in internal/beater/auth/authenticator.go [177:207]
func (a *Authenticator) Authenticate(ctx context.Context, kind string, token string) (AuthenticationDetails, Authorizer, error) {
if a.apikey == nil && a.secretToken == "" {
// No auth required, let everyone through.
return AuthenticationDetails{Method: MethodNone}, allowAuth{}, nil
}
switch kind {
case "":
if a.anonymous != nil {
return AuthenticationDetails{Method: MethodAnonymous}, a.anonymous, nil
}
return AuthenticationDetails{}, nil, errAuthMissing
case headers.APIKey:
if a.apikey != nil {
details, authz, err := a.apikey.authenticate(ctx, token)
if err != nil {
return AuthenticationDetails{}, nil, err
}
return AuthenticationDetails{Method: MethodAPIKey, APIKey: details}, authz, nil
}
case headers.Bearer:
if a.secretToken != "" && subtle.ConstantTimeCompare([]byte(a.secretToken), []byte(token)) == 1 {
return AuthenticationDetails{Method: MethodSecretToken}, allowAuth{}, nil
}
default:
return AuthenticationDetails{}, nil, fmt.Errorf(
"%w: unknown Authentication header %s: %s",
ErrAuthFailed, kind, expectedAuthHeaderFormat,
)
}
return AuthenticationDetails{}, nil, ErrAuthFailed
}