diff options
author | Alex Auvolat <alex@adnab.me> | 2022-05-23 16:40:10 +0200 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2022-05-23 16:40:10 +0200 |
commit | 1c88ee9bc50a8226fe0c7cf11533ddcf4b183885 (patch) | |
tree | 5112c2d412b3312bab106bd287a88ce45b7089f9 /src | |
parent | d768f559da43032b257fc759c3b22ca29e1bbe49 (diff) | |
download | garage-1c88ee9bc50a8226fe0c7cf11533ddcf4b183885.tar.gz garage-1c88ee9bc50a8226fe0c7cf11533ddcf4b183885.zip |
Make authorization token mandatory for admin API
Diffstat (limited to 'src')
-rw-r--r-- | src/api/admin/api_server.rs | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/src/api/admin/api_server.rs b/src/api/admin/api_server.rs index a0af9bd9..57e3e5cf 100644 --- a/src/api/admin/api_server.rs +++ b/src/api/admin/api_server.rs @@ -107,17 +107,27 @@ impl ApiHandler for AdminApiServer { req: Request<Body>, endpoint: Endpoint, ) -> Result<Response<Body>, Error> { - let expected_auth_header = match endpoint.authorization_type() { - Authorization::MetricsToken => self.metrics_token.as_ref(), - Authorization::AdminToken => self.admin_token.as_ref(), - }; + let expected_auth_header = + match endpoint.authorization_type() { + Authorization::MetricsToken => self.metrics_token.as_ref(), + Authorization::AdminToken => match &self.admin_token { + None => return Err(Error::forbidden( + "Admin token isn't configured, admin API access is disabled for security.", + )), + Some(t) => Some(t), + }, + }; if let Some(h) = expected_auth_header { match req.headers().get("Authorization") { - None => Err(Error::forbidden("Authorization token must be provided")), - Some(v) if v.to_str().map(|hv| hv == h).unwrap_or(false) => Ok(()), - _ => Err(Error::forbidden("Invalid authorization token provided")), - }?; + None => return Err(Error::forbidden("Authorization token must be provided")), + Some(v) => { + let authorized = v.to_str().map(|hv| hv.trim() == h).unwrap_or(false); + if !authorized { + return Err(Error::forbidden("Invalid authorization token provided")); + } + } + } } match endpoint { |