Skip to content

feat(sources): add access to URL path in custom VRL auth #23165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pront merged 9 commits into from
Jun 24, 2025
Merged

feat(sources): add access to URL path in custom VRL auth #23165

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
9d6d68f
feat(sources) add access to URL path in custom VRL auth
Jun 6, 2025
a4a44a3
update website docs for VRL custom auth
Jun 6, 2025
cd2d4cc
format components.cue (tabs vs spaces)
Jun 6, 2025
8d0af47
Add changelog entry
Jun 6, 2025
0cdcfe3
Merge branch 'master' into byronwolfman/customizable-auth-path
byronwolfman Jun 18, 2025
7b699cc
Merge branch 'master' into byronwolfman/customizable-auth-path
byronwolfman Jun 23, 2025
29f1bcb
Address changelog linter
Jun 23, 2025
7eebcfd
Merge branch 'master' into byronwolfman/customizable-auth-path
thomasqueirozb Jun 23, 2025
fc5ef40
Merge branch 'master' into byronwolfman/customizable-auth-path
pront Jun 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/23165_custom_auth_path_access.feature.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Enabled URL path access in VRL scripts of custom auth strategy for server components.
49 changes: 40 additions & 9 deletions src/common/http/server_auth.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -198,6 +198,7 @@ impl HttpServerAuthMatcher {
&self,
address: Option<&SocketAddr>,
headers: &HeaderMap<HeaderValue>,
path: &str,
) -> Result<(), ErrorMessage> {
match self {
HttpServerAuthMatcher::AuthHeader(expected, err_message) => {
Expand All @@ -218,7 +219,7 @@ impl HttpServerAuthMatcher {
}
}
HttpServerAuthMatcher::Vrl { program } => {
self.handle_vrl_auth(address, headers, program)
self.handle_vrl_auth(address, headers, path, program)
}
}
}
Expand All @@ -227,6 +228,7 @@ impl HttpServerAuthMatcher {
&self,
address: Option<&SocketAddr>,
headers: &HeaderMap<HeaderValue>,
path: &str,
program: &Program,
) -> Result<(), ErrorMessage> {
let mut target = VrlTarget::new(
Expand All @@ -250,6 +252,7 @@ impl HttpServerAuthMatcher {
"address".into(),
address.map_or(Value::Null, |a| Value::from(a.ip().to_string())),
),
("path".into(), Value::from(path.to_owned())),
]),
Default::default(),
)),
Expand Down Expand Up @@ -439,7 +442,7 @@ mod tests {

let matcher = basic_auth.build(&Default::default()).unwrap();

let result = matcher.handle_auth(Some(&next_addr()), &HeaderMap::new());
let result = matcher.handle_auth(Some(&next_addr()), &HeaderMap::new(), "/");

assert!(result.is_err());
let error = result.unwrap_err();
Expand All @@ -458,7 +461,7 @@ mod tests {

let mut headers = HeaderMap::new();
headers.insert(AUTHORIZATION, HeaderValue::from_static("Basic wrong"));
let result = matcher.handle_auth(Some(&next_addr()), &headers);
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/");

assert!(result.is_err());
let error = result.unwrap_err();
Expand All @@ -482,7 +485,7 @@ mod tests {
AUTHORIZATION,
Authorization::basic(&username, &password).0.encode(),
);
let result = matcher.handle_auth(Some(&next_addr()), &headers);
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/");

assert!(result.is_ok());
}
Expand All @@ -497,7 +500,7 @@ mod tests {

let mut headers = HeaderMap::new();
headers.insert(AUTHORIZATION, HeaderValue::from_static("test"));
let result = matcher.handle_auth(Some(&next_addr()), &headers);
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/");

assert!(result.is_ok());
}
Expand All @@ -513,7 +516,7 @@ mod tests {
let matcher = custom_auth.build(&Default::default()).unwrap();

let headers = HeaderMap::new();
let result = matcher.handle_auth(Some(&next_addr()), &headers);
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/");

assert!(result.is_ok());
}
Expand All @@ -529,7 +532,35 @@ mod tests {
let matcher = custom_auth.build(&Default::default()).unwrap();

let headers = HeaderMap::new();
let result = matcher.handle_auth(None, &headers);
let result = matcher.handle_auth(None, &headers, "/");

assert!(result.is_err());
}

#[test]
fn custom_auth_matcher_should_be_able_to_check_path() {
let custom_auth = HttpServerAuthConfig::Custom {
source: r#".path == "/ok""#.to_string(),
};

let matcher = custom_auth.build(&Default::default()).unwrap();

let headers = HeaderMap::new();
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/ok");

assert!(result.is_ok());
}

#[test]
fn custom_auth_matcher_should_return_401_with_wrong_path() {
let custom_auth = HttpServerAuthConfig::Custom {
source: r#".path == "/ok""#.to_string(),
};

let matcher = custom_auth.build(&Default::default()).unwrap();

let headers = HeaderMap::new();
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/bad");

assert!(result.is_err());
}
Expand All @@ -544,7 +575,7 @@ mod tests {

let mut headers = HeaderMap::new();
headers.insert(AUTHORIZATION, HeaderValue::from_static("wrong value"));
let result = matcher.handle_auth(Some(&next_addr()), &headers);
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/");

assert!(result.is_err());
let error = result.unwrap_err();
Expand All @@ -562,7 +593,7 @@ mod tests {

let mut headers = HeaderMap::new();
headers.insert(AUTHORIZATION, HeaderValue::from_static("test"));
let result = matcher.handle_auth(Some(&next_addr()), &headers);
let result = matcher.handle_auth(Some(&next_addr()), &headers, "/");

assert!(result.is_err());
let error = result.unwrap_err();
Expand Down
2 changes: 1 addition & 1 deletion src/sinks/websocket_server/sink.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ impl WebSocketListenerSink {
));
return Ok(response);
};
match auth.handle_auth(Some(&addr), req.headers()) {
match auth.handle_auth(Some(&addr), req.headers(), req.uri().path()) {
Ok(_) => {
extra_tags.append(&mut Self::extract_extra_tags(
&extra_tags_config,
Expand Down
6 changes: 5 additions & 1 deletion src/sources/util/http/prelude.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,11 @@ pub trait HttpSource: Clone + Send + Sync + 'static {
let events = auth_matcher
.as_ref()
.map_or(Ok(()), |a| {
a.handle_auth(addr.as_ref().map(|a| a.0).as_ref(), &headers)
a.handle_auth(
addr.as_ref().map(|a| a.0).as_ref(),
&headers,
path.as_str(),
)
})
.and_then(|()| self.decode(encoding_header.as_deref(), body))
.and_then(|body| {
Expand Down
4 changes: 2 additions & 2 deletions website/cue/reference/components.cue
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1290,8 +1290,8 @@ components: {
authorization code using VRL. Here is an example that looks up the token in an
enrichment table backed by a CSV file.

Currently custom VRL auth has access to `headers` and `address` (IP address of the
client).
Currently custom VRL auth has access to `headers`, `path`, and `address` (IP
address of the client).

```yaml
\(kind)s:
Expand Down
Loading