openshift · openshift-bot · Feb 24, 2015 · Feb 20, 2015
diff --git a/pkg/auth/authenticator/request/basicauthrequest/basicauth.go b/pkg/auth/authenticator/request/basicauthrequest/basicauth.go
@@ -13,10 +13,11 @@ import (
 
 type basicAuthRequestHandler struct {
 	passwordAuthenticator authenticator.Password
+	removeHeader          bool
 }
 
-func NewBasicAuthAuthentication(passwordAuthenticator authenticator.Password) authenticator.Request {
-	return &basicAuthRequestHandler{passwordAuthenticator}
+func NewBasicAuthAuthentication(passwordAuthenticator authenticator.Password, removeHeader bool) authenticator.Request {
+	return &basicAuthRequestHandler{passwordAuthenticator, removeHeader}
 }
 
 func (authHandler *basicAuthRequestHandler) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
@@ -25,7 +26,11 @@ func (authHandler *basicAuthRequestHandler) AuthenticateRequest(req *http.Reques
 		return nil, false, err
 	}
 
-	return authHandler.passwordAuthenticator.AuthenticatePassword(username, password)
+	user, ok, err := authHandler.passwordAuthenticator.AuthenticatePassword(username, password)
+	if ok && authHandler.removeHeader {
+		req.Header.Del("Authorization")
+	}
+	return user, ok, err
 }
 
 func getBasicAuthInfo(r *http.Request) (string, string, error) {

diff --git a/pkg/auth/authenticator/request/basicauthrequest/basicauth_test.go b/pkg/auth/authenticator/request/basicauthrequest/basicauth_test.go
@@ -30,7 +30,7 @@ func (mock *mockPasswordAuthenticator) AuthenticatePassword(username, password s
 
 func TestAuthenticateRequestValid(t *testing.T) {
 	passwordAuthenticator := &mockPasswordAuthenticator{}
-	authRequestHandler := NewBasicAuthAuthentication(passwordAuthenticator)
+	authRequestHandler := NewBasicAuthAuthentication(passwordAuthenticator, true)
 	req, _ := http.NewRequest("GET", "http://example.org", nil)
 	req.SetBasicAuth(Username, Password)
 
@@ -48,7 +48,7 @@ func TestAuthenticateRequestInvalid(t *testing.T) {
 		ExpectedError = "No valid base64 data in basic auth scheme found"
 	)
 	passwordAuthenticator := &mockPasswordAuthenticator{isAuthenticated: true}
-	authRequestHandler := NewBasicAuthAuthentication(passwordAuthenticator)
+	authRequestHandler := NewBasicAuthAuthentication(passwordAuthenticator, true)
 	req, _ := http.NewRequest("GET", "http://example.org", nil)
 	req.Header.Add("Authorization", "Basic invalid:string")
 

diff --git a/pkg/auth/authenticator/request/bearertoken/bearertoken.go b/pkg/auth/authenticator/request/bearertoken/bearertoken.go
@@ -9,11 +9,14 @@ import (
 )
 
 type Authenticator struct {
+	// auth is the token authenticator to use to validate the token
 	auth authenticator.Token
+	// removeHeader indicates whether the Authorization header should be removeHeaderd on successful auth
+	removeHeader bool
 }
 
-func New(auth authenticator.Token) *Authenticator {
-	return &Authenticator{auth}
+func New(auth authenticator.Token, removeHeader bool) *Authenticator {
+	return &Authenticator{auth, removeHeader}
 }
 
 func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
@@ -27,5 +30,9 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
 	}
 
 	token := parts[1]
-	return a.auth.AuthenticateToken(token)
+	user, ok, err := a.auth.AuthenticateToken(token)
+	if ok && a.removeHeader {
+		req.Header.Del("Authorization")
+	}
+	return user, ok, err
 }
diff --git a/pkg/auth/authenticator/request/paramtoken/paramtoken.go b/pkg/auth/authenticator/request/paramtoken/paramtoken.go
@@ -13,16 +13,16 @@ import (
 // For this authenticator to work, tokens will be part of the request URL, and are more likely to be logged or otherwise exposed.
 // Every effort should be made to filter tokens from being logged when using this authenticator.
 type Authenticator struct {
-	// Param is the query param to use as a token
+	// param is the query param to use as a token
 	param string
-	// Auth is the token authenticator to use to validate the token
+	// auth is the token authenticator to use to validate the token
 	auth authenticator.Token
-	// Remove indicates whether the parameter should be stripped from the incoming request
-	remove bool
+	// removeParam indicates whether the parameter should be stripped from the incoming request
+	removeParam bool
 }
 
