vector/common/http/

server_auth.rs

//! Shared authentication config between components that use HTTP.
use std::{collections::HashMap, fmt, net::SocketAddr};

use bytes::Bytes;
use headers::{Authorization, authorization::Credentials};
use http::{HeaderMap, HeaderValue, StatusCode, header::AUTHORIZATION};
use serde::{
    Deserialize,
    de::{Error, MapAccess, Visitor},
};
use vector_config::configurable_component;
use vector_lib::{
    TimeZone, compile_vrl,
    event::{Event, LogEvent, VrlTarget},
    lookup::OwnedTargetPath,
    sensitive_string::SensitiveString,
};
use vector_vrl_metrics::MetricsStorage;
use vrl::{
    compiler::{CompilationResult, CompileConfig, Program, runtime::Runtime},
    core::Value,
    prelude::TypeState,
    value::{KeyString, ObjectMap},
};

use crate::format_vrl_diagnostics;

use super::ErrorMessage;

/// Configuration of the authentication strategy for server mode sinks and sources.
///
/// Use the HTTP authentication with HTTPS only. The authentication credentials are passed as an
/// HTTP header without any additional encryption beyond what is provided by the transport itself.
#[configurable_component(no_deser)]
#[derive(Clone, Debug, Eq, PartialEq)]
#[configurable(metadata(docs::enum_tag_description = "The authentication strategy to use."))]
#[serde(tag = "strategy", rename_all = "snake_case")]
pub enum HttpServerAuthConfig {
    /// Basic authentication.
    ///
    /// The username and password are concatenated and encoded using [base64][base64].
    ///
    /// [base64]: https://en.wikipedia.org/wiki/Base64
    Basic {
        /// The basic authentication username.
        #[configurable(metadata(docs::examples = "${USERNAME}"))]
        #[configurable(metadata(docs::examples = "username"))]
        username: String,

        /// The basic authentication password.
        #[configurable(metadata(docs::examples = "${PASSWORD}"))]
        #[configurable(metadata(docs::examples = "password"))]
        password: SensitiveString,
    },

    /// Custom authentication using VRL code.
    ///
    /// Takes in request and validates it using VRL code. The VRL program must return a boolean.
    Custom {
        /// The VRL boolean expression.
        source: String,
    },
}

// Custom deserializer implementation to default `strategy` to `basic`
impl<'de> Deserialize<'de> for HttpServerAuthConfig {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
    where
        D: serde::Deserializer<'de>,
    {
        struct HttpServerAuthConfigVisitor;

        const FIELD_KEYS: [&str; 4] = ["strategy", "username", "password", "source"];

        impl<'de> Visitor<'de> for HttpServerAuthConfigVisitor {
            type Value = HttpServerAuthConfig;

            fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
                formatter.write_str("a valid authentication strategy (basic or custom)")
            }

            fn visit_map<A>(self, mut map: A) -> Result<HttpServerAuthConfig, A::Error>
            where
                A: MapAccess<'de>,
            {
                let mut fields: HashMap<&str, String> = HashMap::default();

                while let Some(key) = map.next_key::<String>()? {
                    if let Some(field_index) = FIELD_KEYS.iter().position(|k| *k == key.as_str()) {
                        if fields.contains_key(FIELD_KEYS[field_index]) {
                            return Err(Error::duplicate_field(FIELD_KEYS[field_index]));
                        }
                        fields.insert(FIELD_KEYS[field_index], map.next_value()?);
                    } else {
                        return Err(Error::unknown_field(&key, &FIELD_KEYS));
                    }
                }

