Make authorization token mandatory for admin API

Alex 2022-05-23 16:40:10 +02:00
parent d768f559da
commit 1c88ee9bc5
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE


@ -107,17 +107,27 @@ impl ApiHandler for AdminApiServer {
req: Request<Body>, req: Request<Body>,
endpoint: Endpoint, endpoint: Endpoint,
) -> Result<Response<Body>, Error> { ) -> Result<Response<Body>, Error> {
let expected_auth_header = match endpoint.authorization_type() { let expected_auth_header =
Authorization::MetricsToken => self.metrics_token.as_ref(), match endpoint.authorization_type() {
Authorization::AdminToken => self.admin_token.as_ref(), Authorization::MetricsToken => self.metrics_token.as_ref(),
}; Authorization::AdminToken => match &self.admin_token {
None => return Err(Error::forbidden(
"Admin token isn't configured, admin API access is disabled for security.",
)),
Some(t) => Some(t),
},
};
if let Some(h) = expected_auth_header { if let Some(h) = expected_auth_header {
match req.headers().get("Authorization") { match req.headers().get("Authorization") {
None => Err(Error::forbidden("Authorization token must be provided")), None => return Err(Error::forbidden("Authorization token must be provided")),
Some(v) if v.to_str().map(|hv| hv == h).unwrap_or(false) => Ok(()), Some(v) => {
_ => Err(Error::forbidden("Invalid authorization token provided")), let authorized = v.to_str().map(|hv| hv.trim() == h).unwrap_or(false);
}?; if !authorized {
return Err(Error::forbidden("Invalid authorization token provided"));
}
}
}
} }
match endpoint { match endpoint {
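Review bot: The new check `hv.trim() == h` in the `Some(v)` arm compares the secret token with ordinary string equality, which stops at the first differing byte, so the time taken to reject a request can depend on how much of the presented value matches. A constant-time comparison of the byte slices would remove that dependence, for example with the `subtle` crate if the project accepts the dependency: `let authorized = v.to_str().map(|hv| bool::from(hv.trim().as_bytes().ct_eq(h.as_bytes()))).unwrap_or(false);` (this assumes `h` is a string type, which the hunk does not show). Separately, the `Authorization::MetricsToken` arm still yields `None` when no metrics token is configured, so that endpoint is served without any check; if that is intended, a comment on the arm would make it explicit, such as `// Metrics stay open when metrics_token is unset; only the admin API requires a token.` The enclosing function continues past the end of the hunk, so the handling after `match endpoint {` is not covered here.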