fix(server): Only try to use auth-mode if enabled. Fixes argoproj#4400 (

argoproj#4412) Signed-off-by: Alex Collins <[email protected]>
jlegrone · Nov 2, 2020 · 2628be9 · 2628be9
1 parent 7f2ff80
commit 2628be9
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 13 deletions.
diff --git a/server/auth/gatekeeper.go b/server/auth/gatekeeper.go
@@ -129,13 +129,10 @@ func getAuthHeader(md metadata.MD) string {
 func (s gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubernetes.Interface, *types.Claims, error) {
  md, _ := metadata.FromIncomingContext(ctx)
  authorization := getAuthHeader(md)
- mode, err := GetMode(authorization)
+ mode, err := s.Modes.GetMode(authorization)
  if err != nil {
  return nil, nil, nil, status.Error(codes.InvalidArgument, err.Error())
  }
- if !s.Modes[mode] {
- return nil, nil, nil, status.Errorf(codes.Unauthenticated, "client auth-mode is %v, but that mode is disabled", mode)
- }
  switch mode {
  case Client:
  restConfig, wfClient, kubeClient, err := s.clientForAuthorization(authorization)

diff --git a/server/auth/mode.go b/server/auth/mode.go
@@ -30,15 +30,15 @@ func (m Modes) Add(value string) error {
  return nil
 }
 
-func GetMode(authorisation string) (Mode, error) {
- if authorisation == "" {
- return Server, nil
- }
- if strings.HasPrefix(authorisation, sso.Prefix) {
+func (m Modes) GetMode(authorisation string) (Mode, error) {
+ if strings.HasPrefix(authorisation, sso.Prefix) && m[SSO] {
  return SSO, nil
  }
- if strings.HasPrefix(authorisation, "Bearer ") || strings.HasPrefix(authorisation, "Basic ") {
+ if (strings.HasPrefix(authorisation, "Bearer ") || strings.HasPrefix(authorisation, "Basic ")) && m[Client] {
  return Client, nil
  }
+ if m[Server] {
+ return Server, nil
+ }
  return "", errors.New("unrecognized token")
 }
diff --git a/server/auth/mode_test.go b/server/auth/mode_test.go
@@ -37,20 +37,25 @@ func TestModes_Add(t *testing.T) {
  })
 }
 func TestModes_GetMode(t *testing.T) {
+ m := Modes{
+ Client: true,
+ SSO: true,
+ Server: true,
+ }
  t.Run("Client", func(t *testing.T) {
- mode, err := GetMode("Bearer ")
+ mode, err := m.GetMode("Bearer ")
  if assert.NoError(t, err) {
  assert.Equal(t, Client, mode)
  }
  })
  t.Run("Server", func(t *testing.T) {
- mode, err := GetMode("")
+ mode, err := m.GetMode("")
  if assert.NoError(t, err) {
  assert.Equal(t, Server, mode)
  }
  })
  t.Run("SSO", func(t *testing.T) {
- mode, err := GetMode("Bearer v2:")
+ mode, err := m.GetMode("Bearer v2:")
  if assert.NoError(t, err) {
  assert.Equal(t, SSO, mode)
  }