                // Default to "basic" if strategy is missing
                let strategy = fields
                    .get("strategy")
                    .map(String::as_str)
                    .unwrap_or_else(|| "basic");

                match strategy {
                    "basic" => {
                        let username = fields
                            .remove("username")
                            .ok_or_else(|| Error::missing_field("username"))?;
                        let password = fields
                            .remove("password")
                            .ok_or_else(|| Error::missing_field("password"))?;
                        Ok(HttpServerAuthConfig::Basic {
                            username,
                            password: SensitiveString::from(password),
                        })
                    }
                    "custom" => {
                        let source = fields
                            .remove("source")
                            .ok_or_else(|| Error::missing_field("source"))?;
                        Ok(HttpServerAuthConfig::Custom { source })
                    }
                    _ => Err(Error::unknown_variant(strategy, &["basic", "custom"])),
                }
            }
        }

        deserializer.deserialize_map(HttpServerAuthConfigVisitor)
    }
}

impl HttpServerAuthConfig {
    /// Builds an auth matcher based on provided configuration.
    /// Used to validate configuration if needed, before passing it to the
    /// actual component for usage.
    pub fn build(
        &self,
        enrichment_tables: &vector_lib::enrichment::TableRegistry,
        metrics_storage: &MetricsStorage,
    ) -> crate::Result<HttpServerAuthMatcher> {
        match self {
            HttpServerAuthConfig::Basic { username, password } => {
                Ok(HttpServerAuthMatcher::AuthHeader(
                    Authorization::basic(username, password.inner()).0.encode(),
                    "Invalid username/password",
                ))
            }
            HttpServerAuthConfig::Custom { source } => {
                let state = TypeState::default();

                let mut config = CompileConfig::default();
                config.set_custom(enrichment_tables.clone());
                config.set_custom(metrics_storage.clone());
                // Lock the event body (.field) as read-only, but leave metadata (%field) writable
                // so the VRL program can enrich authenticated events via %field = value.
                config.set_read_only_path(OwnedTargetPath::event_root(), true);

                let CompilationResult {
                    program,
                    warnings,
                    config: _,
                } = compile_vrl(source, &vector_vrl_functions::all(), &state, config)
                    .map_err(|diagnostics| format_vrl_diagnostics(source, diagnostics))?;

                if !program.final_type_info().result.is_boolean() {
                    return Err("VRL conditions must return a boolean.".into());
                }

                if !warnings.is_empty() {
                    let warnings = format_vrl_diagnostics(source, warnings);
                    warn!(message = "VRL compilation warning.", %warnings);
                }

                Ok(HttpServerAuthMatcher::Vrl { program })
            }
        }
    }
}

/// Built auth matcher with validated configuration
/// Can be used directly in a component to validate authentication in HTTP requests
#[allow(clippy::large_enum_variant)]
#[derive(Clone, Debug)]
pub enum HttpServerAuthMatcher {
    /// Matcher for comparing exact value of Authorization header
    AuthHeader(HeaderValue, &'static str),
    /// Matcher for running VRL script for requests, to allow for custom validation.
    /// Metadata (`%field`) writes in the program are extracted and returned to the caller
    /// for injection into authenticated events.
    Vrl {
        /// Compiled VRL script
        program: Program,
    },
}

impl HttpServerAuthMatcher {
    /// Validates the request. Returns `Ok(Some(enrichment))` when auth passes and the VRL program
    /// wrote `%field` values; returns `Ok(None)` when auth passes with no metadata enrichment.
    pub fn handle_auth(
        &self,
        address: Option<&SocketAddr>,
        headers: &HeaderMap<HeaderValue>,
        path: &str,
    ) -> Result<Option<ObjectMap>, ErrorMessage> {
        match self {
            HttpServerAuthMatcher::AuthHeader(expected, err_message) => {
                if let Some(header) = headers.get(AUTHORIZATION) {
                    if expected == header {
                        Ok(None)
                    } else {
                        Err(ErrorMessage::new(
                            StatusCode::UNAUTHORIZED,
                            err_message.to_string(),
                        ))
                    }
                } else {
                    Err(ErrorMessage::new(
                        StatusCode::UNAUTHORIZED,
                        "No authorization header".to_owned(),
                    ))
                }
            }
            HttpServerAuthMatcher::Vrl { program } => {
                self.handle_vrl_auth(address, headers, path, program)
            }
        }
    }

