Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

etcdserver: handle malformed basic auth

Browse Source 
return insufficient credentials if basic auth header is malformed

Fixes #3280
This commit is contained in:
Mohammad Samman 2015-08-24 11:10:19 -07:00
parent 7bd558b2e0
commit e2e002f94e
2 changed files with 58 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
etcdserver/etcdhttp/client_auth.go
View File

@ -76,9 +76,14 @@ func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive b
if !sec.AuthEnabled() { if !sec.AuthEnabled() {
return true return true
} }
if r.Header.Get("Authorization") == "" {
plog.Warningf("auth: no authorization provided, checking guest access")
return hasGuestAccess(sec, r, key)
}
username, password, ok := netutil.BasicAuth(r) username, password, ok := netutil.BasicAuth(r)
if !ok { if !ok {
return hasGuestAccess(sec, r, key) plog.Warningf("auth: malformed basic auth encoding")
return false
} }
user, err := sec.GetUser(username) user, err := sec.GetUser(username)
if err != nil { if err != nil {

52
etcdserver/etcdhttp/client_auth_test.go
View File

@ -238,6 +238,28 @@ func TestAuthFlow(t *testing.T) {
wcode: http.StatusOK, wcode: http.StatusOK,
wbody: ``, wbody: ``,
}, },
{
req: (func() *http.Request {
req := mustJSONRequest(t, "DELETE", "enable", "")
req.SetBasicAuth("root", "bad")
return req
})(),
store: mockAuthStore{
enabled: true,
user: &auth.User{
User: "root",
Password: goodPassword,
Roles: []string{"root"},
},
roles: map[string]*auth.Role{
"root": {
Role: "guest",
},
},
},
wcode: http.StatusUnauthorized,
wbody: `{"message":"Insufficient credentials"}`,
},
} }
for i, tt := range testCases { for i, tt := range testCases {
@ -470,6 +492,36 @@ func TestPrefixAccess(t *testing.T) {
hasKeyPrefixAccess: true, hasKeyPrefixAccess: true,
hasRecursiveAccess: false, hasRecursiveAccess: false,
}, },
{
key: "/foo",
req: (func() *http.Request {
req := mustJSONRequest(t, "GET", "somepath", "")
req.Header.Set("Authorization", "malformedencoding")
return req
})(),
store: &mockAuthStore{
enabled: true,
user: &auth.User{
User: "root",
Password: goodPassword,
Roles: []string{"root"},
},
roles: map[string]*auth.Role{
"guest": {
Role: "guest",
Permissions: auth.Permissions{
KV: auth.RWPermission{
Read: []string{"/foo*"},
Write: []string{"/foo*"},
},
},
},
},
},
hasRoot: false,
hasKeyPrefixAccess: false,
hasRecursiveAccess: false,
},
} }
for i, tt := range table { for i, tt := range table {