Skip to content

Commit c26d7e9

Browse files
committed
refactor(controlplane): remove regex support in authz middleware
Replace the regex fallback in the authz policy lookup with exact endpoint matching. The only rule relying on it ("/controlplane.v1.OrgMetricsService/.*") is replaced by explicit entries for the Totals, TopWorkflowsByRunsCount and DailyRunsCount endpoints. Assisted-by: Claude Code Signed-off-by: Jose I. Paris <jiparis@chainloop.dev> Chainloop-Trace-Sessions: af6e1c77-67e9-454c-8a56-5220930f328c
1 parent 8efb6e0 commit c26d7e9

3 files changed

Lines changed: 15 additions & 21 deletions

File tree

app/controlplane/pkg/authz/authz.go

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -385,7 +385,9 @@ var ServerOperationsMap = map[string]*OperationPolicy{
385385
"/controlplane.v1.IntegrationsService/Attach": {Policies: []*Policy{PolicyAttachedIntegrationAttach}},
386386
"/controlplane.v1.IntegrationsService/Detach": {Policies: []*Policy{PolicyAttachedIntegrationDetach}},
387387
// Metrics
388-
"/controlplane.v1.OrgMetricsService/.*": {Policies: []*Policy{PolicyOrgMetricsRead}},
388+
"/controlplane.v1.OrgMetricsService/Totals": {Policies: []*Policy{PolicyOrgMetricsRead}},
389+
"/controlplane.v1.OrgMetricsService/TopWorkflowsByRunsCount": {Policies: []*Policy{PolicyOrgMetricsRead}},
390+
"/controlplane.v1.OrgMetricsService/DailyRunsCount": {Policies: []*Policy{PolicyOrgMetricsRead}},
389391
// Robot Account
390392
"/controlplane.v1.RobotAccountService/List": {Policies: []*Policy{PolicyRobotAccountList}},
391393
"/controlplane.v1.RobotAccountService/Create": {Policies: []*Policy{PolicyRobotAccountCreate}},

app/controlplane/pkg/authz/middleware/middleware.go

Lines changed: 2 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,6 @@ package middleware
1818
import (
1919
"context"
2020
"errors"
21-
"regexp"
2221

2322
errorsAPI "github.com/go-kratos/kratos/v2/errors"
2423

@@ -103,25 +102,13 @@ func checkPolicies(ctx context.Context, subject, apiOperation string, enforcer E
103102
return nil
104103
}
105104

106-
// policiesLookup returns the policies required for a given API operation
107-
// it performs a two run lookup
108-
// 1 - It checks if there is an entry in the map
109-
// 2 - if there is not, it runs a regex match in each key in case one of those keys contains a regex
105+
// policiesLookup returns the policies required for a given API operation.
106+
// It looks up the operation directly in the ServerOperationsMap.
110107
func policiesLookup(apiOperation string) ([]*authz.Policy, error) {
111-
// Direct match
112108
entry, found := authz.ServerOperationsMap[apiOperation]
113109
if found {
114110
return entry.Policies, nil
115111
}
116112

117-
// second pass trying to match a regex
118-
// i.e "/controlplane.v1.OrgMetricsService/.*" -> "/controlplane.v1.OrgMetricsService/Totals"
119-
for k, entry := range authz.ServerOperationsMap {
120-
found, _ := regexp.MatchString(k, apiOperation)
121-
if found {
122-
return entry.Policies, nil
123-
}
124-
}
125-
126113
return nil, errors.New("operation not allowed")
127114
}

app/controlplane/pkg/authz/middleware/middleware_test.go

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -193,20 +193,25 @@ func TestPoliciesLookup(t *testing.T) {
193193
operation: "/controlplane.v1.WorkflowContractService/List",
194194
},
195195
{
196-
name: "operation found with regexp",
197-
operation: "/controlplane.v1.OrgMetricsService/List",
196+
name: "org metrics operation found",
197+
operation: "/controlplane.v1.OrgMetricsService/Totals",
198198
},
199199
{
200-
name: "operation found with regexp 2",
200+
name: "org metrics operation found 2",
201+
operation: "/controlplane.v1.OrgMetricsService/DailyRunsCount",
202+
},
203+
{
204+
name: "non-existing org metrics operation, error not found",
201205
operation: "/controlplane.v1.OrgMetricsService/boom",
206+
wantErr: true,
202207
},
203208
{
204-
name: "operation found with regexp, error wrong prefix",
209+
name: "operation error wrong prefix",
205210
operation: "/boom/controlplane.v1.OrgMetricsService",
206211
wantErr: true,
207212
},
208213
{
209-
name: "operation found with regexp, error not found",
214+
name: "operation error not found",
210215
operation: "/controlplane.v1.OrgMetricsService",
211216
wantErr: true,
212217
},

0 commit comments

Comments
 (0)