Add HTTP request header X-Consul-Token

Add support for an X-Consul-Token HTTP request header to specify the
token with which this request should be fulfilled. The header would have
precedence over the responding Agent's default token, but would have
lower precedence than a token specified in the query string.
David Adams 2015-10-19 08:59:24 -05:00
parent a926e41c44
commit b7bcb2a414
3 changed files with 37 additions and 3 deletions


@ -463,13 +463,18 @@ func (s *HTTPServer) parseDC(req *http.Request, dc *string) {
}
}
// parseToken is used to parse the ?token query param
// parseToken is used to parse the ?token query param or the X-Consul-Token header
func (s *HTTPServer) parseToken(req *http.Request, token *string) {
if other := req.URL.Query().Get("token"); other != "" {
*token = other
return
}
if other := req.Header.Get("X-Consul-Token"); other != "" {
*token = other
return
}
// Set the AtlasACLToken if SCADA
if s.addr == scadaHTTPAddr && s.agent.config.AtlasACLToken != "" {
*token = s.agent.config.AtlasACLToken
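Review bot: The updated comment on parseToken names both sources but not which one wins, and that order decides which credential authorizes a request that carries both. I would spell it out, e.g. `// parseToken resolves the ACL token for a request: the ?token query param wins,` followed by `// then the X-Consul-Token header; otherwise the agent-side defaults below apply.` The header name is also a bare string literal here and again in the test, so a package-level constant would keep the two in sync. The function body continues past the end of this hunk, so the fallback after the SCADA check is not visible here.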


@ -472,6 +472,22 @@ func TestACLResolution(t *testing.T) {
t.Fatalf("err: %v", err)
}
// Request with header token only
reqHeaderToken, err := http.NewRequest("GET",
"/v1/catalog/nodes", nil)
if err != nil {
t.Fatalf("err: %v", err)
}
reqHeaderToken.Header.Add("X-Consul-Token", "bar")
// Request with header and querystring tokens
reqBothTokens, err := http.NewRequest("GET",
"/v1/catalog/nodes?token=baz", nil)
if err != nil {
t.Fatalf("err: %v", err)
}
reqBothTokens.Header.Add("X-Consul-Token", "zap")
httpTest(t, func(srv *HTTPServer) {
// Check when no token is set
srv.agent.config.ACLToken = ""
@ -513,6 +529,18 @@ func TestACLResolution(t *testing.T) {
if token != "foo" {
t.Fatalf("bad: %s", token)
}
// Header token has precedence over agent token
srv.parseToken(reqHeaderToken, &token)
if token != "bar" {
t.Fatalf("bad: %s", token)
}
// Querystring token has precendence over header and agent tokens
srv.parseToken(reqBothTokens, &token)
if token != "baz" {
t.Fatalf("bad: %s", token)
}
})
}
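Review bot: The header-only case expects `bar`, but the agent default token in effect at that point is assigned outside this hunk; if it happens to hold the same value, the assertion would pass even with the header ignored. A constructed value used nowhere else in the test, such as `reqHeaderToken.Header.Add("X-Consul-Token", "header-only")` with the matching `if token != "header-only"`, makes the check prove the header was actually read. The comment on the last case misspells the word and should read `// Querystring token has precedence over header and agent tokens`. TestACLResolution starts before the first hunk, so the earlier setup cannot be confirmed from here.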


@ -91,5 +91,6 @@ on the query string, formatted JSON will be returned.
Several endpoints in Consul use or require ACL tokens to operate. An agent
can be configured to use a default token in requests using the `acl_token`
configuration option. However, the token can also be specified per-request
by using the `token` query parameter. This will take precedent over the
default token.
by using the `X-Consul-Token` request header or the `token` querystring
parameter. The request header takes precedence over the default token, and
the querystring parameter takes precedence over everything.