Support path exclusion from basic authentication
Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
heylongdacoder committed Aug 13, 2022
1 parent 0633342 commit 0a9c07b
Showing 6 changed files with 34 additions and 3 deletions.
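--- a/docs/web-config.yml
+++ b/docs/web-config.yml
@@ -10,3 +10,8 @@ tls_server_config:
 basic_auth_users:
 alice: $2y$10$mDwo.lAisC94iLAyP81MCesa29IzH37oigHC/42V2pdJlUprsJPze
 bob: $2y$10$hLqFl9jSjoAAy95Z/zw8Ye8wkdMBM8c5Bn1ptYqP/AXyV0.oy0S8m
+
+# Exclude /-/healthy and /-/ready from basic authentication
+basic_auth_excluded_paths:
+- /-/healthy
+- /-/ready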
5 changes: 5 additions & 0 deletions docs/web-configuration.md
Expand Up @@ -97,6 +97,11 @@ http_server_config:
# required. Passwords are hashed with bcrypt.
basic_auth_users:
[ <string>: <secret> ... ]
# Exclude URL path from basic authentication. One of the reasonable usecase
# would be exclude the health check path when basic_auth_users is configured.
basic_auth_excluded_paths:
[ - <string> ]
```

[A sample configuration file](web-config.yml) is provided.
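--- a/web/handler.go
+++ b/web/handler.go
@@ -102,6 +102,13 @@ func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+for _, path := range c.AuthExcludedPaths {
+if path == r.URL.Path {
+u.handler.ServeHTTP(w, r)
+return
+}
+}
+
 user, pass, auth := r.BasicAuth()
 if auth {
 hashedPassword, validUser := c.Users[user]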
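Review bot: The exemption loop added to ServeHTTP compares each entry with `r.URL.Path` by exact string equality and then hands the request to the inner handler for every HTTP method, and neither property is stated in the code. Exact matching is the safe choice, since prefixes and variants such as a trailing slash still fall through to the credential check, so I would pin it with a comment above the loop: `// Exact match on the decoded path only; prefixes and variants such as a trailing slash are NOT exempt and still require credentials.` If the exemption is meant for health probes only, also requiring `r.Method == http.MethodGet || r.Method == http.MethodHead` would keep a misconfigured entry from exposing a state-changing endpoint without authentication. ServeHTTP begins and ends outside this hunk, so what runs before the loop is not visible here.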
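--- a/web/testdata/web_config_users_noTLS_excludePath.good.yml
+++ b/web/testdata/web_config_users_noTLS_excludePath.good.yml
@@ -0,0 +1,8 @@
+basic_auth_excluded_paths:
+- /
+
+basic_auth_users:
+alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq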
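--- a/web/tls_config.go
+++ b/web/tls_config.go
@@ -34,9 +34,10 @@ var (
 )
 
 type Config struct {
-TLSConfig TLSStruct `yaml:"tls_server_config"`
-HTTPConfig HTTPStruct `yaml:"http_server_config"`
-Users map[string]config_util.Secret `yaml:"basic_auth_users"`
+TLSConfig TLSStruct `yaml:"tls_server_config"`
+HTTPConfig HTTPStruct `yaml:"http_server_config"`
+Users map[string]config_util.Secret `yaml:"basic_auth_users"`
+AuthExcludedPaths []string `yaml:"basic_auth_excluded_paths"`
 }
 
 type TLSStruct struct {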
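Review bot: `AuthExcludedPaths` is added to the exported `Config` struct without a doc comment, and nothing in this hunk shows its entries being checked when the file is loaded. Because each entry switches authentication off for the path it names, I would document the field, for example `// AuthExcludedPaths lists request paths served without basic auth; each entry is compared exactly with the request path.` If the loader does not already do so, rejecting entries that are empty or lack a leading `/` would make a typo fail at startup instead of being silently ignored. The loading and validation code is outside this hunk.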
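--- a/web/tls_config_test.go
+++ b/web/tls_config_test.go
@@ -615,6 +615,11 @@ func TestUsers(t *testing.T) {
 Password: "dave123",
 ExpectedError: nil,
 },
+{
+Name: `with correct basic auth and exclude path`,
+YAMLConfigPath: "testdata/web_config_users_noTLS_excludePath.good.yml",
+ExpectedError: nil,
+},
 {
 Name: `without basic auth and TLS`,
 YAMLConfigPath: "testdata/web_config_users.good.yml",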
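Review bot: The added case is named `with correct basic auth and exclude path` but sets neither `Username` nor `Password`, so it appears to exercise an unauthenticated request to the excluded path rather than one with valid credentials; a name such as `without basic auth on excluded path` would say what is tested. It also covers only the allow side: nothing here shows that a path absent from `basic_auth_excluded_paths` is still rejected without credentials under the same config, which is the property that guards against the exemption widening by accident. Which path the harness requests is not visible in this hunk, so a negative case may need a per-case request path. The test table and TestUsers continue outside the hunk.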
