Support Bearer token

Signed-off-by: kpango <kpango@vdaas.org>

Author: kpango

handler/grpc.go

@@ -41,7 +41,8 @@ import (
 )
 
 const (
-	gRPC = "grpc"
+	gRPC              = "grpc"
+	defaultAuthHeader = "Authorization"
 )
 
 type GRPCHandler struct {
@@ -63,6 +64,14 @@ func NewGRPC(opts ...GRPCOption) (grpc.StreamHandler, io.Closer) {
 		return nil, nil
 	}
 
+	if gh.roleCfg.Enable && gh.roleCfg.RoleAuthHeader == "" {
+		gh.roleCfg.RoleAuthHeader = defaultAuthHeader
+	}
+
+	if gh.atCfg.Enable && gh.atCfg.AccessTokenAuthHeader == "" {
+		gh.atCfg.AccessTokenAuthHeader = defaultAuthHeader
+	}
+
 	dialOpts := []grpc.DialOption{
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
 	}
@@ -73,7 +82,7 @@ func NewGRPC(opts ...GRPCOption) (grpc.StreamHandler, io.Closer) {
 		for _, pattern := range gh.proxyCfg.OriginHealthCheckPaths {
 			if pattern != "" &&
 				(fullMethodName == pattern || wildcardMatch(pattern, fullMethodName)) {
-				glg.Infof("Authorization checking skipped on: %s,\tby %s pattern", fullMethodName, pattern)
+				glg.Infof("Authorization checking skipped on: %s by pattern %s", fullMethodName, pattern)
 				conn, err = gh.dialContext(ctx, target, dialOpts...)
 				return ctx, conn, err
 			}
@@ -124,7 +133,7 @@ func (gh *GRPCHandler) authorizeRoleToken(ctx context.Context, fullMethodName st
 	if len(rts) == 0 {
 		return nil, status.Error(codes.Unauthenticated, ErrRoleTokenNotFound)
 	}
-	p, err = gh.authorizationd.AuthorizeRoleToken(ctx, rts[0], gRPC, fullMethodName)
+	p, err = gh.authorizationd.AuthorizeRoleToken(ctx, trimBearer(rts[0]), gRPC, fullMethodName)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, err.Error())
 	}
@@ -139,11 +148,12 @@ func (gh *GRPCHandler) authorizeAccessToken(ctx context.Context, fullMethodName
 	if len(ats) == 0 {
 		return nil, status.Error(codes.Unauthenticated, ErrAccessTokenNotFound)
 	}
+	tok := trimBearer(ats[0])
 	cs, ok := clientCertFromContext(ctx)
 	if ok && cs != nil && cs[0] != nil {
-		p, err = gh.authorizationd.AuthorizeAccessToken(ctx, ats[0], gRPC, fullMethodName, cs[0])
+		p, err = gh.authorizationd.AuthorizeAccessToken(ctx, tok, gRPC, fullMethodName, cs[0])
 	} else {
-		p, err = gh.authorizationd.AuthorizeAccessToken(ctx, ats[0], gRPC, fullMethodName, nil)
+		p, err = gh.authorizationd.AuthorizeAccessToken(ctx, tok, gRPC, fullMethodName, nil)
 	}
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, err.Error())

handler/handler.go

@@ -229,3 +229,23 @@ func wildcardMatch(pattern, target string) bool {
 	}
 	return true
 }
+
+// trimBearer removes a leading "Bearer " or "bearer " (7 bytes)
+// with zero allocations. ASCII-only, single fast path, minimal branching.
+func trimBearer(tok string) string {
+	tl := len(tok) // Require at least 7 bytes: "Bearer "
+	if tl == 0 || tl < 7 {
+		return tok
+	}
+	// Normalize only the first byte case via ASCII bit trick.
+	// 'B' (0x42) and 'b' (0x62) share lowercasing by (b|0x20) == 'b' (0x62).
+	if (tok[0] | 0x20) != 'b' {
+		return tok
+	}
+	// Compare the remaining 6 bytes via string slice == const.
+	// This becomes a single runtime.memequal call (no allocation).
+	if tok[1:7] == "earer " {
+		return tok[7:]
+	}
+	return tok
+}

