add project-level access for jwt auth

ffddorf · Apr 3, 2022 · 56429cb · 56429cb
1 parent 5120200
commit 56429cb
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 7 deletions.
diff --git a/cmd/terraform-backend.go b/cmd/terraform-backend.go
@@ -32,7 +32,9 @@ func stateHandler(store storage.Storage, locker lock.Locker, kms kms.KMS) func(h
 
 		vars := mux.Vars(req)
 		state := &terraform.State{
-			ID: terraform.GetStateID(vars["project"], vars["id"]),
+			ID:      terraform.GetStateID(vars["project"], vars["name"]),
+			Project: vars["project"],
+			Name:    vars["name"],
 		}
 
 		log.Infof("%s %s", req.Method, req.URL.Path)
@@ -171,7 +173,7 @@ func main() {
 	tlsCert := viper.GetString("tls_cert")
 
 	r := mux.NewRouter().StrictSlash(true)
-	r.HandleFunc("/state/{project}/{id}", stateHandler(store, locker, kms))
+	r.HandleFunc("/state/{project}/{name}", stateHandler(store, locker, kms))
 	r.HandleFunc("/health", healthHandler)
 
 	if tlsKey != "" && tlsCert != "" {

diff --git a/docs/auth.md b/docs/auth.md
@@ -38,6 +38,8 @@ JWT allow granting access to a state for a given time (the token lifetime). The
 }
 ```
 
+NOTE: `state` value can be set to `*` to allow accessing all project states
+
 ### Config
 | Environment Variable     | Type | Example                                      | Description                                                                       |
 |--------------------------|------|----------------------------------------------|-----------------------------------------------------------------------------------|

diff --git a/terraform/auth/jwt/jwt.go b/terraform/auth/jwt/jwt.go
@@ -46,8 +46,9 @@ func (b *JWTAuth) Authenticate(secret string, s *terraform.State) (bool, error)
 		return false, err
 	}
 
-	tokenID := terraform.GetStateID(claims.TerraformBackend.Project, claims.TerraformBackend.State)
-	if s.ID == tokenID {
+	if s.Project == claims.TerraformBackend.Project && claims.TerraformBackend.State == "*" {
+		return true, nil
+	} else if s.Project == claims.TerraformBackend.Project && s.Name == claims.TerraformBackend.State {
 		return true, nil
 	}
 

diff --git a/terraform/terraform.go b/terraform/terraform.go
@@ -6,9 +6,11 @@ import (
 )
 
 type State struct {
-	ID   string
-	Data []byte
-	Lock []byte
+	ID      string
+	Data    []byte
+	Lock    []byte
+	Project string
+	Name    string
 }
 
 func GetStateID(project, id string) string {