Skip to content

require whisk auth fix #480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

require whisk auth fix #480

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
6420cbf
require whisk auth fix
steven0711dong Jan 27, 2020
2ec599e
add a comment
steven0711dong Jan 29, 2020
e142318
trigger travis build
steven0711dong Feb 1, 2020
5767d4d
trigger travis build
steven0711dong Feb 1, 2020
bc8977b
trigger travis
steven0711dong Feb 1, 2020
2cbc2fa
trigger travis
steven0711dong Feb 1, 2020
1de1d9c
travis
steven0711dong Feb 1, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
90 changes: 61 additions & 29 deletions commands/action.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ import (
"math/rand"
"os"
"path/filepath"
"reflect"
"strconv"
"strings"
"time"

Expand Down Expand Up @@ -439,6 +439,11 @@ func parseAction(cmd *cobra.Command, args []string, update bool) (*whisk.Action,
}

action.Annotations = annotations.(whisk.KeyValueArr)
var requireWhiskAuth = action.Annotations.FindKeyValue(WEB_SECURE_ANNOT)
_, isNumberFormat := action.Annotations[requireWhiskAuth].Value.(json.Number)
if requireWhiskAuth > -1 && isNumberFormat {
action.Annotations.AddOrReplace(&whisk.KeyValue{Key: WEB_SECURE_ANNOT, Value: string(action.Annotations[requireWhiskAuth].Value.(json.Number))})
}
}

if len(Flags.action.kind) > 0 && len(Flags.action.docker) > 0 {
Expand Down Expand Up @@ -573,7 +578,7 @@ func augmentWebSecureArg(cmd *cobra.Command, args []string, originalAction *whis
augmentedAction.Annotations = augmentedAction.Annotations.AppendKeyValueArr(getWebSecureAnnotations(existingAction))
}
}
augmentedAction.Annotations = updateWebSecureAnnotation(Flags.action.websecure, augmentedAction.Annotations)
augmentedAction.Annotations = updateWebSecureAnnotation(Flags.action.websecure, augmentedAction.Annotations, existingAction)
}

whisk.Debug(whisk.DbgInfo, "augmentWebSecureArg: Augmented action struct: %#v\n", augmentedAction)
Expand Down Expand Up @@ -849,49 +854,76 @@ func getWebSecureAnnotations(action *whisk.Action) whisk.KeyValueArr {
return webKvArr[0:j]
}

func getNewSecret(secret interface{}) string {
_, isJSONNum := secret.(json.Number)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd replace this with the ability to generate an alphanumeric secret instead.
Something like:

rand.Seed(time.Now().UnixNano())
var alphabet = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
b := make([]rune, SECRET_LENGTH)
for i := range b {
   b[i] = alphabet[rand.Intn(len(alphabet))]
}
return string(b)

_, isInt := secret.(int64)
if isJSONNum {
return string(secret.(json.Number))
} else if isInt {
return strconv.FormatInt(secret.(int64), 10)
}
return secret.(string)
}

/*
* Update the existing annotations with the web security annotation
* If the current web security setting and existing setting are the "same", keep the existing value
* -> checking for the same "--web-secure true" setting means just checking if the two values are integers
* If the current web security setting is "false", remove any existing setting
*/
func updateWebSecureAnnotation(websecure string, annotations whisk.KeyValueArr) whisk.KeyValueArr {
secureSecret := webSecureSecret(websecure) // will be false when "--web-secure false"
existingSecret := annotations.GetValue(WEB_SECURE_ANNOT)
_, disableSecurity := secureSecret.(bool)
_, newSecretIsInt := secureSecret.(int64)
var existingSecretIsInt bool = false
if existingSecret != nil {
_, existingSecretIsInt = existingSecret.(json.Number)
}

