implementing blocklist to block uploads and new runs from orgids

docker-compose.yml

@@ -22,6 +22,7 @@ services:
       CLOWDER_ENABLED: "false"
       DB_HOST: "db"
       PSK_AUTH_TEST: "xwKhCUzgJ8"
+      BLOCKLIST_ORGIDS: "1337,7331"
     restart: unless-stopped
 
   zookeeper:

internal/api/controllers/private/runsCreate.go

@@ -32,6 +32,10 @@ func (this *controllers) ApiInternalRunsCreate(ctx echo.Context) error {
 			return handleRunCreateError(err)
 		}
 
+		if utils.IsOrgIdBlocklisted(cfg, orgIdString) {
+			return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: orgIdString})
+		}
+
 		hosts := parseRunHosts(runInputV1.Hosts)
 
 		context = utils.WithOrgId(context, orgIdString)

internal/api/controllers/private/runsCreateActions.go

@@ -138,6 +138,10 @@ func handleRunCreateError(err error) *RunCreated {
 		return runCreateError(http.StatusNotFound)
 	}
 
+	if _, ok := err.(*utils.BlocklistedOrgIdError); ok {
+		return runCreateError(http.StatusBadRequest)
+	}
+
 	return runCreateError(http.StatusInternalServerError)
 }
 

internal/api/controllers/private/runsCreateV2.go

@@ -4,12 +4,17 @@ import (
 	"net/http"
 	"playbook-dispatcher/internal/api/instrumentation"
 	"playbook-dispatcher/internal/api/middleware"
+	"playbook-dispatcher/internal/common/config"
 	"playbook-dispatcher/internal/common/utils"
 
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 )
 
+var (
+	cfg = config.Get()
+)
+
 //go:generate fungen -types RunInputV2,*RunCreated -methods PMap -package private -filename utils.v2.gen.go
 func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error {
 	var input RunInputV2List
@@ -33,6 +38,10 @@ func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error {
 		context := utils.WithOrgId(ctx.Request().Context(), string(runInputV2.OrgId))
 		context = utils.WithRequestType(context, getRequestTypeLabel(runInputV2))
 
+		if utils.IsOrgIdBlocklisted(cfg, string(runInputV2.OrgId)) {
+			return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: string(runInputV2.OrgId)})
+		}
+
 		recipient := parseValidatedUUID(string(runInputV2.Recipient))
 
 		hosts := parseRunHosts(runInputV2.Hosts)

internal/common/config/config.go

@@ -103,6 +103,8 @@ func Get() *viper.Viper {
 
 	options.SetDefault("db.sslmode", "disable")
 
+	options.SetDefault("blocklist.orgids", "")
+
 	if clowder.IsClowderEnabled() {
 
 		cfg := clowder.LoadedConfig

internal/common/utils/errors.go

@@ -5,6 +5,14 @@ import (
 	"net/http"
 )
 
+type BlocklistedOrgIdError struct {
+	OrgID string
+}
+
 func UnexpectedResponse(res *http.Response) error {
 	return fmt.Errorf(`unexpected status code "%d" or content type "%s"`, res.StatusCode, res.Header.Get("content-type"))
 }
+
+func (this *BlocklistedOrgIdError) Error() string {
+	return fmt.Sprintf("This org_id (%s) is blocklisted.", this.OrgID)
+}

internal/common/utils/misc.go

@@ -109,3 +109,17 @@ func LoadSchemas(cfg *viper.Viper, schemaNames []string) (schemas []*jsonschema.
 	}
 	return
 }
+
+func IsOrgIdBlocklisted(cfg *viper.Viper, orgId string) bool {
+	blocklistedOrgIds := strings.Split(cfg.GetString("blocklist.orgids"), ",")
+
+	if len(blocklistedOrgIds) > 0 {
+		for _, blockedOrgId := range blocklistedOrgIds {
+			if blockedOrgId == orgId {
+				return true
+			}
+		}
+	}
+
+	return false
+}

internal/validator/handler.go

@@ -156,6 +156,10 @@ func (this *handler) validateRequest(request *messageModel.IngressValidationRequ
 		return fmt.Errorf("Rejecting payload due to file size: %d", request.Size)
 	}
 
+	if utils.IsOrgIdBlocklisted(cfg, request.OrgID) {
+		return fmt.Errorf("Rejecting payload because the org_id is blocklisted: %s", request.OrgID)
+	}
+
 	return
 }