-func New(param string, auth authenticator.Token, remove bool) *Authenticator {
-	return &Authenticator{param, auth, remove}
+func New(param string, auth authenticator.Token, removeParam bool) *Authenticator {
+	return &Authenticator{param, auth, removeParam}
 }
 
 func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool, error) {
@@ -31,9 +31,10 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (user.Info, bool,
 	if token == "" {
 		return nil, false, nil
 	}
-	if a.remove {
+	user, ok, err := a.auth.AuthenticateToken(token)
+	if ok && a.removeParam {
 		q.Del(a.param)
 		req.URL.RawQuery = q.Encode()
 	}
-	return a.auth.AuthenticateToken(token)
+	return user, ok, err
 }
diff --git a/pkg/cmd/server/origin/auth.go b/pkg/cmd/server/origin/auth.go
@@ -519,13 +519,13 @@ func (c *AuthConfig) getAuthenticationRequestHandlerFromType(authRequestHandlerT
 			if err != nil {
 				glog.Fatalf("Error creating TokenAuthenticator: %v.  The oauth server cannot start!", err)
 			}
-			authRequestHandler = bearertoken.New(tokenAuthenticator)
+			authRequestHandler = bearertoken.New(tokenAuthenticator, true)
 		case TokenStoreFile:
 			tokenAuthenticator, err := GetCSVTokenAuthenticator(c.TokenFilePath)
 			if err != nil {
 				glog.Fatalf("Error creating TokenAuthenticator: %v.  The oauth server cannot start!", err)
 			}
-			authRequestHandler = bearertoken.New(tokenAuthenticator)
+			authRequestHandler = bearertoken.New(tokenAuthenticator, true)
 		default:
 			glog.Fatalf("Unknown TokenStore %s. Must be oauth or file.  The oauth server cannot start!", c.TokenStore)
 		}
@@ -538,7 +538,7 @@ func (c *AuthConfig) getAuthenticationRequestHandlerFromType(authRequestHandlerT
 		authRequestHandler = headerrequest.NewAuthenticator(authRequestConfig, identityMapper)
 	case AuthRequestHandlerBasicAuth:
 		passwordAuthenticator := c.getPasswordAuthenticator()
-		authRequestHandler = basicauthrequest.NewBasicAuthAuthentication(passwordAuthenticator)
+		authRequestHandler = basicauthrequest.NewBasicAuthAuthentication(passwordAuthenticator, true)
 	case AuthRequestHandlerSession:
 		authRequestHandler = c.getSessionAuth()
 	default:

diff --git a/pkg/cmd/server/start.go b/pkg/cmd/server/start.go
@@ -392,7 +392,7 @@ func start(cfg *config, args []string) error {
 		if err != nil {
 			glog.Fatalf("Error creating TokenAuthenticator: %v", err)
 		}
-		authenticators = append(authenticators, bearertoken.New(tokenAuthenticator))
+		authenticators = append(authenticators, bearertoken.New(tokenAuthenticator, true))
 		// Allow token as access_token param for WebSockets
 		// TODO: make the param name configurable
 		// TODO: limit this authenticator to watch methods, if possible

diff --git a/test/integration/cli_get_token_test.go b/test/integration/cli_get_token_test.go
@@ -46,7 +46,7 @@ func TestGetToken(t *testing.T) {
 	userRegistry := useretcd.New(etcdHelper, user.NewDefaultUserInitStrategy())
 	identityMapper := identitymapper.NewAlwaysCreateUserIdentityToUserMapper("front-proxy-test" /*for now*/, userRegistry)
 
-	authRequestHandler := basicauthrequest.NewBasicAuthAuthentication(allowanypassword.New(identityMapper))
+	authRequestHandler := basicauthrequest.NewBasicAuthAuthentication(allowanypassword.New(identityMapper), true)
 	authHandler := oauthhandlers.NewUnionAuthenticationHandler(
 		map[string]oauthhandlers.AuthenticationChallenger{"login": passwordchallenger.NewBasicAuthChallenger("openshift")}, nil, nil)