github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 12:43:23 +00:00
Code Issues Projects Releases Wiki Activity

Remove unnecessary authorization headers after authorization is successful

Browse Source
This commit is contained in:
mbohlool 2016-10-06 10:17:01 -07:00
parent 07eba4c6ef
commit 7e80ab2401
2 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/auth/handlers/handlers.go
View File

@ -43,7 +43,8 @@ func init() {
// WithAuthentication creates an http handler that tries to authenticate the given request as a user, and then // WithAuthentication creates an http handler that tries to authenticate the given request as a user, and then
// stores any such user found onto the provided context for the request. If authentication fails or returns an error // stores any such user found onto the provided context for the request. If authentication fails or returns an error
// the failed handler is used. On success, handler is invoked to serve the request. // the failed handler is used. On success, "Authorization" header is removed from the request and handler
// is invoked to serve the request.
func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, auth authenticator.Request, failed http.Handler) http.Handler { func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, auth authenticator.Request, failed http.Handler) http.Handler {
if auth == nil { if auth == nil {
glog.Warningf("Authentication is disabled") glog.Warningf("Authentication is disabled")
@ -60,6 +61,9 @@ func WithAuthentication(handler http.Handler, mapper api.RequestContextMapper, a
return return
} }
// authorization header is not required anymore in case of a successful authentication.
req.Header.Del("Authorization")
if ctx, ok := mapper.Get(req); ok { if ctx, ok := mapper.Get(req); ok {
mapper.Update(req, api.WithUser(ctx, user)) mapper.Update(req, api.WithUser(ctx, user))
} }

10
pkg/auth/handlers/handlers_test.go
View File

@ -40,18 +40,24 @@ func TestAuthenticateRequest(t *testing.T) {
if user == nil || !ok { if user == nil || !ok {
t.Errorf("no user stored in context: %#v", ctx) t.Errorf("no user stored in context: %#v", ctx)
} }
if req.Header.Get("Authorization") != "" {
t.Errorf("Authorization header should be removed from request on success: %#v", req)
}
close(success) close(success)
}), }),
contextMapper, contextMapper,
authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) { authenticator.RequestFunc(func(req *http.Request) (user.Info, bool, error) {
return &user.DefaultInfo{Name: "user"}, true, nil if req.Header.Get("Authorization") == "Something" {
return &user.DefaultInfo{Name: "user"}, true, nil
}
return nil, false, errors.New("Authorization header is missing.")
}), }),
http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) { http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
t.Errorf("unexpected call to failed") t.Errorf("unexpected call to failed")
}), }),
) )
auth.ServeHTTP(httptest.NewRecorder(), &http.Request{}) auth.ServeHTTP(httptest.NewRecorder(), &http.Request{Header: map[string][]string{"Authorization": {"Something"}}})
<-success <-success
empty, err := api.IsEmpty(contextMapper) empty, err := api.IsEmpty(contextMapper)