.scala
@@ -81,6 +81,9 @@ class NamespaceBlacklist(authStore: AuthStore) {
         newBlacklist
       }
   }
+
+  /** This is so that we can easily log the blacklist for debugging. */
+  override def toString() = blacklist.toString()
 }
 
 object NamespaceBlacklist {