diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 8914096e3f..858172123e 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -410,6 +410,10 @@ func (v verifier) performAuthCheck() (aclResults *perms.ACLResults, userId strin
 // Validate the token and fetch the corresponding user ID
 switch v.requestInfo.TokenFormat {
 case AuthTokenTypeBearer, AuthTokenTypeSplitCookie:
+ if v.requestInfo.Token == "" {
+ // This will end up staying as the anonymous user
+ break
+ }
 tokenRepo, err := v.authTokenRepoFn()
 if err != nil {
 retErr = fmt.Errorf("perform auth check: failed to get authtoken repo: %w", err)
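Review bot: The new empty-token guard only yields an anonymous caller if `userId` was already initialised to the anonymous user before the switch, which is outside this hunk, so the comment should record that dependency rather than just the outcome, e.g. `// Empty token: skip the lookup and leave userId at its anonymous default (presumably set earlier in performAuthCheck; confirm)`. A request that presents the Bearer/SplitCookie format with no token value is now treated as anonymous instead of being rejected; that is a deliberate policy choice and naming it in the comment stops a later reader from "fixing" it back. If `v.logger` has a debug level, one log line on this path would make such silently downgraded requests visible. performAuthCheck begins and ends outside this hunk.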
@@ -459,31 +463,41 @@ func (v verifier) performAuthCheck() (aclResults *perms.ACLResults, userId strin
 v.logger.Warn("NOTE: recovery KMS was used to authorize a call", "url", v.requestInfo.Path, "method", v.requestInfo.Method)
 }
- // Fetch and parse grants for this user ID (which may include grants for
- // u_anon and u_auth)
 iamRepo, err := v.iamRepoFn()
 if err != nil {
 retErr = fmt.Errorf("perform auth check: failed to get iam repo: %w", err)
 return
 }
- // Look up scope details to return
- // TODO: maybe we can combine this info into the view used in GrantsForUser below
- scp, err := iamRepo.LookupScope(v.ctx, v.res.ScopeId)
- if err != nil {
- retErr = fmt.Errorf("perform auth check: failed to lookup scope: %w", err)
- return
- }
- if scp == nil {
- retErr = fmt.Errorf("perform auth check: non-existent scope %q", v.res.ScopeId)
- return
- }
- scopeInfo = &scopes.ScopeInfo{
- Id: scp.GetPublicId(),
- Type: scp.GetType(),
- Name: scp.GetName(),
- Description: scp.GetDescription(),
- ParentScopeId: scp.GetParentId(),
+ // Look up scope details to return. We can skip a lookup when using the
+ // global scope
+ switch v.res.ScopeId {
+ case "global":
+ scopeInfo = &scopes.ScopeInfo{
+ Id: scope.Global.String(),
+ Type: scope.Global.String(),
+ Name: scope.Global.String(),
+ Description: "Global Scope",
+ ParentScopeId: "",
+ }
+
+ default:
+ scp, err := iamRepo.LookupScope(v.ctx, v.res.ScopeId)
+ if err != nil {
+ retErr = fmt.Errorf("perform auth check: failed to lookup scope: %w", err)
+ return
+ }
+ if scp == nil {
+ retErr = fmt.Errorf("perform auth check: non-existent scope %q", v.res.ScopeId)
+ return
+ }
+ scopeInfo = &scopes.ScopeInfo{
+ Id: scp.GetPublicId(),
+ Type: scp.GetType(),
+ Name: scp.GetName(),
+ Description: scp.GetDescription(),
+ ParentScopeId: scp.GetParentId(),
+ }
 }
 // At this point we don't need to look up grants since it's automatically allowed
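Review bot: The global shortcut matches on the string literal `"global"` but fills every field from `scope.Global.String()`, so the case label and the values it stands for can drift apart without any compile error; take the label from the same source, `case scope.Global.String():`. In the `default:` branch `scp, err := ...` redeclares `err` and shadows the outer `err` from the `iamRepoFn()` call; both error paths return so nothing is lost today, but it is the classic dropped-error shape and worth a short comment or a plain `=` assignment if `scp` can be declared first. The comment `// global scope` should close with a period, and the blank line before `default:` is not required by gofmt. performAuthCheck begins and ends outside this hunk.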
@@ -496,6 +510,8 @@ func (v verifier) performAuthCheck() (aclResults *perms.ACLResults, userId strin
 var parsedGrants []perms.Grant
 var grantPairs []perms.GrantPair
+ // Fetch and parse grants for this user ID (which may include grants for
+ // u_anon and u_auth)
 grantPairs, err = iamRepo.GrantsForUser(v.ctx, userId)
 if err != nil {
 retErr = fmt.Errorf("perform auth check: failed to query for user grants: %w", err)
diff --git a/internal/servers/controller/handler.go b/internal/servers/controller/handler.go
index caf1b9dddf..7708022c2b 100644
--- a/internal/servers/controller/handler.go
+++ b/internal/servers/controller/handler.go
@@ -207,8 +207,12 @@ func wrapHandlerWithCommonFuncs(h http.Handler, c *Controller, props HandlerProp
 requestInfo.PublicId, requestInfo.Token, requestInfo.TokenFormat = auth.GetTokenFromRequest(c.logger, c.kms, r)
 if requestInfo.TokenFormat == auth.AuthTokenTypeInvalid {
- w.WriteHeader(http.StatusForbidden)
- return
+ if disableAuthzFailures {
+ requestInfo.TokenFormat = auth.AuthTokenTypeBearer
+ } else {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
 }
 ctx = auth.NewVerifierContext(ctx, c.logger, c.IamRepoFn, c.AuthTokenRepoFn, c.ServersRepoFn, c.kms, requestInfo)
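Review bot: When `disableAuthzFailures` rewrites an invalid token format to `auth.AuthTokenTypeBearer`, `requestInfo.Token` and `requestInfo.PublicId` still hold whatever `GetTokenFromRequest` returned for the malformed credential; if either is non-empty, the bearer path in performAuthCheck will try to look that value up instead of taking the new empty-token anonymous path, so clear them together with the format override: `requestInfo.Token = ""` and `requestInfo.PublicId = ""` (I cannot see what the invalid path returns, so confirm). This branch turns a 403 into an anonymous request by design, which is the kind of downgrade that should be visible in logs; a `c.logger.Warn` naming the flag, as the recovery-KMS path in auth.go already does, would give operators that signal. The definition of `disableAuthzFailures` is outside this hunk; if it is a development-only setting, a comment on the branch saying so would keep the intent clear. wrapHandlerWithCommonFuncs continues on both sides of the hunk.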