Add denyHosts to pairing websocket

Signed-off-by: Paolo Di Tommaso <[email protected]>

Author: pditommaso

src/main/groovy/io/seqera/wave/service/pairing/socket/PairingWebSocket.groovy

@@ -66,10 +66,20 @@ class PairingWebSocket {
     @Value('${wave.closeSessionOnInvalidLicenseToken:false}')
     private boolean closeSessionOnInvalidLicenseToken
 
+    @Nullable
+    @Value('${wave.denyHosts}')
+    private List<String> denyHosts
+
     @OnOpen
     void onOpen(String service, String token, String endpoint, WebSocketSession session) {
         log.debug "Opening pairing session - endpoint: ${endpoint} [sessionId: $session.id]"
 
+        if( isDenyHost(endpoint) ) {
+            log.warn "Pairing not allowed for endpoint: ${endpoint}"
+            session.close(CloseReason.POLICY_VIOLATION)
+            return
+        }
+
         // check for a valid connection token
         if( licenseManager && !isLicenseTokenValid(token, endpoint) && closeSessionOnInvalidLicenseToken ) {
             session.close(CloseReason.POLICY_VIOLATION)
@@ -150,4 +160,11 @@ class PairingWebSocket {
         return true
     }
 
+    protected boolean isDenyHost(String endpoint) {
+        for( String it : (denyHosts ?: List.of()) ) {
+            if( endpoint.contains(it) )
+                return true
+        }
+        return false
+    }
 }

src/test/groovy/io/seqera/wave/service/pairing/PairingWebSocketTest.groovy

@@ -0,0 +1,62 @@
+/*
+ *  Wave, containers provisioning service
+ *  Copyright (c) 2023-2024, Seqera Labs
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+package io.seqera.wave.service.pairing
+
+import spock.lang.Specification
+
+import io.micronaut.context.ApplicationContext
+import io.micronaut.test.extensions.spock.annotation.MicronautTest
+import io.seqera.wave.service.pairing.socket.PairingWebSocket
+
+/**
+ *
+ * @author Paolo Di Tommaso <[email protected]>
+ */
+@MicronautTest
+class PairingWebSocketTest extends Specification {
+
+    def 'should allow any host' () {
+        given:
+        def ctx = ApplicationContext.run()
+        def pairing = ctx.getBean(PairingWebSocket)
+
+        expect:
+        !pairing.isDenyHost('foo')
+        !pairing.isDenyHost('seqera.io')
+        !pairing.isDenyHost('ngrok')
+
+        cleanup:
+        ctx.close()
+    }
+
+    def 'should disallowed deny hosts' () {
+        given:
+        def ctx = ApplicationContext.run(['wave.denyHosts': ['ngrok','hctal']])
+        def pairing = ctx.getBean(PairingWebSocket)
+
+        expect:
+        pairing.isDenyHost('ngrok')
+        pairing.isDenyHost('hctal')
+        and:
+        !pairing.isDenyHost('seqera.io')
+
+        cleanup:
+        ctx.close()
+    }
+}