From 0a3714eaac8d785ef22f3545c059adcb2b86ae98 Mon Sep 17 00:00:00 2001
From: James Bardin
Date: Fri, 5 Aug 2016 11:38:10 -0400
Subject: [PATCH] Don't send access_token in request params

Always send the access_token in the X-Atlas-Token header.
---
 state/remote/atlas.go | 6 +++++-
 state/remote/atlas_test.go | 11 +++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/state/remote/atlas.go b/state/remote/atlas.go
index 24e81f177..5343c0236 100644
--- a/state/remote/atlas.go
+++ b/state/remote/atlas.go
@@ -23,6 +23,7 @@ import (
 const (
 // defaultAtlasServer is used when no address is given
 defaultAtlasServer = "https://atlas.hashicorp.com/"
+ atlasTokenHeader = "X-Atlas-Token"
 )
 
 func atlasFactory(conf map[string]string) (Client, error) {
@@ -92,6 +93,8 @@ func (c *AtlasClient) Get() (*Payload, error) {
 return nil, fmt.Errorf("Failed to make HTTP request: %v", err)
 }
 
+ req.Header.Set(atlasTokenHeader, c.AccessToken)
+
 // Request the url
 client, err := c.http()
 if err != nil {
@@ -170,6 +173,7 @@ func (c *AtlasClient) Put(state []byte) error {
 }
 
 // Prepare the request
+ req.Header.Set(atlasTokenHeader, c.AccessToken)
 req.Header.Set("Content-MD5", b64)
 req.Header.Set("Content-Type", "application/json")
 req.ContentLength = int64(len(state))
@@ -204,6 +208,7 @@ func (c *AtlasClient) Delete() error {
 if err != nil {
 return fmt.Errorf("Failed to make HTTP request: %v", err)
 }
+ req.Header.Set(atlasTokenHeader, c.AccessToken)
 
 // Make the request
 client, err := c.http()
@@ -249,7 +254,6 @@ func (c *AtlasClient) url() *url.URL {
 values := url.Values{}
 values.Add("atlas_run_id", c.RunId)
- values.Add("access_token", c.AccessToken)
 
 return &url.URL{
 Scheme: c.ServerURL.Scheme,
diff --git a/state/remote/atlas_test.go b/state/remote/atlas_test.go
index 1d73540a4..9d4f226fe 100644
--- a/state/remote/atlas_test.go
+++ b/state/remote/atlas_test.go
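Review bot: The new constant `atlasTokenHeader` in the `const` hunk has no doc comment although its sibling `defaultAtlasServer` does, and the reason it exists is exactly the security property this commit establishes. Suggest `// atlasTokenHeader is the request header that carries the Atlas access token; the token is deliberately kept out of the URL query so it does not end up in proxy, server or Referer logs.` so the next reader does not reintroduce the query parameter for convenience.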
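Review bot: The line `req.Header.Set(atlasTokenHeader, c.AccessToken)` is added separately in the `Get`, `Put` and `Delete` hunks, so every future request path must remember to repeat it and a forgotten copy only fails at runtime against the real service. A small method such as `func (c *AtlasClient) setToken(req *http.Request) { req.Header.Set(atlasTokenHeader, c.AccessToken) }` called from each of the three keeps the policy in one place. Note also that `Header.Set` with an empty `c.AccessToken` still emits the header with an empty value rather than omitting it; whether an unset token should be rejected early in `atlasFactory` rather than surfacing as a 4xx from the server depends on how `conf` is validated there, which is outside these hunks. Each of `Get`, `Put` and `Delete` starts and ends outside its hunk.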
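Review bot: Removing `values.Add("access_token", c.AccessToken)` from `url()` closes the log and Referer exposure, but the remaining transport path is still unchecked: `Scheme: c.ServerURL.Scheme` is taken verbatim from configuration, so a plain-http server address would send `X-Atlas-Token` in cleartext. Redirect handling is the other gap: depending on the Go version, the client built by `c.http()` (not in this hunk) either drops all headers on a redirect, silently breaking auth, or copies custom headers such as this one to whatever host the redirect names, since only the standard credential headers are stripped cross-host. Consider rejecting non-https schemes in `atlasFactory` unless explicitly opted in, and giving the client a `CheckRedirect` that refuses to follow redirects, or at least cross-host ones. `url()` continues outside the hunk.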
@@ -218,6 +218,17 @@ func (f *fakeAtlas) NoConflictAllowed(b bool) {
 }
 
 func (f *fakeAtlas) handler(resp http.ResponseWriter, req *http.Request) {
+ // access tokens should only be sent as a header
+ if req.FormValue("access_token") != "" {
+ http.Error(resp, "access_token in request params", http.StatusBadRequest)
+ return
+ }
+
+ if req.Header.Get(atlasTokenHeader) == "" {
+ http.Error(resp, "missing access token", http.StatusBadRequest)
+ return
+ }
+
 switch req.Method {
 case "GET":
 // Respond with the current stored state.
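Review bot: The new guard `if req.Header.Get(atlasTokenHeader) == ""` in `handler` only checks that a header is present, so a client that sends a wrong or stale token still passes the fake; if `fakeAtlas` knows the token the test client was constructed with (the struct is outside this hunk), compare against that value instead of testing for non-empty. The `req.FormValue("access_token")` check also inspects a form-encoded body, which is harmless here, but if the intent is strictly "never in the URL" then `req.URL.Query().Get("access_token")` states that more precisely and does not depend on `ParseForm` succeeding. `handler` continues outside the hunk.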