if existingSecretIsInt && newSecretIsInt {
whisk.Debug(whisk.DbgInfo, "Retaining existing secret number\n")
} else if existingSecret != nil && disableSecurity {
whisk.Debug(whisk.DbgInfo, "disabling web-secure; deleting annotation: %v\n", WEB_SECURE_ANNOT)
annotations = deleteKey(WEB_SECURE_ANNOT, annotations)
func updateWebSecureAnnotation(websecure string, annotations whisk.KeyValueArr, existingAction *whisk.Action) whisk.KeyValueArr {
secureSecret, secureSecretIsRandomlyGenerated := webSecureSecret(websecure)
userProvidedSecret := annotations.GetValue(WEB_SECURE_ANNOT)
//There is no existing action. So we create require-whisk-auth value based on user input.
if existingAction == nil {
whisk.Debug(whisk.DbgInfo, "Creating secure secret for user based on their input\n")
//Users indicated secret value on command line.
if userProvidedSecret != nil {
whisk.Debug(whisk.DbgInfo, "Setting %v annotation; new secret %v\n", WEB_SECURE_ANNOT, userProvidedSecret)
annotations = annotations.AddOrReplace(&whisk.KeyValue{Key: WEB_SECURE_ANNOT, Value: getNewSecret(userProvidedSecret)})
return annotations
}
whisk.Debug(whisk.DbgInfo, "Setting %v annotation; new secret %v\n", WEB_SECURE_ANNOT, secureSecret)
annotations = annotations.AddOrReplace(&whisk.KeyValue{Key: WEB_SECURE_ANNOT, Value: getNewSecret(secureSecret)})
} else {
whisk.Debug(whisk.DbgInfo, "Setting %v annotation; prior secret %v new secret %v\n",
WEB_SECURE_ANNOT, reflect.TypeOf(existingSecret), reflect.TypeOf(secureSecret))
annotations = annotations.AddOrReplace(&whisk.KeyValue{Key: WEB_SECURE_ANNOT, Value: secureSecret})
existingSecret := existingAction.Annotations.GetValue(WEB_SECURE_ANNOT)
_, disableSecurity := secureSecret.(bool)
if existingSecret != nil && disableSecurity {
whisk.Debug(whisk.DbgInfo, "disabling web-secure; deleting annotation: %v\n", WEB_SECURE_ANNOT)
annotations = deleteKey(WEB_SECURE_ANNOT, annotations)
return annotations
}
//if existingAction secret is not the same with annotations secret, this means user updated the secret using annotation
if existingSecret != annotations.GetValue(WEB_SECURE_ANNOT) {
whisk.Debug(whisk.DbgInfo, "User updates action using --web-secure true -a require-whisk-auth secureKkeyVal. Setting %v annotation; new secret %v\n", WEB_SECURE_ANNOT, annotations.GetValue(WEB_SECURE_ANNOT))
annotations = annotations.AddOrReplace(&whisk.KeyValue{Key: WEB_SECURE_ANNOT, Value: getNewSecret(annotations.GetValue(WEB_SECURE_ANNOT))})
} else {
//new secret is randomly generated, then user typed true
if secureSecretIsRandomlyGenerated {
whisk.Debug(whisk.DbgInfo, "User updates action using --web-secure true without explicitly setting require-whisk-auth annotation. Retaining original action require-whisk-auth value\n")
} else {
//new secret is not randomly generated, then user typed string.
whisk.Debug(whisk.DbgInfo, "User updates action using --web-secure string. Setting %v annotation; new secret %v\n", WEB_SECURE_ANNOT, secureSecret)
annotations = annotations.AddOrReplace(&whisk.KeyValue{Key: WEB_SECURE_ANNOT, Value: getNewSecret(secureSecret)})
}
}
}

return annotations
}

//
// Generate a secret according to the --web-secure setting
// true: return a random int64
// false: return false, meaning no secret was returned
// string: return the same string
func webSecureSecret(webSecureMode string) interface{} {
// Generate a secret according to the --web-secure setting and return an indication of whether a random number is generated as secure key
// true: return a random int64 and true
// false: return false and false
// string: return the same string and false
func webSecureSecret(webSecureMode string) (interface{}, bool) {
switch strings.ToLower(webSecureMode) {
case "true":
return genWebActionSecureKey()
return genWebActionSecureKey(), true
case "false":
return false
return false, false
default:
return webSecureMode
return webSecureMode, false
}
}

Expand Down