Do not attach authorization header in bearerAuthPlugin if response is…

… a redirect

Signed-off-by: carabasdaniel <dani@aserto.com>

v1/plugins/rest/auth.go

@@ -126,10 +126,14 @@ type bearerAuthPlugin struct {
 	// encode is set to true for the OCIDownloader because
 	// it expects tokens in plain text but needs them in base64.
 	encode bool
+	logger logging.Logger
 }
 
 func (ap *bearerAuthPlugin) NewClient(c Config) (*http.Client, error) {
 	t, err := DefaultTLSConfig(c)
+
+	ap.logger = c.logger
+
 	if err != nil {
 		return nil, err
 	}
@@ -153,6 +157,9 @@ func (ap *bearerAuthPlugin) NewClient(c Config) (*http.Client, error) {
 
 func (ap *bearerAuthPlugin) Prepare(req *http.Request) error {
 	token := ap.Token
+	if ap.logger == nil {
+		ap.logger = logging.Get()
+	}
 
 	if ap.TokenPath != "" {
 		bytes, err := os.ReadFile(ap.TokenPath)
@@ -166,7 +173,12 @@ func (ap *bearerAuthPlugin) Prepare(req *http.Request) error {
 		token = base64.StdEncoding.EncodeToString([]byte(token))
 	}
 
-	req.Header.Add("Authorization", fmt.Sprintf("%v %v", ap.Scheme, token))
+	if req.Response != nil && (req.Response.StatusCode == http.StatusPermanentRedirect || req.Response.StatusCode == http.StatusTemporaryRedirect) {
+		ap.logger.Debug("not attaching authorization header as the response contains a redirect")
+	} else {
+		ap.logger.Debug("attaching authorization header")
+		req.Header.Add("Authorization", fmt.Sprintf("%v %v", ap.Scheme, token))
+	}
 	return nil
 }
 

v1/plugins/rest/auth_test.go

@@ -1,10 +1,13 @@
 package rest
 
 import (
+	"bytes"
+	"net/http"
 	"strings"
 	"testing"
 
 	"github.com/open-policy-agent/opa/v1/keys"
+	"github.com/open-policy-agent/opa/v1/logging"
 )
 
 func TestOCIWithAWSAuthSetsUpECRAuthPlugin(t *testing.T) {
@@ -321,3 +324,52 @@ func TestOauth2WithClientAssertionPathOverrideAssertionType(t *testing.T) {
 		t.Errorf("OAuth2.ClientAssertionType = %v, want = %v", client.config.Credentials.OAuth2.ClientAssertionType, "urn:ietf:params:oauth:my-thing")
 	}
 }
+
+func TestBearerTokenHeaderAttachement(t *testing.T) {
+	conf := `{
+		"name": "foo",
+		"url": "http://localhost",
+		"type":"oci",
+		"credentials": {
+	      "bearer": {
+		    "token":"user:password",
+          }, 
+        }
+    }`
+	client, err := New([]byte(conf), map[string]*keys.Config{})
+	if err != nil {
+		t.Fatalf("New() = %v", err)
+	}
+	var buf bytes.Buffer
+	client.logger.SetLevel(logging.Debug)
+	client.logger.(*logging.StandardLogger).SetOutput(&buf)
+
+	_, err = client.config.Credentials.Bearer.NewClient(client.config)
+	if err != nil {
+		t.Fatalf("Bearer Auth Plugin new client should not error = %q", err)
+	}
+
+	err = client.config.Credentials.Bearer.Prepare(&http.Request{Response: &http.Response{StatusCode: http.StatusTemporaryRedirect}})
+	if err != nil {
+		t.Fatalf("Bearer Auth Plugin should not error on redirect = %q ", err)
+	}
+	if !strings.Contains(buf.String(), "not attaching authorization header as the response contains a redirect") {
+		t.Fatalf("log debug output does not contain the message to confirm that the authorization header was not attached")
+	}
+
+	err = client.config.Credentials.Bearer.Prepare(&http.Request{Response: &http.Response{StatusCode: http.StatusTemporaryRedirect}})
+	if err != nil {
+		t.Fatalf("Bearer Auth Plugin should not error on redirect = %q ", err)
+	}
+	if !strings.Contains(buf.String(), "not attaching authorization header as the response contains a redirect") {
+		t.Fatalf("log debug output does not contain the message to confirm that the authorization header was not attached")
+	}
+
+	err = client.config.Credentials.Bearer.Prepare(&http.Request{Header: http.Header{}})
+	if err != nil {
+		t.Fatalf("Bearer Auth Plugin should not error on redirect = %q ", err)
+	}
+	if !strings.Contains(buf.String(), "attaching authorization header") {
+		t.Fatalf("log debug output should show that the authorization header is attached")
+	}
+}