fix(docker-desktop): support auth cookies [BE-11134] (#12108)

2024-08-21 18:21:51 +12:00
parent 8cd53a4b7a
commit f016b31388
8 changed files with 70 additions and 38 deletions
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -528,7 +528,12 @@ func (bouncer *RequestBouncer) EdgeComputeOperation(next http.Handler) http.Hand
 // - public routes
 // - kubectl - a bearer token is needed, and no csrf token can be sent
 // - api token
-func ShouldSkipCSRFCheck(r *http.Request) (bool, error) {
+// - docker desktop extension
+func ShouldSkipCSRFCheck(r *http.Request, isDockerDesktopExtension bool) (bool, error) {
+	if isDockerDesktopExtension {
+		return true, nil
+	}
+
 	cookie, _ := r.Cookie(portainer.AuthCookieKey)
 	hasCookie := cookie != nil && cookie.Value != ""

--- a/api/http/security/bouncer_test.go
+++ b/api/http/security/bouncer_test.go
@@ -386,40 +386,52 @@ func Test_apiKeyLookup(t *testing.T) {
 func Test_ShouldSkipCSRFCheck(t *testing.T) {

 	tt := []struct {
-		name           string
-		cookieValue    string
-		apiKey         string
-		authHeader     string
-		expectedResult bool
-		expectedError  bool
+		name                     string
+		cookieValue              string
+		apiKey                   string
+		authHeader               string
+		isDockerDesktopExtension bool
+		expectedResult           bool
+		expectedError            bool
 	}{
 		{
-			name:        "Should return false when cookie is present",
-			cookieValue: "test-cookie",
+			name:                     "Should return false (not skip) when cookie is present",
+			cookieValue:              "test-cookie",
+			isDockerDesktopExtension: false,
 		},
 		{
-			name:           "Should return true when cookie is not present",
-			cookieValue:    "",
-			expectedResult: true,
+			name:                     "Should return true (skip) when cookie is present and docker desktop extension is true",
+			cookieValue:              "test-cookie",
+			isDockerDesktopExtension: true,
+			expectedResult:           true,
 		},
 		{
-			name:           "Should return true when api key is present",
-			cookieValue:    "",
-			apiKey:         "test-api-key",
-			expectedResult: true,
+			name:                     "Should return true (skip) when cookie is not present",
+			cookieValue:              "",
+			isDockerDesktopExtension: false,
+			expectedResult:           true,
 		},
 		{
-			name:           "Should return true when auth header is present",
-			cookieValue:    "",
-			authHeader:     "test-auth-header",
-			expectedResult: true,
+			name:                     "Should return true (skip) when api key is present",
+			cookieValue:              "",
+			apiKey:                   "test-api-key",
+			isDockerDesktopExtension: false,
+			expectedResult:           true,
 		},
 		{
-			name:          "Should return false and error when both api key and auth header are present",
-			cookieValue:   "",
-			apiKey:        "test-api-key",
-			authHeader:    "test-auth-header",
-			expectedError: true,
+			name:                     "Should return true (skip) when auth header is present",
+			cookieValue:              "",
+			authHeader:               "test-auth-header",
+			isDockerDesktopExtension: false,
+			expectedResult:           true,
+		},
+		{
+			name:                     "Should return false (not skip) and error when both api key and auth header are present",
+			cookieValue:              "",
+			apiKey:                   "test-api-key",
+			authHeader:               "test-auth-header",
+			isDockerDesktopExtension: false,
+			expectedError:            true,
 		},
 	}

@@ -437,7 +449,7 @@ func Test_ShouldSkipCSRFCheck(t *testing.T) {
 				req.Header.Set(jwtTokenHeader, test.authHeader)
 			}

-			result, err := ShouldSkipCSRFCheck(req)
+			result, err := ShouldSkipCSRFCheck(req, test.isDockerDesktopExtension)
 			is.Equal(test.expectedResult, result)
 			if test.expectedError {
 				is.Error(err)