-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Passthrough OAuth bearer token supplied to Query service through to ES storage #1599
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,84 @@ | ||
// Copyright (c) 2019 The Jaeger Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package app | ||
|
||
import ( | ||
"net/http" | ||
"net/http/httptest" | ||
"sync" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"go.uber.org/zap" | ||
|
||
"github.com/jaegertracing/jaeger/storage/spanstore" | ||
) | ||
|
||
|
||
func Test_bearTokenPropagationHandler(t *testing.T) { | ||
logger := zap.NewNop() | ||
bearerToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsIm5hbWUiOiJKb2huIERvZSIsImlhdCI" | ||
|
||
validTokenHandler := func(stop *sync.WaitGroup) http.HandlerFunc { | ||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
ctx := r.Context() | ||
token, ok := spanstore.GetBearerToken(ctx) | ||
assert.Equal(t, token, bearerToken) | ||
assert.True(t, ok) | ||
stop.Done() | ||
}) | ||
} | ||
|
||
emptyHandler := func(stop *sync.WaitGroup) http.HandlerFunc { | ||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
ctx := r.Context() | ||
token, _ := spanstore.GetBearerToken(ctx) | ||
assert.Empty(t, token, bearerToken) | ||
stop.Done() | ||
}) | ||
} | ||
|
||
testCases := []struct { | ||
name string | ||
sendHeader bool | ||
header string | ||
handler func(stop *sync.WaitGroup) http.HandlerFunc | ||
}{ | ||
{ name:"Bearer token", sendHeader: true, header: "Bearer " + bearerToken, handler:validTokenHandler}, | ||
{ name:"Invalid header",sendHeader: true, header: bearerToken, handler:emptyHandler}, | ||
jpkrohling marked this conversation as resolved.
Show resolved
Hide resolved
|
||
{ name:"No header", sendHeader: false, handler:emptyHandler}, | ||
{ name:"Basic Auth", sendHeader: true, header: "Basic " + bearerToken, handler:emptyHandler}, | ||
{ name:"X-Forwarded-Access-Token", sendHeader: true, header: "Bearer " + bearerToken, handler:validTokenHandler}, | ||
} | ||
|
||
for _, testCase := range testCases { | ||
t.Run(testCase.name, func(t *testing.T) { | ||
stop := sync.WaitGroup{} | ||
stop.Add(1) | ||
r := bearerTokenPropagationHandler(logger, testCase.handler(&stop)) | ||
server := httptest.NewServer(r) | ||
defer server.Close() | ||
req , err := http.NewRequest("GET", server.URL, nil) | ||
assert.Nil(t,err) | ||
if testCase.sendHeader { | ||
req.Header.Add("Authorization", testCase.header) | ||
} | ||
_, err = httpClient.Do(req) | ||
assert.Nil(t, err) | ||
stop.Wait() | ||
}) | ||
} | ||
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
// Copyright (c) 2019 The Jaeger Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package app | ||
|
||
import ( | ||
"net/http" | ||
"strings" | ||
|
||
"go.uber.org/zap" | ||
|
||
"github.com/jaegertracing/jaeger/storage/spanstore" | ||
) | ||
|
||
func bearerTokenPropagationHandler(logger *zap.Logger, h http.Handler) http.Handler { | ||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
ctx := r.Context() | ||
authHeaderValue := r.Header.Get("Authorization") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we also need to be checking for @jpkrohling does this sound reasonable to you? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, it does. That's a common header set by reverse proxies. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I put support for X-Forwarded-Access-Token, I tried to get token from there if Authorization header is not defined. |
||
// If no Authorization header is present, try with X-Forwarded-Access-Token | ||
if authHeaderValue == "" { | ||
authHeaderValue = r.Header.Get("X-Forwarded-Access-Token") | ||
} | ||
if authHeaderValue != "" { | ||
headerValue := strings.Split(authHeaderValue, " ") | ||
token := "" | ||
if len(headerValue) == 2 { | ||
// Make sure we only capture bearer token , not other types like Basic auth. | ||
if headerValue[0] == "Bearer" { | ||
token = headerValue[1] | ||
} | ||
} else { | ||
logger.Warn("Invalid authorization header, skipping bearer token propagation") | ||
} | ||
h.ServeHTTP(w, r.WithContext(spanstore.ContextWithBearerToken(ctx, token))) | ||
} else { | ||
h.ServeHTTP(w, r.WithContext(ctx)) | ||
} | ||
}) | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Look, I found another bear!