From d6897dfb69cf46824bd51f4ece04891f9c8a2b9d Mon Sep 17 00:00:00 2001
From: Stas
Date: Tue, 4 Jun 2024 22:08:05 +0200
Subject: [PATCH] feat: add api and metrics token blocklists (#350)

* feat: add api and metrics token blocklists
---
 VERSION | 2 +-
 config/runtime.exs | 4 +++-
 config/test.exs | 6 ++++-
 lib/supavisor_web/router.ex | 8 ++++---
 .../controllers/tenant_controller_test.exs | 23 ++++++++++++++++++-
 5 files changed, 36 insertions(+), 7 deletions(-)

diff --git a/VERSION b/VERSION
index 439ba987..b30a0053 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.1.56
+1.1.57
diff --git a/config/runtime.exs b/config/runtime.exs
index c74f9f0f..d5909ca5 100644
--- a/config/runtime.exs
+++ b/config/runtime.exs
@@ -156,7 +156,9 @@ if config_env() != :test do
     global_upstream_ca: upstream_ca,
     global_downstream_cert: downstream_cert,
     global_downstream_key: downstream_key,
-    reconnect_on_db_close: System.get_env("RECONNECT_ON_DB_CLOSE") == "true"
+    reconnect_on_db_close: System.get_env("RECONNECT_ON_DB_CLOSE") == "true",
+    api_blocklist: System.get_env("API_TOKEN_BLOCKLIST", "") |> String.split(","),
+    metrics_blocklist: System.get_env("METRICS_TOKEN_BLOCKLIST", "") |> String.split(",")
 
   config :supavisor, Supavisor.Repo,
     url: System.get_env("DATABASE_URL", "ecto://postgres:postgres@localhost:6432/postgres"),
diff --git a/config/test.exs b/config/test.exs
index 59006dcc..dcd59c57 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -10,7 +10,11 @@ config :supavisor,
   proxy_port_transaction: System.get_env("PROXY_PORT_TRANSACTION", "7654") |> String.to_integer(),
   secondary_proxy_port: 7655,
   secondary_http: 4003,
-  prom_poll_rate: 500
+  prom_poll_rate: 500,
+  api_blocklist: [
+    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJvbGUiOiJibG9ja2VkIiwiaWF0IjoxNjQ1MTkyODI0LCJleHAiOjE5NjA3Njg4MjR9.y-V3D1N2e8UTXc5PJzmV9cqMteq0ph2wl0yt42akQgA"
+  ],
+  metrics_blocklist: []
 
 config :supavisor, Supavisor.Repo,
   username: "postgres",
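Review bot: `String.split(",")` on the `""` default in the added `api_blocklist` and `metrics_blocklist` lines yields `[""]`, so an unset variable produces a one-entry blocklist containing the empty string, and a value such as `"a, b"` keeps the leading space on the second entry, which then never matches the raw token. Use `String.split(",", trim: true)` and trim each entry: `api_blocklist: System.get_env("API_TOKEN_BLOCKLIST", "") |> String.split(",", trim: true) |> Enum.map(&String.trim/1),` and the same for `metrics_blocklist`. Piping the result through `MapSet.new/1` would additionally turn the per-request `in` scan in the router into a constant-time lookup; `Kernel.in/2` delegates to `Enum.member?/2` for a `MapSet`, so the router hunk would not need to change.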
diff --git a/lib/supavisor_web/router.ex b/lib/supavisor_web/router.ex
index 50608dfe..e51830a3 100644
--- a/lib/supavisor_web/router.ex
+++ b/lib/supavisor_web/router.ex
@@ -12,11 +12,11 @@ defmodule SupavisorWeb.Router do
 
   pipeline :api do
     plug(:accepts, ["json"])
-    plug(:check_auth, :api_jwt_secret)
+    plug(:check_auth, [:api_jwt_secret, :api_blocklist])
   end
 
   pipeline :metrics do
-    plug(:check_auth, :metrics_jwt_secret)
+    plug(:check_auth, [:metrics_jwt_secret, :metrics_blocklist])
   end
 
   pipeline :openapi do
@@ -84,10 +84,12 @@ defmodule SupavisorWeb.Router do
 
   defp check_auth(%{request_path: "/api/health"} = conn, _), do: conn
 
-  defp check_auth(conn, secret_key) do
+  defp check_auth(conn, [secret_key, blocklist_key]) do
     secret = Application.fetch_env!(:supavisor, secret_key)
+    blocklist = Application.fetch_env!(:supavisor, blocklist_key)
 
     with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
+         false <- token in blocklist,
          {:ok, _claims} <- Supavisor.Jwt.authorize(token, secret) do
       conn
     else
diff --git a/test/supavisor_web/controllers/tenant_controller_test.exs b/test/supavisor_web/controllers/tenant_controller_test.exs
index bb9d05f2..a18f98f1 100644
--- a/test/supavisor_web/controllers/tenant_controller_test.exs
+++ b/test/supavisor_web/controllers/tenant_controller_test.exs
@@ -8,6 +8,8 @@ defmodule SupavisorWeb.TenantControllerTest do
 
   @jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJvbGUiOiJhbm9uIiwiaWF0IjoxNjQ1MTkyODI0LCJleHAiOjE5NjA3Njg4MjR9.M9jrxyvPLkUxWgOYSf5dNdJ8v_eRrq810ShFRT8N-6M"
 
+  @blocked_jwt "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJvbGUiOiJibG9ja2VkIiwiaWF0IjoxNjQ1MTkyODI0LCJleHAiOjE5NjA3Njg4MjR9.y-V3D1N2e8UTXc5PJzmV9cqMteq0ph2wl0yt42akQgA"
+
   @user_valid_attrs %{
     db_user_alias: "some_db_user",
     db_user: "some db_user",
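Review bot: The added `false <- token in blocklist` clause in `check_auth/2` compares the raw bearer string before `Supavisor.Jwt.authorize/2` has verified anything, so the blocklist only catches a byte-identical token; whether a differently encoded but still verifiable form of the same token (padding or surrounding whitespace, depending on how lenient the JWT decoder is) would slip past depends on `Supavisor.Jwt`, which is not visible here and should be confirmed. A more robust design keys the blocklist on a verified claim taken from `_claims` (a `jti` or subject) after `authorize` succeeds, or at minimum trims the token before the lookup. The function also deserves a maintainer comment above the new head, since the two-element list contract is easy to get wrong at the plug call sites: `# opts is [secret_config_key, blocklist_config_key]; a token on the blocklist is rejected before signature verification.` The `else` branch of `check_auth/2` continues outside the hunk.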
@@ -51,7 +53,15 @@ defmodule SupavisorWeb.TenantControllerTest do
         "Bearer " <> @jwt
       )
 
-    {:ok, conn: new_conn}
+    blocked_conn =
+      conn
+      |> put_req_header("accept", "application/json")
+      |> put_req_header(
+        "authorization",
+        "Bearer " <> @blocked_jwt
+      )
+
+    {:ok, conn: new_conn, blocked_conn: blocked_conn}
   end
 
   describe "create tenant" do
@@ -66,6 +76,17 @@ defmodule SupavisorWeb.TenantControllerTest do
     end
   end
 
+  describe "create tenant with blocked ip" do
+    test "renders tenant when data is valid", %{blocked_conn: blocked_conn} do
+      blocked_conn =
+        put(blocked_conn, Routes.tenant_path(blocked_conn, :update, "dev_tenant"),
+          tenant: @create_attrs
+        )
+
+      assert blocked_conn.status == 403
+    end
+  end
+
   describe "update tenant" do
     setup [:create_tenant]
 
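Review bot: The new `describe "create tenant with blocked ip"` block and its test name `"renders tenant when data is valid"` do not describe what is asserted: the request carries a blocklisted bearer token, not a blocked IP, and the assertion is that the response status is 403, not that a tenant is rendered. Rename them to `describe "create tenant with blocked token" do` and `test "returns 403 when the bearer token is blocklisted", %{blocked_conn: blocked_conn} do`. The test also issues `put/3` against the `:update` route under a "create tenant" heading; if the intent is to cover the create path, the verb and route should match whatever the sibling `describe "create tenant"` block uses, which lies outside this hunk.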