Bypass authentication check for /_up (#2411)

Add config variable chttpd.require_valid_user_except_for_up defaulting
to false.

This will allow various automated health check systems to hit /_up
without having to provide a username/password pair when the
chttpd.require_valid_user config setting is true. Apparently, many
of these health check providers do not even allow supplying creds
for such a purpose...

Closes #823

Co-authored-by: Joan Touzet <wohali@users.noreply.github.com>

2 files changed, 6 insertions, 0 deletions

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 669977ee0..5fc8e0761 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -118,6 +118,7 @@ backlog = 512
 socket_options = [{sndbuf, 262144}, {nodelay, true}]
 server_options = [{recbuf, undefined}]
 require_valid_user = false
+; require_valid_user_except_for_up = false
 ; List of headers that will be kept when the header Prefer: return=minimal is included in a request.
 ; If Server header is left out, Mochiweb will add its own one in.
 prefer_minimal = Cache-Control, Content-Length, Content-Range, Content-Type, ETag, Server, Transfer-Encoding, Vary
diff --git a/src/couch/src/couch_httpd_auth.erl b/src/couch/src/couch_httpd_auth.erl
index b5195349b..515ce6132 100644
--- a/src/couch/src/couch_httpd_auth.erl
+++ b/src/couch/src/couch_httpd_auth.erl
@@ -88,6 +88,11 @@ basic_name_pw(Req) ->
 default_authentication_handler(Req) ->
     default_authentication_handler(Req, couch_auth_cache).
 
+default_authentication_handler(#httpd{path_parts=[<<"_up">>]}=Req, AuthModule) ->
+    case config:get_boolean("chttpd", "require_valid_user_except_for_up", false) of
+        true -> Req#httpd{user_ctx=?ADMIN_USER};
+        _False -> default_authentication_handler(Req, AuthModule)
+    end;
 default_authentication_handler(Req, AuthModule) ->
     case basic_name_pw(Req) of
     {User, Pass} ->