Shave off an IAM lookup if the user is the anonymous user (#305)

* Shave off an IAM lookup if the user is the anonymous user

* Fix build

* If authz failures are turned off, make the token type unknown instead of invalid

* Change returned token format when authz failures are disabled

* Change logic back

* Fix logic

internal/auth/auth.go

@@ -410,6 +410,10 @@ func (v verifier) performAuthCheck() (aclResults *perms.ACLResults, userId strin
 	// Validate the token and fetch the corresponding user ID
 	switch v.requestInfo.TokenFormat {
 	case AuthTokenTypeBearer, AuthTokenTypeSplitCookie:
+		if v.requestInfo.Token == "" {
+			// This will end up staying as the anonymous user
+			break
+		}
 		tokenRepo, err := v.authTokenRepoFn()
 		if err != nil {
 			retErr = fmt.Errorf("perform auth check: failed to get authtoken repo: %w", err)
@@ -459,31 +463,41 @@ func (v verifier) performAuthCheck() (aclResults *perms.ACLResults, userId strin
 		v.logger.Warn("NOTE: recovery KMS was used to authorize a call", "url", v.requestInfo.Path, "method", v.requestInfo.Method)
 	}
 
-	// Fetch and parse grants for this user ID (which may include grants for
-	// u_anon and u_auth)
 	iamRepo, err := v.iamRepoFn()
 	if err != nil {
 		retErr = fmt.Errorf("perform auth check: failed to get iam repo: %w", err)
 		return
 	}
 
-	// Look up scope details to return
-	// TODO: maybe we can combine this info into the view used in GrantsForUser below
-	scp, err := iamRepo.LookupScope(v.ctx, v.res.ScopeId)
-	if err != nil {
-		retErr = fmt.Errorf("perform auth check: failed to lookup scope: %w", err)
-		return
-	}
-	if scp == nil {
-		retErr = fmt.Errorf("perform auth check: non-existent scope %q", v.res.ScopeId)
-		return
-	}
-	scopeInfo = &scopes.ScopeInfo{
-		Id:            scp.GetPublicId(),
-		Type:          scp.GetType(),
-		Name:          scp.GetName(),
-		Description:   scp.GetDescription(),
-		ParentScopeId: scp.GetParentId(),
+	// Look up scope details to return. We can skip a lookup when using the
+	// global scope
+	switch v.res.ScopeId {
+	case "global":
+		scopeInfo = &scopes.ScopeInfo{
+			Id:            scope.Global.String(),
+			Type:          scope.Global.String(),
+			Name:          scope.Global.String(),
+			Description:   "Global Scope",
+			ParentScopeId: "",
+		}
+
+	default:
+		scp, err := iamRepo.LookupScope(v.ctx, v.res.ScopeId)
+		if err != nil {
+			retErr = fmt.Errorf("perform auth check: failed to lookup scope: %w", err)
+			return
+		}
+		if scp == nil {
+			retErr = fmt.Errorf("perform auth check: non-existent scope %q", v.res.ScopeId)
+			return
+		}
+		scopeInfo = &scopes.ScopeInfo{
+			Id:            scp.GetPublicId(),
+			Type:          scp.GetType(),
+			Name:          scp.GetName(),
+			Description:   scp.GetDescription(),
+			ParentScopeId: scp.GetParentId(),
+		}
 	}
 
 	// At this point we don't need to look up grants since it's automatically allowed
@@ -496,6 +510,8 @@ func (v verifier) performAuthCheck() (aclResults *perms.ACLResults, userId strin
 	var parsedGrants []perms.Grant
 	var grantPairs []perms.GrantPair
 
+	// Fetch and parse grants for this user ID (which may include grants for
+	// u_anon and u_auth)
 	grantPairs, err = iamRepo.GrantsForUser(v.ctx, userId)
 	if err != nil {
 		retErr = fmt.Errorf("perform auth check: failed to query for user grants: %w", err)

internal/servers/controller/handler.go

@@ -207,8 +207,12 @@ func wrapHandlerWithCommonFuncs(h http.Handler, c *Controller, props HandlerProp
 
 		requestInfo.PublicId, requestInfo.Token, requestInfo.TokenFormat = auth.GetTokenFromRequest(c.logger, c.kms, r)
 		if requestInfo.TokenFormat == auth.AuthTokenTypeInvalid {
-			w.WriteHeader(http.StatusForbidden)
-			return
+			if disableAuthzFailures {
+				requestInfo.TokenFormat = auth.AuthTokenTypeBearer
+			} else {
+				w.WriteHeader(http.StatusForbidden)
+				return
+			}
 		}
 		ctx = auth.NewVerifierContext(ctx, c.logger, c.IamRepoFn, c.AuthTokenRepoFn, c.ServersRepoFn, c.kms, requestInfo)