From 197cde8fae3fffad832d7b2159dc256a7d5a7d7a Mon Sep 17 00:00:00 2001
From: Marc 'risson' Schmitt
Date: Mon, 23 Mar 2026 13:52:04 +0000
Subject: [PATCH] internal/web: remove authentication for metrics (#21077)
---
 authentik/root/monitoring.py | 15 ---------------
 authentik/root/tests/test_views.py | 25 ++-----------------------
 internal/web/metrics.go | 1 -
 internal/web/web.go | 21 ++++-----------------
 4 files changed, 6 insertions(+), 56 deletions(-)
diff --git a/authentik/root/monitoring.py b/authentik/root/monitoring.py
index 890e3d6061..15e461cff9 100644
--- a/authentik/root/monitoring.py
+++ b/authentik/root/monitoring.py
@@ -1,10 +1,5 @@
 """Metrics view"""
-from hmac import compare_digest
-from pathlib import Path
-from tempfile import gettempdir
-
-from django.conf import settings
 from django.db import connections
 from django.db.utils import OperationalError
 from django.dispatch import Signal
@@ -18,18 +13,8 @@ monitoring_set = Signal()
 class MetricsView(View):
     """Wrapper around ExportToDjangoView with authentication, accessed by the authentik router"""
-    def __init__(self, **kwargs):
-        _tmp = Path(gettempdir())
-        with open(_tmp / "authentik-core-metrics.key") as _f:
-            self.monitoring_key = _f.read()
-
     def get(self, request: HttpRequest) -> HttpResponse:
         """Check for HTTP-Basic auth"""
-        auth_header = request.META.get("HTTP_AUTHORIZATION", "")
-        auth_type, _, given_credentials = auth_header.partition(" ")
-        authed = auth_type == "Bearer" and compare_digest(given_credentials, self.monitoring_key)
-        if not authed and not settings.DEBUG:
-            return HttpResponse(status=401)
         monitoring_set.send_robust(self)
         return ExportToDjangoView(request)
diff --git a/authentik/root/tests/test_views.py b/authentik/root/tests/test_views.py
index f574a9ba50..d069bc5ac1 100644
--- a/authentik/root/tests/test_views.py
+++ b/authentik/root/tests/test_views.py
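Review bot: The class docstring on `MetricsView` still says "with authentication" and `get` still says `"""Check for HTTP-Basic auth"""`, although this hunk deletes both the key lookup in `__init__` and the Bearer comparison, so the docstrings now describe a check that no longer exists. Since nothing in the view restricts callers any more, the docstrings should state that explicitly and point to where exposure is controlled, e.g. `"""Wrapper around ExportToDjangoView, accessed by the authentik router; performs no authentication itself"""` on the class and `"""Collect and export metrics"""` on `get`. The removal also drops the `settings.DEBUG` bypass, which the commit message does not mention; a one-line note in the class docstring that the endpoint is expected to be reachable only through the router would help the next maintainer understand why no check is needed here.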
@@ -1,9 +1,5 @@
 """root tests"""
-from pathlib import Path
-from secrets import token_urlsafe
-from tempfile import gettempdir
-
 from django.test import TransactionTestCase
 from django.urls import reverse
@@ -11,26 +7,9 @@ from django.urls import reverse
 class TestRoot(TransactionTestCase):
     """Test root application"""
-    def setUp(self):
-        _tmp = Path(gettempdir())
-        self.token = token_urlsafe(32)
-        with open(_tmp / "authentik-core-metrics.key", "w") as _f:
-            _f.write(self.token)
-
-    def tearDown(self):
-        _tmp = Path(gettempdir())
-        (_tmp / "authentik-core-metrics.key").unlink()
-
-    def test_monitoring_error(self):
-        """Test monitoring without any credentials"""
-        response = self.client.get(reverse("metrics"))
-        self.assertEqual(response.status_code, 401)
-
-    def test_monitoring_ok(self):
+    def test_monitoring(self):
         """Test monitoring with credentials"""
-        auth_headers = {"HTTP_AUTHORIZATION": f"Bearer {self.token}"}
-        response = self.client.get(reverse("metrics"), **auth_headers)
-        self.assertEqual(response.status_code, 200)
+        self.assertEqual(self.client.get(reverse("metrics")).status_code, 200)
     def test_monitoring_live(self):
         """Test LiveView"""
diff --git a/internal/web/metrics.go b/internal/web/metrics.go
index b1ff6dc949..d4aad84ec4 100644
--- a/internal/web/metrics.go
+++ b/internal/web/metrics.go
@@ -37,7 +37,6 @@ func (ws *WebServer) runMetricsServer(listen string) {
 		l.WithError(err).Warning("failed to get upstream metrics")
 		return
 	}
-	re.Header.Set("Authorization", fmt.Sprintf("Bearer %s", ws.metricsKey))
 	res, err := ws.upstreamHttpClient().Do(re)
 	if err != nil {
 		l.WithError(err).Warning("failed to get upstream metrics")
diff --git a/internal/web/web.go b/internal/web/web.go
index e27f54442e..d49733e852 100644
--- a/internal/web/web.go
+++ b/internal/web/web.go
@@ -31,7 +31,6 @@ import (
 const (
 	SocketName = "authentik.sock"
 	IPCKeyFile = "authentik-core-ipc.key"
-	MetricsKeyFile = "authentik-core-metrics.key"
 	CoreSocketName = "authentik-core.sock"
 )
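Review bot: The docstring of the renamed `test_monitoring` still reads `"""Test monitoring with credentials"""`, but the new body sends no Authorization header at all, so the docstring now states the opposite of what the test does; `"""Test monitoring without credentials"""` matches the new behaviour. With `test_monitoring_error` deleted, nothing in this diff asserts that the metrics path is refused anywhere, and the new `http.NotFoundHandler()` route in `internal/web/web.go` has no test in this commit; a router-level test expecting 404 for the metrics path under the configured web prefix would keep the now-unauthenticated view from being exposed by a later routing change. The `TestRoot` class continues outside the hunk.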
@@ -52,8 +51,7 @@ type WebServer struct {
 	upstreamClient *http.Client
 	upstreamURL *url.URL
-	metricsKey string
-	ipcKey string
+	ipcKey string
 }
 func NewWebServer() *WebServer {
@@ -92,6 +90,7 @@ func NewWebServer() *WebServer {
 		upstreamClient: upstreamClient,
 		upstreamURL: u,
 	}
+	ws.mainRouter.PathPrefix(config.Get().Web.Path).Path("/-/metrics/").Handler(http.NotFoundHandler())
 	ws.configureStatic()
 	ws.configureProxy()
 	// Redirect for sub-folder
@@ -122,15 +121,7 @@ func (ws *WebServer) upstreamHealthcheck() bool {
 func (ws *WebServer) prepareKeys() {
 	tmp := os.TempDir()
 	key := base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
-	err := os.WriteFile(path.Join(tmp, MetricsKeyFile), []byte(key), 0o600)
-	if err != nil {
-		ws.log.WithError(err).Warning("failed to save metrics key")
-		return
-	}
-	ws.metricsKey = key
-
-	key = base64.StdEncoding.EncodeToString(securecookie.GenerateRandomKey(64))
-	err = os.WriteFile(path.Join(tmp, IPCKeyFile), []byte(key), 0o600)
+	err := os.WriteFile(path.Join(tmp, IPCKeyFile), []byte(key), 0o600)
 	if err != nil {
 		ws.log.WithError(err).Warning("failed to save ipc key")
 		return
@@ -228,11 +219,7 @@ func (ws *WebServer) Shutdown() {
 	ws.log.Info("shutting down gunicorn")
 	ws.g.Kill()
 	tmp := os.TempDir()
-	err := os.Remove(path.Join(tmp, MetricsKeyFile))
-	if err != nil {
-		ws.log.WithError(err).Warning("failed to remove metrics key file")
-	}
-	err = os.Remove(path.Join(tmp, IPCKeyFile))
+	err := os.Remove(path.Join(tmp, IPCKeyFile))
 	if err != nil {
 		ws.log.WithError(err).Warning("failed to remove ipc key file")
 	}
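Review bot: The added `ws.mainRouter.PathPrefix(config.Get().Web.Path).Path("/-/metrics/").Handler(http.NotFoundHandler())` line appears to be the only thing keeping the now-unauthenticated Django metrics view off the public router, yet it has no comment, and its placement before `ws.configureStatic()` and `ws.configureProxy()` looks deliberate since mux resolves routes in registration order. A comment such as `// The core metrics view no longer authenticates; refuse its path on the public router` followed by `// (registered before the proxy routes so it takes precedence) and serve metrics only from the dedicated listener.` would record both the reason and the ordering constraint. The route matches the exact path `/-/metrics/`; whether a request without the trailing slash or with an alternative encoding of the path falls through to the upstream proxy depends on path normalization that this hunk does not show, so a test exercising those variants against the router would be worth adding. `NewWebServer` starts and ends outside the hunk.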
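Review bot: After this hunk `prepareKeys` generates and writes exactly one key, `IPCKeyFile`, so the plural name and the absence of any doc comment make it read as if it still prepares several; a one-line comment such as `// prepareKeys writes the IPC key that the core process reads from the temp directory` above the function (or a rename to `prepareIPCKey`, if call sites allow) would keep the name honest. The function's body continues outside the hunk.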