Enforce authorization on log rules endpoint based on labels from matcher (observatorium#824)

JoaoBraveCoding · web-flow · commit 526508558978 · 2025-06-16T17:25:29.000+02:00
diff --git a/api/logs/v1/rules_labels_enforcer.go b/api/logs/v1/rules_labels_enforcer.go
@@ -15,32 +15,17 @@ import (
 
 const labelsParam = "labels"
 
-// WithEnforceRulesLabelFilters returns a middleware that enforces that every query
-// parameter has a matching matcher returned by authorization endpoint.
-func WithEnforceRulesLabelFilters(labelKeys map[string][]string) func(http.Handler) http.Handler {
+// WithEnforceRulesAuthorizationLabels returns a middleware that enforces that every query
+// matcher returned by authorization endpoint has a matching URL parameter.
+func WithEnforceRulesAuthorizationLabels() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			tenant, ok := authentication.GetTenant(r.Context())
-			if !ok {
-				httperr.PrometheusAPIError(w, "missing tenant id", http.StatusBadRequest)
-
-				return
-			}
-
-			keys, ok := labelKeys[tenant]
-			if !ok || len(keys) == 0 {
-				next.ServeHTTP(w, r)
-
-				return
-			}
-
 			data, ok := authorization.GetData(r.Context())
 			if !ok {
 				httperr.PrometheusAPIError(w, "error finding authorization label matcher", http.StatusInternalServerError)
 
 				return
 			}
-
 			// Early pass to the next if no authz label enforcement configured.
 			if data == "" {
 				next.ServeHTTP(w, r)
@@ -65,26 +50,14 @@ func WithEnforceRulesLabelFilters(labelKeys map[string][]string) func(http.Handl
 			// If the authorization endpoint provides any matchers, ensure that the URL parameter value
 			// matches an authorization matcher with the same URL parameter key.
 			queryParams := r.URL.Query()
-			for _, key := range keys {
-				var (
-					val     = queryParams.Get(key)
-					matched = false
-				)
-
-				for _, matcher := range matchers {
-					if matcher == nil {
-						continue
-					}
-
-					if matcher.Name == key && matcher.Matches(val) {
-						matched = true
-						break
-					}
+			for _, matcher := range matchers {
+				if matcher == nil {
+					continue
 				}
+				val := queryParams.Get(matcher.Name)
 
-				if !matched {
-					httperr.PrometheusAPIError(w, fmt.Sprintf("unauthorized access for URL parameter %q and value %q", key, val), http.StatusForbidden)
-
+				if !matcher.Matches(val) {
+					httperr.PrometheusAPIError(w, fmt.Sprintf("unauthorized access for URL parameter %q and value %q", matcher.Name, val), http.StatusForbidden)
 					return
 				}
 			}
diff --git a/main.go b/main.go
@@ -750,7 +750,7 @@ func main() {
 								logsv1.WithWriteMiddleware(authorization.WithAuthorizers(authorizers, rbac.Write, "logs")),
 								logsv1.WithRulesLabelFilters(cfg.logs.rulesLabelFilters),
 								logsv1.WithRulesReadMiddleware(logsv1.WithEnforceTenantAsRuleNamespace()),
-								logsv1.WithRulesReadMiddleware(logsv1.WithEnforceRulesLabelFilters(cfg.logs.rulesLabelFilters)),
+								logsv1.WithRulesReadMiddleware(logsv1.WithEnforceRulesAuthorizationLabels()),
 								logsv1.WithRulesReadMiddleware(logsv1.WithParametersAsLabelsFilterRules(cfg.logs.rulesLabelFilters)),
 								logsv1.WithRulesWriteMiddleware(logsv1.WithEnforceTenantAsRuleNamespace()),
 								logsv1.WithRulesWriteMiddleware(logsv1.WithEnforceRuleLabels(cfg.logs.tenantLabel)),
