aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2022-05-23 16:40:10 +0200
committerAlex Auvolat <alex@adnab.me>2022-05-23 16:40:10 +0200
commit1c88ee9bc50a8226fe0c7cf11533ddcf4b183885 (patch)
tree5112c2d412b3312bab106bd287a88ce45b7089f9 /src
parentd768f559da43032b257fc759c3b22ca29e1bbe49 (diff)
downloadgarage-1c88ee9bc50a8226fe0c7cf11533ddcf4b183885.tar.gz
garage-1c88ee9bc50a8226fe0c7cf11533ddcf4b183885.zip
Make authorization token mandatory for admin API
Diffstat (limited to 'src')
-rw-r--r--src/api/admin/api_server.rs26
1 files changed, 18 insertions, 8 deletions
diff --git a/src/api/admin/api_server.rs b/src/api/admin/api_server.rs
index a0af9bd9..57e3e5cf 100644
--- a/src/api/admin/api_server.rs
+++ b/src/api/admin/api_server.rs
@@ -107,17 +107,27 @@ impl ApiHandler for AdminApiServer {
req: Request<Body>,
endpoint: Endpoint,
) -> Result<Response<Body>, Error> {
- let expected_auth_header = match endpoint.authorization_type() {
- Authorization::MetricsToken => self.metrics_token.as_ref(),
- Authorization::AdminToken => self.admin_token.as_ref(),
- };
+ let expected_auth_header =
+ match endpoint.authorization_type() {
+ Authorization::MetricsToken => self.metrics_token.as_ref(),
+ Authorization::AdminToken => match &self.admin_token {
+ None => return Err(Error::forbidden(
+ "Admin token isn't configured, admin API access is disabled for security.",
+ )),
+ Some(t) => Some(t),
+ },
+ };
if let Some(h) = expected_auth_header {
match req.headers().get("Authorization") {
- None => Err(Error::forbidden("Authorization token must be provided")),
- Some(v) if v.to_str().map(|hv| hv == h).unwrap_or(false) => Ok(()),
- _ => Err(Error::forbidden("Invalid authorization token provided")),
- }?;
+ None => return Err(Error::forbidden("Authorization token must be provided")),
+ Some(v) => {
+ let authorized = v.to_str().map(|hv| hv.trim() == h).unwrap_or(false);
+ if !authorized {
+ return Err(Error::forbidden("Invalid authorization token provided"));
+ }
+ }
+ }
}
match endpoint {