parse ACL token from authorization header (#12534)

2022-06-06 12:51:02 -07:00 · 2022-06-06 12:51:02 -07:00 · 544c276128
parent 86116a7607
commit 544c276128
3 changed files with 71 additions and 11 deletions
--- a/command/agent/http.go
+++ b/command/agent/http.go
@ -806,6 +806,27 @@ func (s *HTTPServer) parseToken(req *http.Request, token *string) {
 		*token = other
 		return
 	}
+
+	if other := req.Header.Get("Authorization"); other != "" {
+		// HTTP Authorization headers are in the format: <Scheme>[SPACE]<Value>
+		// Ref. https://tools.ietf.org/html/rfc7236#section-3
+		parts := strings.Split(other, " ")
+
+		// Authorization Header is invalid if containing 1 or 0 parts, e.g.:
+		// "" || "<Scheme><Value>" || "<Scheme>" || "<Value>"
+		if len(parts) > 1 {
+			scheme := parts[0]
+			// Everything after "<Scheme>" is "<Value>", trimmed
+			value := strings.TrimSpace(strings.Join(parts[1:], " "))
+
+			// <Scheme> must be "Bearer"
+			if strings.ToLower(scheme) == "bearer" {
+				// Since Bearer tokens shouldn't contain spaces (rfc6750#section-2.1)
+				// "value" is tokenized, only the first item is used
+				*token = strings.TrimSpace(strings.Split(value, " ")[0])
+			}
+		}
+	}
 }

 // parse is a convenience method for endpoints that need to parse multiple flags
--- a/command/agent/http_test.go
+++ b/command/agent/http_test.go
@ -535,16 +535,47 @@ func TestParseToken(t *testing.T) {
 	s := makeHTTPServer(t, nil)
 	defer s.Shutdown()

-	req, err := http.NewRequest("GET", "/v1/jobs", nil)
-	req.Header.Add("X-Nomad-Token", "foobar")
-	if err != nil {
-		t.Fatalf("err: %v", err)
+	cases := []struct {
+		Name          string
+		HeaderKey     string
+		HeaderValue   string
+		ExpectedToken string
+	}{
+		{
+			Name:          "Parses token from X-Nomad-Token",
+			HeaderKey:     "X-Nomad-Token",
+			HeaderValue:   "foobar",
+			ExpectedToken: "foobar",
+		},
+		{
+			Name:          "Parses token from bearer authentication",
+			HeaderKey:     "Authorization",
+			HeaderValue:   "Bearer foobar",
+			ExpectedToken: "foobar",
+		},
+		{
+			Name:          "Fails to parse token from bad bearer authentication",
+			HeaderKey:     "Authorization",
+			HeaderValue:   "foobar",
+			ExpectedToken: "",
+		},
 	}

-	var token string
-	s.Server.parseToken(req, &token)
-	if token != "foobar" {
-		t.Fatalf("bad %s", token)
+	for i := range cases {
+		tc := cases[i]
+		t.Run(tc.Name, func(t *testing.T) {
+			req, err := http.NewRequest("GET", "/v1/jobs", nil)
+			req.Header.Add(tc.HeaderKey, tc.HeaderValue)
+			if err != nil {
+				t.Fatalf("err: %v", err)
+			}
+
+			var token string
+			s.Server.parseToken(req, &token)
+			if token != tc.ExpectedToken {
+				t.Fatalf("bad %s", token)
+			}
+		})
 	}
 }

--- a/website/content/api-docs/index.mdx
+++ b/website/content/api-docs/index.mdx
@ -66,15 +66,15 @@ administration.

 ## ACLs

-Several endpoints in Nomad use or require ACL tokens to operate. The token are used to authenticate the request and determine if the request is allowed based on the associated authorizations. Tokens are specified per-request by using the `X-Nomad-Token` request header set to the `SecretID` of an ACL Token.
+Several endpoints in Nomad use or require ACL tokens to operate. The token are used to authenticate the request and determine if the request is allowed based on the associated authorizations. Tokens are specified per-request by using the `X-Nomad-Token` request header or with the Bearer scheme in the authorization header set to the `SecretID` of an ACL Token.

 For more details about ACLs, please see the [ACL Guide](https://learn.hashicorp.com/collections/nomad/access-control).

 ## Authentication

-When ACLs are enabled, a Nomad token should be provided to API requests using the `X-Nomad-Token` header. When using authentication, clients should communicate via TLS.
+When ACLs are enabled, a Nomad token should be provided to API requests using the `X-Nomad-Token` header or with the Bearer scheme in the authorization header. When using authentication, clients should communicate via TLS.

-Here is an example using curl:
+Here is an example using curl with `X-Nomad-Token`:

 ```shell-session
 $ curl \
@ -82,6 +82,14 @@ $ curl \
    https://localhost:4646/v1/jobs
 ```

+Below is an example using `curl` with a [RFC6750](https://tools.ietf.org/html/rfc6750) Bearer token:
+
+```shell-session
+$ curl \
+    --header "Authorization: Bearer <token>" \
+    http://localhost:4646/v1/jobs
+```
+
 ## Namespaces

 Nomad has support for namespaces, which allow jobs and their associated objects