

* 'main' of https://github.com/snapp-incubator/Cerberus:
  feat: add extra headers in response
SamMHD committed Aug 29, 2023
2 parents f6330c3 + f41cbfe commit 725de10
Showing 1 changed file with 32 additions and 16 deletions.
48 changes: 32 additions & 16 deletions pkg/auth/authenticator.go
Expand Up @@ -22,6 +22,7 @@ type Authenticator struct {
updateLock sync.Mutex
}

type ExtraHeaders map[string]string
type AccessCache map[string]AccessCacheEntry
type ServicesCache map[string]struct{}

Expand Down Expand Up @@ -136,35 +137,44 @@ func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, readOn
return nil
}

func (a *Authenticator) TestAccess(wsvc string, token string) (bool, CerberusReason) {

func (a *Authenticator) TestAccess(wsvc string, token string) (bool, CerberusReason, ExtraHeaders) {
a.cacheLock.RLock()
defer a.cacheLock.RUnlock()

newExtraHeaders := make(ExtraHeaders)

if wsvc == "" {
return false, CerberusReasonLookupEmpty
return false, CerberusReasonLookupEmpty, newExtraHeaders
}
if token == "" {
return false, CerberusReasonTokenEmpty
return false, CerberusReasonTokenEmpty, newExtraHeaders
}

if _, ok := (*a.servicesCache)[wsvc]; !ok {
return false, CerberusReasonWebserviceNotFound
return false, CerberusReasonWebserviceNotFound, newExtraHeaders
}
if _, ok := (*a.accessCache)[token]; !ok {
return false, CerberusReasonTokenNotFound

ac, ok := (*a.accessCache)[token]

if !ok {
return false, CerberusReasonTokenNotFound, newExtraHeaders
}

newExtraHeaders["Access-Token-Name"] = ac.AccessToken.ObjectMeta.Name

if _, ok := (*a.accessCache)[token].allowedServices[wsvc]; !ok {
return false, CerberusReasonUnauthorized
return false, CerberusReasonUnauthorized, newExtraHeaders
}
return true, CerberusReasonOK

return true, CerberusReasonOK, newExtraHeaders
}

func (a *Authenticator) Check(ctx context.Context, request *Request) (*Response, error) {
wsvc := request.Context["webservice"]
token := request.Request.Header.Get("X-Cerberus-Token")

ok, reason := a.TestAccess(wsvc, token)
ok, reason, extraHeaders := a.TestAccess(wsvc, token)
a.logger.Info("checking request", "res(ok)", ok, "req", request)

var httpStatusCode int
Expand All @@ -174,15 +184,21 @@ func (a *Authenticator) Check(ctx context.Context, request *Request) (*Response,
httpStatusCode = http.StatusUnauthorized
}

response := http.Response{
StatusCode: httpStatusCode,
Header: http.Header{
"Auth-Handler": {"cerberus"},
"Cerberus-Reason": {string(reason)},
},
}

for key, value := range extraHeaders {
response.Header.Add(key, value)
}

return &Response{
Allow: ok,
Response: http.Response{
StatusCode: httpStatusCode,
Header: http.Header{
"Auth-Handler": {"cerberus"},
"Cerberus-Reason": {string(reason)},
},
},
Response: response,
}, nil
}
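Review bot: The new `Access-Token-Name` header is populated before the `allowedServices` check in TestAccess, so a caller holding a valid token that is not authorized for this webservice still gets a 401 response carrying the Kubernetes name of its AccessToken object; only the `Allow`/`Cerberus-Reason` values differ between the unauthorized and OK paths, while the extra header is attached in Check unconditionally via `response.Header.Add`. Whether the denied response's headers reach the downstream client depends on how the ext_authz filter is configured, which is outside this hunk, but the authenticator itself should not hand out an internal object name on a deny. Move the assignment below the authorization check so it is only set on the OK path: `if _, ok := ac.allowedServices[wsvc]; !ok { return false, CerberusReasonUnauthorized, newExtraHeaders }` followed by `newExtraHeaders["Access-Token-Name"] = ac.AccessToken.ObjectMeta.Name`; this also replaces the redundant second `(*a.accessCache)[token]` lookup with the `ac` entry already fetched. A one-line comment on the assignment, such as `// Only expose the token's object name to callers that are authorized for this service.`, would document the intent for the next maintainer.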

