ResiLien
/
terraform
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #8008 from hashicorp/jbardin/access_token 

Don't send access_token in request params
This commit is contained in:
James Bardin 2016-08-05 12:52:28 -04:00 committed by GitHub
parent 00effbe57b 0a3714eaac
commit a51a2c1426
2 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
state/remote/atlas.go
View File

@ -23,6 +23,7 @@ import (
const ( const (
// defaultAtlasServer is used when no address is given // defaultAtlasServer is used when no address is given
defaultAtlasServer = "https://atlas.hashicorp.com/" defaultAtlasServer = "https://atlas.hashicorp.com/"
atlasTokenHeader = "X-Atlas-Token"
) )
func atlasFactory(conf map[string]string) (Client, error) { func atlasFactory(conf map[string]string) (Client, error) {
@ -92,6 +93,8 @@ func (c *AtlasClient) Get() (*Payload, error) {
return nil, fmt.Errorf("Failed to make HTTP request: %v", err) return nil, fmt.Errorf("Failed to make HTTP request: %v", err)
} }
req.Header.Set(atlasTokenHeader, c.AccessToken)
// Request the url // Request the url
client, err := c.http() client, err := c.http()
if err != nil { if err != nil {
@ -170,6 +173,7 @@ func (c *AtlasClient) Put(state []byte) error {
} }
// Prepare the request // Prepare the request
req.Header.Set(atlasTokenHeader, c.AccessToken)
req.Header.Set("Content-MD5", b64) req.Header.Set("Content-MD5", b64)
req.Header.Set("Content-Type", "application/json") req.Header.Set("Content-Type", "application/json")
req.ContentLength = int64(len(state)) req.ContentLength = int64(len(state))
@ -204,6 +208,7 @@ func (c *AtlasClient) Delete() error {
if err != nil { if err != nil {
return fmt.Errorf("Failed to make HTTP request: %v", err) return fmt.Errorf("Failed to make HTTP request: %v", err)
} }
req.Header.Set(atlasTokenHeader, c.AccessToken)
// Make the request // Make the request
client, err := c.http() client, err := c.http()
@ -249,7 +254,6 @@ func (c *AtlasClient) url() *url.URL {
values := url.Values{} values := url.Values{}
values.Add("atlas_run_id", c.RunId) values.Add("atlas_run_id", c.RunId)
values.Add("access_token", c.AccessToken)
return &url.URL{ return &url.URL{
Scheme: c.ServerURL.Scheme, Scheme: c.ServerURL.Scheme,

11
state/remote/atlas_test.go
View File

@ -218,6 +218,17 @@ func (f *fakeAtlas) NoConflictAllowed(b bool) {
} }
func (f *fakeAtlas) handler(resp http.ResponseWriter, req *http.Request) { func (f *fakeAtlas) handler(resp http.ResponseWriter, req *http.Request) {
// access tokens should only be sent as a header
if req.FormValue("access_token") != "" {
http.Error(resp, "access_token in request params", http.StatusBadRequest)
return
}
if req.Header.Get(atlasTokenHeader) == "" {
http.Error(resp, "missing access token", http.StatusBadRequest)
return
}
switch req.Method { switch req.Method {
case "GET": case "GET":
// Respond with the current stored state. // Respond with the current stored state.