add version checks for synchronizer client (#58)

Signed-off-by: Matthias Bertschy <[email protected]>
kubescape · Feb 14, 2024 · 7d751f8 · 7d751f8
1 parent 3352570
commit 7d751f8
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 0 deletions.
diff --git a/cmd/client/main.go b/cmd/client/main.go
@@ -2,8 +2,10 @@ package main
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net"
+	"net/http"
 	"net/url"
 	"os"
 	"time"
@@ -82,11 +84,14 @@ func main() {
 	adapter := incluster.NewInClusterAdapter(cfg.InCluster, k8sclient)
 
 	// authentication headers
+	version := os.Getenv("RELEASE")
 	dialer := ws.Dialer{
 		Header: ws.HandshakeHeaderHTTP(map[string][]string{
 			core.AccessKeyHeader:   {cfg.InCluster.AccessKey},
 			core.AccountHeader:     {cfg.InCluster.Account},
 			core.ClusterNameHeader: {cfg.InCluster.ClusterName},
+			core.HelmVersionHeader: {os.Getenv("HELM_RELEASE")},
+			core.VersionHeader:     {version},
 		}),
 		NetDial: utils.GetDialer(),
 	}
@@ -102,6 +107,10 @@ func main() {
 		var conn net.Conn
 		if err := backoff.RetryNotify(func() error {
 			conn, _, _, err = dialer.Dial(ctx, cfg.InCluster.ServerUrl)
+			var status ws.StatusError
+			if errors.As(err, &status) && status == http.StatusFailedDependency {
+				return backoff.Permanent(fmt.Errorf("server rejected our client version <%s>, please update", version))
+			}
 			return err
 		}, utils.NewBackOff(), func(err error, d time.Duration) {
 			logger.L().Ctx(ctx).Warning("connection error", helpers.Error(err),

diff --git a/cmd/server/authentication/authentication.go b/cmd/server/authentication/authentication.go
@@ -35,6 +35,8 @@ func AuthenticationServerMiddleware(cfg *config.AuthenticationServerConfig, next
 		accessKey := r.Header.Get(core.AccessKeyHeader)
 		account := r.Header.Get(core.AccountHeader)
 		cluster := r.Header.Get(core.ClusterNameHeader)
+		helmVersion := r.Header.Get(core.HelmVersionHeader)
+		version := r.Header.Get(core.VersionHeader)
 
 		if accessKey == "" || account == "" || cluster == "" {
 			logger.L().Error("missing headers on incoming connection",
@@ -46,6 +48,11 @@ func AuthenticationServerMiddleware(cfg *config.AuthenticationServerConfig, next
 			return
 		}
 
+		if version == "invalid" {
+			w.WriteHeader(http.StatusFailedDependency)
+			return
+		}
+
 		if client != nil {
 
 			u, err := url.Parse(cfg.Url)
@@ -115,6 +122,8 @@ func AuthenticationServerMiddleware(cfg *config.AuthenticationServerConfig, next
 			Cluster:        cluster,
 			ConnectionId:   connectionId,
 			ConnectionTime: connectionTime,
+			HelmVersion:    helmVersion,
+			Version:        version,
 		})
 
 		// create new request using the new context

diff --git a/core/headers.go b/core/headers.go
@@ -5,4 +5,6 @@ const (
 	AccessKeyHeader   = "X-API-KEY"
 	AccountHeader     = "X-API-ACCOUNT"
 	ClusterNameHeader = "X-API-CLUSTER"
+	HelmVersionHeader = "X-HELM-VERSION"
+	VersionHeader     = "X-SYNCHRONIZER-VERSION"
 )
diff --git a/domain/identifiers.go b/domain/identifiers.go
@@ -40,6 +40,8 @@ type ClientIdentifier struct {
 	Cluster        string
 	ConnectionId   string
 	ConnectionTime time.Time
+	HelmVersion    string
+	Version        string
 }
 
 func (c ClientIdentifier) String() string {