diff --git a/VERSION b/VERSION index 439ba987..b30a0053 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.56 +1.1.57 diff --git a/config/runtime.exs b/config/runtime.exs index c74f9f0f..d5909ca5 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -156,7 +156,9 @@ if config_env() != :test do global_upstream_ca: upstream_ca, global_downstream_cert: downstream_cert, global_downstream_key: downstream_key, - reconnect_on_db_close: System.get_env("RECONNECT_ON_DB_CLOSE") == "true" + reconnect_on_db_close: System.get_env("RECONNECT_ON_DB_CLOSE") == "true", + api_blocklist: System.get_env("API_TOKEN_BLOCKLIST", "") |> String.split(","), + metrics_blocklist: System.get_env("METRICS_TOKEN_BLOCKLIST", "") |> String.split(",") config :supavisor, Supavisor.Repo, url: System.get_env("DATABASE_URL", "ecto://postgres:postgres@localhost:6432/postgres"), diff --git a/config/test.exs b/config/test.exs index 59006dcc..dcd59c57 100644 --- a/config/test.exs +++ b/config/test.exs @@ -10,7 +10,11 @@ config :supavisor, proxy_port_transaction: System.get_env("PROXY_PORT_TRANSACTION", "7654") |> String.to_integer(), secondary_proxy_port: 7655, secondary_http: 4003, - prom_poll_rate: 500 + prom_poll_rate: 500, + api_blocklist: [ + "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJvbGUiOiJibG9ja2VkIiwiaWF0IjoxNjQ1MTkyODI0LCJleHAiOjE5NjA3Njg4MjR9.y-V3D1N2e8UTXc5PJzmV9cqMteq0ph2wl0yt42akQgA" + ], + metrics_blocklist: [] config :supavisor, Supavisor.Repo, username: "postgres", diff --git a/lib/supavisor_web/router.ex b/lib/supavisor_web/router.ex index 50608dfe..e51830a3 100644 --- a/lib/supavisor_web/router.ex +++ b/lib/supavisor_web/router.ex @@ -12,11 +12,11 @@ defmodule SupavisorWeb.Router do pipeline :api do plug(:accepts, ["json"]) - plug(:check_auth, :api_jwt_secret) + plug(:check_auth, [:api_jwt_secret, :api_blocklist]) end pipeline :metrics do - plug(:check_auth, :metrics_jwt_secret) + plug(:check_auth, [:metrics_jwt_secret, :metrics_blocklist]) end pipeline :openapi do @@ -84,10 +84,12 @@ defmodule SupavisorWeb.Router do defp check_auth(%{request_path: "/api/health"} = conn, _), do: conn - defp check_auth(conn, secret_key) do + defp check_auth(conn, [secret_key, blocklist_key]) do secret = Application.fetch_env!(:supavisor, secret_key) + blocklist = Application.fetch_env!(:supavisor, blocklist_key) with ["Bearer " <> token] <- get_req_header(conn, "authorization"), + false <- token in blocklist, {:ok, _claims} <- Supavisor.Jwt.authorize(token, secret) do conn else diff --git a/test/supavisor_web/controllers/tenant_controller_test.exs b/test/supavisor_web/controllers/tenant_controller_test.exs index bb9d05f2..a18f98f1 100644 --- a/test/supavisor_web/controllers/tenant_controller_test.exs +++ b/test/supavisor_web/controllers/tenant_controller_test.exs @@ -8,6 +8,8 @@ defmodule SupavisorWeb.TenantControllerTest do @jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJvbGUiOiJhbm9uIiwiaWF0IjoxNjQ1MTkyODI0LCJleHAiOjE5NjA3Njg4MjR9.M9jrxyvPLkUxWgOYSf5dNdJ8v_eRrq810ShFRT8N-6M" + @blocked_jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJvbGUiOiJibG9ja2VkIiwiaWF0IjoxNjQ1MTkyODI0LCJleHAiOjE5NjA3Njg4MjR9.y-V3D1N2e8UTXc5PJzmV9cqMteq0ph2wl0yt42akQgA" + @user_valid_attrs %{ db_user_alias: "some_db_user", db_user: "some db_user", @@ -51,7 +53,15 @@ defmodule SupavisorWeb.TenantControllerTest do "Bearer " <> @jwt ) - {:ok, conn: new_conn} + blocked_conn = + conn + |> put_req_header("accept", "application/json") + |> put_req_header( + "authorization", + "Bearer " <> @blocked_jwt + ) + + {:ok, conn: new_conn, blocked_conn: blocked_conn} end describe "create tenant" do @@ -66,6 +76,17 @@ defmodule SupavisorWeb.TenantControllerTest do end end + describe "create tenant with blocked ip" do + test "renders tenant when data is valid", %{blocked_conn: blocked_conn} do + blocked_conn = + put(blocked_conn, Routes.tenant_path(blocked_conn, :update, "dev_tenant"), + tenant: @create_attrs + ) + + assert blocked_conn.status == 403 + end + end + describe "update tenant" do setup [:create_tenant]