Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add default access token to webservice #52

Merged
merged 1 commit into from
Oct 9, 2024
Merged

Add default access token to webservice #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions pkg/auth/authenticator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,8 +83,11 @@ func (a *Authenticator) TestAccess(request *Request, wsvc WebservicesCacheEntry)
defer cacheReaders.Dec()

if token == "" {
reason = CerberusReasonTokenEmpty
return
if wsvc.defaultAccessToken == NoDefaultAccessToken {
reason = CerberusReasonTokenEmpty
return
}
token = wsvc.defaultAccessToken
}

ac, ok := a.accessTokensCache.ReadAccessToken(token)
Expand Down
18 changes: 18 additions & 0 deletions pkg/auth/authenticator_cache.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,17 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

// DefaultAccessTokenAnnotation is used to set a default AccessToken
// webservice when there is no access token provided in request headers
// It is used when you want to ignore access token on a webservice but
// you need to have UpstreamAuth and Authentication headers on request
// NOTE: you need to set RAW access token in annotation, not it's name or ref
const DefaultAccessTokenAnnotation = "cerberus.snappcloud.io/default-access-token"

// NoDefaultAccessToken is used to identify when no default access token
// is set on websevice (thus, Cerberus will perform it's normal behavior)
const NoDefaultAccessToken = ""

// AccessTokensCache is where Authenticator holds its authentication data,
// under the hood it is a Map from RawTokens to some information about
// AccessToken, see AccessCacheEntry for more information
Expand All @@ -38,6 +49,7 @@ type AllowedWebservicesCache map[string]struct{}
type WebservicesCacheEntry struct {
v1alpha1.WebService
allowedNamespacesCache AllowedNamespacesCache
defaultAccessToken string
}

// AllowedNamespacesCache will hold all namespaces that are allowed to call this webservice
Expand Down Expand Up @@ -126,9 +138,15 @@ func (a *Authenticator) buildNewWebservicesCache(
)
continue
}

defaultAccessToken := NoDefaultAccessToken
if v, ok := webservice.Annotations[DefaultAccessTokenAnnotation]; ok {
defaultAccessToken = v
}
newWebservicesCache[webservice.LocalName()] = WebservicesCacheEntry{
WebService: webservice,
allowedNamespacesCache: make(AllowedNamespacesCache),
defaultAccessToken: defaultAccessToken,
}
}
webserviceCacheEntries.Set(float64(len(newWebservicesCache)))
Expand Down
Loading