[bearertokenauthextension] Implement configauth ServerAuthenticator (o…

…pen-telemetry#22739) Closes open-telemetry#22737 --------- Signed-off-by: Benedikt Bongartz <[email protected]>
sakulali · Jun 14, 2023 · f66845f · f66845f
1 parent 6a83a9a
commit f66845f
Show file tree

Hide file tree

Showing 4 changed files with 91 additions and 1 deletion.
diff --git a/.chloggen/bearertokenauthextension_impl_server_authenticator.yaml b/.chloggen/bearertokenauthextension_impl_server_authenticator.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: enhancement
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: bearertokenauthextension
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Extension now implements configauth.ServerAuthenticator
+
+# One or more tracking issues related to the change
+issues: [22737]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/extension/bearertokenauthextension/README.md b/extension/bearertokenauthextension/README.md
@@ -13,7 +13,7 @@
 
 
 
-This extension implements `configauth.ClientAuthenticator` and can be used in both http and gRPC exporters inside the `auth` settings, as a means to embed a static token for every RPC call that will be made.
+This extension implements  both `configauth.ServerAuthenticator` and `configauth.ClientAuthenticator`. It can be used in both http and gRPC exporters inside the `auth` settings, as a means to embed a static token for every RPC call that will be made.
 
 The authenticator type has to be set to `bearertokenauth`.
 

diff --git a/extension/bearertokenauthextension/bearertokenauth.go b/extension/bearertokenauthextension/bearertokenauth.go
@@ -5,6 +5,7 @@ package bearertokenauthextension // import "github.com/open-telemetry/openteleme
 
 import (
  "context"
+ "errors"
  "fmt"
  "net/http"
  "os"
@@ -34,6 +35,11 @@ func (c *PerRPCAuth) RequireTransportSecurity() bool {
  return true
 }
 
+var (
+ _ auth.Server = (*BearerTokenAuth)(nil)
+ _ auth.Client = (*BearerTokenAuth)(nil)
+)
+
 // BearerTokenAuth is an implementation of auth.Client. It embeds a static authorization "bearer" token in every rpc call.
 type BearerTokenAuth struct {
  muTokenString sync.RWMutex
@@ -171,6 +177,23 @@ func (b *BearerTokenAuth) RoundTripper(base http.RoundTripper) (http.RoundTrippe
  }, nil
 }
 
+// Authenticate checks whether the given context contains valid auth data.
+func (b *BearerTokenAuth) Authenticate(ctx context.Context, headers map[string][]string) (context.Context, error) {
+ auth, ok := headers["authorization"]
+ if !ok || len(auth) == 0 {
+ return ctx, errors.New("authentication didn't succeed")
+ }
+ token := auth[0]
+ expect := b.tokenString
+ if len(b.scheme) != 0 {
+ expect = fmt.Sprintf("%s %s", b.scheme, expect)
+ }
+ if expect != token {
+ return ctx, fmt.Errorf("scheme or token does not match: %s", token)
+ }
+ return ctx, nil
+}
+
 // BearerAuthRoundTripper intercepts and adds Bearer token Authorization headers to each http request.
 type BearerAuthRoundTripper struct {
  baseTransport http.RoundTripper

diff --git a/extension/bearertokenauthextension/bearertokenauth_test.go b/extension/bearertokenauthextension/bearertokenauth_test.go
@@ -200,3 +200,54 @@ func TestBearerTokenFileContentUpdate(t *testing.T) {
  authHeaderValue = resp.Header.Get("Authorization")
  assert.Equal(t, authHeaderValue, fmt.Sprintf("%s %s", scheme, string(token)))
 }
+
+func TestBearerServerAuthenticateWithScheme(t *testing.T) {
+ const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." // #nosec
+ cfg := createDefaultConfig().(*Config)
+ cfg.Scheme = "Bearer"
+ cfg.BearerToken = token
+
+ bauth := newBearerTokenAuth(cfg, nil)
+ assert.NotNil(t, bauth)
+
+ ctx := context.Background()
+ assert.Nil(t, bauth.Start(ctx, componenttest.NewNopHost()))
+
+ _, err := bauth.Authenticate(ctx, map[string][]string{"authorization": {"Bearer " + token}})
+ assert.NoError(t, err)
+
+ _, err = bauth.Authenticate(ctx, map[string][]string{"authorization": {"Bearer " + "1234"}})
+ assert.Error(t, err)
+
+ _, err = bauth.Authenticate(ctx, map[string][]string{"authorization": {"" + token}})
+ assert.Error(t, err)
+
+ assert.Nil(t, bauth.Shutdown(context.Background()))
+}
+
+func TestBearerServerAuthenticate(t *testing.T) {
+ const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." // #nosec
+ cfg := createDefaultConfig().(*Config)
+ cfg.Scheme = ""
+ cfg.BearerToken = token
+
+ bauth := newBearerTokenAuth(cfg, nil)
+ assert.NotNil(t, bauth)
+
+ ctx := context.Background()
+ assert.Nil(t, bauth.Start(ctx, componenttest.NewNopHost()))
+
+ _, err := bauth.Authenticate(ctx, map[string][]string{"authorization": {"Bearer " + token}})
+ assert.Error(t, err)
+
+ _, err = bauth.Authenticate(ctx, map[string][]string{"authorization": {"Bearer " + "1234"}})
+ assert.Error(t, err)
+
+ _, err = bauth.Authenticate(ctx, map[string][]string{"authorization": {"invalidtoken"}})
+ assert.Error(t, err)
+
+ _, err = bauth.Authenticate(ctx, map[string][]string{"authorization": {token}})
+ assert.NoError(t, err)
+
+ assert.Nil(t, bauth.Shutdown(context.Background()))
+}