Add default access token to webservice
Platform committed Oct 9, 2024
1 parent 0376c66 commit 662b75e
Showing 2 changed files with 23 additions and 2 deletions.
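--- a/pkg/auth/authenticator.go
+++ b/pkg/auth/authenticator.go
@@ -83,8 +83,11 @@ func (a *Authenticator) TestAccess(request *Request, wsvc WebservicesCacheEntry)
 defer cacheReaders.Dec()
 
 if token == "" {
-reason = CerberusReasonTokenEmpty
-return
+if wsvc.defaultAccessToken == NoDefaultAccessToken {
+reason = CerberusReasonTokenEmpty
+return
+}
+token = wsvc.defaultAccessToken
 }
 
 ac, ok := a.accessTokensCache.ReadAccessToken(token)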
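Review bot: In the `token == ""` branch a request that carries no credential is silently given the identity of `wsvc.defaultAccessToken`, and from `ReadAccessToken(token)` onward nothing distinguishes it from a caller that actually presented that token. For audit and detection the fallback should be recorded, for example by setting a flag (say `usedDefaultToken = true`) next to `token = wsvc.defaultAccessToken` and surfacing it in whatever log line or metric the function emits for its decision. It is also worth confirming that a default token missing from `accessTokensCache` produces a reason that points at the webservice configuration rather than at the client, since the client sent nothing. TestAccess begins before and continues after this hunk, so the later checks are not visible here.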
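--- a/pkg/auth/authenticator_cache.go
+++ b/pkg/auth/authenticator_cache.go
@@ -12,6 +12,17 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// DefaultAccessTokenAnnotation is used to set a default AccessToken
+// webservice when there is no access token provided in request headers
+// It is used when you want to ignore access token on a webservice but
+// you need to have UpstreamAuth and Authentication headers on request
+// NOTE: you need to set RAW access token in annotation, not it's name or ref
+const DefaultAccessTokenAnnotation = "cerberus.snappcloud.io/default-access-token"
+
+// NoDefaultAccessToken is used to identify when no default access token
+// is set on websevice (thus, Cerberus will perform it's normal behavior)
+const NoDefaultAccessToken = ""
+
 // AccessTokensCache is where Authenticator holds its authentication data,
 // under the hood it is a Map from RawTokens to some information about
 // AccessToken, see AccessCacheEntry for more information
@@ -38,6 +49,7 @@ type AllowedWebservicesCache map[string]struct{}
 type WebservicesCacheEntry struct {
 v1alpha1.WebService
 allowedNamespacesCache AllowedNamespacesCache
+defaultAccessToken string
 }
 
 // AllowedNamespacesCache will hold all namespaces that are allowed to call this webservice
@@ -126,9 +138,15 @@ func (a *Authenticator) buildNewWebservicesCache(
 )
 continue
 }
+
+defaultAccessToken := NoDefaultAccessToken
+if v, ok := webservice.Annotations[DefaultAccessTokenAnnotation]; ok {
+defaultAccessToken = v
+}
 newWebservicesCache[webservice.LocalName()] = WebservicesCacheEntry{
 WebService: webservice,
 allowedNamespacesCache: make(AllowedNamespacesCache),
+defaultAccessToken: defaultAccessToken,
 }
 }
 webserviceCacheEntries.Set(float64(len(newWebservicesCache)))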
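Review bot: `DefaultAccessTokenAnnotation` asks operators to place the RAW access token in a WebService annotation, and annotations are ordinary object metadata: anyone who can get or list the WebService can read the token, and it will appear in `kubectl describe` output, exported manifests and Git-managed YAML. The doc comment says a name or ref is not accepted; accepting the AccessToken's name and resolving it to the raw token while the cache is built would keep the secret out of metadata, though whether that lookup is available inside `buildNewWebservicesCache` cannot be seen from these hunks. In the last hunk the value is also stored unvalidated, so an annotation that is only whitespace or matches no known token is kept as the default; trimming it and logging when it resolves to nothing would make a misconfiguration visible. If the raw value stays, the comment on the constant should say that the annotation must be handled as a credential.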