    fn handle_vrl_auth(
        &self,
        address: Option<&SocketAddr>,
        headers: &HeaderMap<HeaderValue>,
        path: &str,
        program: &Program,
    ) -> Result<Option<ObjectMap>, ErrorMessage> {
        let mut target = VrlTarget::new(
            Event::Log(LogEvent::from_map(
                ObjectMap::from([
                    (
                        "headers".into(),
                        Value::Object(
                            headers
                                .iter()
                                .map(|(k, v)| {
                                    (
                                        KeyString::from(k.to_string()),
                                        Value::Bytes(Bytes::copy_from_slice(v.as_bytes())),
                                    )
                                })
                                .collect::<ObjectMap>(),
                        ),
                    ),
                    (
                        "address".into(),
                        address.map_or(Value::Null, |a| Value::from(a.ip().to_string())),
                    ),
                    ("path".into(), Value::from(path.to_owned())),
                ]),
                Default::default(),
            )),
            program.info(),
            false,
        );
        let timezone = TimeZone::default();

        let result = Runtime::default().resolve(&mut target, program, &timezone);
        match result.map_err(|e| {
            warn!("Handling auth failed: {}", e);
            ErrorMessage::new(StatusCode::UNAUTHORIZED, "Auth failed".to_owned())
        })? {
            vrl::core::Value::Boolean(true) => {
                let enrichment = if let VrlTarget::LogEvent(_, metadata) = &target {
                    metadata
                        .value()
                        .as_object()
                        .filter(|m| !m.is_empty())
                        .cloned()
                } else {
                    None
                };
                Ok(enrichment)
            }
            vrl::core::Value::Boolean(false) => Err(ErrorMessage::new(
                StatusCode::UNAUTHORIZED,
                "Auth failed".to_owned(),
            )),
            _ => Err(ErrorMessage::new(
                StatusCode::UNAUTHORIZED,
                "Invalid return value".to_owned(),
            )),
        }
    }
}

#[cfg(test)]
mod tests {
    use indoc::indoc;

    use super::*;
    use crate::test_util::{addr::next_addr, random_string};

    impl HttpServerAuthMatcher {
        fn auth_header(self) -> (HeaderValue, &'static str) {
            match self {
                HttpServerAuthMatcher::AuthHeader(header_value, error_message) => {
                    (header_value, error_message)
                }
                HttpServerAuthMatcher::Vrl { .. } => {
                    panic!("Expected HttpServerAuthMatcher::AuthHeader")
                }
            }
        }
    }

    #[test]
    fn config_should_default_to_basic() {
        let config: HttpServerAuthConfig = serde_yaml::from_str(indoc! { r#"
            username: foo
            password: bar
            "#
        })
        .unwrap();

        if let HttpServerAuthConfig::Basic { username, password } = config {
            assert_eq!(username, "foo");
            assert_eq!(password.inner(), "bar");
        } else {
            panic!("Expected HttpServerAuthConfig::Basic");
        }
    }

    #[test]
    fn config_should_support_explicit_basic_strategy() {
        let config: HttpServerAuthConfig = serde_yaml::from_str(indoc! { r#"
            strategy: basic
            username: foo
            password: bar
            "#
        })
        .unwrap();

        if let HttpServerAuthConfig::Basic { username, password } = config {
            assert_eq!(username, "foo");
            assert_eq!(password.inner(), "bar");
        } else {
            panic!("Expected HttpServerAuthConfig::Basic");
        }
    }

    #[test]
    fn config_should_support_custom_strategy() {
        let config: HttpServerAuthConfig = serde_yaml::from_str(indoc! { r#"
            strategy: custom
            source: "true"
            "#
        })
        .unwrap();

        assert!(matches!(config, HttpServerAuthConfig::Custom { .. }));
        if let HttpServerAuthConfig::Custom { source } = config {
            assert_eq!(source, "true");
        } else {
            panic!("Expected HttpServerAuthConfig::Custom");
        }
    }

