Merge pull request #2515 from weaveworks/2477-scope-censor-middleware

Add middleware for conditional Scope report censoring
weaveworks · Feb 26, 2019 · d1e80f8 · d1e80f8
2 parents 660c119 + c32f3e7
commit d1e80f8
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/authfe/routes.go b/authfe/routes.go
@@ -133,6 +133,11 @@ func routes(c Config, authenticator users.UsersClient, ghIntegration *users_clie
 		Secret: c.gcpSSOSecret,
 	}
 
+	scopeCensorMiddleware := users_client.ScopeCensorMiddleware{
+		UsersClient:  authenticator,
+		UserIDHeader: userIDHeader,
+	}
+
 	userPermissionsMiddleware := users_client.UserPermissionsMiddleware{
 		UsersClient:  authenticator,
 		UserIDHeader: userIDHeader,
@@ -239,8 +244,8 @@ func routes(c Config, authenticator users.UsersClient, ghIntegration *users_clie
 		MiddlewarePrefix{
 			"/api/app/{orgExternalID}",
 			[]PrefixRoutable{
-				Prefix{"/api/report", c.queryHost},
-				Prefix{"/api/topology", c.queryHost},
+				Prefix{"/api/report", scopeCensorMiddleware.Wrap(c.queryHost)},
+				Prefix{"/api/topology", scopeCensorMiddleware.Wrap(c.queryHost)},
 				Prefix{"/api/control", c.controlHost},
 				Prefix{"/api/pipe", c.pipeHost},
 				// API to insert deploy key requires GH token. Insert token with middleware.

diff --git a/users/client/middleware.go b/users/client/middleware.go
@@ -22,6 +22,7 @@ import (
 	"github.com/weaveworks/service/common/constants/webhooks"
 	"github.com/weaveworks/service/common/featureflag"
 	httpUtil "github.com/weaveworks/service/common/http"
+	"github.com/weaveworks/service/common/permission"
 	"github.com/weaveworks/service/common/tracing"
 	"github.com/weaveworks/service/users"
 	"github.com/weaveworks/service/users/tokens"
@@ -452,3 +453,28 @@ func (a UserPermissionsMiddleware) Wrap(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// ScopeCensorMiddleware is a middleware.Interface which passes
+// certain query params to Scope API depending on user permissions.
+type ScopeCensorMiddleware struct {
+	UsersClient  users.UsersClient
+	UserIDHeader string
+}
+
+// Wrap implements middleware.Interface
+func (a ScopeCensorMiddleware) Wrap(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// If the user has no permission to view the token, we tell Scope to hide all the sensitive data for the request.
+		if _, err := a.UsersClient.RequireOrgMemberPermissionTo(r.Context(), &users.RequireOrgMemberPermissionToRequest{
+			OrgID:        &users.RequireOrgMemberPermissionToRequest_OrgExternalID{mux.Vars(r)["orgExternalID"]},
+			UserID:       r.Header.Get(a.UserIDHeader),
+			PermissionID: permission.ViewToken,
+		}); err != nil {
+			q := r.URL.Query()
+			q.Set("hideCommandLineArguments", "true")
+			q.Set("hideEnvironmentVariables", "true")
+			r.URL.RawQuery = q.Encode()
+		}
+		next.ServeHTTP(w, r)
+	})
+}