lib/auth: add NewTokenPossibleMultitenant() for parsing auth token, which can be multitenant

Disallow parsing multitenant token at auth.NewToken().

Use auth.NewTokenPossibleMultitenant() at vminsert only. All the other callers should call auth.NewToken(),
since they do not support multitenant token.

This is a follow-up for f0c06b428e

Updates https://github.com/VictoriaMetrics/VictoriaMetrics/issues/4910
This commit is contained in:
Aliaksandr Valialkin 2023-08-30 14:08:47 +02:00
parent bda9699657
commit 3a2d035283
No known key found for this signature in database
GPG Key ID: A72BEC6CD3D0DED1
4 changed files with 31 additions and 11 deletions

View File

@ -208,7 +208,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
// This is not our link. // This is not our link.
return false return false
} }
at, err := auth.NewToken(p.AuthToken) at, err := auth.NewTokenPossibleMultitenant(p.AuthToken)
if err != nil { if err != nil {
httpserver.Errorf(w, r, "auth error: %s", err) httpserver.Errorf(w, r, "auth error: %s", err)
return true return true

View File

@ -292,11 +292,6 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
httpserver.Errorf(w, r, "auth error: %s", err) httpserver.Errorf(w, r, "auth error: %s", err)
return true return true
} }
if at == nil {
// the only option for at to be nil is when p.AuthToken == "multitenant"
// vmselect does not have multitenant endpoint, so request must be rejected
return false
}
switch p.Prefix { switch p.Prefix {
case "select": case "select":
return selectHandler(qt, startTime, w, r, p, at) return selectHandler(qt, startTime, w, r, p, at)

View File

@ -24,12 +24,7 @@ func (t *Token) String() string {
} }
// NewToken returns new Token for the given authToken. // NewToken returns new Token for the given authToken.
//
// If authToken == "multitenant", then nil Token is returned.
func NewToken(authToken string) (*Token, error) { func NewToken(authToken string) (*Token, error) {
if authToken == "multitenant" {
return nil, nil
}
var t Token var t Token
if err := t.Init(authToken); err != nil { if err := t.Init(authToken); err != nil {
return nil, err return nil, err
@ -37,6 +32,16 @@ func NewToken(authToken string) (*Token, error) {
return &t, nil return &t, nil
} }
// NewTokenPossibleMultitenant returns new Token for the given authToken.
//
// If authToken == "multitenant", then nil Token is returned.
func NewTokenPossibleMultitenant(authToken string) (*Token, error) {
if authToken == "multitenant" {
return nil, nil
}
return NewToken(authToken)
}
// Init initializes t from authToken. // Init initializes t from authToken.
func (t *Token) Init(authToken string) error { func (t *Token) Init(authToken string) error {
tmp := strings.Split(authToken, ":") tmp := strings.Split(authToken, ":")

View File

@ -26,6 +26,24 @@ func TestNewTokenSuccess(t *testing.T) {
f("1:4294967295", "1:4294967295") f("1:4294967295", "1:4294967295")
// max uint32 accountID and projectID // max uint32 accountID and projectID
f("4294967295:4294967295", "4294967295:4294967295") f("4294967295:4294967295", "4294967295:4294967295")
}
func TestNewTokenPossibleMultitenantSuccess(t *testing.T) {
f := func(token string, want string) {
t.Helper()
newToken, err := NewTokenPossibleMultitenant(token)
if err != nil {
t.Fatalf("unexpected error: %s", err)
}
got := newToken.String()
if got != want {
t.Fatalf("unexpected NewToken() result;got\n%s\nwant\n%s", got, want)
}
}
// token with accountID only
f("1", "1")
// token with accountID and projecTID
f("1:2", "1:2")
// multitenant // multitenant
f("multitenant", "multitenant") f("multitenant", "multitenant")
} }
@ -75,4 +93,6 @@ func TestNewTokenFailure(t *testing.T) {
f("a:b:c") f("a:b:c")
// many int parts in the token" // many int parts in the token"
f("1:2:3") f("1:2:3")
// multitenant
f("multitenant")
} }