Skip to content

Commit f5369ee

Browse files
committed
Add denyHosts to pairing websocket
Signed-off-by: Paolo Di Tommaso <[email protected]>
1 parent 6166910 commit f5369ee

File tree

2 files changed

+79
-0
lines changed

2 files changed

+79
-0
lines changed

src/main/groovy/io/seqera/wave/service/pairing/socket/PairingWebSocket.groovy

Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,10 +66,20 @@ class PairingWebSocket {
6666
@Value('${wave.closeSessionOnInvalidLicenseToken:false}')
6767
private boolean closeSessionOnInvalidLicenseToken
6868

69+
@Nullable
70+
@Value('${wave.denyHosts}')
71+
private List<String> denyHosts
72+
6973
@OnOpen
7074
void onOpen(String service, String token, String endpoint, WebSocketSession session) {
7175
log.debug "Opening pairing session - endpoint: ${endpoint} [sessionId: $session.id]"
7276

77+
if( isDenyHost(endpoint) ) {
78+
log.warn "Pairing not allowed for endpoint: ${endpoint}"
79+
session.close(CloseReason.POLICY_VIOLATION)
80+
return
81+
}
82+
7383
// check for a valid connection token
7484
if( licenseManager && !isLicenseTokenValid(token, endpoint) && closeSessionOnInvalidLicenseToken ) {
7585
session.close(CloseReason.POLICY_VIOLATION)
@@ -150,4 +160,11 @@ class PairingWebSocket {
150160
return true
151161
}
152162

163+
protected boolean isDenyHost(String endpoint) {
164+
for( String it : (denyHosts ?: List.of()) ) {
165+
if( endpoint.contains(it) )
166+
return true
167+
}
168+
return false
169+
}
153170
}
Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
/*
2+
* Wave, containers provisioning service
3+
* Copyright (c) 2023-2024, Seqera Labs
4+
*
5+
* This program is free software: you can redistribute it and/or modify
6+
* it under the terms of the GNU Affero General Public License as published by
7+
* the Free Software Foundation, either version 3 of the License, or
8+
* (at your option) any later version.
9+
*
10+
* This program is distributed in the hope that it will be useful,
11+
* but WITHOUT ANY WARRANTY; without even the implied warranty of
12+
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13+
* GNU Affero General Public License for more details.
14+
*
15+
* You should have received a copy of the GNU Affero General Public License
16+
* along with this program. If not, see <https://www.gnu.org/licenses/>.
17+
*/
18+
19+
package io.seqera.wave.service.pairing
20+
21+
import spock.lang.Specification
22+
23+
import io.micronaut.context.ApplicationContext
24+
import io.micronaut.test.extensions.spock.annotation.MicronautTest
25+
import io.seqera.wave.service.pairing.socket.PairingWebSocket
26+
27+
/**
28+
*
29+
* @author Paolo Di Tommaso <[email protected]>
30+
*/
31+
@MicronautTest
32+
class PairingWebSocketTest extends Specification {
33+
34+
def 'should allow any host' () {
35+
given:
36+
def ctx = ApplicationContext.run()
37+
def pairing = ctx.getBean(PairingWebSocket)
38+
39+
expect:
40+
!pairing.isDenyHost('foo')
41+
!pairing.isDenyHost('seqera.io')
42+
!pairing.isDenyHost('ngrok')
43+
44+
cleanup:
45+
ctx.close()
46+
}
47+
48+
def 'should disallowed deny hosts' () {
49+
given:
50+
def ctx = ApplicationContext.run(['wave.denyHosts': ['ngrok','hctal']])
51+
def pairing = ctx.getBean(PairingWebSocket)
52+
53+
expect:
54+
pairing.isDenyHost('ngrok')
55+
pairing.isDenyHost('hctal')
56+
and:
57+
!pairing.isDenyHost('seqera.io')
58+
59+
cleanup:
60+
ctx.close()
61+
}
62+
}

0 commit comments

Comments
 (0)