Merge branch 'master' into sle-micro-sles-access

SUSE · Nov 27, 2024 · 3221c29 · 3221c29
2 parents 1edefed + 5b0a2d5
commit 3221c29
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/.../strict_authentication/app/controllers/strict_authentication/authentication_controller.rb b/.../strict_authentication/app/controllers/strict_authentication/authentication_controller.rb
@@ -7,27 +7,28 @@ class AuthenticationController < ::ApplicationController
     # This is the endpoint for nginx subrequest auth check
     def check
       request_uri = request.headers['X-Original-URI']
-      auth_result = path_allowed?(request.headers['X-Original-URI'])
+      auth_result = path_allowed?(request.headers)
       logger.info "Authentication subrequest for #{request_uri} -- #{auth_result ? 'allowed' : 'denied'}"
       head auth_result ? :ok : :forbidden
     end
 
     protected
 
-    def path_allowed?(path)
+    def path_allowed?(headers)
+      path = headers['X-Original-URI']
       return false if path.blank?
+
       return true if path =~ %r{/product\.license/}
 
       path = '/' + path.gsub(/^#{RMT::DEFAULT_MIRROR_URL_PREFIX}/, '')
-
       # Allow access to SLES 12 and 12-SP1 repos for systems migrating from SLES 11
       has_sles11 = @system.products.where(identifier: 'SUSE_SLES').first
       return true if (has_sles11 && (path =~ %r{/12/} || path =~ %r{/12-SP1/}))
 
-      all_allowed_paths.find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
+      all_allowed_paths(headers).find { |allowed_path| path =~ /^#{Regexp.escape(allowed_path)}/ }
     end
 
-    def all_allowed_paths
+    def all_allowed_paths(headers)
       # return all versions of the same product and arch
       # (that the system has available with that subscription)
       # in order to validate access not only for current product but others
@@ -53,7 +54,14 @@ def all_allowed_paths
       # for the SUMa PAYG offers, RMT access verification code allows access
       # to the SUMa Client Tools channels and SUMa Proxy channels
       # when product is SUMA_Server and PAYG or SUMA_Server and used as SCC proxy
-      manager_prod = @system.products.any? { |p| p.identifier.downcase.include?('manager-server') }
+      manager_prod = @system.products.any? do |p|
+        manager = p.identifier.downcase.include?('manager-server')
+        # SUMA 5.0 must have access to SUMA 4.3, 4.2 and so on
+        micro = p.identifier.downcase.include?('sle-micro')
+        instance_id_header = headers.fetch('X-Instance-Identifier', '').casecmp('suse-manager-server').zero?
+        instance_version_header = headers.fetch('X-Instance-Version', '0').split('.')[0] >= '5'
+        manager || (micro && instance_id_header && instance_version_header)
+      end
 
       if manager_prod
         # add all SUMA products paths