From 6d5755d5525e3cbc349da9bcc96dc52c58c8d962 Mon Sep 17 00:00:00 2001
From: Simon Gottschlag
Date: Fri, 3 Nov 2023 15:31:11 +0100
Subject: [PATCH] add static secret support
---
 src/main.go | 12 +++++++++---
 src/main_test.go | 21 +++++++++++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/src/main.go b/src/main.go
index 0262294..63b9c43 100644
--- a/src/main.go
+++ b/src/main.go
@@ -136,9 +136,14 @@ func run(ctx context.Context, cfg config) error {
 _, err = oidcTokenHandler.ParseToken(c.Request.Context(), token)
 if err != nil {
- //nolint:errcheck // ignore
- c.AbortWithError(http.StatusForbidden, fmt.Errorf("unable to validate the token: %v", err))
- return
+ switch {
+ case cfg.StaticSecret != "" && token == cfg.StaticSecret:
+ // do nothing, valid static secret
+ default:
+ //nolint:errcheck // ignore
+ c.AbortWithError(http.StatusForbidden, fmt.Errorf("unable to validate the token: %v", err))
+ return
+ }
 }
 rp.ServeHTTP(c.Writer, c.Request)
@@ -175,6 +180,7 @@ type config struct {
 AzureContainerRegistryUser string `json:"azure_container_registry_user" arg:"--azure-container-registry-user,env:AZURE_CONTAINER_REGISTRY_USER,required" help:"The user for the Azure Container Registry that should be proxied."`
 AzureContainerRegistryPassword string `json:"azure_container_registry_password" arg:"--azure-container-registry-password,env:AZURE_CONTAINER_REGISTRY_PASSWORD,required" help:"The password for the Azure Container Registry that should be proxied."`
 AllowedTenantIDs []string `json:"allowed_tenant_ids" arg:"--allowed-tenant-ids,env:ALLOWED_TENANT_IDS,required" help:"A list of the allowed tenant ids that can use the proxy."`
+ StaticSecret string `json:"static_secret" arg:"--static-secret,env:STATIC_SECRET" help:"A static secret, that if set, can be used instead of token authentication."`
 issuer string
 audience string
diff --git a/src/main_test.go b/src/main_test.go
index 0074d91..1207ce0 100644
--- a/src/main_test.go
+++ b/src/main_test.go
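Review bot: The new `case cfg.StaticSecret != "" && token == cfg.StaticSecret:` compares the shared secret with `==`, which is not constant-time, and the branch is only reached after `ParseToken` has already rejected the value, so every request carrying the static secret is first run through the OIDC parser as if it were a malformed token. Replace the switch with a constant-time guard around the existing abort, `if cfg.StaticSecret == "" || subtle.ConstantTimeCompare([]byte(token), []byte(cfg.StaticSecret)) != 1 {`, keeping the `AbortWithError` and `return` inside it, and add `crypto/subtle` to the imports. Checking the secret before calling `ParseToken` would also keep it out of the token handler's error path; whether `ParseToken` logs or wraps its input is not visible in this hunk. The body of `run` starts and ends outside the hunk.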
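Review bot: The `help` text on the new `StaticSecret` field says the value "can be used instead of token authentication" but does not tell an operator that a request presenting it skips OIDC validation entirely, which is what the `run` hunk in this same file implements, so the value is effectively a full-access credential for the proxy (presumably also outside the tenant allow-list the token handler enforces, though that check is not visible here). Suggest `help:"A static secret that, if set, is accepted in place of an OIDC token and bypasses token validation; treat it as a credential with full proxy access."`, and since nothing constrains the value, a startup check in `config` parsing that rejects short secrets would be worth adding. The `config` struct begins before this hunk.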
@@ -49,6 +49,7 @@ func TestDefault(t *testing.T) {
 AzureContainerRegistryUser: "ze-user",
 AzureContainerRegistryPassword: "ze-pass",
 AllowedTenantIDs: []string{"ze-tenant-id"},
+ StaticSecret: "ze-static-secret",
 Address: fmt.Sprintf(":%d", port),
 }
@@ -170,6 +171,26 @@ func TestDefault(t *testing.T) {
 require.Equal(t, http.StatusForbidden, res.StatusCode)
 })
+ t.Run("GET /v2/foobar valid token", func(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://127.0.0.1:%d/v2/foobar", port), http.NoBody)
+ require.NoError(t, err)
+ req.SetBasicAuth("will-be-ignored", op.GetToken(t).AccessToken)
+
+ res, err := http.DefaultClient.Do(req)
+ require.NoError(t, err)
+ require.Equal(t, http.StatusOK, res.StatusCode)
+ })
+
+ t.Run("GET /v2/foobar valid static secret", func(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://127.0.0.1:%d/v2/foobar", port), http.NoBody)
+ require.NoError(t, err)
+ req.SetBasicAuth("will-be-ignored", "ze-static-secret")
+
+ res, err := http.DefaultClient.Do(req)
+ require.NoError(t, err)
+ require.Equal(t, http.StatusOK, res.StatusCode)
+ })
+
 cancel()
 err := g.Wait()
 require.NoError(t, err)
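Review bot: Both new subtests leave `res.Body` unclosed after `http.DefaultClient.Do`, which holds the connection open for the rest of `TestDefault`; add `defer res.Body.Close()` right after the `require.NoError(t, err)` that follows `Do` in each. The new cases also only cover the happy path: with `StaticSecret` configured there is no subtest that sends a wrong or near-miss secret (for example a constructed value such as `"ze-static-secret-x"`) and expects `http.StatusForbidden`, so a regression that accepts any non-empty secret would still pass. `TestDefault` starts before this hunk.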