From cc6d608e8b0490839f5e63f0947d99d31a75972f Mon Sep 17 00:00:00 2001 From: srost Date: Tue, 26 Sep 2023 15:09:44 +0200 Subject: [PATCH] Blacklist on account level (cont.) --- .../BasicAuthenticationDirective.scala | 43 +++++++++++++++++-- .../core/invoker/NamespaceBlacklist.scala | 3 ++ 2 files changed, 42 insertions(+), 4 deletions(-) diff --git a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala index e666b7fd945..00cc4c1682c 100644 --- a/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala +++ b/core/controller/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala @@ -37,7 +37,12 @@ import spray.json.JsString object BasicAuthenticationDirective extends AuthenticationDirectiveProvider { + private val systemNamespaces = sys.env.getOrElse("SYSTEM_NAMESPACES", "").split(",").toList + private val allAccounts = sys.env.getOrElse("ALL_ACCOUNTS", "") + private val wlAccountPfx = sys.env.getOrElse("WL_ACCOUNT_PFX", "??") + private val iamNamespaceRegEx = sys.env.getOrElse("IAM_NAMESPACE_REGEX", "") var namespaceBlacklist: Option[NamespaceBlacklist] = None + def getOrCreateBlacklist()(implicit transid: TransactionId, system: ActorSystem, ec: ExecutionContext, @@ -51,6 +56,9 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider { val namespaceBlacklist = new NamespaceBlacklist(authStore) if (!sys.env.get("CONTROLLER_NAME").getOrElse("").equals("crudcontroller")) { logging.info(this, "create background job to update blacklist..") + logging.info( + this, + s"systemNamespaces: $systemNamespaces, allAccounts: $allAccounts, wlAccountPfx: $wlAccountPfx, iamNamespaceRegEx: $iamNamespaceRegEx") Scheduler.scheduleWaitAtMost(loadConfigOrThrow[NamespaceBlacklistConfig](ConfigKeys.blacklist).pollInterval) { () => logging.debug(this, "running background job to update blacklist") @@ -81,10 +89,23 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider { val authkey = BasicAuthenticationAuthKey(UUID(pw.username), Secret(pw.password)) logging.info(this, s"authenticate: ${authkey.uuid}") val future = Identity.get(authStore, authkey) map { result => + val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("") val blacklist = getOrCreateBlacklist + val isSystemNamespace = systemNamespaces.exists(ns => result.namespace.name.name.startsWith(ns)) + logging.info( + this, + s"@StR authenticate: account: $account, blacklist: $blacklist, isSystemNamespace: $isSystemNamespace, result: $result") val identity = - if (!blacklist.isEmpty && blacklist.isBlacklisted( - Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) { + if (!isSystemNamespace && blacklist.isBlacklisted(allAccounts) && !blacklist.isBlacklisted( + wlAccountPfx + account)) { + Identity( + subject = result.subject, + namespace = result.namespace, + authkey = result.authkey, + rights = result.rights, + limits = + UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0))) + } else if (blacklist.isBlacklisted(account)) { Identity( subject = result.subject, namespace = result.namespace, @@ -142,10 +163,24 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider { //Identity.get(authStore, namespace) implicit val ec = authStore.executionContext implicit val logging = authStore.logging + logging.info(this, s"identify by namespace: $namespace") Identity.get(authStore, namespace) map { result => + val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("") val blacklist = getOrCreateBlacklist - if (!blacklist.isEmpty && blacklist.isBlacklisted( - Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) { + val isSystemNamespace = systemNamespaces.exists(ns => namespace.name.startsWith(ns)) + val isCfNamespace = !iamNamespaceRegEx.isEmpty && !namespace.name.matches(iamNamespaceRegEx) + logging.info( + this, + s"@StR identify by namespace: account: $account, blacklist: ${blacklist.toString}, isSystemNamespace: $isSystemNamespace, isCfNamespace: $isCfNamespace, namespace: $namespace, result: $result") + if (!isSystemNamespace && isCfNamespace && blacklist.isBlacklisted(allAccounts) && !blacklist.isBlacklisted( + wlAccountPfx + account)) { + Identity( + subject = result.subject, + namespace = result.namespace, + authkey = result.authkey, + rights = result.rights, + limits = UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0))) + } else if (blacklist.isBlacklisted(account)) { Identity( subject = result.subject, namespace = result.namespace, diff --git a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/NamespaceBlacklist.scala b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/NamespaceBlacklist.scala index f650c4f12cd..9b98aed9703 100644 --- a/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/NamespaceBlacklist.scala +++ b/core/invoker/src/main/scala/org/apache/openwhisk/core/invoker/NamespaceBlacklist.scala @@ -81,6 +81,9 @@ class NamespaceBlacklist(authStore: AuthStore) { newBlacklist } } + + /** This is so that we can easily log the blacklist for debugging. */ + override def toString() = blacklist.toString() } object NamespaceBlacklist {