From 71b776fe060049be425c55a63fadf4caf5d9eca9 Mon Sep 17 00:00:00 2001
From: Yusuf Kanchwala <30405568+kanchwala-yusuf@users.noreply.github.com>
Date: Mon, 19 Apr 2021 10:59:09 +0530
Subject: [PATCH] add authentication with API key for the /logs endpoint (#663)

* add authentication with API key for the /logs endpoint

* fixing go mod files
---
 go.sum | 2 --
 pkg/http-server/routes.go | 2 +-
 pkg/http-server/webhook-scan-logs.go | 20 ++++++++++++++++++++
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/go.sum b/go.sum
index 3fa0151ee..1875706aa 100644
--- a/go.sum
+++ b/go.sum
@@ -1143,8 +1143,6 @@ golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210113181707-4bcb84eeeb78/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492 h1:Paq34FxTluEPvVyayQqMPgHm+vTOrIifmcYxFBx9TLg=
-golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210415045647-66c3f260301c h1:6L+uOeS3OQt/f4eFHXZcTxeZrGCuz+CLElgEBjbcTA4=
 golang.org/x/sys v0.0.0-20210415045647-66c3f260301c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/pkg/http-server/routes.go b/pkg/http-server/routes.go
index 74f9a179b..ae63054bd 100644
--- a/pkg/http-server/routes.go
+++ b/pkg/http-server/routes.go
@@ -37,7 +37,7 @@ func (g *APIServer) Routes(configFile string) []*Route {
 		{verb: "POST", path: versionedPath("/{iac}/{iacVersion}/{cloud}/remote/dir/scan"), fn: h.scanRemoteRepo},
 
 		// k8s webhook Routes
-		{verb: "GET", path: "/k8s/webhooks/logs", fn: h.getLogs},
+		{verb: "GET", path: "/k8s/webhooks/{apiKey}/logs", fn: h.getLogs},
 		{verb: "GET", path: "/k8s/webhooks/logs/{uid}", fn: h.getLogByUID},
 		{verb: "POST", path: versionedPath("/k8s/webhooks/{apiKey}/scan/validate"), fn: h.validateK8SWebhook},
 	}
diff --git a/pkg/http-server/webhook-scan-logs.go b/pkg/http-server/webhook-scan-logs.go
index 53b0fa225..404297de9 100644
--- a/pkg/http-server/webhook-scan-logs.go
+++ b/pkg/http-server/webhook-scan-logs.go
@@ -24,6 +24,7 @@ import (
 	"time"
 
 	"github.com/accurics/terrascan/pkg/config"
+	admissionWebhook "github.com/accurics/terrascan/pkg/k8s/admission-webhook"
 	"github.com/accurics/terrascan/pkg/k8s/dblogs"
 	"github.com/accurics/terrascan/pkg/results"
 	"github.com/gorilla/mux"
@@ -65,6 +66,25 @@ type webhookDisplayedShowLog struct {
 
 func (g *APIHandler) getLogs(w http.ResponseWriter, r *http.Request) {
+	var (
+		params = mux.Vars(r)
+		apiKey = params["apiKey"]
+	)
+
+	// Validate if authorized (API key is specified and matched the server one (saved in an environment variable)
+	validatingWebhook := admissionWebhook.NewValidatingWebhook(g.configFile, []byte(""))
+	if err := validatingWebhook.Authorize(apiKey); err != nil {
+		switch err {
+		case admissionWebhook.ErrAPIKeyMissing:
+			apiErrorResponse(w, err.Error(), http.StatusBadRequest)
+		case admissionWebhook.ErrUnauthorized:
+			apiErrorResponse(w, err.Error(), http.StatusUnauthorized)
+		default:
+			apiErrorResponse(w, err.Error(), http.StatusInternalServerError)
+		}
+		return
+	}
+
 	// Return an HTML page including all the logs history
 	logger := dblogs.NewWebhookScanLogger()
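Review bot: The key requirement is added only to `/k8s/webhooks/{apiKey}/logs`; the sibling route on the next line, `{verb: "GET", path: "/k8s/webhooks/logs/{uid}", fn: h.getLogByUID}`, is left as it was, so an individual scan log still appears to be reachable without any API key, which undercuts the point of the commit if the per-UID page exposes the same data as the listing. If that is the case, the route should carry the same segment, `path: "/k8s/webhooks/{apiKey}/logs/{uid}"`, and `getLogByUID` should run the same `Authorize` check that `getLogs` now does; whether `getLogByUID` reads the key at all is outside this hunk, so confirm before changing it. Putting the key in the URL path follows the existing `.../{apiKey}/scan/validate` route, but for a browser-facing HTML page it means the secret lands in ingress/reverse-proxy access logs and browser history, so an `Authorization` header (or at least a documented caveat on the route) would be the safer convention.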