Fixed the improper resource access if it's not allocated

This fix is for meta api and proxy access - now only the allocated application resource will be able to get the metadata, access to proxy and the resource-by-ip. Otherwise it's getting weird if we are able to get or modify the resource parameters from the machine that's not the actual resource.
adobe · May 10, 2022 · 157f238 · 157f238
1 parent 8f993d2
commit 157f238
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/lib/fish/application.go b/lib/fish/application.go
@@ -1,6 +1,8 @@
 package fish
 
 import (
+	"errors"
+
 	"github.com/adobe/aquarium-fish/lib/openapi/types"
 )
 
@@ -50,3 +52,13 @@ func (f *Fish) ApplicationListGetStatusNew() (as []types.Application, err error)
 	).Find(&as).Error
 	return as, err
 }
+
+func (f *Fish) ApplicationIsAllocated(app_id int64) (err error) {
+	state, err := f.ApplicationStateGetByApplication(app_id)
+	if err != nil {
+		return err
+	} else if state.Status != types.ApplicationStateStatusALLOCATED {
+		return errors.New("Fish: The Application is not allocated")
+	}
+	return nil
+}
diff --git a/lib/fish/resource.go b/lib/fish/resource.go
@@ -116,13 +116,18 @@ func (f *Fish) ResourceGetByIP(ip string) (res *types.Resource, err error) {
 	// Check by IP first
 	err = f.db.Where("node_id = ?", f.GetNodeID()).Where("ip_addr = ?", ip).First(res).Error
 	if err == nil {
+		// Check if the state is allocated to prevent old resources access
+		if f.ApplicationIsAllocated(res.ApplicationID) != nil {
+			return nil, errors.New("Fish: Prohibited to access the Resource of not allocated Application")
+		}
+
 		return res, nil
 	}
 
 	// Make sure the IP is the controlled network, otherwise someone from outside
 	// could become a local node resource, so let's be careful
 	if !isControlledNetwork(ip) {
-		return res, errors.New("Fish: Prohibited to serve the Resource IP from not controlled network")
+		return nil, errors.New("Fish: Prohibited to serve the Resource IP from not controlled network")
 	}
 
 	// Check by MAC and update IP if found
@@ -136,6 +141,11 @@ func (f *Fish) ResourceGetByIP(ip string) (res *types.Resource, err error) {
 		return nil, err
 	}
 
+	// Check if the state is allocated to prevent old resources access
+	if f.ApplicationIsAllocated(res.ApplicationID) != nil {
+		return nil, errors.New("Fish: Prohibited to access the Resource of not allocated Application")
+	}
+
 	log.Println("Fish: Update IP address for the Resource", res.ID, ip)
 	res.IpAddr = ip
 	err = f.ResourceSave(res)