From 1c88ee9bc50a8226fe0c7cf11533ddcf4b183885 Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Mon, 23 May 2022 16:40:10 +0200 Subject: Make authorization token mandatory for admin API --- src/api/admin/api_server.rs | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/api/admin/api_server.rs b/src/api/admin/api_server.rs index a0af9bd9..57e3e5cf 100644 --- a/src/api/admin/api_server.rs +++ b/src/api/admin/api_server.rs @@ -107,17 +107,27 @@ impl ApiHandler for AdminApiServer { req: Request, endpoint: Endpoint, ) -> Result, Error> { - let expected_auth_header = match endpoint.authorization_type() { - Authorization::MetricsToken => self.metrics_token.as_ref(), - Authorization::AdminToken => self.admin_token.as_ref(), - }; + let expected_auth_header = + match endpoint.authorization_type() { + Authorization::MetricsToken => self.metrics_token.as_ref(), + Authorization::AdminToken => match &self.admin_token { + None => return Err(Error::forbidden( + "Admin token isn't configured, admin API access is disabled for security.", + )), + Some(t) => Some(t), + }, + }; if let Some(h) = expected_auth_header { match req.headers().get("Authorization") { - None => Err(Error::forbidden("Authorization token must be provided")), - Some(v) if v.to_str().map(|hv| hv == h).unwrap_or(false) => Ok(()), - _ => Err(Error::forbidden("Invalid authorization token provided")), - }?; + None => return Err(Error::forbidden("Authorization token must be provided")), + Some(v) => { + let authorized = v.to_str().map(|hv| hv.trim() == h).unwrap_or(false); + if !authorized { + return Err(Error::forbidden("Invalid authorization token provided")); + } + } + } } match endpoint { -- cgit v1.2.3