From ab5c4e23bd230617f03f10a367c919e9ac6166e2 Mon Sep 17 00:00:00 2001 From: Gyu-Ho Lee Date: Wed, 20 Jul 2016 16:23:41 -0700 Subject: [PATCH] v2http: add 'ClientCertAuthEnabled' in handlers --- etcdserver/api/v2http/client_auth.go | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/etcdserver/api/v2http/client_auth.go b/etcdserver/api/v2http/client_auth.go index 286dd3209..2b3278528 100644 --- a/etcdserver/api/v2http/client_auth.go +++ b/etcdserver/api/v2http/client_auth.go @@ -26,15 +26,16 @@ import ( ) type authHandler struct { - sec auth.Store - cluster api.Cluster + sec auth.Store + cluster api.Cluster + clientCertAuthEnabled bool } -func hasWriteRootAccess(sec auth.Store, r *http.Request) bool { +func hasWriteRootAccess(sec auth.Store, r *http.Request, clientCertAuthEnabled bool) bool { if r.Method == "GET" || r.Method == "HEAD" { return true } - return hasRootAccess(sec, r) + return hasRootAccess(sec, r, clientCertAuthEnabled) } func userFromBasicAuth(sec auth.Store, r *http.Request) *auth.User { @@ -74,7 +75,7 @@ func userFromClientCertificate(sec auth.Store, r *http.Request) *auth.User { return nil } -func hasRootAccess(sec auth.Store, r *http.Request) bool { +func hasRootAccess(sec auth.Store, r *http.Request, clientCertAuthEnabled bool) bool { if sec == nil { // No store means no auth available, eg, tests. return true @@ -84,7 +85,7 @@ func hasRootAccess(sec auth.Store, r *http.Request) bool { } var rootUser *auth.User - if r.Header.Get("Authorization") == "" { + if r.Header.Get("Authorization") == "" && clientCertAuthEnabled { rootUser = userFromClientCertificate(sec, r) if rootUser == nil { return false @@ -105,7 +106,7 @@ func hasRootAccess(sec auth.Store, r *http.Request) bool { return false } -func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive bool) bool { +func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive, clientCertAuthEnabled bool) bool { if sec == nil { // No store means no auth available, eg, tests. return true @@ -115,7 +116,7 @@ func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive b } var user *auth.User - if r.Header.Get("Authorization") == "" { + if r.Header.Get("Authorization") == "" && clientCertAuthEnabled { user = userFromClientCertificate(sec, r) if user == nil { plog.Warningf("auth: no authorization provided, checking guest access") @@ -178,7 +179,7 @@ func (sh *authHandler) baseRoles(w http.ResponseWriter, r *http.Request) { if !allowMethod(w, r.Method, "GET") { return } - if !hasRootAccess(sh.sec, r) { + if !hasRootAccess(sh.sec, r, sh.clientCertAuthEnabled) { writeNoAuth(w, r) return } @@ -242,7 +243,7 @@ func (sh *authHandler) forRole(w http.ResponseWriter, r *http.Request, role stri if !allowMethod(w, r.Method, "GET", "PUT", "DELETE") { return } - if !hasRootAccess(sh.sec, r) { + if !hasRootAccess(sh.sec, r, sh.clientCertAuthEnabled) { writeNoAuth(w, r) return } @@ -326,7 +327,7 @@ func (sh *authHandler) baseUsers(w http.ResponseWriter, r *http.Request) { if !allowMethod(w, r.Method, "GET") { return } - if !hasRootAccess(sh.sec, r) { + if !hasRootAccess(sh.sec, r, sh.clientCertAuthEnabled) { writeNoAuth(w, r) return } @@ -398,7 +399,7 @@ func (sh *authHandler) forUser(w http.ResponseWriter, r *http.Request, user stri if !allowMethod(w, r.Method, "GET", "PUT", "DELETE") { return } - if !hasRootAccess(sh.sec, r) { + if !hasRootAccess(sh.sec, r, sh.clientCertAuthEnabled) { writeNoAuth(w, r) return } @@ -511,7 +512,7 @@ func (sh *authHandler) enableDisable(w http.ResponseWriter, r *http.Request) { if !allowMethod(w, r.Method, "GET", "PUT", "DELETE") { return } - if !hasWriteRootAccess(sh.sec, r) { + if !hasWriteRootAccess(sh.sec, r, sh.clientCertAuthEnabled) { writeNoAuth(w, r) return }