Reject multiple auth schemes at the same time

grafana · Nov 18, 2024 · fef657b · fef657b
1 parent 2eab888
commit fef657b
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go
@@ -28,7 +28,10 @@ import (
 	"github.com/grafana/mimir/pkg/util"
 )
 
-var errRulerNotifierStopped = cancellation.NewErrorf("rulerNotifier stopped")
+var (
+	errRulerNotifierStopped               = cancellation.NewErrorf("rulerNotifier stopped")
+	errRulerSimultaneousBasicAuthAndOAuth = errors.New("cannot use both Basic Auth and OAuth2 simultaneously")
+)
 
 type NotifierConfig struct {
 	TLSEnabled bool             `yaml:"tls_enabled" category:"advanced"`
@@ -210,6 +213,10 @@ func amConfigWithSD(rulerConfig *Config, url *url.URL, sdConfig discovery.Config
 
 	// Whether to use OAuth2 or not.
 	if rulerConfig.Notifier.OAuth2.IsEnabled() {
+		if amConfig.HTTPClientConfig.BasicAuth != nil {
+			return nil, errRulerSimultaneousBasicAuthAndOAuth
+		}
+
 		amConfig.HTTPClientConfig.OAuth2 = &config_util.OAuth2{
 			ClientID:     rulerConfig.Notifier.OAuth2.ClientID,
 			ClientSecret: config_util.Secret(rulerConfig.Notifier.OAuth2.ClientSecret.String()),

diff --git a/pkg/ruler/notifier_test.go b/pkg/ruler/notifier_test.go
@@ -450,6 +450,39 @@ func TestBuildNotifierConfig(t *testing.T) {
 			},
 			err: errors.New("parse \"http://example.local\\x7f\": net/url: invalid control character in URL"),
 		},
+		{
+			name: "basic auth and oauth provided at the same time",
+			cfg: &Config{
+				AlertmanagerURL: "http://alertmanager.default.svc.cluster.local/alertmanager",
+				Notifier: NotifierConfig{
+					BasicAuth: util.BasicAuth{
+						Username: "test-user",
+					},
+					OAuth2: OAuth2Config{
+						ClientID:     "oauth2-client-id",
+						ClientSecret: flagext.SecretWithValue("test"),
+						TokenURL:     "https://oauth2-token-endpoint.local/token",
+						Scopes:       flagext.StringSlice([]string{"action-1", "action-2"}),
+					},
+				},
+			},
+			err: errRulerSimultaneousBasicAuthAndOAuth,
+		},
+		{
+			name: "basic auth via URL and oauth provided at the same time",
+			cfg: &Config{
+				AlertmanagerURL: "http://marco:hunter2@alertmanager.default.svc.cluster.local/alertmanager",
+				Notifier: NotifierConfig{
+					OAuth2: OAuth2Config{
+						ClientID:     "oauth2-client-id",
+						ClientSecret: flagext.SecretWithValue("test"),
+						TokenURL:     "https://oauth2-token-endpoint.local/token",
+						Scopes:       flagext.StringSlice([]string{"action-1", "action-2"}),
+					},
+				},
+			},
+			err: errRulerSimultaneousBasicAuthAndOAuth,
+		},
 	}
 
 	for _, tt := range tests {