Header x-forwarded-client-cert validation (#48)

XFCC validation apiKey with sha256 hashing service/control_test.go for unit tests on new functions service/control.go NewControl added parameter for db, to allow for unit test sqlite db.
salesforce · Feb 25, 2025 · 575dd06 · 575dd06
1 parent df1d8ce
commit 575dd06
Show file tree

Hide file tree

Showing 8 changed files with 587 additions and 156 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 sprinkler
 .env
+.codegenie
diff --git a/.sprinkler.yaml b/.sprinkler.yaml
@@ -14,7 +14,14 @@ control:
   trustedProxies:
     - "0.0.0.0/0"
     - "::/0"
-  apiKey: "changeme"
+  # leave empty to read from environment variable API_KEY_ENABLED
+  apiKeyEnabled: 
+  # leave empty to read from environment variable XFCC_ENABLED
+  xfccEnabled: 
+  # echo -n changeme | shasum -a 256 | awk '{print $1}'
+  apiKey: "057ba03d6c44104863dc7361fe4578965d1887360f90a0895882e58a6248fc86"
+  xfccHeaderName: "x-forwarded-client-cert"
+  xfccMustContain: "changeme"
 
 scheduler:
   interval: "1s"

diff --git a/cmd/control.go b/cmd/control.go
@@ -10,31 +10,48 @@ import (
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"mce.salesforce.com/sprinkler/database"
 	"mce.salesforce.com/sprinkler/service"
 )
 
 var controlAddress string
 
 type ControlCmdOpt struct {
-	Address        string
-	TrustedProxies []string
-	APIKey         string
+	Address         string
+	TrustedProxies  []string
+	APIKeyEnabled   bool
+	APIKey          string
+	XfccEnabled     bool
+	XfccHeaderName  string
+	XfccMustContain string
 }
 
 const (
-	CtrlFlagAPIKey         string = "apiKey"
-	CtrlConfigAPIKey              = "control.apiKey"
-	CtrlFlagTrustedProxy          = "trustedProxy"
-	CtrlConfigTrustedProxy        = "control.trustedProxies"
-	CtrlFlagAddress               = "address"
-	CtrlConfigAddress             = "control.address"
+	CtrlFlagAPIKeyEnabled     string = "apiKeyEnabled"
+	CtrlConfigAPIKeyEnabled   string = "control.apiKeyEnabled"
+	CtrlFlagAPIKey            string = "apiKey"
+	CtrlConfigAPIKey          string = "control.apiKey"
+	CtrlFlagXfccEnabled       string = "xfccEnabled"
+	CtrlConfigXfccEnabled     string = "control.xfccEnabled"
+	CtrlFlagXfccHeaderName    string = "xfccHeaderName"
+	CtrlConfigXfccHeaderName  string = "control.xfccHeaderName"
+	CtrlFlagXfccMustContain   string = "xfccMustContain"
+	CtrlConfigXfccMustContain string = "control.xfccMustContain"
+	CtrlFlagTrustedProxy      string = "trustedProxy"
+	CtrlConfigTrustedProxy    string = "control.trustedProxies"
+	CtrlFlagAddress           string = "address"
+	CtrlConfigAddress         string = "control.address"
 )
 
 func getControlCmdOpt() ControlCmdOpt {
 	return ControlCmdOpt{
-		Address:        viper.GetString(CtrlConfigAddress),
-		TrustedProxies: viper.GetStringSlice(CtrlConfigTrustedProxy),
-		APIKey:         viper.GetString(CtrlConfigAPIKey),
+		Address:         viper.GetString(CtrlConfigAddress),
+		TrustedProxies:  viper.GetStringSlice(CtrlConfigTrustedProxy),
+		APIKeyEnabled:   viper.GetBool(CtrlConfigAPIKeyEnabled),
+		APIKey:          viper.GetString(CtrlConfigAPIKey),
+		XfccEnabled:     viper.GetBool(CtrlConfigXfccEnabled),
+		XfccHeaderName:  viper.GetString(CtrlConfigXfccHeaderName),
+		XfccMustContain: viper.GetString(CtrlConfigXfccMustContain),
 	}
 }
 
@@ -48,9 +65,14 @@ and run by sprinkler.`,
 		fmt.Println("control called")
 		controlCmdOpt := getControlCmdOpt()
 		ctrl := service.NewControl(
+			database.GetInstance(),
 			controlCmdOpt.Address,
 			controlCmdOpt.TrustedProxies,
+			controlCmdOpt.APIKeyEnabled,
 			controlCmdOpt.APIKey,
+			controlCmdOpt.XfccEnabled,
+			controlCmdOpt.XfccHeaderName,
+			controlCmdOpt.XfccMustContain,
 		)
 		ctrl.Run()
 	},
@@ -69,7 +91,19 @@ func init() {
 	controlCmd.Flags().StringSlice(CtrlFlagTrustedProxy, []string{}, "trusted proxies")
 	viper.BindPFlag(CtrlConfigTrustedProxy, controlCmd.Flags().Lookup(CtrlFlagTrustedProxy))
 
+	controlCmd.Flags().Bool(CtrlFlagAPIKeyEnabled, true, "api key enabled")
+	viper.BindPFlag(CtrlConfigAPIKeyEnabled, controlCmd.Flags().Lookup(CtrlFlagAPIKeyEnabled))
+
 	controlCmd.Flags().String(CtrlFlagAPIKey, "", "api key")
 	viper.BindPFlag(CtrlConfigAPIKey, controlCmd.Flags().Lookup(CtrlFlagAPIKey))
 
+	controlCmd.Flags().Bool(CtrlFlagXfccEnabled, true, "xfcc enabled")
+	viper.BindPFlag(CtrlConfigXfccEnabled, controlCmd.Flags().Lookup(CtrlFlagXfccEnabled))
+
+	controlCmd.Flags().String(CtrlFlagXfccHeaderName, "x-forwarded-client-cert", "xfcc header name")
+	viper.BindPFlag(CtrlConfigXfccHeaderName, controlCmd.Flags().Lookup(CtrlFlagXfccHeaderName))
+
+	controlCmd.Flags().String(CtrlFlagXfccMustContain, "", "xfcc must contain")
+	viper.BindPFlag(CtrlConfigXfccMustContain, controlCmd.Flags().Lookup(CtrlFlagXfccMustContain))
+
 }
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -12,6 +12,8 @@ services:
       AWS_SESSION_TOKEN: "${AWS_SESSION_TOKEN}"
       AWS_DEFAULT_REGION: "${AWS_DEFAULT_REGION}"
       AWS_SESSION_TOKEN_TTL: "${AWS_SESSION_TOKEN_TTL}"
+      API_KEY_ENABLED: true
+      XFCC_ENABLED: true
     ports:
       - 8080:8080
     tty: true

diff --git a/go.mod b/go.mod
@@ -16,7 +16,9 @@ require (
 	github.com/prometheus/client_golang v1.20.5
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
+	github.com/stretchr/testify v1.10.0
 	gorm.io/driver/postgres v1.5.11
+	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
 )
 
@@ -40,6 +42,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cloudwego/base64x v0.1.4 // indirect
 	github.com/cloudwego/iasm v0.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.7 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
@@ -61,11 +64,13 @@ require (
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-sqlite3 v1.14.22 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.61.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect