From 563339302b745b1e7ce1238339a66b4888825607 Mon Sep 17 00:00:00 2001 From: shreddedbacon Date: Mon, 8 Jul 2024 18:44:00 +1000 Subject: [PATCH] feat: support verification bypass on ingress --- handlers/unidler/handler.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/handlers/unidler/handler.go b/handlers/unidler/handler.go index c179910..2001812 100644 --- a/handlers/unidler/handler.go +++ b/handlers/unidler/handler.go @@ -70,8 +70,6 @@ func (h *Unidler) ingressHandler(path string) func(http.ResponseWriter, *http.Re opLog.Info(fmt.Sprintf("unable to get any namespaces: %v", err)) return } - // if hmac verification is enabled, perform the verification of the request - signedNamespace, verfied := h.verifyRequest(r, namespace) ingress := &networkv1.Ingress{} if err := h.Client.Get(ctx, types.NamespacedName{ Namespace: ns, @@ -82,6 +80,8 @@ func (h *Unidler) ingressHandler(path string) func(http.ResponseWriter, *http.Re h.setMetrics(r, start) return } + // if hmac verification is enabled, perform the verification of the request + signedNamespace, verfied := h.verifyRequest(r, namespace, ingress) xForwardedFor := strings.Split(r.Header.Get("X-Forwarded-For"), ",") trueClientIP := r.Header.Get("True-Client-IP") @@ -180,7 +180,7 @@ func (h *Unidler) genericError(w http.ResponseWriter, r *http.Request, opLog log } // handle verifying the namespace name is signed by our secret -func (h *Unidler) verifyRequest(r *http.Request, ns *corev1.Namespace) (string, bool) { +func (h *Unidler) verifyRequest(r *http.Request, ns *corev1.Namespace, ingress *networkv1.Ingress) (string, bool) { if h.VerifiedUnidling { if val, ok := ns.ObjectMeta.Annotations["idling.amazee.io/disable-request-verification"]; ok { t, _ := strconv.ParseBool(val) 
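Review bot: The comment above `verifyRequest` still reads `// handle verifying the namespace name is signed by our secret`, but with the new `ingress` parameter the function can also report a request as verified without checking any signature. A doc comment in Go form would make that visible to callers, for example `// verifyRequest checks the request's verifier against the HMAC of the namespace name; the check is skipped when the namespace or the ingress has idling.amazee.io/disable-request-verification set to true.` The function body continues outside this hunk, so the exact wording about the comparison should be confirmed against the rest of the function.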
@@ -188,6 +188,12 @@ func (h *Unidler) verifyRequest(r *http.Request, ns *corev1.Namespace) (string,
 return "", true
 }
 }
+ if val, ok := ingress.ObjectMeta.Annotations["idling.amazee.io/disable-request-verification"]; ok {
+ t, _ := strconv.ParseBool(val)
+ if t == true {
+ return "", true
+ }
+ }
 // if hmac verification is enabled, perform the verification of the request
 signedNamespace := hmacSigner(ns.Name, []byte(h.VerifiedSecret))
 verifier := r.URL.Query().Get("verifier")
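Review bot: The added ingress check returns `"", true` without leaving any trace that HMAC verification was skipped, so a bypass set on a single Ingress is invisible in logs and metrics. If Ingress objects can be edited by more principals than Namespace objects in the target clusters (not visible from this hunk), the annotation lowers the bar for turning verification off, so the skip should at least be recorded with the ingress name where the caller logs the request. The discarded `strconv.ParseBool` error means a malformed value silently leaves verification on, which fails closed but is hard to diagnose. On style, `if t == true {` can be `if t {`, and the key `"idling.amazee.io/disable-request-verification"` now appears twice as a literal where one package-level constant would keep the two checks in sync. The body of `verifyRequest` starts and ends outside this hunk.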