From 8fe97271bf6c86ab8e124f6e3c8f03d40f740bda Mon Sep 17 00:00:00 2001
From: NiniOak
Date: Thu, 29 Aug 2024 17:20:35 -0700
Subject: [PATCH 1/2] initial ideas
---
 .../subcommand/sync-catalog/command.go | 33 +++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)
diff --git a/control-plane/subcommand/sync-catalog/command.go b/control-plane/subcommand/sync-catalog/command.go
index 004f1bea17..93b0a49864 100644
--- a/control-plane/subcommand/sync-catalog/command.go
+++ b/control-plane/subcommand/sync-catalog/command.go
@@ -17,8 +17,10 @@ import (
 	"time"
 
 	"github.com/armon/go-metrics/prometheus"
+	"github.com/davecgh/go-spew/spew"
 	mapset "github.com/deckarep/golang-set"
 	"github.com/hashicorp/consul-server-connection-manager/discovery"
+	"github.com/hashicorp/consul/api"
 	"github.com/hashicorp/go-hclog"
 	"github.com/mitchellh/cli"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
@@ -396,7 +398,7 @@ func (c *Command) Run(args []string) int {
 	// Start metrics handler
 	go func() {
 		mux := http.NewServeMux()
-		mux.Handle(c.flagMetricsPath, c.authorizeMiddleware()(promhttp.Handler()))
+		mux.Handle(c.flagMetricsPath, c.authorizeMiddleware(consulConfig)(promhttp.Handler()))
 		var handler http.Handler = mux
 		c.UI.Info(fmt.Sprintf("Listening on %q...", c.flagMetricsPort))
@@ -523,11 +525,38 @@ func (c *Command) recordMetrics() (*prometheus.PrometheusSink, error) {
 	return sink, nil
 }
 
+func (c *Command) validateToken(token string, consulConfig *consul.Config) bool {
+	if token == "" {
+		return false
+	}
+
+	// Create a new consul client.
+	consulClient, err := consul.NewClientFromConnMgr(consulConfig, c.connMgr)
+	if err != nil {
+		c.logger.Error("failed to create Consul API client", "err", err)
+		return false
+	}
+
+	tok, _, err := consulClient.ACL().TokenReadSelf(&api.QueryOptions{Token: token})
+	if err != nil && tok != nil {
+		c.logger.Error("failed to validate ACL token", "err", err)
+		return false
+	}
+
+	spew.Dump(tok)
+	c.logger.Info("ACL token validated", "token", tok)
+
+	return true
+}
+
 // authorizeMiddleware validates the token and returns http handler.
-func (c *Command) authorizeMiddleware() func(http.Handler) http.Handler {
+func (c *Command) authorizeMiddleware(consulConfig *consul.Config) func(http.Handler) http.Handler {
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// TO-DO: Validate the token and proceed to the next handler
+			token := r.Header.Get("X-Consul-Token")
+			c.validateToken(token, consulConfig)
 			next.ServeHTTP(w, r)
 		})
 	}
From 65b4e5c663a68eb1876c4911fd54a88e2a5b2acc Mon Sep 17 00:00:00 2001
From: NiniOak
Date: Fri, 30 Aug 2024 12:36:56 -0700
Subject: [PATCH 2/2] Updated PR
---
 control-plane/subcommand/sync-catalog/command.go | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/control-plane/subcommand/sync-catalog/command.go b/control-plane/subcommand/sync-catalog/command.go
index 93b0a49864..9c5e0493e5 100644
--- a/control-plane/subcommand/sync-catalog/command.go
+++ b/control-plane/subcommand/sync-catalog/command.go
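Review bot: validateToken calls `consul.NewClientFromConnMgr(consulConfig, c.connMgr)` on every invocation, and authorizeMiddleware invokes it from inside the per-request handler, so each scrape of the metrics endpoint constructs a fresh Consul API client before the token is even checked; the client is not request-specific, so build it once in authorizeMiddleware (before `return func(next http.Handler) http.Handler {`) or in Run and pass it to validateToken, which then only needs the token. The same client-construction lines recur as context in the second hunk of the follow-up patch. Note also that `TokenReadSelf` only establishes that the cluster knows the token; it checks no policy, so any valid token, however unprivileged, is accepted for the metrics path — confirm that is the intended authorization level, or read a specific permission instead. `r.Header.Get("X-Consul-Token")` is the only credential source here; the Consul HTTP API also accepts `Authorization: Bearer`, so existing scraper configurations using that form would be rejected unless both are honoured.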
@@ -17,7 +17,6 @@ import (
 	"time"
 
 	"github.com/armon/go-metrics/prometheus"
-	"github.com/davecgh/go-spew/spew"
 	mapset "github.com/deckarep/golang-set"
 	"github.com/hashicorp/consul-server-connection-manager/discovery"
 	"github.com/hashicorp/consul/api"
@@ -533,19 +532,16 @@ func (c *Command) validateToken(token string, consulConfig *consul.Config) bool
 	// Create a new consul client.
 	consulClient, err := consul.NewClientFromConnMgr(consulConfig, c.connMgr)
 	if err != nil {
-		c.logger.Error("failed to create Consul API client", "err", err)
+		c.logger.Error("failed to create Consul API client", "error", err)
 		return false
 	}
 
 	tok, _, err := consulClient.ACL().TokenReadSelf(&api.QueryOptions{Token: token})
-	if err != nil && tok != nil {
-		c.logger.Error("failed to validate ACL token", "err", err)
+	if err != nil || tok == nil {
+		c.logger.Error("failed to validate ACL token", "error", err)
 		return false
 	}
 
-	spew.Dump(tok)
-	c.logger.Info("ACL token validated", "token", tok)
-
 	return true
 }
 
@@ -554,9 +550,11 @@ func (c *Command) authorizeMiddleware(consulConfig *consul.Config) func(http.Han
 
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// TO-DO: Validate the token and proceed to the next handler
 			token := r.Header.Get("X-Consul-Token")
-			c.validateToken(token, consulConfig)
+			if !c.validateToken(token, consulConfig) {
+				http.Error(w, "invalid token", http.StatusInternalServerError)
+				return
+			}
 			next.ServeHTTP(w, r)
 		})
 	}
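Review bot: In the `if err != nil || tok == nil` branch the call `c.logger.Error("failed to validate ACL token", "error", err)` also runs when TokenReadSelf returned a nil token with a nil error, producing an entry with `error=<nil>` that does not say which condition fired. Log the two cases separately, or at least add a discriminating attribute, e.g. `c.logger.Warn("rejected ACL token", "error", err, "token_found", tok != nil)`; a refused client token is not a server fault, so Warn is the more appropriate level than Error, and it keeps a misconfigured scraper from filling the error log on every scrape interval. validateToken's signature sits outside this hunk.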
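Review bot: A missing or rejected token is answered with `http.StatusInternalServerError`, which tells the scraper the server failed rather than that its credentials were refused, and will trip any 5xx-based alerting on the metrics endpoint; this branch should be `http.Error(w, "invalid token", http.StatusUnauthorized)` (StatusForbidden if the token is valid but not permitted). Because validateToken also returns false when the Consul client cannot be built or the TokenReadSelf call fails, a Consul outage now surfaces to the scraper as "invalid token" as well; if that distinction matters, have validateToken return an error so the middleware can map transport failures to a 5xx and token rejection to 401. authorizeMiddleware's signature is outside this hunk.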