

Handle requests not using RBAC
Current requests:
- health_check
- v3/api-docs

Method - triggerNoRbacEndpoints handles these scenarios:
Request contains & - trim string till & and filter when specified values are present in URI.
Request contains ? - getRequestURI() automatically returns URI path without query string and filter when specified values are present in URI.

When specified values are found and filtering is done, isRbacLessEndpoint value is set to true, which prevents further code execution.

Type: Improvement
Signed-off-by: jmasar <[email protected]>
jmasar committed Jun 26, 2024
1 parent 54c1037 commit 37aa6b5
Showing 1 changed file with 46 additions and 4 deletions.
Expand Up @@ -44,6 +44,8 @@ public class RbacHttpFilter implements Filter {

private boolean testingUser;

private boolean isRbacLessEndpoint;

public RbacHttpFilter(RbacProperties properties) {
this.properties = properties;
}
Expand All @@ -60,7 +62,7 @@ public RbacHttpFilter(RbacProperties properties) {
* error.
*
* @param servletRequest ServletRequest object representing the HTTP request.
* @param servletResponse ServletResponse object representing the HTTP response
* @param servletResponse ServletResponse object representing the HTTP response.
* @param filterChain FilterChain object to proceed with the filter chain.
* @throws IOException IOException if an input or output error occurs while filtering the
* request or response.
Expand All @@ -74,9 +76,10 @@ public void doFilter(
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;

final String healthCheck = "health";
if (request.getRequestURI().contains(healthCheck)) {
filterChain.doFilter(servletRequest, servletResponse);
triggerNoRbacEndpoints(
request.getRequestURI(), filterChain, servletRequest, servletResponse);
if (isRbacLessEndpoint) {
isRbacLessEndpoint = false;
return;
}

Expand Down Expand Up @@ -104,6 +107,45 @@ private boolean validateHeaders(List<String> headers) {
return headers.stream().anyMatch(fromHeader::equals);
}

/**
* Processes the given request URI to determine if it corresponds to an endpoint that does not
* require RBAC. If the URI contains specific keywords indicating such endpoints, the filter
* chain is executed without further RBAC checks.
*
* @param requestUri the URI of the incoming request.
* @param filterChain FilterChain object to proceed with the filter chain.
* @param servletRequest ServletRequest object representing the HTTP request.
* @param servletResponse ServletResponse object representing the HTTP response.
* @throws ServletException ServletException if the request could not be handled.
* @throws IOException IOException if an input or output error occurs while filtering the
* request or response.
*/
private void triggerNoRbacEndpoints(
String requestUri,
FilterChain filterChain,
ServletRequest servletRequest,
ServletResponse servletResponse)
throws ServletException, IOException {
final String ampersand = "&";
final boolean hasAmpersand = requestUri.contains(ampersand);
final String healthCheck = "health";
final String apiDocs = "v3/api-docs";

if (hasAmpersand) {
int ampersandIndex = requestUri.indexOf(ampersand);
String path = requestUri.substring(0, ampersandIndex);
if (path.contains(healthCheck) || path.contains(apiDocs)) {
isRbacLessEndpoint = true;
filterChain.doFilter(servletRequest, servletResponse);
}
} else {
if (requestUri.contains(healthCheck) || requestUri.contains(apiDocs)) {
isRbacLessEndpoint = true;
filterChain.doFilter(servletRequest, servletResponse);
}
}
}

/**
* Creates a user object based on the provided roles and groups, considering administrative
* access.
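Review bot: The RBAC exemption decision is carried in the instance field `isRbacLessEndpoint` (set inside triggerNoRbacEndpoints, read and cleared in doFilter), but a servlet Filter instance is normally one object shared by all concurrent requests, so one request's exemption can be observed by another request running at the same time, and if `filterChain.doFilter` throws inside triggerNoRbacEndpoints the flag is never cleared, so the next unrelated request skips the RBAC checks entirely. Return the decision instead: make the helper a side-effect-free `boolean` predicate, delete the field and the reset in doFilter, and let doFilter invoke the chain itself (sketch below); the helper's Javadoc should then say it touches no filter state. Separately, `path.contains(healthCheck) || path.contains(apiDocs)` is a substring test, so any request path that merely contains those keywords is exempt from RBAC; compare the normalized path against an explicit allowlist of the exact exempt paths rather than keywords. doFilter's body continues outside the hunk.
```java
// doFilter: decide per request from the return value, no shared field
if (isRbacLessEndpoint(request.getRequestURI())) {
    filterChain.doFilter(servletRequest, servletResponse);
    return;
}
// … unchanged: remainder of doFilter …

/**
 * Returns true when the request path (truncated at the first '&', if any)
 * names an endpoint exempt from RBAC. Pure predicate: no filter state is touched.
 *
 * @param requestUri the URI of the incoming request.
 * @return true if RBAC checks must be skipped for this request.
 */
private static boolean isRbacLessEndpoint(String requestUri) {
    final String healthCheck = "health";
    final String apiDocs = "v3/api-docs";
    int ampersandIndex = requestUri.indexOf('&');
    String path = ampersandIndex >= 0 ? requestUri.substring(0, ampersandIndex) : requestUri;
    // NOTE(review): substring match kept from the original; tighten to an exact/prefix
    // allowlist of the real exempt paths so unrelated paths containing these words stay protected.
    return path.contains(healthCheck) || path.contains(apiDocs);
}
```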

