From f4c8cc221e42eadecf5bebaf1e2cbde1846755d1 Mon Sep 17 00:00:00 2001
From: Yunkon Kim
Date: Thu, 16 Nov 2023 14:39:50 +0900
Subject: [PATCH] Update to optionally enable/disable authentication - Perform skipping BasicAuth separated from AUTH enablement
---
 Dockerfile | 3 ++-
 conf/setup.env | 4 +--
 pkg/api/rest/server/server.go | 46 +++++++++++++++++++----------------
 3 files changed, 29 insertions(+), 24 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index a726212..c1c3c26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -52,7 +52,8 @@ ENV DB_PASSWORD cm_beetle
 # API Setting
 # ALLOW_ORIGINS (ex: https://cloud-barista.org,xxx.xxx.xxx.xxx or * for all)
 ENV ALLOW_ORIGINS *
-ENV SKIP_BASIC_AUTH false
+## Set ENABLE_AUTH=true currently for basic auth for all routes (i.e., url or path)
+ENV ENABLE_AUTH true
 ENV API_USERNAME default
 ENV API_PASSWORD default
diff --git a/conf/setup.env b/conf/setup.env
index 25fcb02..5e56167 100644
--- a/conf/setup.env
+++ b/conf/setup.env
@@ -19,8 +19,8 @@ export DB_PASSWORD=cm_beetle
 # Set API access config
 ## ALLOW_ORIGINS (ex: https://cloud-barista.org,http://localhost:8080 or * for all)
 export ALLOW_ORIGINS=*
-## Set SKIP_BASIC_AUTH=true to skip basic auth for all routes (i.e., url or path)
-export SKIP_BASIC_AUTH=false
+## Set ENABLE_AUTH=true currently for basic auth for all routes (i.e., url or path)
+export ENABLE_AUTH=true
 export API_USERNAME=default
 export API_PASSWORD=default
diff --git a/pkg/api/rest/server/server.go b/pkg/api/rest/server/server.go
index cf3f0a9..9d87a9f 100644
--- a/pkg/api/rest/server/server.go
+++ b/pkg/api/rest/server/server.go
@@ -97,30 +97,32 @@ func RunServer(port string) {
 		AllowMethods: []string{http.MethodGet, http.MethodPut, http.MethodPost, http.MethodDelete},
 	}))
-	skipBasicAuthOption := os.Getenv("SKIP_BASIC_AUTH") == "true"
+	// Conditions to prevent abnormal operation due to typos (e.g., ture, falss, etc.)
+	enableAuth := os.Getenv("ENABLE_AUTH") == "true"
 	apiUser := os.Getenv("API_USERNAME")
 	apiPass := os.Getenv("API_PASSWORD")
-	e.Use(middleware.BasicAuthWithConfig(middleware.BasicAuthConfig{
-		Skipper: func(c echo.Context) bool {
-			if skipBasicAuthOption ||
-				c.Path() == "/beetle/health" ||
-				c.Path() == "/beetle/httpVersion" {
-				// c.Path() == "/beetle/swagger/*" {
-				return true
-			}
-			return false
-		},
-		Validator: func(username, password string, c echo.Context) (bool, error) {
-			// Be careful to use constant time comparison to prevent timing attacks
-			if subtle.ConstantTimeCompare([]byte(username), []byte(apiUser)) == 1 &&
-				subtle.ConstantTimeCompare([]byte(password), []byte(apiPass)) == 1 {
-				return true, nil
-			}
-			return false, nil
-		},
-	}))
+	if enableAuth {
+		e.Use(middleware.BasicAuthWithConfig(middleware.BasicAuthConfig{
+			// Skip authentication for some routes that do not require authentication
+			Skipper: func(c echo.Context) bool {
+				if c.Path() == "/beetle/health" ||
+					c.Path() == "/beetle/httpVersion" {
+					return true
+				}
+				return false
+			},
+			Validator: func(username, password string, c echo.Context) (bool, error) {
+				// Be careful to use constant time comparison to prevent timing attacks
+				if subtle.ConstantTimeCompare([]byte(username), []byte(apiUser)) == 1 &&
+					subtle.ConstantTimeCompare([]byte(password), []byte(apiPass)) == 1 {
+					return true, nil
+				}
+				return false, nil
+			},
+		}))
+	}
 	fmt.Println("\n \n ")
 	fmt.Print(banner)
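Review bot: With `enableAuth := os.Getenv("ENABLE_AUTH") == "true"`, any other value — unset, empty, or a typo such as `ture` — leaves the BasicAuth middleware unregistered and every route served without authentication, which is the opposite of what the comment above it claims to prevent; the removed `SKIP_BASIC_AUTH` check failed closed on the same kind of mistake. Failing closed would be `enableAuth := os.Getenv("ENABLE_AUTH") != "false"`, paired with an `if !enableAuth { fmt.Println("WARNING: ENABLE_AUTH=false, API is served without authentication") }` so the unauthenticated state is visible in the startup output. The Dockerfile and conf/setup.env comments in this patch describe only the `true` case and should state what any other value does. RunServer begins before this hunk and continues after it.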
@@ -173,7 +175,9 @@ func RunServer(port string) {
 	selfEndpoint := os.Getenv("SELF_ENDPOINT")
 	apidashboard := " http://" + selfEndpoint + "/beetle/swagger/index.html"
-	fmt.Println(" Access to API dashboard" + " (username: " + apiUser + " / password: " + apiPass + ")")
+	if enableAuth {
+		fmt.Println(" Access to API dashboard" + " (username: " + apiUser + " / password: " + apiPass + ")")
+	}
 	fmt.Printf(noticeColor, apidashboard)
 	fmt.Println("\n ")
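Review bot: The guarded `fmt.Println` still writes apiPass in clear text to stdout at startup, so the API password ends up in process and container logs wherever this banner is captured; the new `if enableAuth` only decides whether that happens. Printing the username alone, `fmt.Println(" Access to API dashboard" + " (username: " + apiUser + ")")`, keeps the hint for the operator while the password remains available from the environment it was configured in. RunServer's body continues outside this hunk.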