Making the /ping route authentication optional

influxdata · Jan 21, 2019 · 320c994 · 320c994
1 parent fa9a654
commit 320c994
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 12 deletions.
diff --git a/plugins/inputs/influxdb_listener/http_listener.go b/plugins/inputs/influxdb_listener/http_listener.go
@@ -45,8 +45,9 @@ type HTTPListener struct {
 
 	tlsint.ServerConfig
 
-	BasicUsername string
-	BasicPassword string
+	BasicUsername    string
+	BasicPassword    string
+	AuthenticatePing bool
 
 	TimeFunc
 
@@ -103,6 +104,9 @@ const sampleConfig = `
   ## You probably want to make sure you have TLS configured above for this.
   # basic_username = "foobar"
   # basic_password = "barfoo"
+
+  # True if the /ping route should be authenticated
+  # authenticate_ping = true
 `
 
 func (h *HTTPListener) SampleConfig() string {
@@ -229,9 +233,13 @@ func (h *HTTPListener) ServeHTTP(res http.ResponseWriter, req *http.Request) {
 		h.PingsRecv.Incr(1)
 		defer h.PingsServed.Incr(1)
 		// respond to ping requests
-		h.AuthenticateIfSet(func(res http.ResponseWriter, req *http.Request) {
+		if h.AuthenticatePing {
+			h.AuthenticateIfSet(func(res http.ResponseWriter, req *http.Request) {
+				res.WriteHeader(http.StatusNoContent)
+			}, res, req)
+		} else {
 			res.WriteHeader(http.StatusNoContent)
-		}, res, req)
+		}
 	default:
 		defer h.NotFoundsServed.Incr(1)
 		// Don't know how to respond to calls to other endpoints
@@ -423,14 +431,16 @@ func init() {
 	// http_listener deprecated in 1.9
 	inputs.Add("http_listener", func() telegraf.Input {
 		return &HTTPListener{
-			ServiceAddress: ":8186",
-			TimeFunc:       time.Now,
+			ServiceAddress:   ":8186",
+			TimeFunc:         time.Now,
+			AuthenticatePing: true,
 		}
 	})
 	inputs.Add("influxdb_listener", func() telegraf.Input {
 		return &HTTPListener{
-			ServiceAddress: ":8186",
-			TimeFunc:       time.Now,
+			ServiceAddress:   ":8186",
+			TimeFunc:         time.Now,
+			AuthenticatePing: true,
 		}
 	})
 }
diff --git a/plugins/inputs/influxdb_listener/http_listener_test.go b/plugins/inputs/influxdb_listener/http_listener_test.go
@@ -410,26 +410,79 @@ func TestWriteHTTPEmpty(t *testing.T) {
 	require.EqualValues(t, 204, resp.StatusCode)
 }
 
-func TestQueryAndPingHTTP(t *testing.T) {
+func TestQueryHTTP(t *testing.T) {
 	listener := newTestHTTPListener()
 
 	acc := &testutil.Accumulator{}
 	require.NoError(t, listener.Start(acc))
 	defer listener.Stop()
 
-	// post query to listener
 	resp, err := http.Post(
 		createURL(listener, "http", "/query", "db=&q=CREATE+DATABASE+IF+NOT+EXISTS+%22mydb%22"), "", nil)
 	require.NoError(t, err)
 	require.EqualValues(t, 200, resp.StatusCode)
+}
+
+func TestPingWithoutAuth(t *testing.T) {
+	listener := newTestHTTPListener()
+
+	acc := &testutil.Accumulator{}
+	require.NoError(t, listener.Start(acc))
+	defer listener.Stop()
+
+	resp, err := http.Post(createURL(listener, "http", "/ping", ""), "", nil)
+	require.NoError(t, err)
+	resp.Body.Close()
+	require.EqualValues(t, 204, resp.StatusCode)
+}
+
+func TestPingWithDisabledAuth(t *testing.T) {
+	listener := newTestHTTPAuthListener()
+	listener.AuthenticatePing = false
+
+	acc := &testutil.Accumulator{}
+	require.NoError(t, listener.Start(acc))
+	defer listener.Stop()
+
+	resp, err := http.Post(createURL(listener, "http", "/ping", ""), "", nil)
+	require.NoError(t, err)
+	resp.Body.Close()
+	require.EqualValues(t, 204, resp.StatusCode)
+}
+
+func TestPingWithAuth(t *testing.T) {
+	listener := newTestHTTPAuthListener()
+	listener.AuthenticatePing = true
 
-	// post ping to listener
-	resp, err = http.Post(createURL(listener, "http", "/ping", ""), "", nil)
+	acc := &testutil.Accumulator{}
+	require.NoError(t, listener.Start(acc))
+	defer listener.Stop()
+
+	req, err := http.NewRequest("POST", createURL(listener, "http", "/ping", ""), nil)
+	require.NoError(t, err)
+	req.SetBasicAuth(basicUsername, basicPassword)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
 	require.NoError(t, err)
 	resp.Body.Close()
 	require.EqualValues(t, 204, resp.StatusCode)
 }
 
+func TestPingWithAuthFailure(t *testing.T) {
+	listener := newTestHTTPAuthListener()
+	listener.AuthenticatePing = true
+
+	acc := &testutil.Accumulator{}
+	require.NoError(t, listener.Start(acc))
+	defer listener.Stop()
+
+	resp, err := http.Post(createURL(listener, "http", "/ping", ""), "", nil)
+	require.NoError(t, err)
+	resp.Body.Close()
+	require.EqualValues(t, 401, resp.StatusCode)
+}
+
 func TestWriteWithPrecision(t *testing.T) {
 	listener := newTestHTTPListener()