release: 0.5.3 (#61)

.github/workflows/deploy.yml

@@ -68,6 +68,7 @@ jobs:
             "GITHUB_TOKEN=${{ secrets.GH_TOKEN }}"
             "REDIS_HOST=${{ secrets.REDIS_HOST }}"
             "REDIS_PORT=${{ secrets.REDIS_PORT }}"
+            "INTERNAL_SECRET=${{ secrets.INTERNAL_SECRET }}"
 
   deploy:
     needs: build

Dockerfile

@@ -6,6 +6,7 @@ ARG DB_PASSWORD
 ARG GITHUB_TOKEN
 ARG REDIS_HOST
 ARG REDIS_PORT
+ARG INTERNAL_SECRET
 
 ARG JAR_FILE=./build/libs/*.jar
 COPY ${JAR_FILE} gitanimals-render.jar
@@ -15,12 +16,14 @@ ENV db_url=${DB_URL} \
   db_password=${DB_PASSWORD} \
   github_token=${GITHUB_TOKEN} \
   redis_host=${REDIS_HOST} \
-  redis_port=${REDIS_PORT}
+  redis_port=${REDIS_PORT} \
+  internal_secret=${INTERNAL_SECRET}
 
 ENTRYPOINT java -jar gitanimals-render.jar \
   --spring.datasource.url=${db_url} \
   --spring.datasource.username=${db_username} \
   --spring.datasource.password=${db_password} \
   --netx.host=${redis_host} \
   --netx.port=${redis_port} \
-  --github.token=${github_token}
+  --github.token=${github_token} \
+  --internal.secret=${internal_secret}

src/main/kotlin/org/gitanimals/render/controller/interceptor/InterceptorConfigurer.kt

@@ -8,7 +8,7 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 
 @Configuration
 class InterceptorConfigurer(
-    @Value("\${white.ip}") private val whiteIps: List<String>
+    @Value("\${internal.secret}") private val internalSecret: String,
 ) : WebMvcConfigurer {
 
     override fun addInterceptors(registry: InterceptorRegistry) {
@@ -18,5 +18,5 @@ class InterceptorConfigurer(
     }
 
     @Bean
-    fun internalApiInterceptor(): InternalApiInterceptor = InternalApiInterceptor(whiteIps)
+    fun internalApiInterceptor(): InternalApiInterceptor = InternalApiInterceptor(internalSecret)
 }

src/main/kotlin/org/gitanimals/render/controller/interceptor/InternalApiInterceptor.kt

@@ -5,40 +5,21 @@ import jakarta.servlet.http.HttpServletResponse
 import org.springframework.web.servlet.HandlerInterceptor
 
 class InternalApiInterceptor(
-    private val whiteIps: List<String>,
+    private val internalSecret: String,
 ) : HandlerInterceptor {
 
     override fun preHandle(
         request: HttpServletRequest,
         response: HttpServletResponse,
         handler: Any,
     ): Boolean {
-        return whiteIps.contains(extractIp(request))
-    }
-
-    private fun extractIp(request: HttpServletRequest): String {
-        val headers = arrayOf(
-            "Proxy-Client-IP",
-            "WL-Proxy-Client-IP", "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR",
-            "X-Real-IP", "X-RealIP", "REMOTE_ADDR"
-        )
-
-        var ip: String? = request.getHeader("X-Forwarded-For")
-
-        for (header in headers) {
-            if (ip.isNullOrEmpty() || "unknown".equals(ip, ignoreCase = true)) {
-                ip = request.getHeader(header)
-            }
-        }
-
-        if (ip.isNullOrEmpty() || "unknown".equals(ip, ignoreCase = true)) {
-            ip = request.remoteAddr
-        }
+        val requestSecret = request.getHeader("Internal-Secret")
 
-        if (ip == "0:0:0:0:0:0:0:1") {
-            ip = "127.0.0.1"
+        if (requestSecret == internalSecret) {
+            return true
         }
 
-        return ip ?: throw IllegalStateException("Cannot extract ip")
+        response.sendError(403, "Cannot call internal API")
+        return false
     }
 }

src/main/resources/application.properties

@@ -26,7 +26,7 @@ github.token=
 sentry.dsn=https://fe1aaf784ec135343909a4a0dfe4f0eb@o4505051656486912.ingest.us.sentry.io/4507088960684032
 sentry.traces-sample-rate=1.0
 
-white.ip=127.0.0.1,192.168.35.190,192.168.35.139,39.120.67.208
+internal.secret=
 
 spring.application.name=render.gitanimals
 management.endpoints.web.exposure.include=prometheus

src/test/resources/application.properties

@@ -30,4 +30,4 @@ netx.logging.level=info
 ### GITHUB ###
 github.token=1234
 
-white.ip=127.0.0.1
+internal.secret=foo