Update authentication validation webhook logic
sgayangi committed Aug 6, 2024
1 parent cf2a4b6 commit 577a40a
Showing 1 changed file with 36 additions and 45 deletions.
81 changes: 36 additions & 45 deletions common-go-libs/apis/dp/v1alpha2/authentication_webhook.go
Expand Up @@ -75,7 +75,6 @@ func (r *Authentication) ValidateAuthentication() error {
}

var mutualSSL *MutualSSLConfig
// var oauth2Auth OAuth2Auth
var authTypes *APIAuth

isOAuthEnabled := true
Expand All @@ -86,53 +85,45 @@ func (r *Authentication) ValidateAuthentication() error {

isAPIKeyEnabled := false
isAPIKeyMandatory := false
errorType := "default"

if r.Spec.Default != nil && r.Spec.Default.AuthTypes != nil {
authTypes = r.Spec.Default.AuthTypes
}

if r.Spec.Override != nil && r.Spec.Override.AuthTypes != nil {
authTypes = r.Spec.Override.AuthTypes
errorType = "override"
}

isOAuthEnabled = !authTypes.OAuth2.Disabled
isOAuthMandatory = authTypes.OAuth2.Required == "mandatory"

if authTypes.MutualSSL != nil {
mutualSSL = authTypes.MutualSSL
isMTLSEnabled = !authTypes.MutualSSL.Disabled
isMTLSMandatory = authTypes.MutualSSL.Required == "mandatory"
}

if authTypes.APIKey != nil {
isAPIKeyEnabled = true
isAPIKeyMandatory = authTypes.APIKey.Required == "mandatory"
}

if mutualSSL != nil && r.Spec.TargetRef.Kind != constants.KindAPI {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("oauth2"), r.Spec.Default.AuthTypes.MutualSSL,
"invalid authentication - mTLS can currently only be added for APIs"))
}

isMTLSMandatory = isMTLSEnabled && isMTLSMandatory // false
isOAuthMandatory = isOAuthEnabled && isOAuthMandatory // true && true
isAPIKeyMandatory = isAPIKeyEnabled && isAPIKeyMandatory // true && false = false

isMTLSOptional := isMTLSEnabled && !isMTLSMandatory
isOAuthOptional := isOAuthEnabled && !isOAuthMandatory
isAPIKeyOptional := isAPIKeyEnabled && !isAPIKeyMandatory

if !(
// at least one must be enabled and mandatory
(isMTLSMandatory || isOAuthMandatory || isAPIKeyMandatory) ||
// mTLS is enabled and one of OAuth2 or APIKey is optional
(isMTLSOptional && (isOAuthOptional || isAPIKeyOptional))) {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child(errorType).Child("authTypes"), r.Spec.Default.AuthTypes,
"invalid authtypes provided: one of mTLS, APIKey, OAuth2 has to be enabled and mandatory "+
"OR mTLS and one of OAuth2 or APIKey need to be optional "+
"OR all three can be optional"))
isOAuthEnabled = !authTypes.OAuth2.Disabled
isOAuthMandatory = authTypes.OAuth2.Required == "mandatory"
if authTypes.MutualSSL != nil {
mutualSSL = authTypes.MutualSSL
isMTLSEnabled = !authTypes.MutualSSL.Disabled
isMTLSMandatory = authTypes.MutualSSL.Required == "mandatory"
}

if authTypes.APIKey != nil {
isAPIKeyEnabled = true
isAPIKeyMandatory = authTypes.APIKey.Required == "mandatory"
}

if mutualSSL != nil && r.Spec.TargetRef.Kind != constants.KindAPI {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("oauth2"), r.Spec.Default.AuthTypes.MutualSSL,
"invalid authentication - mTLS can currently only be added for APIs"))
}

isMTLSMandatory = isMTLSEnabled && isMTLSMandatory
isOAuthMandatory = isOAuthEnabled && isOAuthMandatory
isAPIKeyMandatory = isAPIKeyEnabled && isAPIKeyMandatory

isMTLSOptional := isMTLSEnabled && !isMTLSMandatory
isOAuthOptional := isOAuthEnabled && !isOAuthMandatory
isAPIKeyOptional := isAPIKeyEnabled && !isAPIKeyMandatory

// valid security combinations
// at least one must be enabled and mandatory
// OR mTLS is enabled and one of OAuth2 or APIKey is optional

if !((isMTLSMandatory || isOAuthMandatory || isAPIKeyMandatory) || (isMTLSOptional && (isOAuthOptional || isAPIKeyOptional))) {
allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes"), authTypes,
"invalid authtypes provided: one of mTLS, APIKey, OAuth2 has to be enabled and mandatory "+
"OR mTLS and one of OAuth2 or APIKey need to be optional "+
"OR all three can be optional"))
}
}

if len(allErrs) > 0 {
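Review bot: The mTLS target-kind error in the `if mutualSSL != nil && r.Spec.TargetRef.Kind != constants.KindAPI` block still reaches into `r.Spec.Default.AuthTypes.MutualSSL` even though `authTypes` may have been taken from `r.Spec.Override`; when only the override block is set, `r.Spec.Default` is nil and the validating webhook panics instead of returning a field error, which, depending on the webhook's failure policy, can turn a rejection into an admitted object. The selected value is already in hand, so the argument should be `mutualSSL`, e.g. `allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("default").Child("authTypes").Child("oauth2"), mutualSSL,` (the `oauth2` child on an mTLS error also looks like a copy-paste slip and should point at the mutualSSL field). Separately, dropping `errorType` means both errors now always name `spec.default.authTypes` even when the override block was what was validated; keeping a path variable set alongside the `authTypes = r.Spec.Override.AuthTypes` assignment would preserve that distinction. ValidateAuthentication starts and ends outside this section, so the block closed by the `}` before `if len(allErrs) > 0 {` is not visible here.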
