From fafb4e20494fbfb775dd9b4966b3ec8b4af37abc Mon Sep 17 00:00:00 2001
From: pedram
Date: Wed, 9 Oct 2024 04:02:18 +0330
Subject: [PATCH] Add default access token to webservice (#52)

Co-authored-by: Platform
---
 pkg/auth/authenticator.go | 7 +++++--
 pkg/auth/authenticator_cache.go | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
index 93d64cf..63e45c7 100644
--- a/pkg/auth/authenticator.go
+++ b/pkg/auth/authenticator.go
@@ -83,8 +83,11 @@ func (a *Authenticator) TestAccess(request *Request, wsvc WebservicesCacheEntry)
 	defer cacheReaders.Dec()
 
 	if token == "" {
-		reason = CerberusReasonTokenEmpty
-		return
+		if wsvc.defaultAccessToken == NoDefaultAccessToken {
+			reason = CerberusReasonTokenEmpty
+			return
+		}
+		token = wsvc.defaultAccessToken
 	}
 
 	ac, ok := a.accessTokensCache.ReadAccessToken(token)
diff --git a/pkg/auth/authenticator_cache.go b/pkg/auth/authenticator_cache.go
index 400d113..5d2a607 100644
--- a/pkg/auth/authenticator_cache.go
+++ b/pkg/auth/authenticator_cache.go
@@ -12,6 +12,17 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+// DefaultAccessTokenAnnotation is used to set a default AccessToken
+// webservice when there is no access token provided in request headers
+// It is used when you want to ignore access token on a webservice but
+// you need to have UpstreamAuth and Authentication headers on request
+// NOTE: you need to set RAW access token in annotation, not it's name or ref
+const DefaultAccessTokenAnnotation = "cerberus.snappcloud.io/default-access-token"
+
+// NoDefaultAccessToken is used to identify when no default access token
+// is set on websevice (thus, Cerberus will perform it's normal behavior)
+const NoDefaultAccessToken = ""
+
 // AccessTokensCache is where Authenticator holds its authentication data,
 // under the hood it is a Map from RawTokens to some information about
 // AccessToken, see AccessCacheEntry for more information 
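Review bot: After `token = wsvc.defaultAccessToken` nothing later in TestAccess can distinguish an anonymous request that was silently given the webservice's default from a client that actually presented that token, so downstream reason codes, metrics and audit logging will attribute anonymous traffic to the token's owner, and a default token that is absent from the access-token cache fails with exactly the reason a bad client token would. Keep a flag next to the substitution, e.g. `usedDefault := wsvc.defaultAccessToken != NoDefaultAccessToken` inside the `token == ""` branch, and surface it in the failure reason or a counter so operators can tell misconfiguration from abuse. The substituted token still passes through ReadAccessToken and whatever checks follow, which is correct; just make sure nothing after the hunk echoes `token` into a response header or log line, because it is now a server-held credential rather than a client-supplied one. TestAccess begins before and continues past this hunk.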
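Review bot: The annotation carries a raw access token, and annotations are not secret-bearing: anyone with get/list on WebService objects, anyone reading the manifest from a GitOps repo or backup, and Kubernetes audit logs that record the object all see a credential valid wherever that AccessToken is allowed. The NOTE on DefaultAccessTokenAnnotation says the value is raw but not that it is exposed; either reference a Secret (name/key) and resolve it when the cache is built, or at minimum make the exposure explicit in the doc comment, e.g. `// NOTE: the annotation holds the RAW token, not an AccessToken name or ref; anyone who can read the WebService object can read it, so scope that token's permissions to this webservice only.` The comments also have typos (`it's` should be `its`, `websevice` should be `webservice`) and, per Go doc-comment convention, should end with a period.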
@@ -38,6 +49,7 @@ type AllowedWebservicesCache map[string]struct{}
 type WebservicesCacheEntry struct {
 	v1alpha1.WebService
 	allowedNamespacesCache AllowedNamespacesCache
+	defaultAccessToken     string
 }
 
 // AllowedNamespacesCache will hold all namespaces that are allowed to call this webservice
@@ -126,9 +138,15 @@ func (a *Authenticator) buildNewWebservicesCache(
 			)
 			continue
 		}
+
+		defaultAccessToken := NoDefaultAccessToken
+		if v, ok := webservice.Annotations[DefaultAccessTokenAnnotation]; ok {
+			defaultAccessToken = v
+		}
 		newWebservicesCache[webservice.LocalName()] = WebservicesCacheEntry{
 			WebService:             webservice,
 			allowedNamespacesCache: make(AllowedNamespacesCache),
+			defaultAccessToken:     defaultAccessToken,
 		}
 	}
 	webserviceCacheEntries.Set(float64(len(newWebservicesCache)))
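Review bot: The new `defaultAccessToken` field is the only undocumented member of WebservicesCacheEntry and its sentinel semantics are not visible from the type; add `// defaultAccessToken is the raw token substituted for requests that carry none; NoDefaultAccessToken ("") disables the fallback.` above the field so readers of the struct do not have to find the annotation constant to understand it.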
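Review bot: The annotation value is copied into the cache entry verbatim, with no check that it corresponds to any known AccessToken and no trimming, so a typo, a rotated token or stray whitespace in the annotation is only discovered when every unauthenticated request to that webservice fails in TestAccess, with nothing at build time telling the operator why. This loop runs once per cache rebuild, which makes it the cheap place to validate: if the access-token cache is already populated at this point, look the value up there (or at least `strings.TrimSpace` it) and log a warning naming the webservice when it is unknown. Whatever is logged must not include the value itself, since it is a raw credential. The enclosing loop and buildNewWebservicesCache start before this hunk.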