MCPcopy
hub / github.com/gitpod-io/gitpod / WorkspaceAuthHandler

Function WorkspaceAuthHandler

components/ws-proxy/pkg/proxy/auth.go:20–117  ·  view source on GitHub ↗

WorkspaceAuthHandler rejects requests which are not authenticated or authorized to access a workspace.

(domain string, info WorkspaceInfoProvider)

Source from the content-addressed store, hash-verified

18
19// WorkspaceAuthHandler rejects requests which are not authenticated or authorized to access a workspace.
20func WorkspaceAuthHandler(domain string, info WorkspaceInfoProvider) mux.MiddlewareFunc {
21 return func(h http.Handler) http.Handler {
22 cookiePrefix := domain
23 for _, c := range []string{" ", "-", "."} {
24 cookiePrefix = strings.ReplaceAll(cookiePrefix, c, "_")
25 }
26 cookiePrefix = "_" + cookiePrefix + "_ws_"
27
28 return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
29 var (
30 log = getLog(req.Context())
31 vars = mux.Vars(req)
32 wsID = vars[workspaceIDIdentifier]
33 port = vars[workspacePortIdentifier]
34 )
35 if wsID == "" {
36 log.Warn("workspace request without workspace ID")
37 resp.WriteHeader(http.StatusForbidden)
38
39 return
40 }
41
42 ws := info.WorkspaceInfo(wsID)
43 if ws == nil {
44 log.WithField("workspaceId", wsID).Warn("did not find workspace info")
45 resp.WriteHeader(http.StatusNotFound)
46
47 return
48 }
49
50 if ws.Auth != nil && ws.Auth.Admission == api.AdmissionLevel_ADMIT_EVERYONE {
51 // workspace is free for all - no tokens or cookies matter
52 h.ServeHTTP(resp, req)
53
54 return
55 }
56
57 if port != "" {
58 // this is a workspace port request and ports can be public or private.
59 // For public ports no tokens or cookies matter, private ports are subject
60 // to the same access policies as the workspace itself is.
61 var isPublic bool
62
63 prt, err := strconv.ParseUint(port, 10, 16)
64 if err != nil {
65 log.WithField("port", port).WithError(err).Error("cannot convert port to int")
66 } else {
67 for _, p := range ws.Ports {
68 if p.Port == uint32(prt) {
69 isPublic = p.Visibility == api.PortVisibility_PORT_VISIBILITY_PUBLIC
70
71 break
72 }
73 }
74 }
75
76 if isPublic {
77 // workspace port is free for all - no tokens or cookies matter

Callers 2

WithDefaultAuthFunction · 0.85
TestWorkspaceAuthHandlerFunction · 0.85

Calls 8

getLogFunction · 0.85
WarnMethod · 0.80
DebugMethod · 0.80
WorkspaceInfoMethod · 0.65
GetMethod · 0.65
ContextMethod · 0.45
ServeHTTPMethod · 0.45
ErrorMethod · 0.45

Tested by 1

TestWorkspaceAuthHandlerFunction · 0.68