bearer token

Author: Vladimir Kotal

apiary.apib

@@ -5,7 +5,7 @@ HIFORMAT: 1A
 OpenGrok RESTful API documentation. The following endpoints are accessible under `/api/v1` with the exception of `/metrics`.
 
 Besides `/suggester`, `/search` and `/metrics` endpoints, everything is accessible from `localhost` only
-unless authentication tokens are configured in the web application and used via the 'Authorization' HTTP header
+unless authentication bearer tokens are configured in the web application and used via the 'Authorization' HTTP header
 (within HTTPS connection).
 
 ## Annotation [/annotation{?path}]

opengrok-web/src/main/java/org/opengrok/web/api/v1/filter/IncomingFilter.java

@@ -48,9 +48,11 @@
 import java.util.logging.Logger;
 
 /**
- * This filter allows the request in case it contains the correct authentication token
+ * This filter allows the request in case it contains the correct authentication bearer token
  * (needs to come in via HTTPS) or it is coming from localhost or its path matches the list
  * of built in paths.
+ * If the request does not contain valid token and appears to come from localhost however is proxied
+ * (contains either X-Forwarded-For or Forwarded HTTP headers) it is denied.
  */
 @Provider
 @PreMatching
@@ -76,6 +78,8 @@ public class IncomingFilter implements ContainerRequestFilter {
             "127.0.0.1", "0:0:0:0:0:0:0:1", "localhost"
     ));
 
+    static final String BEARER = "Bearer ";  // Authorization header value prefix
+
     @PostConstruct
     public void init() {
         try {
@@ -97,11 +101,14 @@ public void filter(final ContainerRequestContext context) {
         String path = context.getUriInfo().getPath();
 
         if (request.isSecure()) {
-            String authHeader;
-            if (((authHeader = request.getHeader(HttpHeaders.AUTHORIZATION)) != null) &&
-                    RuntimeEnvironment.getInstance().getAuthenticationTokens().contains(authHeader)) {
-                logger.log(Level.FINEST, "allowing request to {0} based on authentication header", path);
-                return;
+            String authHeaderValue;
+            if ((authHeaderValue = request.getHeader(HttpHeaders.AUTHORIZATION)) != null &&
+                    authHeaderValue.startsWith(BEARER)) {
+                String tokenValue = authHeaderValue.substring(BEARER.length());
+                if (RuntimeEnvironment.getInstance().getAuthenticationTokens().contains(tokenValue)) {
+                    logger.log(Level.FINEST, "allowing request to {0} based on authentication header token", path);
+                    return;
+                }
             }
         }
 

opengrok-web/src/test/java/org/opengrok/web/api/v1/filter/IncomingFilterTest.java

@@ -63,7 +63,8 @@ private void nonLocalhostTestWithToken(boolean allowed) throws Exception {
         RuntimeEnvironment.getInstance().setAuthenticationTokens(tokens);
 
         Map<String, String> headers = new TreeMap<>();
-        headers.put(HttpHeaders.AUTHORIZATION, allowed ? allowedToken : allowedToken + "_");
+        final String authHeaderValue = IncomingFilter.BEARER + allowedToken;
+        headers.put(HttpHeaders.AUTHORIZATION, allowed ? authHeaderValue : authHeaderValue + "_");
         IncomingFilter filter = mockWithRemoteAddress("192.168.1.1", headers, true);
 
         ContainerRequestContext context = mockContainerRequestContext("test");