Authorization header scheme is not case sensitive

[dave-shawley]

Overview of the Issue

The HTTP Authorization header is defined in RFC-7235 as:

credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

The RFC text explicitly states that the auth-scheme token is to be treated as a case-insensitive token.

HTTP provides a simple challenge-response authentication framework
that can be used by a server to challenge a client request and by a
client to provide authentication information. It uses a case-
insensitive token as a means to identify the authentication scheme,
followed by additional information necessary for achieving

The parseTokenInternal function does a case sensitive comparison.

consul/agent/http.go

Lines 885 to 886 in 76cf540

	// <Scheme> must be "Bearer"
	if scheme == "Bearer" {

Reproduction Steps

Steps to reproduce this issue, eg:

1. Run consul with ACLs enabled
2. Create an access token and policy that restricts KV access
3. Retrieve a KV entry via curl using --header 'Authorization: bearer <token> replacing <token> with the real token, the request should fail with an authorization failure
4. Retrieve a KV entry via curl using --header 'Authorization: Bearer <token> replacing <token> with the real token, the request should succeed

Consul info for both Client and Server

Client info

agent:
	check_monitors = 0
	check_ttls = 0
	checks = 0
	services = 0
build:
	prerelease =
	revision = 9be6dfc3
	version = 1.6.1
consul:
	acl = enabled
	bootstrap = false
	known_datacenters = 1
	leader = true
	leader_addr = 127.0.0.1:8300
	server = true
raft:
	applied_index = 1475
	commit_index = 1475
	fsm_pending = 0
	last_contact = 0
	last_log_index = 1475
	last_log_term = 2
	last_snapshot_index = 0
	last_snapshot_term = 0
	latest_configuration = [{Suffrage:Voter ID:36897075-955d-c42f-314a-e1540c3af1ae Address:127.0.0.1:8300}]
	latest_configuration_index = 1
	num_peers = 0
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Leader
	term = 2
runtime:
	arch = amd64
	cpu_count = 6
	goroutines = 82
	max_procs = 6
	os = linux
	version = go1.12.1
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 1
	event_time = 2
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1

Server info

agent:
	check_monitors = 0
	check_ttls = 0
	checks = 0
	services = 0
build:
	prerelease =
	revision = 9be6dfc3
	version = 1.6.1
consul:
	acl = enabled
	bootstrap = false
	known_datacenters = 1
	leader = true
	leader_addr = 127.0.0.1:8300
	server = true
raft:
	applied_index = 1475
	commit_index = 1475
	fsm_pending = 0
	last_contact = 0
	last_log_index = 1475
	last_log_term = 2
	last_snapshot_index = 0
	last_snapshot_term = 0
	latest_configuration = [{Suffrage:Voter ID:36897075-955d-c42f-314a-e1540c3af1ae Address:127.0.0.1:8300}]
	latest_configuration_index = 1
	num_peers = 0
	protocol_version = 3
	protocol_version_max = 3
	protocol_version_min = 0
	snapshot_version_max = 1
	snapshot_version_min = 0
	state = Leader
	term = 2
runtime:
	arch = amd64
	cpu_count = 6
	goroutines = 82
	max_procs = 6
	os = linux
	version = go1.12.1
serf_lan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 1
	event_time = 2
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1
serf_wan:
	coordinate_resets = 0
	encrypted = false
	event_queue = 0
	event_time = 1
	failed = 0
	health_score = 0
	intent_queue = 0
	left = 0
	member_time = 1
	members = 1
	query_queue = 0
	query_time = 1

Operating system and Environment details

Server is a unclustered docker container running consul:1.6

Log Fragments

I don't have the log-level turned up currently, so the consul server logs are scant. I can probably provide more detailed logs later on tonight if required.

consul-testing_1     |     2019/10/02 12:01:36 [WARN] agent: Coordinate update blocked by ACLs
consul-testing_1     |     2019/10/02 12:01:39 [ERR] http: Request GET /v1/acl/token/self, error: ACL not found from=172.26.0.1:43960
consul-testing_1     |     2019/10/02 12:01:39 [DEBUG] http: Request GET /v1/acl/token/self (419.6?s) from=172.26.0.1:43960

The client is a hand-rolled HTTP python client so the logs are custom:

[2019-10-02 08:00:56,688] INFO     projector.api.DeleteAction: deleting consul token in testing
[2019-10-02 08:00:56,688] INFO     projector.consul.destroy_token: retrieving token information
[2019-10-02 08:00:56,688] DEBUG    projector.consul.destroy_token: for token 2010ed85-cdf7-0527-c012-7a644081717a
[2019-10-02 08:00:56,688] DEBUG    projector.http.fetch: sending GET request to http://127.0.0.1:32808/v1/acl/token/self with: auth 'bearer 43d22af1-bf61-4749-2a1a-1988120224ea' body None
[2019-10-02 08:00:56,691] ERROR    projector.api.DeleteAction: failed to delete consul token in testing: HTTP 403: Forbidden

The bearer token is shown using python's repr syntax on the fifth line so the single-quotes indicate that it is a string and ARE NOT included in the header. If I change the bearer to Bearer, then it works like a charm.

[mkeeler]

Closing as the fix was merged.