HGWGDC-21161: Logging of unauthorised requests (#8)

* HGWGDC-21161: Logging of unauthorised requests.

* HGWGDC-21161: Refactor config and initialize the config in main.go

forwarder.go

@@ -32,6 +32,11 @@ func forwarder(c echo.Context, client *http.Client) error {
 	req := c.Request()
 	ctx := req.Context()
 
+	if isAuthHeaderCheckEnabled && len(c.Request().Header.Get("Authorization")) == 0 {
+		log.Ctx(ctx).Error().Msg("authorization header not provided")
+		return c.JSON(http.StatusBadRequest, echo.NewHTTPError(http.StatusBadRequest, "authorization header not provided"))
+	}
+
 	// store scheme of original request
 	originalRequestScheme := req.URL.Scheme
 	if originalRequestScheme == "" {

main.go

@@ -52,6 +52,8 @@ var (
 	sentryEnabled              = false
 	remoteUpdateAddressEnabled = false
 	resourceURL                *url.URL
+	isAuthHeaderCheckEnabled   = false
+	authHeaderCheckRequestPath = ""
 )
 
 var rootCmd = &cobra.Command{
@@ -62,6 +64,9 @@ var rootCmd = &cobra.Command{
 		printConfig()
 		logging(viper.Sub("log"))
 
+		isAuthHeaderCheckEnabled = viper.GetBool("server.authHeader.check.enabled")
+		authHeaderCheckRequestPath = viper.GetString("server.authHeader.check.requestPath")
+
 		var err error
 		petasosURL, err = url.Parse(viper.GetString(petasosEndpoint))
 		if err != nil {

metrics.go

@@ -4,6 +4,8 @@ import (
 	"strconv"
 	"time"
 
+	"strings"
+
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
 	"github.com/prometheus/client_golang/prometheus"
@@ -14,8 +16,10 @@ import (
 var labelNames = []string{"code", "method", "host", "url"}
 
 type metricRegistry struct {
-	TotalRequests         *prometheus.CounterVec
-	ServerRequestDuration *prometheus.HistogramVec
+	TotalRequests             *prometheus.CounterVec
+	ServerRequestDuration     *prometheus.HistogramVec
+	RequestsWithoutAuthHeader *prometheus.CounterVec
+	RequestsWithAuthHeader    *prometheus.CounterVec
 }
 
 func provideMetrics(e *echo.Echo) {
@@ -31,6 +35,12 @@ func provideMetrics(e *echo.Echo) {
 	if err := prometheus.Register(mr.ServerRequestDuration); err != nil {
 		metrics.Logger.Fatal(err)
 	}
+	if err := prometheus.Register(mr.RequestsWithoutAuthHeader); err != nil {
+		metrics.Logger.Fatal(err)
+	}
+	if err := prometheus.Register(mr.RequestsWithAuthHeader); err != nil {
+		metrics.Logger.Fatal(err)
+	}
 
 	metrics.Use(mr.getMiddleware())
 	metrics.GET("/metrics", echo.WrapHandler(promhttp.Handler()))
@@ -73,17 +83,42 @@ func registerMetrics() *metricRegistry {
 		labelNames,
 	)
 
+	requestsWithoutAuthHeader := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: namespace,
+			Subsystem: subsystem,
+			Name:      "server_request_without_auth_header_count",
+			Help:      "total requests without authorization header",
+		},
+		labelNames,
+	)
+
+	requestsWithAuthHeader := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: namespace,
+			Subsystem: subsystem,
+			Name:      "server_request_with_auth_header_count",
+			Help:      "total requests with authorization header",
+		},
+		labelNames,
+	)
+
 	return &metricRegistry{
-		TotalRequests:         totalRequests,
-		ServerRequestDuration: serverRequestDuration,
+		TotalRequests:             totalRequests,
+		ServerRequestDuration:     serverRequestDuration,
+		RequestsWithoutAuthHeader: requestsWithoutAuthHeader,
+		RequestsWithAuthHeader:    requestsWithAuthHeader,
 	}
 }
 
 func (mr *metricRegistry) getMiddleware() echo.MiddlewareFunc {
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			startTime := time.Now()
+			isCpeRedirectRequest := strings.Contains(c.Request().RequestURI, authHeaderCheckRequestPath)
+			isAuthHeaderPresent := len(c.Request().Header.Get("Authorization")) > 0
 			c.Request().Header.Set("Accept-Encoding", "identity")
+
+			startTime := time.Now()
 			err := next(c)
 			elapsed := time.Since(startTime).Seconds()
 			status := strconv.Itoa(c.Response().Status)
@@ -96,6 +131,14 @@ func (mr *metricRegistry) getMiddleware() echo.MiddlewareFunc {
 
 			mr.TotalRequests.WithLabelValues(values...).Inc()
 			mr.ServerRequestDuration.WithLabelValues(values...).Observe(elapsed)
+
+			if isCpeRedirectRequest {
+				if !isAuthHeaderPresent {
+					mr.RequestsWithoutAuthHeader.WithLabelValues(values...).Inc()
+				} else {
+					mr.RequestsWithAuthHeader.WithLabelValues(values...).Inc()
+				}
+			}
 			return err
 		}
 	}

petasos-rewriter.yaml

@@ -7,6 +7,14 @@ server:
   # If set, all redirects will use this scheme [http, https]
   fixedScheme:
 
+  # Verify the presence of the Authorization header in requests that are redirected to Talaria
+  authHeader:
+    check:
+      # If enabled, the request will be rejected if the Authorization header is not present
+      enabled: true
+      # The request path where the presence of the Authorization header is to be checked
+      requestPath: api
+
 #Petasos endpoint, usually private
 petasos:
   endpoint: http://192.168.100.128:6400