Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add basic auth support for interface #353

Merged
merged 6 commits into from
Apr 10, 2020

Conversation

jheth
Copy link
Contributor

@jheth jheth commented Apr 8, 2020

Add optional basic auth support to keep the interface from being publicly available.

Description

  • Added new environment variables to enable and configure basic authentication. Disabled by default.
  • When enabled, adds a new middleware to support basic auth
  • Respect whitelist of paths (prefix or exact match)

Motivation and Context

  • This solves the issue of hosting flagr where it is reachable on the public internet but you do not want outside users to access the web interface.

How Has This Been Tested?

  • Deployed to our hosting provider and manually tested basic auth prompt with various env values.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

return false
}

func (a *basicAuth) ServeHTTP(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do you mind adding a unit test for it? thanks

pkg/config/env.go Outdated Show resolved Hide resolved
pkg/config/middleware_test.go Show resolved Hide resolved
pkg/config/middleware_test.go Outdated Show resolved Hide resolved
@jheth jheth force-pushed the basic-auth-support branch from 76794ba to daa3326 Compare April 8, 2020 22:31
@codecov-io
Copy link

Codecov Report

Merging #353 into master will increase coverage by 0.05%.
The diff coverage is 87.09%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #353      +/-   ##
==========================================
+ Coverage   81.75%   81.81%   +0.05%     
==========================================
  Files          26       26              
  Lines        1540     1567      +27     
==========================================
+ Hits         1259     1282      +23     
- Misses        211      214       +3     
- Partials       70       71       +1     
Impacted Files Coverage Δ
pkg/config/middleware.go 68.12% <87.09%> (+3.46%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f94aa14...daa3326. Read the comment docs.

pkg/config/env.go Outdated Show resolved Hide resolved
Copy link
Collaborator

@zhouzhuojie zhouzhuojie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, left one more comment on the defaults

@marceloboeira
Copy link
Member

PS: You could also do that on your http LB, either nginx or aws ELB, or k8s... it's much easier...

@jheth
Copy link
Contributor Author

jheth commented Apr 9, 2020

Agreed, that would be the easier path. We have this on heroku though which always has a public reachable domain. *.herokuapp.com

@marceloboeira
Copy link
Member

@jheth I see, yeap, Heroku is extremely customizable on the infra-level. I think you could run kong on Heroku and do that, but then it would be more complex eheh

res.Body = new(bytes.Buffer)
req, _ := http.NewRequest("GET", "http://localhost:18000/api/v1/flags", nil)
hh.ServeHTTP(res, req)
assert.Equal(t, http.StatusOK, res.Code)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually one more thing to test - a happy code path that the basicauth is serving the traffic with username/password passed. this test didn't cover that because /api/v1/flags was one of the default whitelist.

That's why this line wasn't covered yet. https://codecov.io/gh/checkr/flagr/pull/353/diff?src=pr&el=tree#D2-266

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. Thanks for catching that. It's been added.

@zhouzhuojie zhouzhuojie merged commit f94e01b into openflagr:master Apr 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants