From 1082055e4d288e69c2f4d6abee7d09f7562c9735 Mon Sep 17 00:00:00 2001
From: Diego Cepeda
Date: Wed, 18 Aug 2021 11:13:16 -0700
Subject: [PATCH] remove internal app allowlist
---
 src/iris/api.py | 22 +++++-----------------
 1 file changed, 5 insertions(+), 17 deletions(-)
diff --git a/src/iris/api.py b/src/iris/api.py
index 8674d7e8..ce7827aa 100644
--- a/src/iris/api.py
+++ b/src/iris/api.py
@@ -767,9 +767,7 @@ def process_request(self, req, resp):
 class AuthMiddleware(object):
- def __init__(self, config={}, debug=False):
-
- self.allowlisted_apps = config.get('allowlisted_internal_apps', [])
+ def __init__(self, debug=False):
 if debug:
 self.process_resource = self.debug_auth
@@ -891,12 +889,6 @@ def process_resource(self, req, resp, resource, params): # pragma: no cover
 req.context['app'] = app
 if username_header:
 req.context['username'] = username_header
-
- # if trying to access internal route ensure that the app is in the allowlist
- if hasattr(resource, "internal_allowlist_only"):
- if resource.internal_allowlist_only:
- if app_name not in self.allowlisted_apps:
- raise HTTPUnauthorized('This endpoint is only available for internal allowlisted applications', '', [])
 return
 # No successful HMACs match, fail auth.
 if username_header:
@@ -915,8 +907,8 @@ def process_resource(self, req, resp, resource, params): # pragma: no cover
 class ACLMiddleware(object):
- def __init__(self, config={}, debug=False):
- self.allowlisted_apps = config.get('allowlisted_internal_apps', [])
+ def __init__(self, debug):
+ pass
 def process_resource(self, req, resp, resource, params):
 self.process_frontend_routes(req, resource)
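Review bot: With `self.allowlisted_apps` dropped from `AuthMiddleware.__init__` here and the `internal_allowlist_only` branch deleted from `process_resource` in the next hunk, any resource that still sets `internal_allowlist_only = True` becomes reachable by every application that passes HMAC authentication, with no error or log to show the restriction is gone. The diffstat's 17 deletions are all accounted for by the middleware and `construct_falcon_api` hunks, so this commit does not remove the attribute from any resource; whether one still carries it is not visible in the patch and should be confirmed before merging. If some do, failing closed is the safer interim behaviour, for example `if getattr(resource, 'internal_allowlist_only', False): raise HTTPUnauthorized('Internal endpoint is disabled', '', [])` placed before the `return` in `process_resource`, whose body starts and ends outside that hunk. A deployed config that still lists `allowlisted_internal_apps` is also ignored silently now, which deserves a line in the upgrade notes.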
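Review bot: `ACLMiddleware.__init__` now requires `debug` as a positional argument although the body is only `pass`, while `AuthMiddleware.__init__` in the first hunk keeps `debug=False`, so any caller or test that builds `ACLMiddleware()` without arguments raises `TypeError`. Keeping the default, `def __init__(self, debug=False):`, preserves the old call shape; alternatively remove the constructor and change the call in `construct_falcon_api` to `ACLMiddleware()`. A one-line comment such as `# debug is accepted for symmetry with AuthMiddleware and is unused` would explain why the parameter remains.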
@@ -942,10 +934,6 @@ def process_admin_acl(self, req, resource, params):
 enforce_user = getattr(resource, 'enforce_user', False)
 app = req.context.get('app')
- # internally allowlisted apps have access to all internal data
- if req.context.get('app', {}).get('name') in self.allowlisted_apps:
- return
-
 if not req.context['username']:
 # Check if we need to raise 401s when user must be enforced
 if enforce_user:
@@ -5435,8 +5423,8 @@ def construct_falcon_api(debug, healthcheck_path, allowed_origins, iris_sender_a
 cors = CORS(allow_origins_list=allowed_origins)
 api = API(middleware=[
 ReqBodyMiddleware(),
- AuthMiddleware(config=config, debug=debug),
- ACLMiddleware(config=config, debug=debug),
+ AuthMiddleware(debug=debug),
+ ACLMiddleware(debug=debug),
 HeaderMiddleware(),
 cors.middleware
 ])