From 4064c1e8e8a6efed18e862913534cab81783d98b Mon Sep 17 00:00:00 2001 From: Jesus Bermudez Velazquez Date: Fri, 8 Nov 2024 15:30:41 +0000 Subject: [PATCH 1/2] Check for SLE Micro and SUMa headers to grant access SUMA 5.0 is based on SLE Micro, to access older SUMA versions we are using new headers present in the request to grant access to SUMA 4.X repositories
--- .../authentication_controller.rb | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb b/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
index 311c38fc0..ec671999b 100644
--- a/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
+++ b/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
@@ -7,27 +7,28 @@ class AuthenticationController < ::ApplicationController
 # This is the endpoint for nginx subrequest auth check
 def check
 request_uri = request.headers['X-Original-URI']
- auth_result = path_allowed?(request.headers['X-Original-URI'])
+ auth_result = path_allowed?(request.headers)
 logger.info "Authentication subrequest for #{request_uri} -- #{auth_result ? 'allowed' : 'denied'}"
 head auth_result ? :ok : :forbidden
 end
 protected
- def path_allowed?(path)
+ def path_allowed?(headers)
+ path = headers['X-Original-URI']
 return false if path.blank?
+ return true if path =~ %r{/product\.license/}
 path = '/' + path.gsub(/^#{RMT::DEFAULT_MIRROR_URL_PREFIX}/, '')
- # Allow access to SLES 12 and 12-SP1 repos for systems migrating from SLES 11
 has_sles11 = @system.products.where(identifier: 'SUSE_SLES').first
 return true if (has_sles11 && (path =~ %r{/12/} || path =~ %r{/12-SP1/}))
- all_allowed_paths.find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
+ all_allowed_paths(headers).find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
 end
- def all_allowed_paths
+ def all_allowed_paths(headers)
 # return all versions of the same product and arch
 # (that the system has available with that subscription)
 # in order to validate access not only for current product but others
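Review bot: The new `return true if path =~ %r{/product\.license/}` in path_allowed? short-circuits every later check for any authenticated system as soon as that substring appears anywhere in the raw X-Original-URI, before the mirror prefix is stripped and with no anchor at either end. If nginx fills X-Original-URI from `$request_uri` (the nginx side is not in this diff), a request like `/repo/product.license/../SUSE/Products/...` keeps the substring while nginx serves the normalized path, so the allowlist is evaluated against a different file than the one delivered. Anchoring the match to the end of the path and refusing dot segments closes that gap cheaply: `return true if path.match?(%r{/product\.license/[^/]*\z}) && !path.include?('..')`. A short comment above the line stating why license files are world-readable for registered systems would also help the next reader, since the rest of the method is about per-product entitlement.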
@@ -39,7 +40,14 @@ def all_allowed_paths
 # for the SUMa PAYG offers, RMT access verification code allows access
 # to the SUMa Client Tools channels and SUMa Proxy channels
 # when product is SUMA_Server and PAYG or SUMA_Server and used as SCC proxy
- manager_prod = @system.products.any? { |p| p.identifier.downcase.include?('manager-server') }
+ manager_prod = @system.products.any? do |p|
+ manager = p.identifier.downcase.include?('manager-server')
+ # SUMA 5.0 must have access to SUMA 4.3, 4.2 and so on
+ micro = p.identifier.downcase.include?('sle-micro')
+ instance_id_header = headers.fetch('X-Instance-Identifier', '').casecmp('suse-manager-server').zero?
+ instance_version_header = headers.fetch('X-Instance-Version', '') == '5.0'
+ manager || (micro && instance_id_header && instance_version_header)
+ end
 if manager_prod
 # add all SUMA products paths
From 3e03f2261af9e9d60bc884877229fc6404a2530b Mon Sep 17 00:00:00 2001 From: Jesus Bermudez Velazquez Date: Tue, 26 Nov 2024 17:07:18 +0000 Subject: [PATCH 2/2] Allowing future SUMA versions in the check
--- .../strict_authentication/authentication_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb b/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
index ec671999b..a0109ad34 100644
--- a/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
+++ b/engines/strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
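Review bot: The SUMA grant for sle-micro systems now hinges on `X-Instance-Identifier` and `X-Instance-Version`, which are ordinary request headers under the client's control unless the nginx front end strips or overwrites them (nothing in this diff shows that it does); any registered system holding an SLE Micro product can send `X-Instance-Identifier: suse-manager-server` and `X-Instance-Version: 5.0` and receive the SUMA Client Tools and Proxy channel paths that `manager_prod` unlocks. An access decision like this should rest on server-side state — the system's own products and subscription, or an attribute recorded at registration — with the headers at most a hint that is cross-checked, never the grant itself. If the headers have to be accepted for now, state the trust assumption above the block, e.g. `# NOTE: X-Instance-* headers are client-supplied; the proxy in front of RMT must set or strip them`, and add a request spec asserting that a sle-micro system without a SUMA entitlement is still denied. Separately, the `any?` block now mixes a per-product predicate with a per-request header check; hoisting the two header lookups out of the block (they do not depend on `p`) or into a private `suma_headers_present?(headers)` helper would keep it readable. all_allowed_paths continues outside the hunk.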
@@ -45,7 +45,7 @@ def all_allowed_paths(headers)
 # SUMA 5.0 must have access to SUMA 4.3, 4.2 and so on
 micro = p.identifier.downcase.include?('sle-micro')
 instance_id_header = headers.fetch('X-Instance-Identifier', '').casecmp('suse-manager-server').zero?
- instance_version_header = headers.fetch('X-Instance-Version', '') == '5.0'
+ instance_version_header = headers.fetch('X-Instance-Version', '0').split('.')[0] >= '5'
 manager || (micro && instance_id_header && instance_version_header)
 end
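Review bot: The version test `headers.fetch('X-Instance-Version', '0').split('.')[0] >= '5'` is a String comparison, so `'10' >= '5'` is false (a future SUMA 10 would be denied) while `'abc' >= '5'` is true, and an empty header value makes `split('.')[0]` return nil so `nil >= '5'` raises NoMethodError and the auth subrequest fails with a 500 instead of a 403. Parse the major version numerically and treat anything unparsable as no version: `major = headers.fetch('X-Instance-Version', '')[/\A\d+/]` followed by `instance_version_header = !major.nil? && major.to_i >= 5`. This only fixes the comparison; the header is still client-supplied, so it does not change what the value is allowed to decide. The enclosing `any?` block and all_allowed_paths continue outside the hunk.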