diff --git a/rest/src/main/java/com/netflix/conductor/rest/rbac/RbacHttpFilter.java b/rest/src/main/java/com/netflix/conductor/rest/rbac/RbacHttpFilter.java
index f4c75c6285..f590b320b4 100644
--- a/rest/src/main/java/com/netflix/conductor/rest/rbac/RbacHttpFilter.java
+++ b/rest/src/main/java/com/netflix/conductor/rest/rbac/RbacHttpFilter.java
@@ -44,6 +44,8 @@ public class RbacHttpFilter implements Filter {
 private boolean testingUser;
+ private boolean isRbacLessEndpoint;
+
 public RbacHttpFilter(RbacProperties properties) {
 this.properties = properties;
 }
@@ -60,7 +62,7 @@ public RbacHttpFilter(RbacProperties properties) {
 * error.
 *
 * @param servletRequest ServletRequest object representing the HTTP request.
- * @param servletResponse ServletResponse object representing the HTTP response
+ * @param servletResponse ServletResponse object representing the HTTP response.
 * @param filterChain FilterChain object to proceed with the filter chain.
 * @throws IOException IOException if an input or output error occurs while filtering the
 * request or response.
@@ -74,9 +76,10 @@ public void doFilter(
 HttpServletRequest request = (HttpServletRequest) servletRequest;
 HttpServletResponse response = (HttpServletResponse) servletResponse;
- final String healthCheck = "health";
- if (request.getRequestURI().contains(healthCheck)) {
- filterChain.doFilter(servletRequest, servletResponse);
+ triggerNoRbacEndpoints(
+ request.getRequestURI(), filterChain, servletRequest, servletResponse);
+ if (isRbacLessEndpoint) {
+ isRbacLessEndpoint = false;
 return;
 }
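Review bot: `isRbacLessEndpoint` is a plain instance field on the filter, and a servlet `Filter` is normally one shared instance serving requests concurrently, so the flag set inside one request's `triggerNoRbacEndpoints` call can be read by another request's `if (isRbacLessEndpoint)` check. In the interleaving where a request to a protected path observes `true` left by a concurrent health-check request, it resets the flag and returns without ever invoking `filterChain.doFilter`, so that request ends with an empty response and no RBAC decision; the health request then sees `false`, skips the early return and continues into the RBAC logic after the chain has already run, which looks like it can write to an already-committed response. The cleaner shape is a side-effect-free predicate: have the helper return `boolean` and do nothing else, then in `doFilter` write `if (isRbacLessEndpoint(request.getRequestURI())) { filterChain.doFilter(servletRequest, servletResponse); return; }` and delete the field. The remainder of `doFilter` (the RBAC checks that follow the early return) lies outside this hunk.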
@@ -104,6 +107,45 @@ private boolean validateHeaders(List headers) {
 return headers.stream().anyMatch(fromHeader::equals);
 }
+ /**
+ * Processes the given request URI to determine if it corresponds to an endpoint that does not
+ * require RBAC. If the URI contains specific keywords indicating such endpoints, the filter
+ * chain is executed without further RBAC checks.
+ *
+ * @param requestUri the URI of the incoming request.
+ * @param filterChain FilterChain object to proceed with the filter chain.
+ * @param servletRequest ServletRequest object representing the HTTP request.
+ * @param servletResponse ServletResponse object representing the HTTP response.
+ * @throws ServletException ServletException if the request could not be handled.
+ * @throws IOException IOException if an input or output error occurs while filtering the
+ * request or response.
+ */
+ private void triggerNoRbacEndpoints(
+ String requestUri,
+ FilterChain filterChain,
+ ServletRequest servletRequest,
+ ServletResponse servletResponse)
+ throws ServletException, IOException {
+ final String ampersand = "&";
+ final boolean hasAmpersand = requestUri.contains(ampersand);
+ final String healthCheck = "health";
+ final String apiDocs = "v3/api-docs";
+
+ if (hasAmpersand) {
+ int ampersandIndex = requestUri.indexOf(ampersand);
+ String path = requestUri.substring(0, ampersandIndex);
+ if (path.contains(healthCheck) || path.contains(apiDocs)) {
+ isRbacLessEndpoint = true;
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ } else {
+ if (requestUri.contains(healthCheck) || requestUri.contains(apiDocs)) {
+ isRbacLessEndpoint = true;
+ filterChain.doFilter(servletRequest, servletResponse);
+ }
+ }
+ }
+
 /**
 * Creates a user object based on the provided roles and groups, considering administrative
 * access.
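Review bot: The RBAC exemption is granted by `requestUri.contains(healthCheck)` / `contains(apiDocs)`, so any request whose path merely contains the substring `health` or `v3/api-docs` anywhere bypasses authorization — including, if any route here embeds a client-chosen name such as a workflow or task name in the path, a protected resource that happens to be named that way; the `health` substring check predates this commit, but the change keeps it and widens it to a second keyword. Anchor the match at the start of the path (exact or `prefix + "/"`) instead of `contains`. The `&` branch also looks dead: `HttpServletRequest.getRequestURI()` never carries the query string (the servlet API splits it off at `?`), so unless a front proxy rewrites paths oddly `hasAmpersand` is always false and the branch only adds a second copy of the same logic. `getRequestURI()` does include the servlet context path, so if this service runs under a non-root context the prefixes below need that prefix or `getServletPath()` should be used — confirm against the routes actually registered. Folding this together with making the helper a pure predicate (no filter-chain call, no shared flag) gives roughly the following.

```java
// Exempt paths, matched as exact path or as a leading segment; confirm these against the
// routes registered in this service (context path, actuator/health prefix, springdoc paths).
private static final List<String> RBAC_LESS_PATH_PREFIXES = List.of("/health", "/v3/api-docs");

/**
 * Returns {@code true} when the request path is an RBAC-exempt endpoint. This is a pure
 * predicate: it neither invokes the filter chain nor keeps state, so it is safe under
 * concurrent requests; the caller decides whether to proceed down the chain.
 *
 * @param requestUri the request path as returned by {@code getRequestURI()} (no query string).
 */
private static boolean isRbacLessEndpoint(String requestUri) {
    return RBAC_LESS_PATH_PREFIXES.stream()
            .anyMatch(p -> requestUri.equals(p) || requestUri.startsWith(p + "/"));
}
```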