    #[test]
    fn build_basic_auth_should_always_work() {
        let basic_auth = HttpServerAuthConfig::Basic {
            username: random_string(16),
            password: random_string(16).into(),
        };

        let matcher = basic_auth.build(&Default::default(), &Default::default());

        assert!(matcher.is_ok());
        assert!(matches!(
            matcher.unwrap(),
            HttpServerAuthMatcher::AuthHeader { .. }
        ));
    }

    #[test]
    fn build_basic_auth_should_use_username_password_related_message() {
        let basic_auth = HttpServerAuthConfig::Basic {
            username: random_string(16),
            password: random_string(16).into(),
        };

        let (_, error_message) = basic_auth
            .build(&Default::default(), &Default::default())
            .unwrap()
            .auth_header();
        assert_eq!("Invalid username/password", error_message);
    }

    #[test]
    fn build_basic_auth_should_use_encode_basic_header() {
        let username = random_string(16);
        let password = random_string(16);
        let basic_auth = HttpServerAuthConfig::Basic {
            username: username.clone(),
            password: password.clone().into(),
        };

        let (header, _) = basic_auth
            .build(&Default::default(), &Default::default())
            .unwrap()
            .auth_header();
        assert_eq!(
            Authorization::basic(&username, &password).0.encode(),
            header
        );
    }

    #[test]
    fn build_custom_should_fail_on_invalid_source() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: "invalid VRL source".to_string(),
        };

        assert!(
            custom_auth
                .build(&Default::default(), &Default::default())
                .is_err()
        );
    }

    #[test]
    fn build_custom_should_fail_on_non_boolean_return_type() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: indoc! {r#"
                .success = true
                .
                "#}
            .to_string(),
        };

        assert!(
            custom_auth
                .build(&Default::default(), &Default::default())
                .is_err()
        );
    }

    #[test]
    fn build_custom_should_success_on_proper_source_with_boolean_return_type() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: indoc! {r#"
                .headers.authorization == "Basic test"
                "#}
            .to_string(),
        };

        assert!(
            custom_auth
                .build(&Default::default(), &Default::default())
                .is_ok()
        );
    }

    #[test]
    fn basic_auth_matcher_should_return_401_when_missing_auth_header() {
        let basic_auth = HttpServerAuthConfig::Basic {
            username: random_string(16),
            password: random_string(16).into(),
        };

        let matcher = basic_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &HeaderMap::new(), "/");

        assert!(result.is_err());
        let error = result.unwrap_err();
        assert_eq!(401, error.code());
        assert_eq!("No authorization header", error.message());
    }

    #[test]
    fn basic_auth_matcher_should_return_401_and_with_wrong_credentials() {
        let basic_auth = HttpServerAuthConfig::Basic {
            username: random_string(16),
            password: random_string(16).into(),
        };

        let matcher = basic_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let mut headers = HeaderMap::new();
        headers.insert(AUTHORIZATION, HeaderValue::from_static("Basic wrong"));
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_err());
        let error = result.unwrap_err();
        assert_eq!(401, error.code());
        assert_eq!("Invalid username/password", error.message());
    }

    #[test]
    fn basic_auth_matcher_should_return_ok_for_correct_credentials() {
        let username = random_string(16);
        let password = random_string(16);
        let basic_auth = HttpServerAuthConfig::Basic {
            username: username.clone(),
            password: password.clone().into(),
        };

        let matcher = basic_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let mut headers = HeaderMap::new();
        headers.insert(
            AUTHORIZATION,
            Authorization::basic(&username, &password).0.encode(),
        );
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_ok());
    }

    #[test]
    fn custom_auth_matcher_should_return_ok_for_true_vrl_script_result() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: r#".headers.authorization == "test""#.to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let mut headers = HeaderMap::new();
        headers.insert(AUTHORIZATION, HeaderValue::from_static("test"));
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_ok());
    }

