Merge pull request #1246 from SUSE/suma-access-micro

Check for SLE Micro and SUMa headers to grant access
SUSE · Nov 27, 2024 · 5b0a2d5 · 5b0a2d5
2 parents 27dfa84 + d18c03c
commit 5b0a2d5
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/.../strict_authentication/app/controllers/strict_authentication/authentication_controller.rb b/.../strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
@@ -7,27 +7,28 @@ class AuthenticationController < ::ApplicationController
     # This is the endpoint for nginx subrequest auth check
     def check
       request_uri = request.headers['X-Original-URI']
-      auth_result = path_allowed?(request.headers['X-Original-URI'])
+      auth_result = path_allowed?(request.headers)
       logger.info "Authentication subrequest for #{request_uri} -- #{auth_result ? 'allowed' : 'denied'}"
       head auth_result ? :ok : :forbidden
     end
 
     protected
 
-    def path_allowed?(path)
+    def path_allowed?(headers)
+      path = headers['X-Original-URI']
       return false if path.blank?
+
       return true if path =~ %r{/product\.license/}
 
       path = '/' + path.gsub(/^#{RMT::DEFAULT_MIRROR_URL_PREFIX}/, '')
-
       # Allow access to SLES 12 and 12-SP1 repos for systems migrating from SLES 11
       has_sles11 = @system.products.where(identifier: 'SUSE_SLES').first
       return true if (has_sles11 && (path =~ %r{/12/} || path =~ %r{/12-SP1/}))
 
-      all_allowed_paths.find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
+      all_allowed_paths(headers).find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
     end
 
-    def all_allowed_paths
+    def all_allowed_paths(headers)
       # return all versions of the same product and arch
       # (that the system has available with that subscription)
       # in order to validate access not only for current product but others
@@ -39,7 +40,14 @@ def all_allowed_paths
       # for the SUMa PAYG offers, RMT access verification code allows access
       # to the SUMa Client Tools channels and SUMa Proxy channels
       # when product is SUMA_Server and PAYG or SUMA_Server and used as SCC proxy
-      manager_prod = @system.products.any? { |p| p.identifier.downcase.include?('manager-server') }
+      manager_prod = @system.products.any? do |p|
+        manager = p.identifier.downcase.include?('manager-server')
+        # SUMA 5.0 must have access to SUMA 4.3, 4.2 and so on
+        micro = p.identifier.downcase.include?('sle-micro')
+        instance_id_header = headers.fetch('X-Instance-Identifier', '').casecmp('suse-manager-server').zero?
+        instance_version_header = headers.fetch('X-Instance-Version', '0').split('.')[0] >= '5'
+        manager || (micro && instance_id_header && instance_version_header)
+      end
 
       if manager_prod
         # add all SUMA products paths