Merge pull request #3494 from skoeva/auth3

backend: auth: Extract ParseClusterAndToken from headlamp.go

Author: illume

backend/cmd/headlamp.go

@@ -33,7 +33,6 @@ import (
 	"os"
 	"path"
 	"path/filepath"
-	"regexp"
 	"runtime"
 	"strings"
 	"syscall"
@@ -838,30 +837,6 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	return r
 }
 
-func parseClusterAndToken(r *http.Request) (string, string) {
-	cluster := ""
-	re := regexp.MustCompile(`^/clusters/([^/]+)/.*`)
-	urlString := r.URL.RequestURI()
-
-	matches := re.FindStringSubmatch(urlString)
-	if len(matches) > 1 {
-		cluster = matches[1]
-	}
-
-	// Try Authorization header first (for backward compatibility)
-	token := r.Header.Get("Authorization")
-	token = strings.TrimPrefix(token, "Bearer ")
-
-	// If no auth header, try cookie
-	if token == "" && cluster != "" {
-		if cookieToken, err := auth.GetTokenFromCookie(r, cluster); err == nil {
-			token = cookieToken
-		}
-	}
-
-	return cluster, token
-}
-
 func getExpiryTime(payload map[string]interface{}) (time.Time, error) {
 	exp, ok := payload["exp"].(float64)
 	if !ok {
@@ -1157,7 +1132,7 @@ func (c *HeadlampConfig) OIDCTokenRefreshMiddleware(next http.Handler) http.Hand
 		}
 
 		// parse cluster and token
-		cluster, token := parseClusterAndToken(r)
+		cluster, token := auth.ParseClusterAndToken(r)
 		if c.shouldBypassOIDCRefresh(cluster, token, w, r, span, ctx, start, next) {
 			return
 		}

backend/cmd/headlamp_test.go

@@ -1001,17 +1001,6 @@ func TestGetOidcCallbackURL(t *testing.T) {
 	}
 }
 
-func TestParseClusterAndToken(t *testing.T) {
-	ctx := context.Background()
-	req, err := http.NewRequestWithContext(ctx, "GET", "/clusters/test-cluster/api", nil)
-	require.NoError(t, err)
-	req.Header.Set("Authorization", "Bearer test-token")
-
-	cluster, token := parseClusterAndToken(req)
-	assert.Equal(t, "test-cluster", cluster)
-	assert.Equal(t, "test-token", token)
-}
-
 func TestIsTokenAboutToExpire(t *testing.T) {
 	// Token that expires in 4 minutes
 	header := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."

backend/pkg/auth/auth.go

@@ -19,6 +19,9 @@ package auth
 import (
 	"encoding/base64"
 	"encoding/json"
+	"net/http"
+	"regexp"
+	"strings"
 )
 
 // DecodeBase64JSON decodes a base64 URL-encoded JSON string into a map.
@@ -35,3 +38,37 @@ func DecodeBase64JSON(base64JSON string) (map[string]interface{}, error) {
 
 	return payloadMap, nil
 }
+
+// clusterPathRegex matches /clusters/<cluster>/...
+var clusterPathRegex = regexp.MustCompile(`^/clusters/([^/]+)/.*`)
+
+// bearerTokenRegex matches valid bearer tokens as specified by RFC 6750:
+// https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+var bearerTokenRegex = regexp.MustCompile(`^[\x21-\x7E]+$`)
+
+// ParseClusterAndToken extracts the cluster name from the URL path and
+// the Bearer token from the Authorization header of the HTTP request.
+func ParseClusterAndToken(r *http.Request) (string, string) {
+	cluster := ""
+
+	matches := clusterPathRegex.FindStringSubmatch(r.URL.Path)
+	if len(matches) > 1 {
+		cluster = matches[1]
+	}
+
+	token := strings.TrimSpace(r.Header.Get("Authorization"))
+	if strings.Contains(token, ",") {
+		return cluster, ""
+	}
+
+	const bearerPrefix = "Bearer "
+	if strings.HasPrefix(strings.ToLower(token), strings.ToLower(bearerPrefix)) {
+		token = strings.TrimSpace(token[len(bearerPrefix):])
+	}
+
+	if token != "" && !bearerTokenRegex.MatchString(token) {
+		return cluster, ""
+	}
+
+	return cluster, token
+}

backend/pkg/auth/auth_test.go

@@ -17,6 +17,8 @@ limitations under the License.
 package auth_test
 
 import (
+	"context"
+	"net/http"
 	"reflect"
 	"testing"
 
@@ -89,3 +91,85 @@ func TestDecodeBase64JSON(t *testing.T) {
 		})
 	}
 }
+
+var parseClusterAndTokenTests = []struct {
+	name        string
+	url         string
+	authHeader  string
+	wantCluster string
+	wantToken   string
+}{
+	{
+		name:        "standard case",
+		url:         "/clusters/test-cluster/api",
+		authHeader:  "Bearer test-token",
+		wantCluster: "test-cluster",
+		wantToken:   "test-token",
+	},
+	{
+		name:        "lowercase bearer",
+		url:         "/clusters/abc/api",
+		authHeader:  "bearer token-lowercase",
+		wantCluster: "abc",
+		wantToken:   "token-lowercase",
+	},
+	{
+		name:        "uppercase bearer",
+		url:         "/clusters/xyz/api",
+		authHeader:  "BEARER token-upper",
+		wantCluster: "xyz",
+		wantToken:   "token-upper",
+	},
+	{
+		name:        "extra spaces before bearer",
+		url:         "/clusters/extra/api",
+		authHeader:  "   Bearer  spaced-token",
+		wantCluster: "extra",
+		wantToken:   "spaced-token",
+	},
+	{
+		name:        "not a clusters path",
+		url:         "/no-clusters-prefix/api",
+		authHeader:  "Bearer test-token",
+		wantCluster: "",
+		wantToken:   "test-token",
+	},
+	{
+		name:        "multiple bearer tokens",
+		url:         "/clusters/test/api",
+		authHeader:  "Bearer xxx, Bearer yyy",
+		wantCluster: "test",
+		wantToken:   "",
+	},
+	{
+		name:        "no cluster in path",
+		url:         "/clusters/",
+		authHeader:  "Bearer some-token",
+		wantCluster: "",
+		wantToken:   "some-token",
+	},
+}
+
+func TestParseClusterAndToken(t *testing.T) {
+	for _, tt := range parseClusterAndTokenTests {
+		t.Run(tt.name, func(t *testing.T) {
+			req, err := http.NewRequestWithContext(context.Background(), "GET", tt.url, nil)
+			if err != nil {
+				t.Fatalf("ParseClusterAndToken() error = %v", err)
+			}
+
+			if tt.authHeader != "" {
+				req.Header.Set("Authorization", tt.authHeader)
+			}
+
+			cluster, token := auth.ParseClusterAndToken(req)
+			if cluster != tt.wantCluster {
+				t.Errorf("ParseClusterAndToken() got cluster %q, want %q", cluster, tt.wantCluster)
+			}
+
+			if token != tt.wantToken {
+				t.Errorf("ParseClusterAndToken() got token = %q, want %q", token, tt.wantToken)
+			}
+		})
+	}
+}