fix: Skip azure authentication on /api resources#2702
| if envName != "" { // We shouldn't receive an empty env, added just as a second layer of validation | ||
| function, tail := xpath.Shift(tail) | ||
| switch function { | ||
| case "lock", "releasetrain", "applications", "cluster": |
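Review bot: the `case "lock", "releasetrain", "applications", "cluster":` at the end of this hunk widens the Azure-auth bypass to two route names, `applications` and `cluster`, that the header comment only justifies for `/`, `/release`, `/releasetrain` and `/locks`; every route that returns `true` here is reachable without an Azure token, so each one needs a handler that verifies the PGP signature itself, and the list should either state that or drop the two names that the old tree does not exempt. A table-driven test that feeds the same (method, path) pairs through the old-tree branch and this `/api` branch would keep the two exemption lists from drifting apart.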
"applications" and "cluster" are not returning true for the non-api case, it seems. Why should they for /api-API?
The cluster endpoint simply does not exist for the old api. The applications endpoint does exist, but I can't tell you if it's needed because we are not using it.
| case "lock", "releasetrain", "applications", "cluster": | ||
| return true | ||
| case "": // create environment | ||
| if tail == "/" && (requestMethod == http.MethodPost || requestMethod == http.MethodDelete) { |
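Review bot: `requestMethod == http.MethodDelete` in the `case "":` branch exempts environment deletion from Azure auth on the `/api` tree only; unless the delete handler also enforces the PGP signature check, that is a destructive endpoint reachable with no authentication at all. Either drop `http.MethodDelete` here until the non-api branch is deliberately changed to match, or move the (method, path) exemption into one shared predicate so the two trees cannot disagree.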
MethodDelete is not returning true for the non-api case, it seems. Why should it for /api-API?
I also stumbled over this. My best idea is that this is simply a bug that we haven't found yet because we rarely delete environments.
| } | ||
|
|
||
| // Skip azure authentication with ID for `/` (POST: createEnv), `/release`, `/releasetrain` and `/locks` endpoints. The requests will be validated with pgp signature | ||
| // Also requests to the `/api` endpoints do the same. |
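Review bot: the added comment `// Also requests to the `/api` endpoints do the same.` is too vague for a security-relevant exemption list; spell out which `/api` paths and methods are exempted and restate the invariant the first line relies on (each exempted handler verifies the PGP signature itself), so a later reader can check that every `return true` above has a matching signature check in its handler.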
instead of adding this feature to /api, we should add the required endpoint to the old api.
The new /api is essentially our migration path to get away from "azureauth".
I'm not picky. I just need one way to access it.
There are basically two api endpoints at the moment. The old one on
`/environment` and `/environment-group` and the newer one on `/api/environment` and `/api/environment-group`. For the old one, the azure authentication is explicitly skipped in favour of gpg message signing but the new endpoints don't have that feature. Therefore, the new endpoints are basically unusable from our build server when azure auth is enabled.
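As an added illustration of the point argued in this thread (example code, not from the pull request or the project), the following Go snippet keeps one exemption table that both the old tree and the `/api` tree consult, so the two cannot drift the way the `applications`/`cluster` and `MethodDelete` questions above show they have. Only routes whose handlers verify a PGP signature belong in the table; everything else keeps the Azure token check. The route shapes (`/environments/{env}/...`, `/environment-groups/{group}/locks`), the method lists and the function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// exemption describes one route family whose handler verifies a PGP signature
// on the request itself and may therefore skip the Azure token check.
// The route shapes and method lists below are assumptions made for this example.
type exemption struct {
	segments []string // path segments after the optional "/api" prefix; "*" matches any one segment
	methods  []string // permitted HTTP methods; empty means any method
	subtree  bool     // true: any path below the listed segments also matches
}

// pgpSignedRoutes is the single exemption table consulted for both API trees.
var pgpSignedRoutes = []exemption{
	{segments: []string{"release"}, methods: []string{"POST"}},
	{segments: []string{"environments", "*"}, methods: []string{"POST"}}, // create environment
	{segments: []string{"environments", "*", "locks"}, subtree: true},
	{segments: []string{"environments", "*", "releasetrain"}, subtree: true},
	{segments: []string{"environment-groups", "*", "locks"}, subtree: true},
}

// splitPath normalises a request path into non-empty segments and strips a
// leading "api" segment, so "/api/environments/dev/locks/" and
// "/environments/dev/locks" are matched against the same table.
func splitPath(path string) (segs []string, isAPI bool) {
	for _, s := range strings.Split(path, "/") {
		if s != "" {
			segs = append(segs, s)
		}
	}
	if len(segs) > 0 && segs[0] == "api" {
		return segs[1:], true
	}
	return segs, false
}

// matches reports whether one table entry covers the given segments and method.
func matches(e exemption, segs []string, method string) bool {
	if len(segs) < len(e.segments) || (!e.subtree && len(segs) != len(e.segments)) {
		return false
	}
	for i, want := range e.segments {
		if want != "*" && want != segs[i] {
			return false
		}
	}
	if len(e.methods) == 0 {
		return true
	}
	for _, m := range e.methods {
		if m == method {
			return true
		}
	}
	return false
}

// SkipAzureAuth reports whether a request may bypass Azure authentication.
// Anything not listed in pgpSignedRoutes keeps the token check (deny by default).
func SkipAzureAuth(method, path string) bool {
	segs, _ := splitPath(path)
	for _, e := range pgpSignedRoutes {
		if matches(e, segs, method) {
			return true
		}
	}
	return false
}

// SameDecision checks that the old tree and its /api twin agree for one request;
// a table-driven test over this catches the kind of drift discussed in the thread.
func SameDecision(method, path string) bool {
	return SkipAzureAuth(method, path) == SkipAzureAuth(method, "/api"+path)
}

func main() {
	// Constructed sample requests for illustration.
	requests := []struct{ method, path string }{
		{"POST", "/environments/dev"},
		{"DELETE", "/api/environments/dev"},
		{"PUT", "/api/environments/dev/locks/deploy-freeze"},
		{"GET", "/api/environments/dev/cluster"},
	}
	for _, r := range requests {
		fmt.Printf("%-6s %-45s skipAzureAuth=%v consistent=%v\n",
			r.method, r.path, SkipAzureAuth(r.method, r.path), SameDecision(r.method, r.path))
	}
}
```

The predicate expects the cleaned URL path (for example `r.URL.Path` after the router has normalised it); it strips empty segments so trailing or doubled slashes cannot dodge the table, and the environment name is matched as a single segment so a name that happens to be `api` is not mistaken for the prefix.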