Preparations for status backend

api_auth_docker/Dockerfile

@@ -12,11 +12,13 @@ RUN apk add --update --no-cache \
 
 COPY auth.sh /etc/nginx/conf.d/
 COPY default.conf /etc/nginx/conf.d/default.conf
-COPY statuspage.html /etc/nginx/conf.d/status/
 COPY entrypoint.sh entrypoint.sh
 COPY trace.sh /etc/nginx/conf.d/
 COPY tests.sh /etc/nginx/conf.d/
 
 RUN chmod +x /etc/nginx/conf.d/auth.sh entrypoint.sh
 
+RUN touch /var/log/gatekeeper.log
+RUN chmod a+rw /var/log/gatekeeper.log
+
 ENTRYPOINT ["./entrypoint.sh"]

api_auth_docker/auth.sh

@@ -88,8 +88,9 @@ verify_group()
 
   local id=${1}
   # REQUEST_URI should look like this: /v0/watch/2blablabla
+  local context=$(echo "${REQUEST_URI#\/}" | cut -d '/' -f1)
   local action=$(echo "${REQUEST_URI#\/}" | cut -d '/' -f2)
-  trace "[verify_group] action=${action}"
+  trace "[verify_group] context=${context} action=${action}"
 
   # Check for code injection
   # action can be alphanum... and _ and - but nothing else
@@ -99,18 +100,25 @@ verify_group()
     return 1
   esac
 
-  # It is so much faster to include the keys here instead of grep'ing the file for key.
-  . ./api.properties
-
   local needed_group
   local ugroups
 
-  eval needed_group='$action_'${action}
-  trace "[verify_group] needed_group=${needed_group}"
-
   eval ugroups='$ugroups_'$id
   trace "[verify_group] user groups=${ugroups}"
 
+  if [ $context = "s" ]; then
+    # static files only accessible by a certain group
+    needed_group=${action}
+  elif [ $context = "v0" ]; then
+    # actual api calls
+    # It is so much faster to include the keys here instead of grep'ing the file for key.
+    . ./api.properties
+    eval needed_group='$action_'${action}
+  fi
+
+  trace "[verify_group] needed_group=${needed_group}"
+
+
   case "${ugroups}" in
     *${needed_group}*) trace "[verify_group] Access granted"; return 0 ;;
   esac

api_auth_docker/default.conf

@@ -5,11 +5,9 @@ server {
   ssl_certificate /etc/ssl/certs/cert.pem;
   ssl_certificate_key /etc/ssl/private/key.pem;
 
-  location /status {
-    auth_basic "status";
-    auth_basic_user_file conf.d/status/htpasswd;
+  location /s/ {
+    auth_request /auth;
     root /etc/nginx/conf.d;
-    index statuspage.html;
   }
 
   include /etc/nginx/conf.d/nginx-spark-conf;
@@ -27,6 +25,7 @@ server {
   }
 
   location /auth {
+    error_log /var/log/shice.log debug;
     internal;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME /etc/nginx/conf.d/auth.sh;

api_auth_docker/trace.sh

@@ -3,13 +3,6 @@
 trace()
 {
 	if [ -n "${TRACING}" ]; then
-		echo "[$(date +%Y-%m-%dT%H:%M:%S%z)] $$ ${1}" 1>&2
-	fi
-}
-
-trace_rc()
-{
-	if [ -n "${TRACING}" ]; then
-		echo "[$(date +%Y-%m-%dT%H:%M:%S%z)] $$ Last return code: ${1}" 1>&2
+		echo "[$(date +%Y-%m-%dT%H:%M:%S%z)] $$ $*" 2>>/var/log/gatekeeper.log 1>&2
 	fi
 }