Merge pull request #223 from jhiemstrawisc/fix-director-authz

Fix director authz
PelicanPlatform · Oct 12, 2023 · 3bf1ae3 · 3bf1ae3
2 parents e5a6f00 + c70d73f
commit 3bf1ae3
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/director/redirect.go b/director/redirect.go
@@ -77,8 +77,12 @@ func getRealIP(ginCtx *gin.Context) (ipAddr netip.Addr, err error) {
 func getAuthzEscaped(req *http.Request) (authzEscaped string) {
 	if authzQuery := req.URL.Query()["authz"]; len(authzQuery) > 0 {
 		authzEscaped = authzQuery[0]
+		// if the authz URL query is coming from XRootD, it probably has a "Bearer " tacked in front
+		// even though it's coming via a URL
+		authzEscaped = strings.TrimPrefix(authzEscaped, "Bearer ")
 	} else if authzHeader := req.Header["Authorization"]; len(authzHeader) > 0 {
-		authzEscaped = url.QueryEscape(authzHeader[0])
+		authzEscaped = strings.TrimPrefix(authzHeader[0], "Bearer ")
+		authzEscaped = url.QueryEscape(authzEscaped)
 	}
 	return
 }

diff --git a/director/redirect_test.go b/director/redirect_test.go
@@ -214,3 +214,37 @@ func TestDirectorRegistration(t *testing.T) {
 	assert.False(t, NamespaceAdContainsPath(namaspaceADs, "/foo/bar"), "Found namespace in the director cache even if the token validation failed.")
 	serverAds.DeleteAll()
 }
+
+func TestGetAuthzEscaped(t *testing.T) {
+	// Test passing a token via header with no bearer prefix
+	req, err := http.NewRequest(http.MethodPost, "http://fake-server.com", bytes.NewBuffer([]byte("a body")))
+	assert.NoError(t, err)
+	req.Header.Set("Authorization", "tokenstring")
+	escapedToken := getAuthzEscaped(req)
+	assert.Equal(t, escapedToken, "tokenstring")
+
+	// Test passing a token via query with no bearer prefix
+	req, err = http.NewRequest(http.MethodPost, "http://fake-server.com/foo?authz=tokenstring", bytes.NewBuffer([]byte("a body")))
+	assert.NoError(t, err)
+	escapedToken = getAuthzEscaped(req)
+	assert.Equal(t, escapedToken, "tokenstring")
+
+	// Test passing the token via header with Bearer prefix
+	req, err = http.NewRequest(http.MethodPost, "http://fake-server.com", bytes.NewBuffer([]byte("a body")))
+	assert.NoError(t, err)
+	req.Header.Set("Authorization", "Bearer tokenstring")
+	escapedToken = getAuthzEscaped(req)
+	assert.Equal(t, escapedToken, "tokenstring")
+
+	// Test passing the token via URL with Bearer prefix and + encoded space
+	req, err = http.NewRequest(http.MethodPost, "http://fake-server.com/foo?authz=Bearer+tokenstring", bytes.NewBuffer([]byte("a body")))
+	assert.NoError(t, err)
+	escapedToken = getAuthzEscaped(req)
+	assert.Equal(t, escapedToken, "tokenstring")
+
+	// Finally, the same test as before, but test with %20 encoded space
+	req, err = http.NewRequest(http.MethodPost, "http://fake-server.com/foo?authz=Bearer%20tokenstring", bytes.NewBuffer([]byte("a body")))
+	assert.NoError(t, err)
+	escapedToken = getAuthzEscaped(req)
+	assert.Equal(t, escapedToken, "tokenstring")
+}