Auth Wrapper (#1174)

* Auth Wrapper * Tweak cmd flag * auth_excludes => auth_exclude * Make Auth.Excludes variadic * Use metadata.Get (passes through http and http2 it will go through various case formats) * fix auth wrapper auth.Auth interface initialisation Co-authored-by: Asim Aslam <asim@aslam.me>
2020-02-10 08:26:28 +00:00 · 2020-02-10 08:26:28 +00:00 · 4401c12e6c
commit 4401c12e6c
parent c706afcf04
9 changed files with 111 additions and 18 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -11,6 +11,8 @@ type Auth interface {
 	String() string
 	// Init the auth package
 	Init(opts ...Option) error
+	// Options returns the options set
+	Options() Options
 	// Generate a new auth Account
 	Generate(id string, opts ...GenerateOption) (*Account, error)
 	// Revoke an authorization Account
--- a/auth/default.go
+++ b/auth/default.go
@ -18,6 +18,11 @@ func (a *noop) Init(...Option) error {
 	return nil
 }

+// Options set in init
+func (a *noop) Options() Options {
+	return a.options
+}
+
 // Generate a new auth Account
 func (a *noop) Generate(id string, ops ...GenerateOption) (*Account, error) {
 	return nil, nil
--- a/auth/jwt/jwt.go
+++ b/auth/jwt/jwt.go
@ -33,6 +33,10 @@ func (s *svc) String() string {
 	return "jwt"
 }

+func (s *svc) Options() auth.Options {
+	return s.options
+}
+
 func (s *svc) Init(opts ...auth.Option) error {
 	for _, o := range opts {
 		o(&s.options)
--- a/auth/options.go
+++ b/auth/options.go
@ -7,10 +7,18 @@ import (
 type Options struct {
 	PublicKey  []byte
 	PrivateKey []byte
+	Excludes   []string
 }

 type Option func(o *Options)

+// Excludes endpoints from auth
+func Excludes(excludes ...string) Option {
+	return func(o *Options) {
+		o.Excludes = excludes
+	}
+}
+
 // PublicKey is the JWT public key
 func PublicKey(key string) Option {
 	return func(o *Options) {
--- a/auth/service/service.go
+++ b/auth/service/service.go
@ -37,6 +37,10 @@ func (s *svc) Init(opts ...auth.Option) error {
 	return nil
 }

+func (s *svc) Options() auth.Options {
+	return s.options
+}
+
 // Generate a new auth account
 func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, error) {
 	// construct the request
--- a/config/cmd/cmd.go
+++ b/config/cmd/cmd.go
@ -254,6 +254,11 @@ var (
 			EnvVars: []string{"MICRO_AUTH_PRIVATE_KEY"},
 			Usage:   "Private key for JWT auth (base64 encoded PEM)",
 		},
+		&cli.StringSliceFlag{
+			Name:    "auth_exclude",
+			EnvVars: []string{"MICRO_AUTH_EXCLUDE"},
+			Usage:   "Comma-separated list of endpoints excluded from authentication",
+		},
 	}

 	DefaultBrokers = map[string]func(...broker.Option) broker.Broker{
@ -319,6 +324,7 @@ func init() {

 func newCmd(opts ...Option) Cmd {
 	options := Options{
+		Auth:      &auth.DefaultAuth,
 		Broker:    &broker.DefaultBroker,
 		Client:    &client.DefaultClient,
 		Registry:  &registry.DefaultRegistry,
@ -328,7 +334,6 @@ func newCmd(opts ...Option) Cmd {
 		Runtime:   &runtime.DefaultRuntime,
 		Store:     &store.DefaultStore,
 		Tracer:    &trace.DefaultTracer,
-		Auth:      &auth.DefaultAuth,

 		Brokers:    DefaultBrokers,
 		Clients:    DefaultClients,
@ -379,6 +384,7 @@ func (c *cmd) Options() Options {

 func (c *cmd) Before(ctx *cli.Context) error {
 	// If flags are set then use them otherwise do nothing
+	var authOpts []auth.Option
 	var serverOpts []server.Option
 	var clientOpts []client.Option

@ -414,12 +420,12 @@ func (c *cmd) Before(ctx *cli.Context) error {

 	// Set the auth
 	if name := ctx.String("auth"); len(name) > 0 {
-		r, ok := c.opts.Auths[name]
+		a, ok := c.opts.Auths[name]
 		if !ok {
 			return fmt.Errorf("Unsupported auth: %s", name)
 		}

-		*c.opts.Auth = r()
+		*c.opts.Auth = a()
 	}

 	// Set the client
@ -571,24 +577,30 @@ func (c *cmd) Before(ctx *cli.Context) error {
 		serverOpts = append(serverOpts, server.RegisterInterval(val*time.Second))
 	}

-	if len(ctx.String("auth_public_key")) > 0 {
-		if err := (*c.opts.Auth).Init(auth.PublicKey(ctx.String("auth_public_key"))); err != nil {
-			log.Fatalf("Error configuring auth: %v", err)
-		}
-	}
-
-	if len(ctx.String("auth_private_key")) > 0 {
-		if err := (*c.opts.Auth).Init(auth.PrivateKey(ctx.String("auth_private_key"))); err != nil {
-			log.Fatalf("Error configuring auth: %v", err)
-		}
-	}
-
 	if len(ctx.String("runtime_source")) > 0 {
 		if err := (*c.opts.Runtime).Init(runtime.WithSource(ctx.String("runtime_source"))); err != nil {
 			log.Fatalf("Error configuring runtime: %v", err)
 		}
 	}

