Add HTTP request header X-Consul-Token

Add support for an X-Consul-Token HTTP request header to specify the token with which this request should be fulfilled. The header would have precedence over the responding Agent's default token, but would have lower precedence than a token specified in the query string.
2015-10-19 08:59:24 -05:00 · 2015-10-19 08:59:24 -05:00 · 5f175add40
parent a5b245d5ec
commit 5f175add40
3 changed files with 37 additions and 3 deletions
--- a/command/agent/http.go
+++ b/command/agent/http.go
@ -463,13 +463,18 @@ func (s *HTTPServer) parseDC(req *http.Request, dc *string) {
 	}
 }

-// parseToken is used to parse the ?token query param
+// parseToken is used to parse the ?token query param or the X-Consul-Token header
 func (s *HTTPServer) parseToken(req *http.Request, token *string) {
 	if other := req.URL.Query().Get("token"); other != "" {
 		*token = other
 		return
 	}

+	if other := req.Header.Get("X-Consul-Token"); other != "" {
+		*token = other
+		return
+	}
+
 	// Set the AtlasACLToken if SCADA
 	if s.addr == scadaHTTPAddr && s.agent.config.AtlasACLToken != "" {
 		*token = s.agent.config.AtlasACLToken
--- a/command/agent/http_test.go
+++ b/command/agent/http_test.go
@ -472,6 +472,22 @@ func TestACLResolution(t *testing.T) {
 		t.Fatalf("err: %v", err)
 	}

+	// Request with header token only
+	reqHeaderToken, err := http.NewRequest("GET",
+		"/v1/catalog/nodes", nil)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	reqHeaderToken.Header.Add("X-Consul-Token", "bar")
+
+	// Request with header and querystring tokens
+	reqBothTokens, err := http.NewRequest("GET",
+		"/v1/catalog/nodes?token=baz", nil)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	reqBothTokens.Header.Add("X-Consul-Token", "zap")
+
 	httpTest(t, func(srv *HTTPServer) {
 		// Check when no token is set
 		srv.agent.config.ACLToken = ""
@ -513,6 +529,18 @@ func TestACLResolution(t *testing.T) {
 		if token != "foo" {
 			t.Fatalf("bad: %s", token)
 		}
+
+		// Header token has precedence over agent token
+		srv.parseToken(reqHeaderToken, &token)
+		if token != "bar" {
+			t.Fatalf("bad: %s", token)
+		}
+
+		// Querystring token has precendence over header and agent tokens
+		srv.parseToken(reqBothTokens, &token)
+		if token != "baz" {
+			t.Fatalf("bad: %s", token)
+		}
 	})
 }

--- a/website/source/docs/agent/http.html.markdown
+++ b/website/source/docs/agent/http.html.markdown
@ -91,5 +91,6 @@ on the query string, formatted JSON will be returned.
 Several endpoints in Consul use or require ACL tokens to operate. An agent
 can be configured to use a default token in requests using the `acl_token`
 configuration option. However, the token can also be specified per-request
-by using the `token` query parameter. This will take precedent over the
-default token.
+by using the `X-Consul-Token` request header or the `token` querystring
+parameter. The request header takes precedence over the default token, and
+the querystring parameter takes precedence over everything.