    #[test]
    fn custom_auth_matcher_should_be_able_to_check_address() {
        let (_guard, addr) = next_addr();
        let addr_string = addr.ip().to_string();
        let custom_auth = HttpServerAuthConfig::Custom {
            source: format!(".address == \"{addr_string}\""),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let headers = HeaderMap::new();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_ok());
    }

    #[test]
    fn custom_auth_matcher_should_work_with_missing_address_too() {
        let (_guard, addr) = next_addr();
        let addr_string = addr.ip().to_string();
        let custom_auth = HttpServerAuthConfig::Custom {
            source: format!(".address == \"{addr_string}\""),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let headers = HeaderMap::new();
        let result = matcher.handle_auth(None, &headers, "/");

        assert!(result.is_err());
    }

    #[test]
    fn custom_auth_matcher_should_be_able_to_check_path() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: r#".path == "/ok""#.to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let headers = HeaderMap::new();
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/ok");

        assert!(result.is_ok());
    }

    #[test]
    fn custom_auth_matcher_should_return_401_with_wrong_path() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: r#".path == "/ok""#.to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let headers = HeaderMap::new();
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/bad");

        assert!(result.is_err());
    }

    #[test]
    fn custom_auth_matcher_should_return_401_for_false_vrl_script_result() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: r#".headers.authorization == "test""#.to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let mut headers = HeaderMap::new();
        headers.insert(AUTHORIZATION, HeaderValue::from_static("wrong value"));
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_err());
        let error = result.unwrap_err();
        assert_eq!(401, error.code());
        assert_eq!("Auth failed", error.message());
    }

    #[test]
    fn custom_auth_matcher_should_return_401_for_failed_script_execution() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: "abort".to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let mut headers = HeaderMap::new();
        headers.insert(AUTHORIZATION, HeaderValue::from_static("test"));
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_err());
        let error = result.unwrap_err();
        assert_eq!(401, error.code());
        assert_eq!("Auth failed", error.message());
    }

    // Backward-compat: existing `custom` scripts that don't write metadata still work and return
    // Ok(None) — no enrichment, no change in behavior.
    #[test]
    fn custom_auth_matcher_returns_none_enrichment_when_no_metadata_written() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: r#".headers.authorization == "Bearer token""#.to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let mut headers = HeaderMap::new();
        headers.insert(AUTHORIZATION, HeaderValue::from_static("Bearer token"));
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_ok());
        assert_eq!(
            None,
            result.unwrap(),
            "no metadata written => no enrichment"
        );
    }

    // Existing `custom` scripts that write metadata via `%field = value` now enrich events.
    #[test]
    fn custom_auth_matcher_returns_enrichment_when_metadata_written() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: indoc! {r#"
                %tenant_id = "acme"
                true
                "#}
            .to_string(),
        };

        let matcher = custom_auth
            .build(&Default::default(), &Default::default())
            .unwrap();

        let headers = HeaderMap::new();
        let (_guard, addr) = next_addr();
        let result = matcher.handle_auth(Some(&addr), &headers, "/");

        assert!(result.is_ok());
        let enrichment = result.unwrap().expect("expected enrichment map");
        assert_eq!(
            enrichment.get("tenant_id").cloned(),
            Some(vrl::core::Value::from("acme")),
        );
    }

    // Existing `custom` scripts still cannot mutate event body fields.
    #[test]
    fn custom_auth_build_fails_when_event_body_write_attempted() {
        let custom_auth = HttpServerAuthConfig::Custom {
            source: indoc! {r#"
                .new_field = "value"
                true
                "#}
            .to_string(),
        };

        assert!(
            custom_auth
                .build(&Default::default(), &Default::default())
                .is_err(),
            "writing to event body (.field) must be rejected at compile time"
        );
    }
}