feat: use project/environment IDs to confirm environment identity

Add a cross-check on environment and project IDs to confirm correct environment identity.
uselagoon · Jan 24, 2022 · d15b2ef · d15b2ef
1 parent 243c33e
commit d15b2ef
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/internal/lagoondb/client.go b/internal/lagoondb/client.go
@@ -18,6 +18,8 @@ const pkgName = "github.com/uselagoon/ssh-portal/internal/lagoondb"
 type SSHAccessQuery struct {
 	SSHFingerprint string
 	NamespaceName  string
+	ProjectID      int
+	EnvironmentID  int
 }
 
 // Client is a Lagoon API-DB client
@@ -27,6 +29,7 @@ type Client struct {
 
 // Environment is a Lagoon project environment.
 type Environment struct {
+	ID            int                    `db:"id"`
 	Name          string                 `db:"name"`
 	NamespaceName string                 `db:"namespace_name"`
 	ProjectID     int                    `db:"project_id"`
@@ -67,11 +70,12 @@ func (c *Client) EnvironmentByNamespaceName(ctx context.Context, name string) (*
 	env := Environment{}
 	err := c.db.GetContext(ctx, &env, `
 	SELECT
+		environment.environment_type AS type,
+		environment.id AS id,
 		environment.name AS name,
 		environment.openshift_project_name AS namespace_name,
 		project.id AS project_id,
-		project.name AS project_name,
-		environment.environment_type AS type
+		project.name AS project_name
 	FROM environment JOIN project ON environment.project = project.id
 	WHERE environment.openshift_project_name = ?`, name)
 	if err != nil {

diff --git a/internal/server/server.go b/internal/server/server.go
@@ -72,6 +72,22 @@ func sshportal(ctx context.Context, log *zap.Logger, c *nats.EncodedConn,
 				zap.Any("query", query), zap.Error(err))
 			return
 		}
+		// sanity check the environment we found
+		// if this check fails it likely means a collision in
+		// project+environment -> namespace_name mapping, or some similar logic
+		// error.
+		if (query.ProjectID != 0 && query.ProjectID != env.ProjectID) ||
+			(query.EnvironmentID != 0 && query.EnvironmentID != env.ID) {
+			log.Warn("ID mismatch in environment identification",
+				zap.Any("query", query), zap.Any("env", env), zap.Error(err))
+			if err = c.Publish(replySubject, false); err != nil {
+				log.Error("couldn't publish reply",
+					zap.Any("query", query),
+					zap.Bool("reply value", false),
+					zap.Error(err))
+			}
+			return
+		}
 		// get the user
 		user, err := l.UserBySSHFingerprint(ctx, query.SSHFingerprint)
 		if err != nil {