Support path exclusion from basic authentication

Signed-off-by: heylongdacoder <heylongdacoder@gmail.com>
prometheus · Aug 30, 2022 · 691a40c · 691a40c
1 parent 0633342
commit 691a40c
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 3 deletions.
diff --git a/docs/web-config.yml b/docs/web-config.yml
@@ -10,3 +10,8 @@ tls_server_config:
 basic_auth_users:
   alice: $2y$10$mDwo.lAisC94iLAyP81MCesa29IzH37oigHC/42V2pdJlUprsJPze
   bob: $2y$10$hLqFl9jSjoAAy95Z/zw8Ye8wkdMBM8c5Bn1ptYqP/AXyV0.oy0S8m
+
+# Exclude /-/healthy and /-/ready from basic authentication
+basic_auth_excluded_paths:
+- /-/healthy
+- /-/ready
diff --git a/docs/web-configuration.md b/docs/web-configuration.md
@@ -97,6 +97,11 @@ http_server_config:
 # required. Passwords are hashed with bcrypt.
 basic_auth_users:
   [ <string>: <secret> ... ]
+
+# Exclude URL path from basic authentication. For example, health check or
+# metrics endpoints.
+basic_auth_excluded_paths:
+[ - <string> ]
 ```
 
 [A sample configuration file](web-config.yml) is provided.

diff --git a/web/handler.go b/web/handler.go
@@ -102,6 +102,13 @@ func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	for _, path := range c.AuthExcludedPaths {
+		if path == r.URL.Path {
+			u.handler.ServeHTTP(w, r)
+			return
+		}
+	}
+
 	user, pass, auth := r.BasicAuth()
 	if auth {
 		hashedPassword, validUser := c.Users[user]

diff --git a/web/testdata/web_config_users_noTLS_excludePath.good.yml b/web/testdata/web_config_users_noTLS_excludePath.good.yml
@@ -0,0 +1,8 @@
+basic_auth_excluded_paths:
+- /
+
+basic_auth_users:
+  alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+  bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+  carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+  dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff --git a/web/tls_config.go b/web/tls_config.go
@@ -34,9 +34,10 @@ var (
 )
 
 type Config struct {
-	TLSConfig  TLSStruct                     `yaml:"tls_server_config"`
-	HTTPConfig HTTPStruct                    `yaml:"http_server_config"`
-	Users      map[string]config_util.Secret `yaml:"basic_auth_users"`
+	TLSConfig         TLSStruct                     `yaml:"tls_server_config"`
+	HTTPConfig        HTTPStruct                    `yaml:"http_server_config"`
+	Users             map[string]config_util.Secret `yaml:"basic_auth_users"`
+	AuthExcludedPaths []string                      `yaml:"basic_auth_excluded_paths"`
 }
 
 type TLSStruct struct {

diff --git a/web/tls_config_test.go b/web/tls_config_test.go
@@ -615,6 +615,11 @@ func TestUsers(t *testing.T) {
 			Password:       "dave123",
 			ExpectedError:  nil,
 		},
+		{
+			Name:           `with correct basic auth and exclude path`,
+			YAMLConfigPath: "testdata/web_config_users_noTLS_excludePath.good.yml",
+			ExpectedError:  nil,
+		},
 		{
 			Name:           `without basic auth and TLS`,
 			YAMLConfigPath: "testdata/web_config_users.good.yml",