add authentication with API key for the /logs endpoint (#663)

* add authentication with API key for the /logs endpoint * fixing go mod files
tenable · Apr 19, 2021 · 71b776f · 71b776f
1 parent 225a914
commit 71b776f
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 3 deletions.
diff --git a/go.sum b/go.sum
@@ -1143,8 +1143,6 @@ golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210113181707-4bcb84eeeb78/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492 h1:Paq34FxTluEPvVyayQqMPgHm+vTOrIifmcYxFBx9TLg=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210415045647-66c3f260301c h1:6L+uOeS3OQt/f4eFHXZcTxeZrGCuz+CLElgEBjbcTA4=
 golang.org/x/sys v0.0.0-20210415045647-66c3f260301c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/pkg/http-server/routes.go b/pkg/http-server/routes.go
@@ -37,7 +37,7 @@ func (g *APIServer) Routes(configFile string) []*Route {
 		{verb: "POST", path: versionedPath("/{iac}/{iacVersion}/{cloud}/remote/dir/scan"), fn: h.scanRemoteRepo},
 
 		// k8s webhook Routes
-		{verb: "GET", path: "/k8s/webhooks/logs", fn: h.getLogs},
+		{verb: "GET", path: "/k8s/webhooks/{apiKey}/logs", fn: h.getLogs},
 		{verb: "GET", path: "/k8s/webhooks/logs/{uid}", fn: h.getLogByUID},
 		{verb: "POST", path: versionedPath("/k8s/webhooks/{apiKey}/scan/validate"), fn: h.validateK8SWebhook},
 	}

diff --git a/pkg/http-server/webhook-scan-logs.go b/pkg/http-server/webhook-scan-logs.go
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/accurics/terrascan/pkg/config"
+	admissionWebhook "github.com/accurics/terrascan/pkg/k8s/admission-webhook"
 	"github.com/accurics/terrascan/pkg/k8s/dblogs"
 	"github.com/accurics/terrascan/pkg/results"
 	"github.com/gorilla/mux"
@@ -65,6 +66,25 @@ type webhookDisplayedShowLog struct {
 
 func (g *APIHandler) getLogs(w http.ResponseWriter, r *http.Request) {
 
+	var (
+		params = mux.Vars(r)
+		apiKey = params["apiKey"]
+	)
+
+	// Validate if authorized (API key is specified and matched the server one (saved in an environment variable)
+	validatingWebhook := admissionWebhook.NewValidatingWebhook(g.configFile, []byte(""))
+	if err := validatingWebhook.Authorize(apiKey); err != nil {
+		switch err {
+		case admissionWebhook.ErrAPIKeyMissing:
+			apiErrorResponse(w, err.Error(), http.StatusBadRequest)
+		case admissionWebhook.ErrUnauthorized:
+			apiErrorResponse(w, err.Error(), http.StatusUnauthorized)
+		default:
+			apiErrorResponse(w, err.Error(), http.StatusInternalServerError)
+		}
+		return
+	}
+
 	// Return an HTML page including all the logs history
 	logger := dblogs.NewWebhookScanLogger()