From fef657b1826bc4cb530bddb6edfe18d678ae7d72 Mon Sep 17 00:00:00 2001
From: Alex Weaver
Date: Mon, 18 Nov 2024 16:19:16 -0600
Subject: [PATCH] Reject multiple auth schemes at the same time

---
 pkg/ruler/notifier.go | 9 ++++++++-
 pkg/ruler/notifier_test.go | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/pkg/ruler/notifier.go b/pkg/ruler/notifier.go
index 9e892212c17..14b3df44fd9 100644
--- a/pkg/ruler/notifier.go
+++ b/pkg/ruler/notifier.go
@@ -28,7 +28,10 @@ import (
 "github.com/grafana/mimir/pkg/util"
 )
 
-var errRulerNotifierStopped = cancellation.NewErrorf("rulerNotifier stopped")
+var (
+ errRulerNotifierStopped = cancellation.NewErrorf("rulerNotifier stopped")
+ errRulerSimultaneousBasicAuthAndOAuth = errors.New("cannot use both Basic Auth and OAuth2 simultaneously")
+)
 
 type NotifierConfig struct {
 TLSEnabled bool `yaml:"tls_enabled" category:"advanced"`
@@ -210,6 +213,10 @@ func amConfigWithSD(rulerConfig *Config, url *url.URL, sdConfig discovery.Config
 
 // Whether to use OAuth2 or not.
 if rulerConfig.Notifier.OAuth2.IsEnabled() {
+ if amConfig.HTTPClientConfig.BasicAuth != nil {
+ return nil, errRulerSimultaneousBasicAuthAndOAuth
+ }
+
 amConfig.HTTPClientConfig.OAuth2 = &config_util.OAuth2{
 ClientID: rulerConfig.Notifier.OAuth2.ClientID,
 ClientSecret: config_util.Secret(rulerConfig.Notifier.OAuth2.ClientSecret.String()),
diff --git a/pkg/ruler/notifier_test.go b/pkg/ruler/notifier_test.go
index 9cc658fa937..84840d3e0b2 100644
--- a/pkg/ruler/notifier_test.go
+++ b/pkg/ruler/notifier_test.go
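Review bot: The guard `if amConfig.HTTPClientConfig.BasicAuth != nil` in the second notifier.go hunk only works because BasicAuth is populated earlier in amConfigWithSD, which starts and ends outside the hunk, and nothing at the check says so. The tests in this patch show the credentials can come either from the notifier's BasicAuth settings or from userinfo embedded in the Alertmanager URL, so reordering those assignments later would let both schemes through again with no compile error. I would add a comment above the check such as `// BasicAuth may already be set from the notifier config or from credentials in the Alertmanager URL; refuse to combine it with OAuth2 rather than silently preferring one.` The sentinel gives no hint which source conflicted; if context is added to it later, it should name the source without echoing the URL, since the userinfo part holds the password.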
@@ -450,6 +450,39 @@ func TestBuildNotifierConfig(t *testing.T) {
 },
 err: errors.New("parse \"http://example.local\\x7f\": net/url: invalid control character in URL"),
 },
+ {
+ name: "basic auth and oauth provided at the same time",
+ cfg: &Config{
+ AlertmanagerURL: "http://alertmanager.default.svc.cluster.local/alertmanager",
+ Notifier: NotifierConfig{
+ BasicAuth: util.BasicAuth{
+ Username: "test-user",
+ },
+ OAuth2: OAuth2Config{
+ ClientID: "oauth2-client-id",
+ ClientSecret: flagext.SecretWithValue("test"),
+ TokenURL: "https://oauth2-token-endpoint.local/token",
+ Scopes: flagext.StringSlice([]string{"action-1", "action-2"}),
+ },
+ },
+ },
+ err: errRulerSimultaneousBasicAuthAndOAuth,
+ },
+ {
+ name: "basic auth via URL and oauth provided at the same time",
+ cfg: &Config{
+ AlertmanagerURL: "http://marco:hunter2@alertmanager.default.svc.cluster.local/alertmanager",
+ Notifier: NotifierConfig{
+ OAuth2: OAuth2Config{
+ ClientID: "oauth2-client-id",
+ ClientSecret: flagext.SecretWithValue("test"),
+ TokenURL: "https://oauth2-token-endpoint.local/token",
+ Scopes: flagext.StringSlice([]string{"action-1", "action-2"}),
+ },
+ },
+ },
+ err: errRulerSimultaneousBasicAuthAndOAuth,
+ },
 }
 
 for _, tt := range tests {
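Review bot: The two new cases leave one shape of the conflict untested: the first sets only `Username` in `util.BasicAuth`, so a BasicAuth block that carries a password but no username is never exercised. Whether that shape yields a non-nil `HTTPClientConfig.BasicAuth`, and so trips the new guard, depends on code outside this diff. I would add a third entry, `name: "basic auth password only and oauth provided at the same time",`, that sets only the password field alongside the same OAuth2 block and expects `errRulerSimultaneousBasicAuthAndOAuth`. The loop that checks `tt.err` begins on the hunk's last line and continues past it, so how the expected error is compared is not visible here.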