Check if auth config is provided when using access control

pkg/api/authn.go

@@ -237,6 +237,27 @@ func basicAuthHandler(c *Controller) mux.MiddlewareFunc {
 	}
 }
 
+func isAuthnEnabled(config *Config) bool {
+	if config.HTTP.Auth != nil &&
+		(config.HTTP.Auth.HTPasswd.Path != "" || config.HTTP.Auth.LDAP != nil) {
+		return true
+	}
+
+	return false
+}
+
+func isBearerAuthEnabled(config *Config) bool {
+	if config.HTTP.Auth != nil &&
+		config.HTTP.Auth.Bearer != nil &&
+		config.HTTP.Auth.Bearer.Cert != "" &&
+		config.HTTP.Auth.Bearer.Realm != "" &&
+		config.HTTP.Auth.Bearer.Service != "" {
+		return true
+	}
+
+	return false
+}
+
 func authFail(w http.ResponseWriter, realm string, delay int) {
 	time.Sleep(time.Duration(delay) * time.Second)
 	w.Header().Set("WWW-Authenticate", realm)

pkg/api/authz.go

@@ -216,18 +216,6 @@ func getUsername(r *http.Request) string {
 	return pair[0]
 }
 
-func isBearerAuthEnabled(config *Config) bool {
-	if config.HTTP.Auth != nil &&
-		config.HTTP.Auth.Bearer != nil &&
-		config.HTTP.Auth.Bearer.Cert != "" &&
-		config.HTTP.Auth.Bearer.Realm != "" &&
-		config.HTTP.Auth.Bearer.Service != "" {
-		return true
-	}
-
-	return false
-}
-
 func authzFail(w http.ResponseWriter, realm string, delay int) {
 	time.Sleep(time.Duration(delay) * time.Second)
 	w.Header().Set("WWW-Authenticate", realm)

pkg/api/routes.go

@@ -54,8 +54,9 @@ func NewRouteHandler(c *Controller) *RouteHandler {
 
 func (rh *RouteHandler) SetupRoutes() {
 	rh.c.Router.Use(AuthHandler(rh.c))
-
-	if !isBearerAuthEnabled(rh.c.Config) && rh.c.Config.AccessControl != nil {
+	// authz is being enabled because authn is found
+	if rh.c.Config.AccessControl != nil && !isBearerAuthEnabled(rh.c.Config) && isAuthnEnabled(rh.c.Config) {
+		rh.c.Log.Info().Msg("access control is being enabled")
 		rh.c.Router.Use(AuthzHandler(rh.c))
 	}