From 82a3e203580e10e010cf41938f69e6b269508026 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9na=C3=AFc=20Huard?=
Date: Wed, 29 Dec 2021 08:46:17 +0100
Subject: [PATCH] Update the default value of the `bearer_token` parameter (#10706) to send the bearer token only to secure https endpoints and not to clear text http endpoints.
---
 .../base/checks/openmetrics/mixins.py | 14 +++++++++-----
 .../openmetrics/test_openmetrics_base_check.py | 16 ++++++++++++++++
 2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py b/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
index fd22469dc590d..b4089e7cf4eb9 100644
--- a/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
+++ b/datadog_checks_base/datadog_checks/base/checks/openmetrics/mixins.py
@@ -348,12 +348,16 @@ def _get_setting(name, default):
 # INTERNAL FEATURE, might be removed in future versions
 config['_text_filter_blacklist'] = []
 
- # Whether or not to use the service account bearer token for authentication
- # if 'bearer_token_path' is not set, we use /var/run/secrets/kubernetes.io/serviceaccount/token
+ # Whether or not to use the service account bearer token for authentication.
+ # Can be explicitly set to true or false to send or not the bearer token.
+ # If set to the `tls_only` value, the bearer token will be sent only to https endpoints.
+ # If 'bearer_token_path' is not set, we use /var/run/secrets/kubernetes.io/serviceaccount/token
 # as a default path to get the token.
- config['bearer_token_auth'] = is_affirmative(
- instance.get('bearer_token_auth', default_instance.get('bearer_token_auth', False))
- )
+ bearer_token_auth = _get_setting('bearer_token_auth', False)
+ if bearer_token_auth == 'tls_only':
+ config['bearer_token_auth'] = config['prometheus_url'].startswith("https://")
+ else:
+ config['bearer_token_auth'] = is_affirmative(bearer_token_auth)
 
 # Can be used to get a service account bearer token from files
 # other than /var/run/secrets/kubernetes.io/serviceaccount/token
diff --git a/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py b/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py
index f9136bb292db9..04d86162f2d9a 100644
--- a/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py
+++ b/datadog_checks_base/tests/base/checks/openmetrics/test_openmetrics_base_check.py
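Review bot: The match on the new `if bearer_token_auth == 'tls_only':` line is exact and case-sensitive, and any other spelling (`TLS_only`, `tls-only`) falls through to `is_affirmative`, which presumably returns False for an unrecognised string, so a configuration typo silently disables token auth without any log line. Consider normalising before comparing, `if isinstance(bearer_token_auth, str) and bearer_token_auth.strip().lower() == 'tls_only':`, and warning when a string value is neither `tls_only` nor a recognised boolean spelling. The scheme test `config['prometheus_url'].startswith("https://")` is likewise case-sensitive; URL schemes are case-insensitive per RFC 3986, so `HTTPS://…` fails closed, which is harmless, but `config['prometheus_url'].lower().startswith("https://")` covers it. Both lines rely on `config['prometheus_url']` having been populated earlier in this function, which lies outside the hunk. The new comment block would also benefit from a caveat that an https scheme only keeps the token off clear-text connections and does not by itself imply certificate verification, which remains governed by the check's TLS verification settings.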
@@ -198,3 +198,19 @@ def test_bearer_token_not_found():
 }
 with pytest.raises(IOError):
 OpenMetricsBaseCheck('prometheus_check', {}, {}, [instance])
+
+
+def test_bearer_token_auto_http():
+ endpoint = "http://localhost:12345/metrics"
+ instance = {'prometheus_url': endpoint, 'namespace': 'default_namespace', 'bearer_token_auth': 'tls_only'}
+ with patch.object(OpenMetricsBaseCheck, 'KUBERNETES_TOKEN_PATH', os.path.join(FIXTURE_PATH, 'default_token')):
+ check = OpenMetricsBaseCheck('prometheus_check', {}, {}, [instance])
+ assert check.get_scraper_config(instance)['_bearer_token'] is None
+
+
+def test_bearer_token_auto_https():
+ endpoint = "https://localhost:12345/metrics"
+ instance = {'prometheus_url': endpoint, 'namespace': 'default_namespace', 'bearer_token_auth': 'tls_only'}
+ with patch.object(OpenMetricsBaseCheck, 'KUBERNETES_TOKEN_PATH', os.path.join(FIXTURE_PATH, 'default_token')):
+ check = OpenMetricsBaseCheck('prometheus_check', {}, {}, [instance])
+ assert check.get_scraper_config(instance)['_bearer_token'] == 'my default token'
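Review bot: The two new tests pin only the happy paths of `tls_only`; nothing pins the fall-through where a string other than `tls_only` reaches `is_affirmative` and disables the token, nor an upper-case scheme such as `HTTPS://localhost:12345/metrics`, so a regression in either branch would go unnoticed. A third test mirroring `test_bearer_token_auto_https` with `'bearer_token_auth': 'TLS_only'` (or a deliberate misspelling) and asserting the resulting `_bearer_token` would document the intended behaviour for that case. `patch`, `os` and `FIXTURE_PATH` appear to come from the module's existing imports outside the hunk.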