From fafb4e20494fbfb775dd9b4966b3ec8b4af37abc Mon Sep 17 00:00:00 2001
From: pedram <pedy4000@gmail.com>
Date: Wed, 9 Oct 2024 04:02:18 +0330
Subject: [PATCH] Add default  access token to webservice (#52)

Co-authored-by: Platform <platform@snapp.cab>
---
 pkg/auth/authenticator.go       |  7 +++++--
 pkg/auth/authenticator_cache.go | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
index 93d64cf..63e45c7 100644
--- a/pkg/auth/authenticator.go
+++ b/pkg/auth/authenticator.go
@@ -83,8 +83,11 @@ func (a *Authenticator) TestAccess(request *Request, wsvc WebservicesCacheEntry)
 	defer cacheReaders.Dec()
 
 	if token == "" {
-		reason = CerberusReasonTokenEmpty
-		return
+		if wsvc.defaultAccessToken == NoDefaultAccessToken {
+			reason = CerberusReasonTokenEmpty
+			return
+		}
+		token = wsvc.defaultAccessToken
 	}
 
 	ac, ok := a.accessTokensCache.ReadAccessToken(token)
diff --git a/pkg/auth/authenticator_cache.go b/pkg/auth/authenticator_cache.go
index 400d113..5d2a607 100644
--- a/pkg/auth/authenticator_cache.go
+++ b/pkg/auth/authenticator_cache.go
@@ -12,6 +12,17 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// DefaultAccessTokenAnnotation is used to set a default AccessToken
+// webservice when there is no access token provided in request headers
+// It is used when you want to ignore access token on a webservice but
+// you need to have UpstreamAuth and Authentication headers on request
+// NOTE: you need to set RAW access token in annotation, not it's name or ref
+const DefaultAccessTokenAnnotation = "cerberus.snappcloud.io/default-access-token"
+
+// NoDefaultAccessToken is used to identify when no default access token
+// is set on websevice (thus, Cerberus will perform it's normal behavior)
+const NoDefaultAccessToken = ""
+
 // AccessTokensCache is where Authenticator holds its authentication data,
 // under the hood it is a Map from RawTokens to some information about
 // AccessToken, see AccessCacheEntry for more information
@@ -38,6 +49,7 @@ type AllowedWebservicesCache map[string]struct{}
 type WebservicesCacheEntry struct {
 	v1alpha1.WebService
 	allowedNamespacesCache AllowedNamespacesCache
+	defaultAccessToken     string
 }
 
 // AllowedNamespacesCache will hold all namespaces that are allowed to call this webservice
@@ -126,9 +138,15 @@ func (a *Authenticator) buildNewWebservicesCache(
 			)
 			continue
 		}
+
+		defaultAccessToken := NoDefaultAccessToken
+		if v, ok := webservice.Annotations[DefaultAccessTokenAnnotation]; ok {
+			defaultAccessToken = v
+		}
 		newWebservicesCache[webservice.LocalName()] = WebservicesCacheEntry{
 			WebService:             webservice,
 			allowedNamespacesCache: make(AllowedNamespacesCache),
+			defaultAccessToken:     defaultAccessToken,
 		}
 	}
 	webserviceCacheEntries.Set(float64(len(newWebservicesCache)))