Merge pull request #1631 from ConductionNL/feature/BEHEER-2135/Proxie…

…s-without-auth Enable not overriding auth for proxies
ConductionNL · Mar 25, 2024 · 2c131d0 · 2c131d0
2 parents 4ffbaf9 + 443f682
commit 2c131d0
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 27 deletions.
diff --git a/api/migrations/Version20240321082004.php b/api/migrations/Version20240321082004.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+/**
+ * Auto-generated Migration: Please modify to your needs!
+ */
+final class Version20240321082004 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return '';
+    }
+
+    public function up(Schema $schema): void
+    {
+        // this up() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE endpoint ADD proxy_overrules_authentication BOOLEAN DEFAULT false');
+    }
+
+    public function down(Schema $schema): void
+    {
+        // this down() migration is auto-generated, please modify it to your needs
+        $this->addSql('ALTER TABLE endpoint DROP proxy_overrules_authentication');
+    }
+}
diff --git a/api/src/Entity/Endpoint.php b/api/src/Entity/Endpoint.php
@@ -136,17 +136,13 @@ class Endpoint
      */
     private ?string $tag = null;
 
-    // @TODO remove totally?
-    // /**
-    //  * @var string The type of this Endpoint.
-    //  *
-    //  * @Assert\NotNull
-    //  * @Assert\Choice({"gateway-endpoint", "entity-route", "entity-endpoint", "documentation-endpoint"})
-    //  *
-    //  * @Groups({"read", "write"})
-    //  * @ORM\Column(type="string")
-    //  */
-    // private string $type;
+     /**
+      * @var bool Whether or not the proxy should overrule the authentication from the request.
+      *
+      * @Groups({"read", "write"})
+      * @ORM\Column(type="boolean", options={"default":false}, nullable=true)
+      */
+     private ?bool $proxyOverrulesAuthentication = false;
 
     /**
      * @var array|null The path of this Endpoint.
@@ -615,18 +611,6 @@ public function setTag(?string $tag): self
         return $this;
     }
 
-    // public function getType(): ?string
-    // {
-    //     return $this->type;
-    // }
-
-    // public function setType(string $type): self
-    // {
-    //     $this->type = $type;
-
-    //     return $this;
-    // }
-
     public function getPath(): ?array
     {
         return $this->path;
@@ -996,4 +980,16 @@ public function removeFederationProxy(Gateway $federationProxy): self
 
         return $this;
     }
+
+    public function getProxyOverrulesAuthentication(): ?bool
+    {
+        return $this->proxyOverrulesAuthentication;
+    }
+
+    public function setProxyOverrulesAuthentication(bool $proxyOverrulesAuthentication): self
+    {
+        $this->proxyOverrulesAuthentication = $proxyOverrulesAuthentication;
+
+        return $this;
+    }
 }
diff --git a/api/src/Security/ApiKeyAuthenticator.php b/api/src/Security/ApiKeyAuthenticator.php
@@ -3,6 +3,7 @@
 namespace App\Security;
 
 use App\Entity\Application;
+use App\Entity\Endpoint;
 use App\Entity\User;
 use App\Security\User\AuthenticationUser;
 use Doctrine\ORM\EntityManagerInterface;
@@ -37,8 +38,18 @@ public function __construct(
      */
     public function supports(Request $request): ?bool
     {
-        return $request->headers->has('Authorization') &&
-            strpos($request->headers->get('Authorization'), 'Bearer') === false;
+        if($request->headers->has('Authorization') === true &&
+            strpos($request->headers->get('Authorization'), 'Bearer') === false) {
+
+            $pathTemp = explode('/api/', $request->getPathInfo(), 2);
+            $endpoint = null;
+            if(count($pathTemp) > 1) {
+                $path = $pathTemp[1];
+                $endpoint = $this->entityManager->getRepository(Endpoint::class)->findByMethodRegex($request->getMethod(), $path);
+            }
+            return ($endpoint instanceof Endpoint === false || $endpoint->getProxyOverrulesAuthentication() == false);
+        }
+        return false;
     }
 
     private function prefixRoles(array $roles): array
@@ -130,6 +141,7 @@ public function authenticate(Request $request): PassportInterface
             'roles'        => $roleArray['roles'],
         ];
 
+
         return new Passport(
             new UserBadge($userArray['id'], function ($userIdentifier) use ($userArray) {
                 return new AuthenticationUser(

diff --git a/api/src/Security/TokenAuthenticator.php b/api/src/Security/TokenAuthenticator.php
@@ -3,6 +3,7 @@
 namespace App\Security;
 
 use App\Entity\Authentication;
+use App\Entity\Endpoint;
 use App\Entity\SecurityGroup;
 use App\Exception\GatewayException;
 use App\Security\User\AuthenticationUser;
@@ -52,8 +53,18 @@ public function __construct(
      */
     public function supports(Request $request): ?bool
     {
-        return $request->headers->has('Authorization') &&
-            strpos($request->headers->get('Authorization'), 'Bearer') === 0;
+        if($request->headers->has('Authorization') === true &&
+            strpos($request->headers->get('Authorization'), 'Bearer') === 0) {
+
+            $pathTemp = explode('/api/', $request->getPathInfo(), 2);
+            $endpoint = null;
+            if(count($pathTemp) > 1) {
+                $path = $pathTemp[1];
+                $endpoint = $this->entityManager->getRepository(Endpoint::class)->findByMethodRegex($request->getMethod(), $path);
+            }
+            return ($endpoint instanceof Endpoint === false || $endpoint->getProxyOverrulesAuthentication() == false);
+        }
+        return false;
     }
 
     /**