Run no-op claim mapper even without auth info (#4197)

Author: dnr

common/authorization/claim_mapper.go

@@ -57,10 +57,18 @@ type ClaimMapper interface {
 
 // @@@SNIPEND
 
+// Normally, GetClaims will never be called without either an auth token or TLS metadata set in
+// AuthInfo. However, if you want your ClaimMapper to be called in all cases, you can implement
+// this additional interface and return false.
+type ClaimMapperWithAuthInfoRequired interface {
+	AuthInfoRequired() bool
+}
+
 // No-op claim mapper that gives system level admin permission to everybody
 type noopClaimMapper struct{}
 
 var _ ClaimMapper = (*noopClaimMapper)(nil)
+var _ ClaimMapperWithAuthInfoRequired = (*noopClaimMapper)(nil)
 
 func NewNoopClaimMapper() ClaimMapper {
 	return &noopClaimMapper{}
@@ -70,6 +78,11 @@ func (*noopClaimMapper) GetClaims(_ *AuthInfo) (*Claims, error) {
 	return &Claims{System: RoleAdmin}, nil
 }
 
+// This implementation can run even without auth info.
+func (*noopClaimMapper) AuthInfoRequired() bool {
+	return false
+}
+
 func GetClaimMapperFromConfig(config *config.Authorization, logger log.Logger) (ClaimMapper, error) {
 
 	switch strings.ToLower(config.ClaimMapper) {

common/authorization/claim_mapper_mock.go

@@ -89,8 +89,13 @@ func (a *interceptor) Interceptor(
 			tlsSubject = &clientCert.Subject
 		}
 
+		authInfoRequired := true
+		if cm, ok := a.claimMapper.(ClaimMapperWithAuthInfoRequired); ok {
+			authInfoRequired = cm.AuthInfoRequired()
+		}
+
 		// Add auth info to context only if there's some auth info
-		if tlsSubject != nil || len(authHeaders) > 0 {
+		if tlsSubject != nil || len(authHeaders) > 0 || !authInfoRequired {
 			var authHeader string
 			var authExtraHeader string
 			var audience string

common/authorization/interceptor.go

@@ -133,3 +133,23 @@ func (s *authorizerInterceptorSuite) TestAuthorizationFailed() {
 	s.Nil(res)
 	s.Error(err)
 }
+
+func (s *authorizerInterceptorSuite) TestNoopClaimMapperWithoutTLS() {
+	admin := &Claims{System: RoleAdmin}
+	s.mockAuthorizer.EXPECT().Authorize(gomock.Any(), admin, describeNamespaceTarget).
+		DoAndReturn(func(ctx context.Context, caller *Claims, target *CallTarget) (Result, error) {
+			// check that claims are present in ctx also
+			s.Equal(admin, ctx.Value(MappedClaims))
+
+			return Result{Decision: DecisionAllow}, nil
+		})
+
+	interceptor := NewAuthorizationInterceptor(
+		NewNoopClaimMapper(),
+		s.mockAuthorizer,
+		s.mockMetricsHandler,
+		log.NewNoopLogger(),
+		nil)
+	_, err := interceptor(ctx, describeNamespaceRequest, describeNamespaceInfo, s.handler)
+	s.NoError(err)
+}