Update Zypper auth check

When a hybrid system runs zypper command, the check needs to take care of the subscription verification Currently, the check lacks paid extension ID, resulting in an unsuccessful verification This change fixes that If system is hybrid, and the path being accessed belongs to a paid extension, we check that the paid extension subscription is active if the repository path belongs to a free repository or no matches with paid extensions, no need to check the subscription if ZypperAuth handle_scc_subscription method gets called without a product id, the method will check _all_ non free products suscriptions to be active, if any This fixes bsc#1230157
SUSE · Jan 10, 2025 · ac56301 · ac56301
1 parent 5aabdb4
commit ac56301
Showing 1 changed file with 33 additions and 5 deletions.
diff --git a/engines/zypper_auth/lib/zypper_auth/engine.rb b/engines/zypper_auth/lib/zypper_auth/engine.rb
@@ -51,9 +51,22 @@ def verify_instance(request, logger, system, params_product_id = nil)
     end
 
     def handle_scc_subscription(request, system, verification_provider, params_product_id = nil)
-      product_class = Product.find_by(id: params_product_id).product_class if params_product_id.present?
-      result = SccProxy.scc_check_subscription_expiration(request.headers, system, product_class)
-      return true if result[:is_active]
+      if params_product_id.present?
+        product_class = Product.find_by(id: params_product_id).product_class
+        result = SccProxy.scc_check_subscription_expiration(request.headers, system, product_class)
+        return true if result[:is_active]
+      else
+        # no product id provided
+        # check all non free extensions subscriptions with SCC, if any
+        paid_extensions = system.products.select { |prod| prod if !prod.free && prod.product_type == 'extension' }
+        return true if paid_extensions.empty?
+
+        all_active = paid_extensions.all? do |paid_extension|
+          result = SccProxy.scc_check_subscription_expiration(request.headers, system, paid_extension.product_class)
+          result[:is_active]
+        end
+        return true if all_active
+      end
 
       ZypperAuth.zypper_auth_message(request, system, verification_provider, result[:message])
       false
@@ -140,8 +153,23 @@ def verify_instance
         alias_method :original_path_allowed?, :path_allowed?
 
         # additional validation for strict_authentication auth subrequest
-        def path_allowed?(path)
-          return false unless original_path_allowed?(path)
+        def path_allowed?(headers)
+          return false unless original_path_allowed?(headers)
+
+          if @system.hybrid?
+            paid_extensions = @system.products.select { |prod| prod if !prod.free && prod.product_type == 'extension' }
+            paid_extensions.each do |paid_extension|
+              repos_paths = paid_extension.repositories.pluck(:local_path)
+              repos_paths.each do |repo_path|
+                if headers.fetch('X-Original-URI', '').include? repo_path
+                  logger.info "verifying paid extension #{paid_extension.identifier}"
+                  return ZypperAuth.verify_instance(request, logger, @system, paid_extension.id)
+                end
+              end
+            end
+          end
+          # either no hybrid system, no need to check for paid extensions
+          # or path not found on paid extensions and system is hybrid
           ZypperAuth.verify_instance(request, logger, @system)
         end
       end