feat: optionnaly limit /hosts access by token

2018-06-13 13:26:00 +11:00 · 2018-06-13 13:26:00 +11:00 · fb55e74856
commit fb55e74856
parent 0b9f3d1199
1 changed files with 28 additions and 0 deletions
--- a/http.go
+++ b/http.go
@ -14,11 +14,29 @@ import (
 )

 var (
+	hostsToken = flag.String("hosts-token", "", "Token to give to access /hosts (open is none)")
+
 	reHost = regexp.MustCompile("^/hosts/([^/]+)/([^/]+)$")

 	trustXFF = flag.Bool("trust-xff", true, "Trust the X-Forwarded-For header")
 )

+func authorizeHosts(r *http.Request) bool {
+	if *hostsToken == "" {
+		// access is open
+		return true
+	}
+
+	reqToken := r.Header.Get("Authorization")
+
+	return reqToken == "Bearer "+*hostsToken
+}
+
+func forbidden(w http.ResponseWriter, r *http.Request) {
+	log.Printf("denied access to %s from %s", r.RequestURI, r.RemoteAddr)
+	http.Error(w, "Forbidden", http.StatusForbidden)
+}
+
 func serveHostByIP(w http.ResponseWriter, r *http.Request) {
 	host, cfg := hostByIP(w, r)
 	if host == nil {
@ -64,6 +82,11 @@ func hostByIP(w http.ResponseWriter, r *http.Request) (*clustersconfig.Host, *cl
 }

 func serveHosts(w http.ResponseWriter, r *http.Request) {
+	if !authorizeHosts(r) {
+		forbidden(w, r)
+		return
+	}
+
 	cfg, err := readConfig()
 	if err != nil {
 		http.Error(w, "", http.StatusServiceUnavailable)
@ -79,6 +102,11 @@ func serveHosts(w http.ResponseWriter, r *http.Request) {
 }

 func serveHost(w http.ResponseWriter, r *http.Request) {
+	if !authorizeHosts(r) {
+		forbidden(w, r)
+		return
+	}
+
 	match := reHost.FindStringSubmatch(r.URL.Path)
 	if match == nil {
 		http.NotFound(w, r)