handler/handler_test.go

@@ -871,3 +871,104 @@ func Test_handleError(t *testing.T) {
 		})
 	}
 }
+
+func Test_wildcardMatch(t *testing.T) {
+	tests := []struct {
+		name    string
+		pattern string
+		target  string
+		want    bool
+	}{
+		// basic cases
+		{"empty pattern and empty target", "", "", true},
+		{"empty pattern and non-empty target", "", "test", false},
+		{"non-empty pattern and empty target", "test", "", false},
+		{"exact match", "test", "test", true},
+		{"no match", "test", "different", false},
+
+		// wildcard cases
+		{"single wildcard", "*", "anything", true},
+		{"single wildcard empty", "*", "", true},
+		{"prefix wildcard", "test*", "testing", true},
+		{"prefix wildcard no match", "test*", "other", false},
+		{"suffix wildcard", "*test", "mytest", true},
+		{"suffix wildcard match", "*test", "testing", true},
+		{"middle wildcard", "te*st", "test", true},
+		{"middle wildcard complex", "te*st", "teXXXst", true},
+		{"multiple wildcards", "*test*", "mytestcase", true},
+
+		// edge cases
+		{"pattern with consecutive wildcards", "test**case", "testcase", true},
+		{"pattern starting with wildcard", "*test", "test", true},
+		{"pattern ending with wildcard", "test*", "test", true},
+		{"complex pattern", "a*b*c", "aXbYc", true},
+		{"complex pattern no match", "a*b*c", "aXcYb", false},
+
+		// security-related path examples
+		{"API path wildcard", "/api/*/users", "/api/v1/users", true},
+		{"health check path", "/health*", "/healthz", true},
+		{"domain wildcard", "*.example.com", "api.example.com", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := wildcardMatch(tt.pattern, tt.target); got != tt.want {
+				t.Errorf("wildcardMatch(%q, %q) = %v, want %v",
+					tt.pattern, tt.target, got, tt.want)
+			}
+		})
+	}
+}
+
+func Test_trimBearer(t *testing.T) {
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{
+			name: "Uppercase Bearer",
+			in:   "Bearer abc123",
+			want: "abc123",
+		},
+		{
+			name: "Lowercase bearer",
+			in:   "bearer xyz456",
+			want: "xyz456",
+		},
+		{
+			name: "Not a bearer prefix",
+			in:   "ABC abc123",
+			want: "ABC abc123",
+		},
+		{
+			name: "Too short string",
+			in:   "Beare ",
+			want: "Beare ",
+		},
+		{
+			name: "Bearer but no space after",
+			in:   "Bearerabc123",
+			want: "Bearerabc123",
+		},
+		{
+			name: "bearer but no token",
+			in:   "bearer ",
+			want: "",
+		},
+		{
+			name: "Bearer but no token",
+			in:   "Bearer ",
+			want: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := trimBearer(tt.in)
+			if got != tt.want {
+				t.Errorf("trimBearer(%q) = %q; want %q", tt.in, got, tt.want)
+			}
+		})
+	}
+}

handler/transport.go

@@ -60,7 +60,7 @@ func (t *transport) RoundTrip(r *http.Request) (*http.Response, error) {
 	if len(r.URL.Path) != 0 { // prevent bypassing empty path on default config
 		for _, urlPath := range t.cfg.OriginHealthCheckPaths {
 			if urlPath == r.URL.Path || wildcardMatch(urlPath, r.URL.Path) {
-				glg.Infof("Authorization checking skipped on: %s,\tby %s pattern", r.URL.Path, urlPath)
+				glg.Infof("Authorization checking skipped on: %s by pattern %s", r.URL.Path, urlPath)
 				r.TLS = nil
 				startTime = time.Now()
 				return t.RoundTripper.RoundTrip(r)