Check for SLE Micro and SUMa headers to grant access
SUMA 5.0 is based on SLE Micro, to access older SUMA versions
we are using new headers present in the request to grant access
to SUMA 4.X repositories
jesusbv committed Nov 12, 2024
1 parent ac5c206 commit c88f431
Showing 1 changed file with 14 additions and 6 deletions.
Expand Up @@ -7,27 +7,28 @@ class AuthenticationController < ::ApplicationController
# This is the endpoint for nginx subrequest auth check
def check
request_uri = request.headers['X-Original-URI']
auth_result = path_allowed?(request.headers['X-Original-URI'])
auth_result = path_allowed?(request.headers)
logger.info "Authentication subrequest for #{request_uri} -- #{auth_result ? 'allowed' : 'denied'}"
head auth_result ? :ok : :forbidden
end

protected

def path_allowed?(path)
def path_allowed?(headers)
path = request.headers['X-Original-URI']
return false if path.blank?

return true if path =~ %r{/product\.license/}

path = '/' + path.gsub(/^#{RMT::DEFAULT_MIRROR_URL_PREFIX}/, '')

# Allow access to SLES 12 and 12-SP1 repos for systems migrating from SLES 11
has_sles11 = @system.products.where(identifier: 'SUSE_SLES').first
return true if (has_sles11 && (path =~ %r{/12/} || path =~ %r{/12-SP1/}))

all_allowed_paths.find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
all_allowed_paths(headers).find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
end

def all_allowed_paths
def all_allowed_paths(headers)
# return all versions of the same product and arch
# (that the system has available with that subscription)
# in order to validate access not only for current product but others
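Review bot: In `path_allowed?(headers)`, the added first line still reads `request.headers['X-Original-URI']` rather than the `headers` argument the method was just given, so the method now depends on both its parameter and the controller's request state. Use `path = headers['X-Original-URI']` so the path and the headers later passed to `all_allowed_paths(headers)` are guaranteed to come from the same object, which also lets the method be exercised in a spec with a plain headers hash.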
Expand All @@ -39,7 +40,14 @@ def all_allowed_paths
# for the SUMa PAYG offers, RMT access verification code allows access
# to the SUMa Client Tools channels and SUMa Proxy channels
# when product is SUMA_Server and PAYG or SUMA_Server and used as SCC proxy
manager_prod = @system.products.any? { |p| p.identifier.downcase.include?('manager-server') }
manager_prod = @system.products.any? do |p|
manager = p.identifier.downcase.include?('manager-server')
# SUMA 5.0 must have access to SUMA 4.3, 4.2 and so on
micro = p.identifier.downcase.include?('sle-micro')
instance_id_header = headers.fetch('X-Instance-Identifier', '').casecmp('suse-manager-server').zero?
instance_version_header = headers.fetch('X-Instance-Version', '') == '5.0'
manager || (micro && instance_id_header && instance_version_header)
end

if manager_prod
# add all SUMA products paths
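Review bot: `X-Instance-Identifier` and `X-Instance-Version` are read straight from the request headers and, for a system with a `sle-micro` product, are sufficient to set `manager_prod` and add all SUMA product paths; nothing in the visible lines shows where those values are set or verified. Please document in the comment which component sets them, and confirm that the nginx layer in front of this subrequest endpoint overwrites or strips any client-supplied copies, since otherwise the access decision rests on values the requester controls. Two smaller points: the two header checks do not depend on `p`, so compute them once before the `any?` block; and `== '5.0'` is an exact string match, so any later version will not match without a code change here.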