updated primaryHandler and talaria config to include a check for fail…

…Open
xmidt-org · Oct 4, 2023 · e3960e9 · e3960e9
1 parent 132df05
commit e3960e9
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 14 deletions.
diff --git a/primaryHandler.go b/primaryHandler.go
@@ -79,6 +79,10 @@ const (
 	// RehasherServicesConfigKey is the path to the services for whose events talaria's
 	// rehasher should listen to.
 	RehasherServicesConfigKey = "device.rehasher.services"
+
+	// FailOpenConfigKey is the path to the fail open boolean which will determine
+	// which route to take when a device tries to connect to talaria
+	FailOpenConfigKey = "failOpen"
 )
 
 // NoOpConstructor provides a transparent way for constructors that make up
@@ -314,20 +318,39 @@ func NewPrimaryHandler(logger *zap.Logger, manager device.Manager, v *viper.Vipe
 	}
 
 	// the secured variant of the device connect handler - compatible with v2 and v3
-	r.Handle(
-		fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
-		deviceConnectChain.
-			Extend(versionCompatibleAuth).
-			Append(DeviceMetadataMiddleware(getLogger)).
-			Then(connectHandler),
-	).HeadersRegexp("Authorization", ".*")
-
-	r.Handle(
-		fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
-		deviceConnectChain.
-			Append(DeviceMetadataMiddleware(getLogger)).
-			Then(connectHandler),
-	)
+	var failOpen = true
+	if v.IsSet(FailOpenConfigKey) {
+		err := v.UnmarshalKey(FailOpenConfigKey, failOpen)
+		if err != nil {
+			logger.Error("failOpen parse failure", zap.Error(err))
+			return nil, errors.New("failed parsing FailOpen boolean")
+
+		}
+	}
+	if failOpen {
+		r.Handle(
+			fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
+			deviceConnectChain.
+				Extend(versionCompatibleAuth).
+				Append(DeviceMetadataMiddleware(getLogger)).
+				Then(connectHandler),
+		).HeadersRegexp("Authorization", ".*")
+
+		r.Handle(
+			fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
+			deviceConnectChain.
+				Append(DeviceMetadataMiddleware(getLogger)).
+				Then(connectHandler),
+		)
+	} else {
+		r.Handle(
+			fmt.Sprintf("%s/{version:%s|%s}/device", baseURI, v2, version),
+			deviceConnectChain.
+				Extend(versionCompatibleAuth).
+				Append(DeviceMetadataMiddleware(getLogger)).
+				Then(connectHandler),
+		)
+	}
 
 	apiHandler.Handle(
 		"/device/{deviceID}/stat",

diff --git a/talaria.yaml b/talaria.yaml
@@ -633,3 +633,7 @@ zap:
   # "console", as well as any third-party encodings registered via
   # RegisterEncoder.
   encoding: json
+
+#(Optional) failOpen determines if talaria should allow devices without authentication to connect or not
+#default is to allow for fail open
+failOpen: true