fix: Ensure redirect to login when using empty auth token (argoproj#4496

) Signed-off-by: Simon Behar <[email protected]>
highb · Nov 9, 2020 · bfc13c3 · bfc13c3
1 parent d56ce89
commit bfc13c3
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 18 deletions.
diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
@@ -129,9 +129,9 @@ func getAuthHeader(md metadata.MD) string {
 func (s gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubernetes.Interface, *types.Claims, error) {
  md, _ := metadata.FromIncomingContext(ctx)
  authorization := getAuthHeader(md)
- mode, err := s.Modes.GetMode(authorization)
- if err != nil {
- return nil, nil, nil, status.Error(codes.InvalidArgument, err.Error())
+ mode, valid := s.Modes.GetMode(authorization)
+ if !valid {
+ return nil, nil, nil, status.Error(codes.Unauthenticated, "token not valid for requested mode")
  }
  switch mode {
  case Client:

diff --git a/server/auth/mode.go b/server/auth/mode.go
@@ -30,15 +30,12 @@ func (m Modes) Add(value string) error {
  return nil
 }
 
-func (m Modes) GetMode(authorisation string) (Mode, error) {
- if strings.HasPrefix(authorisation, sso.Prefix) && m[SSO] {
- return SSO, nil
+func (m Modes) GetMode(authorisation string) (Mode, bool) {
+ if strings.HasPrefix(authorisation, sso.Prefix) {
+ return SSO, m[SSO]
  }
- if (strings.HasPrefix(authorisation, "Bearer ") || strings.HasPrefix(authorisation, "Basic ")) && m[Client] {
- return Client, nil
+ if strings.HasPrefix(authorisation, "Bearer ") || strings.HasPrefix(authorisation, "Basic ") {
+ return Client, m[Client]
  }
- if m[Server] {
- return Server, nil
- }
- return "", errors.New("unrecognized token")
+ return Server, m[Server]
 }
diff --git a/server/auth/mode_test.go b/server/auth/mode_test.go
@@ -43,20 +43,20 @@ func TestModes_GetMode(t *testing.T) {
  Server: true,
  }
  t.Run("Client", func(t *testing.T) {
- mode, err := m.GetMode("Bearer ")
- if assert.NoError(t, err) {
+ mode, valid := m.GetMode("Bearer ")
+ if assert.True(t, valid) {
  assert.Equal(t, Client, mode)
  }
  })
  t.Run("Server", func(t *testing.T) {
- mode, err := m.GetMode("")
- if assert.NoError(t, err) {
+ mode, valid := m.GetMode("")
+ if assert.True(t, valid) {
  assert.Equal(t, Server, mode)
  }
  })
  t.Run("SSO", func(t *testing.T) {
- mode, err := m.GetMode("Bearer v2:")
- if assert.NoError(t, err) {
+ mode, valid := m.GetMode("Bearer v2:")
+ if assert.True(t, valid) {
  assert.Equal(t, SSO, mode)
  }
  })