require_dependency 'strict_authentication/application_controller'

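module StrictAuthentication
  # Backs the nginx `auth_request` subrequest: decides whether the system that
  # authenticated with RMT may read the repository path it asked the proxy for.
  class AuthenticationController < ::ApplicationController
    before_action :authenticate_system

    # Product license files are readable under any product path.
    LICENSE_PATH_RE = %r{/product\.license/}.freeze
    # Repo versions a SLES 11 system is allowed to reach while migrating.
    SLES11_MIGRATION_TARGETS_RE = %r{/12(-SP1)?/}.freeze

    # Endpoint for the nginx subrequest auth check.
    #
    # The path under test is taken from the X-Original-URI header the proxy
    # sets; the response is 200 when access is granted and 403 otherwise.
    # `@system` is presumably populated by `authenticate_system` — confirm there.
    def check
      request_uri = request.headers['X-Original-URI']
      auth_result = path_allowed?(request_uri)
      logger.info "Authentication subrequest for #{request_uri} -- #{auth_result ? 'allowed' : 'denied'}"
      head auth_result ? :ok : :forbidden
    end

    protected

    # Whether +path+ (the raw request URI received from the proxy) points at a
    # repository the current system may access.
    #
    # @param path [String, nil] value of the X-Original-URI header
    # @return [Boolean]
    def path_allowed?(path)
      return false if path.blank?
      return true if path.match?(LICENSE_PATH_RE)

      # Drop the mirror URL prefix so the path lines up with the repositories'
      # local_path values. The prefix is treated as a literal string, and only a
      # leading occurrence is removed (\A, not the per-line anchor ^).
      path = '/' + path.sub(/\A#{Regexp.escape(RMT::DEFAULT_MIRROR_URL_PREFIX)}/, '')

      # Allow access to SLES 12 and 12-SP1 repos for systems migrating from SLES 11
      if @system.products.where(identifier: 'SUSE_SLES').exists? && path.match?(SLES11_MIGRATION_TARGETS_RE)
        return true
      end

      # Prefix match on the whole string (start_with? rather than a ^-anchored
      # regex, which would also match after an embedded newline).
      # NOTE(review): this assumes the proxy hands over an already normalized
      # path (no '..' segments); otherwise a prefix match is not sufficient — TODO confirm.
      all_allowed_paths.any? { |allowed_path| path.start_with?(allowed_path) }
    end

    # local_path of every repository the system may read.
    #
    # Covers all versions of each of the system's products (same identifier
    # and arch), so access can be validated for related products and not only
    # the current one — requested by the SUMA team so they can check whether a
    # customer has access to other products. When the system runs a SUSE Manager
    # server (PAYG or used as SCC proxy), the repositories of every Manager
    # product are added as well so the SUMA Client Tools and Proxy channels pass.
    #
    # @return [Array<String>]
    def all_allowed_paths
      all_product_versions = @system.products.flat_map do |product|
        Product.where(identifier: product.identifier, arch: product.arch).to_a
      end
      allowed_paths = repository_paths_for(all_product_versions)

      manager_server = @system.products.any? { |p| p.identifier.downcase.include?('manager-server') }
      allowed_paths += repository_paths_for(Product.where('identifier LIKE ?', '%manager%')) if manager_server

      allowed_paths
    end

    private

    # local_path of every repository attached to +products+. nil paths are
    # dropped so the prefix comparison in path_allowed? never sees one.
    #
    # @param products [Enumerable<Product>]
    # @return [Array<String>]
    def repository_paths_for(products)
      products.flat_map { |prod| prod.repositories.pluck(:local_path) }.compact
    end
  end
end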