Blacklist on account level (cont.)

ibm-functions · Sep 26, 2023 · ed68b4e · ed68b4e
1 parent 7c9ec1b
commit ed68b4e
Showing 1 changed file with 25 additions and 4 deletions.
diff --git a/...er/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala b/...er/src/main/scala/org/apache/openwhisk/core/controller/BasicAuthenticationDirective.scala
@@ -37,6 +37,9 @@ import spray.json.JsString
 
 object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
 
+  private val allAccounts = sys.env.getOrElse("ALL_ACCOUNTS", "")
+  private val wlAccountPfx = sys.env.getOrElse("WL_ACCOUNT_PFX", "??")
+  private val iamNamespaceRegEx = sys.env.getOrElse("IAM_NAMESPACE_REGEX", "")
   var namespaceBlacklist: Option[NamespaceBlacklist] = None
   def getOrCreateBlacklist()(implicit transid: TransactionId,
                              system: ActorSystem,
@@ -82,9 +85,17 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
         logging.info(this, s"authenticate: ${authkey.uuid}")
         val future = Identity.get(authStore, authkey) map { result =>
           val blacklist = getOrCreateBlacklist
+          val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("")
           val identity =
-            if (!blacklist.isEmpty && blacklist.isBlacklisted(
-                  Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) {
+            if (blacklist.isBlacklisted(allAccounts) && !blacklist.isBlacklisted(wlAccountPfx + account)) {
+              Identity(
+                subject = result.subject,
+                namespace = result.namespace,
+                authkey = result.authkey,
+                rights = result.rights,
+                limits =
+                  UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0)))
+            } else if (blacklist.isBlacklisted(account)) {
               Identity(
                 subject = result.subject,
                 namespace = result.namespace,
@@ -142,10 +153,20 @@ object BasicAuthenticationDirective extends AuthenticationDirectiveProvider {
     //Identity.get(authStore, namespace)
     implicit val ec = authStore.executionContext
     implicit val logging = authStore.logging
+    logging.info(this, s"authentication for namespace $namespace")
     Identity.get(authStore, namespace) map { result =>
       val blacklist = getOrCreateBlacklist
-      if (!blacklist.isEmpty && blacklist.isBlacklisted(
-            Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse(""))) {
+      val account = Try(result.authkey.asInstanceOf[BasicAuthenticationAuthKey].account).getOrElse("")
+      if ((!iamNamespaceRegEx.isEmpty && !namespace.name.matches(iamNamespaceRegEx)) && blacklist.isBlacklisted(
+            allAccounts) && !blacklist
+            .isBlacklisted(wlAccountPfx + account)) {
+        Identity(
+          subject = result.subject,
+          namespace = result.namespace,
+          authkey = result.authkey,
+          rights = result.rights,
+          limits = UserLimits(invocationsPerMinute = Some(0), concurrentInvocations = Some(0), firesPerMinute = Some(0)))
+      } else if (blacklist.isBlacklisted(account)) {
         Identity(
           subject = result.subject,
           namespace = result.namespace,