Add auth token propagation for metrics reader

plugin/metrics/prometheus/metricsstore/reader.go

@@ -35,6 +35,7 @@ import (
 	"github.com/jaegertracing/jaeger/plugin/metrics/prometheus/metricsstore/dbmodel"
 	"github.com/jaegertracing/jaeger/proto-gen/api_v2/metrics"
 	"github.com/jaegertracing/jaeger/storage/metricsstore"
+	"github.com/jaegertracing/jaeger/storage/spanstore"
 )
 
 const (
@@ -253,13 +254,30 @@ func getHTTPRoundTripper(c *config.Configuration, logger *zap.Logger) (rt http.R
 
 	// KeepAlive and TLSHandshake timeouts are kept to existing Prometheus client's
 	// DefaultRoundTripper to simplify user configuration and may be made configurable when required.
-	return &http.Transport{
+	httpTransport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
 			Timeout:   c.ConnectTimeout,
 			KeepAlive: 30 * time.Second,
 		}).DialContext,
 		TLSHandshakeTimeout: 10 * time.Second,
 		TLSClientConfig:     ctlsConfig,
+	}
+	return &tokenAuthTransport{
+		wrapped: httpTransport,
 	}, nil
 }
+
+// tokenAuthTransport wraps an instance of http.Transport for the purpose of
+// propagating an Authorization token from inbound to outbound HTTP requests.
+type tokenAuthTransport struct {
+	wrapped *http.Transport
+}
+
+// RoundTrip implements the http.RoundTripper interface, injecting the outbound
+// Authorization header with the token provided in the inbound request.
+func (tr *tokenAuthTransport) RoundTrip(r *http.Request) (*http.Response, error) {
+	headerToken, _ := spanstore.GetBearerToken(r.Context())
+	r.Header.Set("Authorization", "Bearer "+headerToken)
+	return tr.wrapped.RoundTrip(r)
+}

plugin/metrics/prometheus/metricsstore/reader_test.go

@@ -35,6 +35,7 @@ import (
 	"github.com/jaegertracing/jaeger/pkg/prometheus/config"
 	"github.com/jaegertracing/jaeger/proto-gen/api_v2/metrics"
 	"github.com/jaegertracing/jaeger/storage/metricsstore"
+	"github.com/jaegertracing/jaeger/storage/spanstore"
 )
 
 type (
@@ -331,12 +332,33 @@ func TestGetRoundTripper(t *testing.T) {
 				},
 			}, logger)
 			require.NoError(t, err)
-			assert.IsType(t, &http.Transport{}, rt)
+			assert.IsType(t, &tokenAuthTransport{}, rt)
 			if tc.tlsEnabled {
-				assert.NotNil(t, rt.(*http.Transport).TLSClientConfig)
+				assert.NotNil(t, rt.(*tokenAuthTransport).wrapped.TLSClientConfig)
 			} else {
-				assert.Nil(t, rt.(*http.Transport).TLSClientConfig)
+				assert.Nil(t, rt.(*tokenAuthTransport).wrapped.TLSClientConfig)
 			}
+
+			server := httptest.NewServer(
+				http.HandlerFunc(
+					func(w http.ResponseWriter, r *http.Request) {
+						assert.Equal(t, "Bearer foo", r.Header.Get("Authorization"))
+					},
+				),
+			)
+			defer server.Close()
+
+			req, err := http.NewRequestWithContext(
+				spanstore.ContextWithBearerToken(context.Background(), "foo"),
+				http.MethodGet,
+				server.URL,
+				nil,
+			)
+			require.NoError(t, err)
+
+			resp, err := rt.RoundTrip(req)
+			require.NoError(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
 		})
 	}
 }