From 22381f46f05b6be6d9133855c5ae37e215efc955 Mon Sep 17 00:00:00 2001 From: Nikita Skrynnik Date: Mon, 19 Dec 2022 20:14:43 +1100 Subject: [PATCH] check empty path in getSpiffeIDFromPath function Signed-off-by: Nikita Skrynnik --- pkg/registry/common/authorize/common.go | 23 +++++++++++++++------ pkg/registry/common/authorize/ns_client.go | 16 ++++---------- pkg/registry/common/authorize/ns_server.go | 12 ++--------- pkg/registry/common/authorize/nse_client.go | 12 ++--------- pkg/registry/common/authorize/nse_server.go | 12 ++--------- 5 files changed, 27 insertions(+), 48 deletions(-) diff --git a/pkg/registry/common/authorize/common.go b/pkg/registry/common/authorize/common.go index 89e866d39..3d69b42b8 100644 --- a/pkg/registry/common/authorize/common.go +++ b/pkg/registry/common/authorize/common.go @@ -20,7 +20,6 @@ import ( "context" "github.com/golang-jwt/jwt/v4" - "github.com/pkg/errors" "github.com/spiffe/go-spiffe/v2/spiffeid" "github.com/networkservicemesh/sdk/pkg/registry/common/grpcmetadata" 
@@ -73,22 +72,34 @@ func getRawMap(m *PathIdsMap) map[string][]string { return rawMap } -func getSpiffeIDFromPath(path *grpcmetadata.Path) (spiffeid.ID, error) { +func getSpiffeIDFromPath(ctx context.Context, path *grpcmetadata.Path) spiffeid.ID { + if len(path.PathSegments) == 0 { + log.FromContext(ctx).Warn("can't get spiffe id from empty path") + } tokenString := path.PathSegments[0].Token claims := jwt.MapClaims{} _, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims) if err != nil { - return spiffeid.ID{}, errors.Errorf("failed to parse jwt token: %s", err.Error()) + log.FromContext(ctx).Warnf("failed to parse jwt token: %s", err.Error()) + return spiffeid.ID{} } sub, ok := claims["sub"] if !ok { - return spiffeid.ID{}, errors.New("failed to get field 'sub' from jwt token payload") + log.FromContext(ctx).Warn("failed to get field 'sub' from jwt token payload") + return spiffeid.ID{} } subString, ok := sub.(string) if !ok { - return spiffeid.ID{}, errors.New("failed to convert field 'sub' from jwt token payload to string") + log.FromContext(ctx).Warn("failed to convert field 'sub' from jwt token payload to string") + return spiffeid.ID{} + } + + id, err := spiffeid.FromString(subString) + if err != nil { + log.FromContext(ctx).Warn("failed to parse spiffeid from string: %s", err.Error()) + return spiffeid.ID{} } - return spiffeid.FromString(subString) + return id } diff --git a/pkg/registry/common/authorize/ns_client.go b/pkg/registry/common/authorize/ns_client.go index 5ba71b8bc..e2cdb4f8f 100644 --- a/pkg/registry/common/authorize/ns_client.go +++ b/pkg/registry/common/authorize/ns_client.go 
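Review bot: The new empty-path guard in getSpiffeIDFromPath logs a warning but does not return, so `path.PathSegments[0].Token` on the next line still panics with an index out of range when the path has no segments; add `return spiffeid.ID{}` inside the `if len(path.PathSegments) == 0` block. A nil `path` would also panic at that `len(path.PathSegments)` check if PathFromContext can return nil, which is not visible here. The last warning passes a format string to `Warn`, so the `%s` is not expanded; it should be `log.FromContext(ctx).Warnf("failed to parse spiffeid from string: %s", err.Error())`. Because `sub` is read with `ParseUnverified`, a doc comment stating that the returned ID is unauthenticated and may be the zero value would tell callers what they are getting.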
@@ -80,13 +80,9 @@ func (c *authorizeNSClient) Register(ctx context.Context, ns *registry.NetworkSe } path = grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } - + spiffeID := getSpiffeIDFromPath(ctx, path) rawMap := getRawMap(c.nsPathIdsMap) + input := RegistryOpaInput{ ResourceID: spiffeID.String(), ResourceName: resp.Name, @@ -127,13 +123,9 @@ func (c *authorizeNSClient) Unregister(ctx context.Context, ns *registry.Network } path = grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } - + spiffeID := getSpiffeIDFromPath(ctx, path) rawMap := getRawMap(c.nsPathIdsMap) + input := RegistryOpaInput{ ResourceID: spiffeID.String(), ResourceName: ns.Name, diff --git a/pkg/registry/common/authorize/ns_server.go b/pkg/registry/common/authorize/ns_server.go index 62b93bf12..5cc17c364 100644 --- a/pkg/registry/common/authorize/ns_server.go +++ b/pkg/registry/common/authorize/ns_server.go @@ -56,11 +56,7 @@ func (s *authorizeNSServer) Register(ctx context.Context, ns *registry.NetworkSe } path := grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } + spiffeID := getSpiffeIDFromPath(ctx, path) index := path.Index var leftSide = &grpcmetadata.Path{ @@ -94,11 +90,7 @@ func (s *authorizeNSServer) Unregister(ctx context.Context, ns *registry.Network } path := grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } + spiffeID := getSpiffeIDFromPath(ctx, path) index := path.Index var leftSide = &grpcmetadata.Path{ diff --git a/pkg/registry/common/authorize/nse_client.go b/pkg/registry/common/authorize/nse_client.go index 4978b9aee..e51730a8a 100644 --- a/pkg/registry/common/authorize/nse_client.go +++ b/pkg/registry/common/authorize/nse_client.go 
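Review bot: Register in ns_client.go now continues to the policy check with whatever getSpiffeIDFromPath returns, so a missing or malformed token no longer aborts the call; the zero `spiffeid.ID` is used and `ResourceID: spiffeID.String()` is presumably an empty string. Whether such a request is denied then depends entirely on the OPA policies, which are not visible in this patch, so a hard failure may have become a fail-open path. Either reject early, e.g. `if spiffeID.IsZero() { return nil, errors.New("no spiffe id in path") }` (this needs an errors import in each caller), or add a comment at the call stating that policies must deny an empty resource id. The same applies to the Unregister hunk in this file and to the Register/Unregister hunks in ns_server.go, nse_client.go and nse_server.go; all of these function bodies continue outside their hunks.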
@@ -81,11 +81,7 @@ func (c *authorizeNSEClient) Register(ctx context.Context, nse *registry.Network } path = grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } + spiffeID := getSpiffeIDFromPath(ctx, path) rawMap := getRawMap(c.nsePathIdsMap) input := RegistryOpaInput{ @@ -134,11 +130,7 @@ func (c *authorizeNSEClient) Unregister(ctx context.Context, nse *registry.Netwo } path = grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } + spiffeID := getSpiffeIDFromPath(ctx, path) rawMap := getRawMap(c.nsePathIdsMap) input := RegistryOpaInput{ diff --git a/pkg/registry/common/authorize/nse_server.go b/pkg/registry/common/authorize/nse_server.go index 590a8700f..a85c2ff7c 100644 --- a/pkg/registry/common/authorize/nse_server.go +++ b/pkg/registry/common/authorize/nse_server.go @@ -56,11 +56,7 @@ func (s *authorizeNSEServer) Register(ctx context.Context, nse *registry.Network } path := grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } + spiffeID := getSpiffeIDFromPath(ctx, path) index := path.Index var leftSide = &grpcmetadata.Path{ @@ -95,11 +91,7 @@ func (s *authorizeNSEServer) Unregister(ctx context.Context, nse *registry.Netwo } path := grpcmetadata.PathFromContext(ctx) - - spiffeID, err := getSpiffeIDFromPath(path) - if err != nil { - return nil, err - } + spiffeID := getSpiffeIDFromPath(ctx, path) index := path.Index var leftSide = &grpcmetadata.Path{