+	if len(ctx.String("auth_public_key")) > 0 {
+		authOpts = append(authOpts, auth.PublicKey(ctx.String("auth_public_key")))
+	}
+
+	if len(ctx.String("auth_private_key")) > 0 {
+		authOpts = append(authOpts, auth.PrivateKey(ctx.String("auth_private_key")))
+	}
+
+	if len(ctx.StringSlice("auth_exclude")) > 0 {
+		authOpts = append(authOpts, auth.Excludes(ctx.StringSlice("auth_exclude")...))
+	}
+
+	if len(authOpts) > 0 {
+		if err := (*c.opts.Auth).Init(authOpts...); err != nil {
+			log.Fatalf("Error configuring auth: %v", err)
+		}
+	}
+
 	// client opts
 	if r := ctx.Int("client_retries"); r >= 0 {
 		clientOpts = append(clientOpts, client.Retries(r))
--- a/options.go
+++ b/options.go
@ -18,6 +18,7 @@ import (

 // Options for micro service
 type Options struct {
+	Auth      auth.Auth
 	Broker    broker.Broker
 	Cmd       cmd.Cmd
 	Client    client.Client
@ -40,6 +41,7 @@ type Options struct {

 func newOptions(opts ...Option) Options {
 	opt := Options{
+		Auth:      auth.DefaultAuth,
 		Broker:    broker.DefaultBroker,
 		Cmd:       cmd.DefaultCmd,
 		Client:    client.DefaultClient,
@ -127,6 +129,7 @@ func Tracer(t trace.Tracer) Option {
 // Auth sets the auth for the service
 func Auth(a auth.Auth) Option {
 	return func(o *Options) {
+		o.Auth = a
 		o.Server.Init(server.Auth(a))
 	}
 }
--- a/service.go
+++ b/service.go
@ -8,6 +8,7 @@ import (
 	"sync"
 	"syscall"

+	"github.com/micro/go-micro/v2/auth"
 	"github.com/micro/go-micro/v2/client"
 	"github.com/micro/go-micro/v2/config/cmd"
 	"github.com/micro/go-micro/v2/debug/profile"
@ -29,11 +30,15 @@ type service struct {
 }

 func newService(opts ...Option) Service {
+	service := new(service)
 	options := newOptions(opts...)

 	// service name
 	serviceName := options.Server.Options().Name

+	// TODO: better accessors
+	authFn := func() auth.Auth { return service.opts.Auth }
+
 	// wrap client to inject From-Service header on any calls
 	options.Client = wrapper.FromService(serviceName, options.Client)
 	options.Client = wrapper.TraceCall(serviceName, trace.DefaultTracer, options.Client)
@ -42,11 +47,13 @@ func newService(opts ...Option) Service {
 	options.Server.Init(
 		server.WrapHandler(wrapper.HandlerStats(stats.DefaultStats)),
 		server.WrapHandler(wrapper.TraceHandler(trace.DefaultTracer)),
+		server.WrapHandler(wrapper.AuthHandler(authFn)),
 	)

-	return &service{
-		opts: options,
-	}
+	// set opts
+	service.opts = options
+
+	return service
 }

 func (s *service) Name() string {
@ -88,6 +95,7 @@ func (s *service) Init(opts ...Option) {

 		// Initialise the command flags, overriding new service
 		if err := s.opts.Cmd.Init(
+			cmd.Auth(&s.opts.Auth),
 			cmd.Broker(&s.opts.Broker),
 			cmd.Registry(&s.opts.Registry),
 			cmd.Transport(&s.opts.Transport),
--- a/util/wrapper/wrapper.go
+++ b/util/wrapper/wrapper.go
@ -4,9 +4,11 @@ import (
 	"context"
 	"strings"

+	"github.com/micro/go-micro/v2/auth"
 	"github.com/micro/go-micro/v2/client"
 	"github.com/micro/go-micro/v2/debug/stats"
 	"github.com/micro/go-micro/v2/debug/trace"
+	"github.com/micro/go-micro/v2/errors"
 	"github.com/micro/go-micro/v2/metadata"
 	"github.com/micro/go-micro/v2/server"
 )
@ -25,6 +27,7 @@ type traceWrapper struct {

 var (
 	HeaderPrefix = "Micro-"
+	BearerSchema = "Bearer "
 )

 func (c *clientWrapper) setHeaders(ctx context.Context) context.Context {
@ -132,3 +135,47 @@ func TraceHandler(t trace.Tracer) server.HandlerWrapper {
 		}
 	}
 }
+
+// AuthHandler wraps a server handler to perform auth
+func AuthHandler(fn func() auth.Auth) server.HandlerWrapper {
+	return func(h server.HandlerFunc) server.HandlerFunc {
+		return func(ctx context.Context, req server.Request, rsp interface{}) error {
+			// get the auth.Auth interface
+			a := fn()
+
+			// Extract endpoint and remove service name prefix
+			// (e.g. Platform.ListServices => ListServices)
+			var endpoint string
+			if ec := strings.Split(req.Endpoint(), "."); len(ec) == 2 {
+				endpoint = ec[1]
+			}
+
+			// Check for endpoints excluded from auth. If the endpoint
+			// matches, execute the handler and return
+			for _, e := range a.Options().Excludes {
+				if e == endpoint {
+					return h(ctx, req, rsp)
+				}
+			}
+
+			// Extract the token if present. Note: if noop is being used
+			// then the token can be blank without erroring
+			var token string
+			if header, ok := metadata.Get(ctx, "Authorization"); ok {
+				// Ensure the correct scheme is being used
+				if !strings.HasPrefix(header, BearerSchema) {
+					return errors.Unauthorized("go.micro.auth", "invalid authorization header. expected Bearer schema")
+				}
+
+				token = header[len(BearerSchema):]
+			}
+
+			// Validate the token
+			if _, err := a.Validate(token); err != nil {
+				return err
+			}
+
+			return h(ctx, req, rsp)
+		}
+	}
+}