From c934632de936ed159a77704abf75be3af84e842c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mika=C3=ABl=20Cluseau?=
Date: Thu, 24 Jan 2019 11:38:06 +1300
Subject: [PATCH] feat: admin token
---
 cmd/dkl-local-server/http.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/cmd/dkl-local-server/http.go b/cmd/dkl-local-server/http.go
index fb4e1e3..8dea7b0 100644
--- a/cmd/dkl-local-server/http.go
+++ b/cmd/dkl-local-server/http.go
@@ -20,6 +20,7 @@ import (
 var (
 hostsToken = flag.String("hosts-token", "", "Token to give to access /hosts (open is none)")
+ adminToken = flag.String("admin-token", "", "Token to give to access to admin actions (open is none)")
 reHost = regexp.MustCompile("^/hosts/([^/]+)/([^/]+)$")
@@ -27,14 +28,22 @@ var (
 )
 func authorizeHosts(r *http.Request) bool {
- if *hostsToken == "" {
+ return authorizeToken(r, *hostsToken)
+}
+
+func authorizeAdmin(r *http.Request) bool {
+ return authorizeToken(r, *adminToken)
+}
+
+func authorizeToken(r *http.Request, token string) bool {
+ if token == "" {
 // access is open
 return true
 }
 reqToken := r.Header.Get("Authorization")
- return reqToken == "Bearer "+*hostsToken
+ return reqToken == "Bearer "+token
 }
 func forbidden(w http.ResponseWriter, r *http.Request) {
@@ -256,7 +265,7 @@ func serveCluster(w http.ResponseWriter, r *http.Request) {
 }
 func uploadConfig(w http.ResponseWriter, r *http.Request) {
- if !authorizeHosts(r) { // FIXME admin token instead
+ if !authorizeAdmin(r) {
 forbidden(w, r)
 return
 }
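Review bot: The new `-admin-token` secret is accepted only as a command-line flag, where it is typically readable by other local users through the process listing, and the help text does not make clear that leaving it empty disables authentication for admin actions. Consider also accepting the token from an environment variable or a file with restricted permissions. The description could be reworded to something like `"Bearer token required for admin actions (empty disables authentication)"`. The `var (` block starts and ends outside this hunk.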
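Review bot: `authorizeToken` compares the `Authorization` header to the expected value with `==`, which is not a constant-time comparison and can leak how much of the token matched through response timing. Since this helper now also guards admin actions, prefer `return subtle.ConstantTimeCompare([]byte(reqToken), []byte("Bearer "+token)) == 1`, which needs `crypto/subtle` added to the import block outside this hunk. The three helpers would also benefit from short doc comments stating that an empty token means open access.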
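Review bot: Switching `uploadConfig` to `authorizeAdmin` removes its protection on any deployment that sets `-hosts-token` but not the new `-admin-token`, because the flag defaults to empty and `authorizeToken` treats an empty token as open access. Before this change the same request required the hosts token. To keep upgrades fail-closed, `authorizeAdmin` could fall back when no admin token is configured, e.g. `if *adminToken == "" { return authorizeHosts(r) }`, or the server could log a warning or refuse to start in that state. The body of `uploadConfig` continues past the end of this hunk.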