diff --git a/docs/web-config.yml b/docs/web-config.yml
index 942d9812..df655489 100644
--- a/docs/web-config.yml
+++ b/docs/web-config.yml
@@ -10,3 +10,8 @@ tls_server_config:
 basic_auth_users:
 alice: $2y$10$mDwo.lAisC94iLAyP81MCesa29IzH37oigHC/42V2pdJlUprsJPze
 bob: $2y$10$hLqFl9jSjoAAy95Z/zw8Ye8wkdMBM8c5Bn1ptYqP/AXyV0.oy0S8m
+
+# Exclude /-/healthy and /-/ready from basic authentication
+basic_auth_excluded_paths:
+- /-/healthy
+- /-/ready
diff --git a/docs/web-configuration.md b/docs/web-configuration.md
index 79b2caf2..451de94a 100644
--- a/docs/web-configuration.md
+++ b/docs/web-configuration.md
@@ -97,6 +97,11 @@ http_server_config:
 # required. Passwords are hashed with bcrypt.
 basic_auth_users:
 [ : ... ]
+
+# Exclude URL path from basic authentication. One of the reasonable usecase
+# would be exclude the health check path when basic_auth_users is configured.
+basic_auth_excluded_paths:
+[ - ]
 ```
 [A sample configuration file](web-config.yml) is provided.
diff --git a/web/handler.go b/web/handler.go
index ae3ebc03..4a9336e1 100644
--- a/web/handler.go
+++ b/web/handler.go
@@ -102,6 +102,13 @@ func (u *webHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
+ for _, path := range c.AuthExcludedPaths {
+ if path == r.URL.Path {
+ u.handler.ServeHTTP(w, r)
+ return
+ }
+ }
+
 user, pass, auth := r.BasicAuth()
 if auth {
 hashedPassword, validUser := c.Users[user]
diff --git a/web/testdata/web_config_users_noTLS_excludePath.good.yml b/web/testdata/web_config_users_noTLS_excludePath.good.yml
new file mode 100644
index 00000000..0d13a9e2
--- /dev/null
+++ b/web/testdata/web_config_users_noTLS_excludePath.good.yml
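Review bot: The unauthenticated branch added to ServeHTTP in web/handler.go forwards the request to `u.handler` for any HTTP method as soon as `path == r.URL.Path`, and the matching rule is not documented at the point where authentication is skipped. Exact equality is the fail-closed choice, since a trailing slash or any other variant of the path still falls through to the credential check, so state it above the loop: `// Exact match on r.URL.Path only (no prefix or cleaned-path matching); any other path still requires credentials.` If the feature is meant only for health probes, as the documentation hunk suggests, consider limiting the bypass to GET and HEAD so that an excluded path does not also admit unauthenticated writes. The new fixture excludes `/`, which shows that an entry exposes whatever the wrapped handler serves for that path. ServeHTTP starts and ends outside this hunk.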
@@ -0,0 +1,8 @@
+basic_auth_excluded_paths:
+- /
+
+basic_auth_users:
+ alice: $2y$12$1DpfPeqF9HzHJt.EWswy1exHluGfbhnn3yXhR7Xes6m3WJqFg0Wby
+ bob: $2y$18$4VeFDzXIoPHKnKTU3O3GH.N.vZu06CVqczYZ8WvfzrddFU6tGqjR.
+ carol: $2y$10$qRTBuFoULoYNA7AQ/F3ck.trZBPyjV64.oA4ZsSBCIWvXuvQlQTuu
+ dave: $2y$10$2UXri9cIDdgeKjBo4Rlpx.U3ZLDV8X1IxKmsfOvhcM5oXQt/mLmXq
diff --git a/web/tls_config.go b/web/tls_config.go
index 18f34316..79bc51b1 100644
--- a/web/tls_config.go
+++ b/web/tls_config.go
@@ -34,9 +34,10 @@ var (
 )
 type Config struct {
- TLSConfig TLSStruct `yaml:"tls_server_config"`
- HTTPConfig HTTPStruct `yaml:"http_server_config"`
- Users map[string]config_util.Secret `yaml:"basic_auth_users"`
+ TLSConfig TLSStruct `yaml:"tls_server_config"`
+ HTTPConfig HTTPStruct `yaml:"http_server_config"`
+ Users map[string]config_util.Secret `yaml:"basic_auth_users"`
+ AuthExcludedPaths []string `yaml:"basic_auth_excluded_paths"`
 }
 type TLSStruct struct {
diff --git a/web/tls_config_test.go b/web/tls_config_test.go
index 90172467..07b630b4 100644
--- a/web/tls_config_test.go
+++ b/web/tls_config_test.go
@@ -615,6 +615,11 @@ func TestUsers(t *testing.T) {
 Password: "dave123",
 ExpectedError: nil,
 },
+ {
+ Name: `with correct basic auth and exclude path`,
+ YAMLConfigPath: "testdata/web_config_users_noTLS_excludePath.good.yml",
+ ExpectedError: nil,
+ },
 {
 Name: `without basic auth and TLS`,
 YAMLConfigPath: "testdata/web_config_users.good.yml",
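Review bot: `AuthExcludedPaths` is added to Config in web/tls_config.go with no comment, and nothing in the visible change checks its entries when the file is loaded. Because the handler compares each entry for exact equality with `r.URL.Path`, an empty entry or one without a leading `/` would normally never match and would be ignored without any error. A field comment such as `// AuthExcludedPaths lists request paths served without basic auth; each entry is compared for exact equality with r.URL.Path.` would record the contract. Rejecting malformed entries during config validation would turn a typo into a startup error instead of a silent no-op. The validation code is outside this hunk, so confirm whether such a check already exists.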
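Review bot: The new TestUsers case `with correct basic auth and exclude path` sends no Username or Password and expects no error, so it only proves that the excluded path is reachable; no case shows that a path absent from `basic_auth_excluded_paths` is still rejected under the same config. The fixture excludes `/`, which is presumably the path the harness requests, so a regression that skipped authentication for every path would still pass this table. Add a companion case that requests a non-excluded path without credentials and expects the unauthorized error; if the test struct has no field for the request path, it would need one. The case name says "with correct basic auth" although no credentials are supplied, so something like `without basic auth on excluded path` would describe it better. The table continues outside this hunk.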