From 85b187293f12f149494986872d6b06789945ea18 Mon Sep 17 00:00:00 2001
From: Janis
Date: Sun, 3 May 2026 13:12:50 +0200
Subject: [PATCH] fix(auth): correct internal secret validation logic in InternalAuthFilter
---
 .github/workflows/native-image.yml | 29 ++++++++++++-------
 .../security/InternalAuthFilter.scala | 2 +-
 2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/native-image.yml b/.github/workflows/native-image.yml
index 0183825..b96b2bf 100644
--- a/.github/workflows/native-image.yml
+++ b/.github/workflows/native-image.yml
@@ -19,12 +19,20 @@ jobs:
 - id: check
 run: |
 if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+ echo "Triggered manually — allowing build"
 echo "allowed=true" >> "$GITHUB_OUTPUT" else COMMIT_AUTHOR=$(git log -1 --format='%an')
+ COMMIT_SHA=$(git log -1 --format='%H')
+ COMMIT_MSG=$(git log -1 --format='%s')
+ echo "Commit: ${COMMIT_SHA}"
+ echo "Author: ${COMMIT_AUTHOR}"
+ echo "Message: ${COMMIT_MSG}"
 if [[ "$COMMIT_AUTHOR" == "TeamCity" ]]; then
+ echo "Author is TeamCity — allowing build"
 echo "allowed=true" >> "$GITHUB_OUTPUT" else
+ echo "Author is not TeamCity — skipping build"
 echo "allowed=false" >> "$GITHUB_OUTPUT" fi fi
@@ -59,8 +67,10 @@ jobs:
 if [ -f "modules/${{ matrix.module }}/versions.env" ]; then source modules/${{ matrix.module }}/versions.env VERSION="${MAJOR}.${MINOR}.${PATCH}"
+ echo "[${{ matrix.module }}] Version: ${VERSION}"
 echo "version=${VERSION}" >> "$GITHUB_OUTPUT" else
+ echo "[${{ matrix.module }}] No versions.env found — using 'latest'"
 echo "version=latest" >> "$GITHUB_OUTPUT" fi
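Review bot: The gate this hunk now logs as `Author is TeamCity — allowing build` still keys on `git log -1 --format='%an'`, a free-text field any committer sets with `git config user.name TeamCity`, so if `allowed` is meant to protect what the later jobs do with the registry it is not a security control. The same step could require a verified signature instead, e.g. `[[ "$(git log -1 --format='%G?')" == "G" ]]` (needs the TeamCity signing key imported on the runner), or key the decision on `github.actor` or a protected branch rather than the author name. The added `echo "Author: ${COMMIT_AUTHOR}"` / `echo "Message: ${COMMIT_MSG}"` lines are quoted, so they add no command-injection surface; they just make the weak signal more visible in the log. The `id: check` step header is in the hunk, but the job and its `permissions:` block are outside it.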
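Review bot: `VERSION` is written to `$GITHUB_OUTPUT` right after the new `Version:` echo with no shape check, and `MAJOR`/`MINOR`/`PATCH` come from `source modules/${{ matrix.module }}/versions.env`, a file in the repository, so whatever that file contains reaches every later use of `steps.version.outputs.version` (the tag comparison in the next hunk, and presumably the image tag). Guard the output before writing it: `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected version '${VERSION}'" >&2; exit 1; }`. `source` of a repo-controlled file executes it as shell and is pre-existing, but if this workflow can run on refs that are not fully trusted, the author gate in the `check` step is the only thing between a modified `versions.env` and this runner. The step header and the job around this hunk are not visible here.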
@@ -69,19 +79,16 @@ jobs:
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- # Exchange the GitHub token for a GHCR registry JWT
- TOKEN=$(curl -s \
- -u "${{ github.actor }}:${GH_TOKEN}" \
- "https://ghcr.io/token?scope=repository:now-chess/now-chess-systems/${{ matrix.module }}:pull&service=ghcr.io" \
- | jq -r .token)
-
- STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
- -H "Authorization: Bearer ${TOKEN}" \
- "https://ghcr.io/v2/now-chess/now-chess-systems/${{ matrix.module }}/manifests/${{ steps.version.outputs.version }}")
-
- if [[ "$STATUS" == "200" ]]; then
+ PACKAGE="now-chess-systems%2F${{ matrix.module }}"
+ VERSION="${{ steps.version.outputs.version }}"
+ EXISTING_TAGS=$(gh api "orgs/now-chess/packages/container/${PACKAGE}/versions" \
+ --jq '.[].metadata.container.tags[]' 2>/dev/null || echo "")
+ echo "[${{ matrix.module }}] Existing tags: $(echo "${EXISTING_TAGS}" | tr '\n' ' ' | xargs)"
+ if echo "${EXISTING_TAGS}" | grep -qx "${VERSION}"; then
+ echo "[${{ matrix.module }}] Image ${VERSION} already exists — skipping build"
 echo "exists=true" >> "$GITHUB_OUTPUT" else
+ echo "[${{ matrix.module }}] Image ${VERSION} not found — will build"
 echo "exists=false" >> "$GITHUB_OUTPUT" fi
diff --git a/modules/security/src/main/scala/de/nowchess/security/InternalAuthFilter.scala b/modules/security/src/main/scala/de/nowchess/security/InternalAuthFilter.scala
index d713f42..aebe02b 100644
--- a/modules/security/src/main/scala/de/nowchess/security/InternalAuthFilter.scala
+++ b/modules/security/src/main/scala/de/nowchess/security/InternalAuthFilter.scala
@@ -23,5 +23,5 @@ class InternalAuthFilter extends ContainerRequestFilter:
 override def filter(ctx: ContainerRequestContext): Unit = if authEnabled then val header = Option(ctx.getHeaderString("X-Internal-Secret"))
- if header.isEmpty || header.get.equals(secret) then
+ if header.isEmpty || (!header.get.equals(secret)) then
 ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build())
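Review bot: The new `gh api … 2>/dev/null || echo ""` on the `EXISTING_TAGS=` line turns every failure of the lookup — `GITHUB_TOKEN` lacking `packages: read`, rate limiting, a wrong org or package path — into an empty tag list, after which the step logs `not found — will build` and `exists=false`, so a version that already exists is rebuilt and, presumably, pushed over; the curl version it replaces at least compared an explicit HTTP status. Only a 404 (package never published) should mean "no tags", and any other error should fail the step. Two smaller points on the same lines: `gh api` returns one page of versions unless `--paginate` is given, so older tags silently fall out of the comparison, and `grep -qx "${VERSION}"` treats the dots in `1.2.3` as wildcards, so use `grep -qxF --`. The exact text `gh` prints for a 404 should be confirmed against the CLI version on the runner before relying on the match below.
```yaml
          PACKAGE="now-chess-systems%2F${{ matrix.module }}"
          VERSION="${{ steps.version.outputs.version }}"
          # A 404 means the package has never been published; any other API error
          # must fail the step instead of falling through to "will build".
          if ! EXISTING_TAGS=$(gh api --paginate "orgs/now-chess/packages/container/${PACKAGE}/versions" \
                 --jq '.[].metadata.container.tags[]' 2>gh-api.err); then
            grep -q 'HTTP 404' gh-api.err || { cat gh-api.err >&2; exit 1; }
            EXISTING_TAGS=""
          fi
          # … unchanged: "Existing tags:" log line …
          if grep -qxF -- "${VERSION}" <<< "${EXISTING_TAGS}"; then
          # … unchanged: exists=true / exists=false outputs …
```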
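Review bot: The corrected condition on the `+` line still compares the shared secret with `String.equals`, which returns at the first differing character, so response time leaks how many leading bytes of `X-Internal-Secret` are correct; for a static secret use a constant-time check, `if !header.exists(h => MessageDigest.isEqual(h.getBytes(UTF_8), secret.getBytes(UTF_8))) then` (same missing-or-wrong → 401 behaviour; needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets.UTF_8` imported above the hunk). The inverted check this commit fixes accepted wrong secrets and rejected the right one without anything catching it, so a regression test asserting the three cases — header absent, wrong value, exact value — belongs with the fix. It is also worth confirming, where `secret` is declared above the hunk, that a blank or unset value is rejected at startup, because an empty `secret` makes a request with an empty `X-Internal-Secret:` header pass. `filter` is complete in the hunk; `secret` and `authEnabled` are defined outside it.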