Skip to content

fix: Skip azure authentication on /api resources #2702

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
hannesg wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: Skip azure authentication on /api resources #2702

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 19 additions & 0 deletions pkg/auth/azure.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,9 +129,28 @@ func AllowBypassingAzureAuth(allowedPaths []string, requestUrlPath string, reque
}

// Skip azure authentication with ID for `/` (POST: createEnv), `/release`, `/releasetrain` and `/locks` endpoints. The requests will be validated with pgp signature
// Also requests to the `/api` endpoints do the same.
Copy link
Copy Markdown
Contributor

@sven-urbanski-freiheit-com sven-urbanski-freiheit-com Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instead of adding this feature to /api, we should add the required endpoint to the old api.
The new /api is essentially our migration path to get away from "azureauth".

Copy link
Copy Markdown
Member Author

@hannesg hannesg Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not picky. I just need one way to access it.

// usage in requests from outside the cluster (e.g. by GitHub Actions and the publish.sh script).
group, tail := xpath.Shift(requestUrlPath)

if group == "api" {
subgroup, tail := xpath.Shift(tail)
if subgroup == "environments" || subgroup == "environment-groups" {
envName, tail := xpath.Shift(tail)
if envName != "" { // We shouldn't receive an empty env, added just as a second layer of validation
function, tail := xpath.Shift(tail)
switch function {
case "lock", "releasetrain", "applications", "cluster":
Copy link
Copy Markdown

@ghost ghost Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"applications" and "cluster" are not returning true for the non-api case, it seems. Why should they for /api-API?

Copy link
Copy Markdown
Member Author

@hannesg hannesg Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cluster endpoint simply does not exist for the old api. The applications endpoint does exist, but I can't tell you if it's needed because we are not using it.

return true
case "": // create environment
if tail == "/" && (requestMethod == http.MethodPost || requestMethod == http.MethodDelete) {
Copy link
Copy Markdown

@ghost ghost Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

MethodDelete is not returning true for the non-api case, it seems. Why should it for /api-API?

Copy link
Copy Markdown
Member Author

@hannesg hannesg Jan 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also stubled about this. My best idea is that this simply a bug that we haven't found yet because we rarely delete environments.

return true
}
}
}
}
}

if group == "environments" || group == "environment-groups" {
envName, tail := xpath.Shift(tail)
if envName != "" { // We shouldn't receive an empty env, added just as a second layer of validation
Expand Down
Loading