From 99f7df1e9b95e41f61e5a820d05da778510e3782 Mon Sep 17 00:00:00 2001 From: Tahmid Efaz Date: Fri, 26 Jul 2024 14:54:12 -0400 Subject: [PATCH 01/10] implementing blocklist to block uploads and new runs from orgids --- docker-compose.yml | 1 + internal/api/controllers/private/runsCreate.go | 4 ++++ .../api/controllers/private/runsCreateActions.go | 4 ++++ internal/api/controllers/private/runsCreateV2.go | 9 +++++++++ internal/common/config/config.go | 2 ++ internal/common/utils/errors.go | 8 ++++++++ internal/common/utils/misc.go | 14 ++++++++++++++ internal/validator/handler.go | 4 ++++ 8 files changed, 46 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index 93f2c792..0a138fa3 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,6 +22,7 @@ services: CLOWDER_ENABLED: "false" DB_HOST: "db" PSK_AUTH_TEST: "xwKhCUzgJ8" + BLOCKLIST_ORGIDS: "1337,7331" restart: unless-stopped zookeeper: diff --git a/internal/api/controllers/private/runsCreate.go b/internal/api/controllers/private/runsCreate.go index 02b83a70..009ad3f1 100644 --- a/internal/api/controllers/private/runsCreate.go +++ b/internal/api/controllers/private/runsCreate.go @@ -32,6 +32,10 @@ func (this *controllers) ApiInternalRunsCreate(ctx echo.Context) error { return handleRunCreateError(err) } + if utils.IsOrgIdBlocklisted(cfg, orgIdString) { + return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: orgIdString}) + } + hosts := parseRunHosts(runInputV1.Hosts) context = utils.WithOrgId(context, orgIdString) diff --git a/internal/api/controllers/private/runsCreateActions.go b/internal/api/controllers/private/runsCreateActions.go index 340e57e8..3e44242a 100644 --- a/internal/api/controllers/private/runsCreateActions.go +++ b/internal/api/controllers/private/runsCreateActions.go 
@@ -138,6 +138,10 @@ func handleRunCreateError(err error) *RunCreated { return runCreateError(http.StatusNotFound) } + if _, ok := err.(*utils.BlocklistedOrgIdError); ok { + return runCreateError(http.StatusBadRequest) + } + return runCreateError(http.StatusInternalServerError) } diff --git a/internal/api/controllers/private/runsCreateV2.go b/internal/api/controllers/private/runsCreateV2.go index 585dce67..648af9f5 100644 --- a/internal/api/controllers/private/runsCreateV2.go +++ b/internal/api/controllers/private/runsCreateV2.go @@ -4,12 +4,17 @@ import ( "net/http" "playbook-dispatcher/internal/api/instrumentation" "playbook-dispatcher/internal/api/middleware" + "playbook-dispatcher/internal/common/config" "playbook-dispatcher/internal/common/utils" "github.com/google/uuid" "github.com/labstack/echo/v4" ) +var ( + cfg = config.Get() +) + //go:generate fungen -types RunInputV2,*RunCreated -methods PMap -package private -filename utils.v2.gen.go func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error { var input RunInputV2List @@ -33,6 +38,10 @@ func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error { context := utils.WithOrgId(ctx.Request().Context(), string(runInputV2.OrgId)) context = utils.WithRequestType(context, getRequestTypeLabel(runInputV2)) + if utils.IsOrgIdBlocklisted(cfg, string(runInputV2.OrgId)) { + return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: string(runInputV2.OrgId)}) + } + recipient := parseValidatedUUID(string(runInputV2.Recipient)) hosts := parseRunHosts(runInputV2.Hosts) diff --git a/internal/common/config/config.go b/internal/common/config/config.go index f2745d55..06680fa7 100644 --- a/internal/common/config/config.go +++ b/internal/common/config/config.go @@ -103,6 +103,8 @@ func Get() *viper.Viper { options.SetDefault("db.sslmode", "disable") + options.SetDefault("blocklist.orgids", "") + if clowder.IsClowderEnabled() { cfg := clowder.LoadedConfig 
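Review bot: In `handleRunCreateError`, a blocklisted org is answered with `http.StatusBadRequest`, which makes a policy denial indistinguishable from malformed input for callers and for anyone counting status codes. `http.StatusForbidden` would describe it better, unless hiding the denial from the caller is intended, in which case a comment should say so. The check also uses the exact type assertion `err.(*utils.BlocklistedOrgIdError)`, so a wrapped error would fall through to the 500 at the end; `var blocked *utils.BlocklistedOrgIdError` followed by `if errors.As(err, &blocked) {` avoids that, provided `errors` is imported in this file. The function begins outside the hunk, so the earlier branches may use the same assertion style.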
diff --git a/internal/common/utils/errors.go b/internal/common/utils/errors.go index 5de54fff..5f2afe68 100644 --- a/internal/common/utils/errors.go +++ b/internal/common/utils/errors.go @@ -5,6 +5,14 @@ import ( "net/http" ) +type BlocklistedOrgIdError struct { + OrgID string +} + func UnexpectedResponse(res *http.Response) error { return fmt.Errorf(`unexpected status code "%d" or content type "%s"`, res.StatusCode, res.Header.Get("content-type")) } + +func (this *BlocklistedOrgIdError) Error() string { + return fmt.Sprintf("This org_id (%s) is blocklisted.", this.OrgID) +} diff --git a/internal/common/utils/misc.go b/internal/common/utils/misc.go index e121ba66..5837f2b3 100644 --- a/internal/common/utils/misc.go +++ b/internal/common/utils/misc.go @@ -109,3 +109,17 @@ func LoadSchemas(cfg *viper.Viper, schemaNames []string) (schemas []*jsonschema. } return } + +func IsOrgIdBlocklisted(cfg *viper.Viper, orgId string) bool { + blocklistedOrgIds := strings.Split(cfg.GetString("blocklist.orgids"), ",") + + if len(blocklistedOrgIds) > 0 { + for _, blockedOrgId := range blocklistedOrgIds { + if blockedOrgId == orgId { + return true + } + } + } + + return false +} diff --git a/internal/validator/handler.go b/internal/validator/handler.go index 5690633e..b6fe9435 100644 --- a/internal/validator/handler.go +++ b/internal/validator/handler.go @@ -156,6 +156,10 @@ func (this *handler) validateRequest(request *messageModel.IngressValidationRequ return fmt.Errorf("Rejecting payload due to file size: %d", request.Size) } + if utils.IsOrgIdBlocklisted(cfg, request.OrgID) { + return fmt.Errorf("Rejecting payload because the org_id is blocklisted: %s", request.OrgID) + } + return } From 25a0a3a4a9dcb3684bcda05b78f7dfb9107fa85b Mon Sep 17 00:00:00 2001 
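Review bot: `IsOrgIdBlocklisted` in `internal/common/utils/misc.go` compares the raw pieces returned by `strings.Split`, so with the default empty setting the slice is `[""]` and a request whose org ID is empty is reported as blocklisted, while a list written as `1337, 7331` never matches `7331`. Inside the loop, `blockedOrgId = strings.TrimSpace(blockedOrgId)` followed by `if blockedOrgId != "" && blockedOrgId == orgId {` covers both cases. `strings.Split` with a non-empty separator never returns an empty slice, so the `len(blocklistedOrgIds) > 0` guard is always true. The same comparison is carried into the later `misc.go` hunks of PATCH 07/10 and PATCH 08/10. The match is an exact string compare (the PATCH 02/10 table treats `01234` as not blocked when `1234` is listed), so it is worth confirming that callers always send org IDs in one canonical form.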
From: Tahmid Efaz Date: Fri, 26 Jul 2024 16:04:06 -0400 Subject: [PATCH 02/10] adding tests --- Makefile | 3 ++ docker-compose.yml | 2 +- .../controllers/private/private_suite_test.go | 30 +++++++++++++++++++ internal/common/utils/misc.go | 1 - internal/validator/handler_test.go | 14 +++++++++ 5 files changed, 48 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index f30afd6a..6bda5187 100644 --- a/Makefile +++ b/Makefile @@ -113,6 +113,9 @@ sample_upload.xz: sample_rhc_sat_upload: curl -v -F "file=@examples/rhcsat-success.jsonl;type=application/vnd.redhat.playbook-sat.v3+jsonl" -H "x-rh-identity: eyJpZGVudGl0eSI6IHsiYWNjb3VudF9udW1iZXIiOiAiMDAwMDAwMSIsICJ0eXBlIjogIlN5c3RlbSIsICJpbnRlcm5hbCI6IHsib3JnX2lkIjogIjAwMDAwMSJ9fX0=" -H "x-rh-request_id: 380b4a04-7eae-4dff-a0b8-6e1af9186df0" http://localhost:8080/api/ingress/v1/upload +sample_blocked_upload: + curl -v -F "file=@examples/events-success.jsonl;type=application/vnd.redhat.playbook.v1+jsonl" -H "x-rh-identity: eyJpZGVudGl0eSI6IHsiYWNjb3VudF9udW1iZXIiOiAiMDAwMDAwMSIsICJ0eXBlIjogIlN5c3RlbSIsICJpbnRlcm5hbCI6IHsib3JnX2lkIjogIjEzMzcifX19" -H "x-rh-request_id: 380b4a04-7eae-4dff-a0b8-6e1af9186df0" http://localhost:8080/api/ingress/v1/upload + sample: sample_request sample_upload connector_create: diff --git a/docker-compose.yml b/docker-compose.yml index 0a138fa3..f582d039 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -78,7 +78,7 @@ services: - '8080:3000' environment: - INGRESS_STAGEBUCKET=insights-upload-perma - - INGRESS_VALIDTOPICS=playbook,playbook-sat + - INGRESS_VALID_UPLOAD_TYPES=playbook,playbook-sat - OPENSHIFT_BUILD_COMMIT=somestring - INGRESS_MAXSIZE=104857600 - INGRESS_MINIODEV=true diff --git a/internal/api/controllers/private/private_suite_test.go b/internal/api/controllers/private/private_suite_test.go index 0ee3520b..3f691d12 100644 --- a/internal/api/controllers/private/private_suite_test.go +++ b/internal/api/controllers/private/private_suite_test.go 
@@ -7,6 +7,8 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" + + "playbook-dispatcher/internal/common/utils" ) func TestConfig(t *testing.T) { @@ -55,3 +57,31 @@ var _ = Describe("Validation", func() { ), ) }) + +var _ = Describe("Blocklisted OrgIDs", func() { + DescribeTable("validateFields", + func(orgID string, result bool) { + cfg.Set("blocklist.orgids", "1337,1234") + + isBlocked := utils.IsOrgIdBlocklisted(cfg, orgID) + + Expect(isBlocked).To(Equal(result)) + }, + + Entry( + "unblocked orgid", + "01234", + false, + ), + Entry( + "blocked org_id - 1", + "1337", + true, + ), + Entry( + "blocked org_id - 2", + "1234", + true, + ), + ) +}) diff --git a/internal/common/utils/misc.go b/internal/common/utils/misc.go index 5837f2b3..7b6e9e35 100644 --- a/internal/common/utils/misc.go +++ b/internal/common/utils/misc.go @@ -112,7 +112,6 @@ func LoadSchemas(cfg *viper.Viper, schemaNames []string) (schemas []*jsonschema. func IsOrgIdBlocklisted(cfg *viper.Viper, orgId string) bool { blocklistedOrgIds := strings.Split(cfg.GetString("blocklist.orgids"), ",") - if len(blocklistedOrgIds) > 0 { for _, blockedOrgId := range blocklistedOrgIds { if blockedOrgId == orgId { diff --git a/internal/validator/handler_test.go b/internal/validator/handler_test.go index 46a0f6fe..883cb51f 100644 --- a/internal/validator/handler_test.go +++ b/internal/validator/handler_test.go @@ -56,6 +56,20 @@ var _ = Describe("Handler", func() { }) }) + Describe("Blocklisted OrgIDs", func() { + It("Rejects archives if org_id is blocklisted", func() { + cfg.Set("blocklist.orgids", "1337") + + req := &messageModel.IngressValidationRequest{ + OrgID: "1337", + Size: 1024, + } + + err := instance.validateRequest(req) + Expect(err).To(HaveOccurred()) + }) + }) + Describe("Validation", func() { DescribeTable("Rejects invalid files", From 17628f57e4f01a1d2df302db640e769fde55e520 Mon Sep 17 00:00:00 2001 
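Review bot: The new `DescribeTable` for `IsOrgIdBlocklisted` covers only two exact matches and one non-match, and its title `validateFields` does not describe what is being tested. The cases a blocklist usually gets wrong are missing: an empty org ID against an empty `blocklist.orgids` value, and a list written with spaces after the commas. Covering them needs the config value as a table parameter, e.g. `func(blocklist string, orgID string, result bool)` with `cfg.Set("blocklist.orgids", blocklist)`. Naming the table after the function under test would also make failures easier to read.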
From: Derek Horton Date: Wed, 18 Sep 2024 16:13:23 -0500 Subject: [PATCH 03/10] Use the config object that is a member of the controller struct --- internal/api/controllers/private/runsCreate.go | 2 +- internal/api/controllers/private/runsCreateV2.go | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/internal/api/controllers/private/runsCreate.go b/internal/api/controllers/private/runsCreate.go index 009ad3f1..dbdc853c 100644 --- a/internal/api/controllers/private/runsCreate.go +++ b/internal/api/controllers/private/runsCreate.go @@ -32,7 +32,7 @@ func (this *controllers) ApiInternalRunsCreate(ctx echo.Context) error { return handleRunCreateError(err) } - if utils.IsOrgIdBlocklisted(cfg, orgIdString) { + if utils.IsOrgIdBlocklisted(this.config, orgIdString) { return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: orgIdString}) } diff --git a/internal/api/controllers/private/runsCreateV2.go b/internal/api/controllers/private/runsCreateV2.go index 648af9f5..9bea5e6a 100644 --- a/internal/api/controllers/private/runsCreateV2.go +++ b/internal/api/controllers/private/runsCreateV2.go @@ -4,17 +4,12 @@ import ( "net/http" "playbook-dispatcher/internal/api/instrumentation" "playbook-dispatcher/internal/api/middleware" - "playbook-dispatcher/internal/common/config" "playbook-dispatcher/internal/common/utils" "github.com/google/uuid" "github.com/labstack/echo/v4" ) -var ( - cfg = config.Get() -) - //go:generate fungen -types RunInputV2,*RunCreated -methods PMap -package private -filename utils.v2.gen.go func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error { var input RunInputV2List 
@@ -38,7 +33,7 @@ func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error { context := utils.WithOrgId(ctx.Request().Context(), string(runInputV2.OrgId)) context = utils.WithRequestType(context, getRequestTypeLabel(runInputV2)) - if utils.IsOrgIdBlocklisted(cfg, string(runInputV2.OrgId)) { + if utils.IsOrgIdBlocklisted(this.config, string(runInputV2.OrgId)) { return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: string(runInputV2.OrgId)}) } From 048aedb8d8cea8740f2bb1a67e510a21c0023549 Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Wed, 18 Sep 2024 16:39:25 -0500 Subject: [PATCH 04/10] Renaming config option --- internal/api/controllers/private/private_suite_test.go | 2 +- internal/common/config/config.go | 2 +- internal/common/utils/misc.go | 2 +- internal/validator/handler_test.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/api/controllers/private/private_suite_test.go b/internal/api/controllers/private/private_suite_test.go index 3f691d12..2431862f 100644 --- a/internal/api/controllers/private/private_suite_test.go +++ b/internal/api/controllers/private/private_suite_test.go @@ -61,7 +61,7 @@ var _ = Describe("Validation", func() { var _ = Describe("Blocklisted OrgIDs", func() { DescribeTable("validateFields", func(orgID string, result bool) { - cfg.Set("blocklist.orgids", "1337,1234") + cfg.Set("blocklist.org.ids", "1337,1234") isBlocked := utils.IsOrgIdBlocklisted(cfg, orgID) diff --git a/internal/common/config/config.go b/internal/common/config/config.go index 06680fa7..960a8532 100644 --- a/internal/common/config/config.go +++ b/internal/common/config/config.go @@ -103,7 +103,7 @@ func Get() *viper.Viper { options.SetDefault("db.sslmode", "disable") - options.SetDefault("blocklist.orgids", "") + options.SetDefault("blocklist.org.ids", "") if clowder.IsClowderEnabled() { diff --git a/internal/common/utils/misc.go b/internal/common/utils/misc.go index 7b6e9e35..e0395123 100644 
--- a/internal/common/utils/misc.go +++ b/internal/common/utils/misc.go @@ -111,7 +111,7 @@ func LoadSchemas(cfg *viper.Viper, schemaNames []string) (schemas []*jsonschema. } func IsOrgIdBlocklisted(cfg *viper.Viper, orgId string) bool { - blocklistedOrgIds := strings.Split(cfg.GetString("blocklist.orgids"), ",") + blocklistedOrgIds := cfg.GetStringSlice("blocklist.org.ids") if len(blocklistedOrgIds) > 0 { for _, blockedOrgId := range blocklistedOrgIds { if blockedOrgId == orgId { diff --git a/internal/validator/handler_test.go b/internal/validator/handler_test.go index 883cb51f..6a13bbe0 100644 --- a/internal/validator/handler_test.go +++ b/internal/validator/handler_test.go @@ -58,7 +58,7 @@ var _ = Describe("Handler", func() { Describe("Blocklisted OrgIDs", func() { It("Rejects archives if org_id is blocklisted", func() { - cfg.Set("blocklist.orgids", "1337") + cfg.Set("blocklist.org.ids", "1337") req := &messageModel.IngressValidationRequest{ OrgID: "1337", From 9577f10dcbf85b6c1a9b53f58e0ed00fe294aa68 Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Wed, 18 Sep 2024 16:52:20 -0500 Subject: [PATCH 05/10] Log the blocked request, do not trigger an error --- internal/validator/handler.go | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/internal/validator/handler.go b/internal/validator/handler.go index b6fe9435..8498defb 100644 --- a/internal/validator/handler.go +++ b/internal/validator/handler.go 
@@ -69,12 +69,18 @@ func (this *handler) onMessage(ctx context.Context, msg *kafka.Message) { ctx = utils.SetLog(ctx, utils.GetLogFromContext(ctx).With("url", request.URL)) utils.GetLogFromContext(ctx).Debugw("Processing request", "account", request.Account, + "org_id", request.OrgID, "topic", *msg.TopicPartition.Topic, "partition", msg.TopicPartition.Partition, "offset", msg.TopicPartition.Offset.String(), "size", request.Size, ) + if utils.IsOrgIdBlocklisted(cfg, request.OrgID) { + utils.GetLogFromContext(ctx).Debugw("Rejecting payload because the org_id is blocklisted") + return + } + if err := this.validateRequest(&request); err != nil { this.validationFailed(ctx, err, requestType, &request) return @@ -156,10 +162,6 @@ func (this *handler) validateRequest(request *messageModel.IngressValidationRequ return fmt.Errorf("Rejecting payload due to file size: %d", request.Size) } - if utils.IsOrgIdBlocklisted(cfg, request.OrgID) { - return fmt.Errorf("Rejecting payload because the org_id is blocklisted: %s", request.OrgID) - } - return } From 50c52ab5519b3a45ace8a2e270c2b4d2ed2974b1 Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Thu, 19 Sep 2024 17:15:21 -0500 Subject: [PATCH 06/10] Create a new instance of the config object --- internal/api/controllers/private/private_suite_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/internal/api/controllers/private/private_suite_test.go b/internal/api/controllers/private/private_suite_test.go index 2431862f..217aae67 100644 --- a/internal/api/controllers/private/private_suite_test.go +++ b/internal/api/controllers/private/private_suite_test.go @@ -8,6 +8,7 @@ import ( . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" + "playbook-dispatcher/internal/common/config" "playbook-dispatcher/internal/common/utils" ) 
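Review bot: The blocklist branch added to `onMessage` records the denial only through `Debugw` with no fields, so at any production log level above debug a dropped upload leaves no trace, and the `org_id` added to the preceding "Processing request" entry is lost with it. I would log at info level with the identifier, e.g. `utils.GetLogFromContext(ctx).Infow("Rejecting payload because the org_id is blocklisted", "org_id", request.OrgID)`, assuming the logger exposes `Infow` alongside `Debugw`. The early `return` also skips `validationFailed`, so no validation result is sent for the payload; whether the upload service tolerates a missing reply is not visible here and should be confirmed. The `Debugw` lines added to `runsCreate.go` and `runsCreateV2.go` in PATCH 10/10 have the same gap. `onMessage` starts and continues outside the hunk.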
@@ -61,6 +62,8 @@ var _ = Describe("Validation", func() { var _ = Describe("Blocklisted OrgIDs", func() { DescribeTable("validateFields", func(orgID string, result bool) { + cfg := config.Get() + cfg.Set("blocklist.org.ids", "1337,1234") isBlocked := utils.IsOrgIdBlocklisted(cfg, orgID) From 2b3036bec4edeb8b00d2c64c5f83b655afd8b52d Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Mon, 23 Sep 2024 13:37:30 -0500 Subject: [PATCH 07/10] viper.GetStringSlice() doesn't work like i expected it to --- internal/common/utils/misc.go | 2 +- internal/validator/handler_test.go | 32 ++++++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/internal/common/utils/misc.go b/internal/common/utils/misc.go index e0395123..50634949 100644 --- a/internal/common/utils/misc.go +++ b/internal/common/utils/misc.go @@ -111,7 +111,7 @@ func LoadSchemas(cfg *viper.Viper, schemaNames []string) (schemas []*jsonschema. } func IsOrgIdBlocklisted(cfg *viper.Viper, orgId string) bool { - blocklistedOrgIds := cfg.GetStringSlice("blocklist.org.ids") + blocklistedOrgIds := strings.Split(cfg.GetString("blocklist.org.ids"), ",") if len(blocklistedOrgIds) > 0 { for _, blockedOrgId := range blocklistedOrgIds { if blockedOrgId == orgId { diff --git a/internal/validator/handler_test.go b/internal/validator/handler_test.go index 6a13bbe0..614e3b91 100644 --- a/internal/validator/handler_test.go +++ b/internal/validator/handler_test.go @@ -3,10 +3,15 @@ package validator import ( "bytes" "encoding/base64" + "encoding/json" "io/ioutil" + "playbook-dispatcher/internal/common/constants" + kafkaUtils "playbook-dispatcher/internal/common/kafka" messageModel "playbook-dispatcher/internal/common/model/message" "playbook-dispatcher/internal/common/utils/test" + k "github.com/confluentinc/confluent-kafka-go/kafka" + "github.com/ghodss/yaml" . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" 
@@ -61,12 +66,14 @@ var _ = Describe("Handler", func() { cfg.Set("blocklist.org.ids", "1337") req := &messageModel.IngressValidationRequest{ - OrgID: "1337", - Size: 1024, + OrgID: "1337", + Size: 1024, + RequestID: "1234-56789", } - err := instance.validateRequest(req) - Expect(err).To(HaveOccurred()) + kafkaMessage := newKafkaMessage(req, playbookPayloadHeaderValue) + + instance.onMessage(test.TestContext(), kafkaMessage) }) }) @@ -199,3 +206,20 @@ fdqPl7IwpOzJmfqrZ1duqTJ62NbTeDDPjOvQ6F70PsJi4KXiLSqngthpIkJLtF3l // TODO: test parsing (timestamps, etc.) }) + +func newKafkaMessage(value interface{}, requestType string) *k.Message { + marshalled, err := json.Marshal(value) + Expect(err).ToNot(HaveOccurred()) + + topic := "platform.upload.announce" + + return &k.Message{ + Value: marshalled, + Headers: kafkaUtils.Headers(constants.HeaderRequestId, "test", constants.HeaderRequestType, requestType), + TopicPartition: k.TopicPartition{ + Topic: &topic, + Partition: 0, + Offset: k.Offset(0), + }, + } +} From 5bbf89f4d9e6ee1616df41e555f2cb773cfa8550 Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Mon, 23 Sep 2024 13:39:10 -0500 Subject: [PATCH 08/10] The range call should do what we need --- internal/common/utils/misc.go | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/internal/common/utils/misc.go b/internal/common/utils/misc.go index 50634949..1bf96ff8 100644 --- a/internal/common/utils/misc.go +++ b/internal/common/utils/misc.go @@ -112,11 +112,9 @@ func LoadSchemas(cfg *viper.Viper, schemaNames []string) (schemas []*jsonschema. func IsOrgIdBlocklisted(cfg *viper.Viper, orgId string) bool { blocklistedOrgIds := strings.Split(cfg.GetString("blocklist.org.ids"), ",") - if len(blocklistedOrgIds) > 0 { - for _, blockedOrgId := range blocklistedOrgIds { - if blockedOrgId == orgId { - return true - } + for _, blockedOrgId := range blocklistedOrgIds { + if blockedOrgId == orgId { + return true } } 
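Review bot: The rewritten spec "Rejects archives if org_id is blocklisted" calls `instance.onMessage(...)` and asserts nothing, so it still passes if the blocklist check is removed from the handler. It should check an observable outcome of the early return, for example that the handler produced no validation response for this message, using whatever producer double `instance` is built with (not visible in this hunk). `cfg.Set("blocklist.org.ids", "1337")` is also never undone, so if `cfg` is shared across the suite the setting stays in effect for later specs. Resetting it to `""` at the end of the spec or in an `AfterEach` keeps them independent.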
From 35fa754d73790175e709b53b3d71ca4bb71368c2 Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Tue, 24 Sep 2024 10:24:52 -0500 Subject: [PATCH 09/10] Allow the blocklist to be configurable --- deploy/clowdapp.yaml | 8 ++++++++ docker-compose.yml | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/deploy/clowdapp.yaml b/deploy/clowdapp.yaml index e83b155b..cdfcf52f 100644 --- a/deploy/clowdapp.yaml +++ b/deploy/clowdapp.yaml @@ -175,6 +175,9 @@ objects: - name: SOURCES_PORT value: ${SOURCES_CONNECTOR_PORT} + - name: BLOCKLIST_ORG_IDS + value: ${BLOCKLIST_ORG_IDS} + resources: limits: cpu: ${CPU_LIMIT} @@ -266,6 +269,8 @@ objects: value: ${STORAGE_MAX_CONCURRENCY} - name: ARTIFACT_MAX_SIZE value: ${ARTIFACT_MAX_SIZE} + - name: BLOCKLIST_ORG_IDS + value: ${BLOCKLIST_ORG_IDS} resources: limits: cpu: ${CPU_LIMIT} @@ -378,6 +383,9 @@ parameters: - name: SOURCES_CONNECTOR_PORT value: '8080' +- name: BLOCKLIST_ORG_IDS + value: "" + # Used for testing in ephemeral environments only. - name: PSK_AUTH_TEST value: "" # If a value is not provided the principal is ignored. diff --git a/docker-compose.yml b/docker-compose.yml index f582d039..ce378da4 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -22,7 +22,7 @@ services: CLOWDER_ENABLED: "false" DB_HOST: "db" PSK_AUTH_TEST: "xwKhCUzgJ8" - BLOCKLIST_ORGIDS: "1337,7331" + BLOCKLIST_ORG_IDS: "1337,7331" restart: unless-stopped zookeeper: From d14f5dfa433648e7d53817cdb87d82efd1939365 Mon Sep 17 00:00:00 2001 From: Derek Horton Date: Tue, 24 Sep 2024 16:03:19 -0500 Subject: [PATCH 10/10] Added a debug log message when request is denied --- internal/api/controllers/private/runsCreate.go | 1 + internal/api/controllers/private/runsCreateV2.go | 1 + 2 files changed, 2 insertions(+) diff --git a/internal/api/controllers/private/runsCreate.go b/internal/api/controllers/private/runsCreate.go index dbdc853c..fc4352f2 100644 --- a/internal/api/controllers/private/runsCreate.go 
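Review bot: The new `BLOCKLIST_ORG_IDS` template parameter in `deploy/clowdapp.yaml` has no comment describing its format, unlike `PSK_AUTH_TEST` directly below it. The value is split on commas and compared exactly by `IsOrgIdBlocklisted`, so a padded entry silently fails to block. I would add `# Comma-separated list of org IDs whose runs and uploads are rejected; no spaces around the commas.` above the parameter so operators do not have to read the Go code to get the format right.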
+++ b/internal/api/controllers/private/runsCreate.go @@ -33,6 +33,7 @@ func (this *controllers) ApiInternalRunsCreate(ctx echo.Context) error { } if utils.IsOrgIdBlocklisted(this.config, orgIdString) { + utils.GetLogFromEcho(ctx).Debugw("Rejecting request because the org_id is blocklisted") return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: orgIdString}) } diff --git a/internal/api/controllers/private/runsCreateV2.go b/internal/api/controllers/private/runsCreateV2.go index 9bea5e6a..40a7f284 100644 --- a/internal/api/controllers/private/runsCreateV2.go +++ b/internal/api/controllers/private/runsCreateV2.go @@ -34,6 +34,7 @@ func (this *controllers) ApiInternalV2RunsCreate(ctx echo.Context) error { context = utils.WithRequestType(context, getRequestTypeLabel(runInputV2)) if utils.IsOrgIdBlocklisted(this.config, string(runInputV2.OrgId)) { + utils.GetLogFromEcho(ctx).Debugw("Rejecting request because the org_id is blocklisted") return handleRunCreateError(&utils.BlocklistedOrgIdError{OrgID: string(runInputV2.OrgId)}) }