Refactor auth to load token outside wrappers

This commit is contained in:
Ben Toogood 2020-05-14 11:06:22 +01:00
parent 0955671e45
commit 5764519f5b
7 changed files with 91 additions and 192 deletions

View File

@ -23,7 +23,6 @@ type svc struct {
auth pb.AuthService auth pb.AuthService
rule pb.RulesService rule pb.RulesService
jwt token.Provider jwt token.Provider
addrs []string
rules []*pb.Rule rules []*pb.Rule
sync.Mutex sync.Mutex
@ -71,7 +70,7 @@ func (s *svc) Generate(id string, opts ...auth.GenerateOption) (*auth.Account, e
Metadata: options.Metadata, Metadata: options.Metadata,
Provider: options.Provider, Provider: options.Provider,
Namespace: options.Namespace, Namespace: options.Namespace,
}, client.WithAddress(s.addrs...)) })
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -90,7 +89,7 @@ func (s *svc) Grant(role string, res *auth.Resource) error {
Name: res.Name, Name: res.Name,
Endpoint: res.Endpoint, Endpoint: res.Endpoint,
}, },
}, client.WithAddress(s.addrs...)) })
return err return err
} }
@ -105,7 +104,7 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
Name: res.Name, Name: res.Name,
Endpoint: res.Endpoint, Endpoint: res.Endpoint,
}, },
}, client.WithAddress(s.addrs...)) })
return err return err
} }
@ -175,7 +174,7 @@ func (s *svc) Inspect(token string) (*auth.Account, error) {
// the token is not a JWT or we do not have the keys to decode it, // the token is not a JWT or we do not have the keys to decode it,
// fall back to the auth service // fall back to the auth service
rsp, err := s.auth.Inspect(context.TODO(), &pb.InspectRequest{Token: token}, client.WithAddress(s.addrs...)) rsp, err := s.auth.Inspect(context.TODO(), &pb.InspectRequest{Token: token})
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -191,7 +190,7 @@ func (s *svc) Token(opts ...auth.TokenOption) (*auth.Token, error) {
Secret: options.Secret, Secret: options.Secret,
RefreshToken: options.RefreshToken, RefreshToken: options.RefreshToken,
TokenExpiry: int64(options.Expiry.Seconds()), TokenExpiry: int64(options.Expiry.Seconds()),
}, client.WithAddress(s.addrs...)) })
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -256,7 +255,7 @@ func (s *svc) listRules(filters ...string) []*pb.Rule {
// loadRules retrieves the rules from the auth service // loadRules retrieves the rules from the auth service
func (s *svc) loadRules() { func (s *svc) loadRules() {
rsp, err := s.rule.List(context.TODO(), &pb.ListRequest{}, client.WithAddress(s.addrs...)) rsp, err := s.rule.List(context.TODO(), &pb.ListRequest{})
s.Lock() s.Lock()
defer s.Unlock() defer s.Unlock()
@ -306,16 +305,10 @@ func NewAuth(opts ...auth.Option) auth.Auth {
options.Client = client.DefaultClient options.Client = client.DefaultClient
} }
addrs := options.Addrs
// if len(addrs) == 0 {
// addrs = []string{"127.0.0.1:8010"}
// }
service := &svc{ service := &svc{
auth: pb.NewAuthService("go.micro.auth", options.Client), auth: pb.NewAuthService("go.micro.auth", options.Client),
rule: pb.NewRulesService("go.micro.auth", options.Client), rule: pb.NewRulesService("go.micro.auth", options.Client),
options: options, options: options,
addrs: addrs,
} }
// load rules periodically from the auth service // load rules periodically from the auth service

View File

@ -21,6 +21,7 @@ import (
"github.com/micro/go-micro/v2/debug/trace" "github.com/micro/go-micro/v2/debug/trace"
"github.com/micro/go-micro/v2/logger" "github.com/micro/go-micro/v2/logger"
"github.com/micro/go-micro/v2/registry" "github.com/micro/go-micro/v2/registry"
registrySrv "github.com/micro/go-micro/v2/registry/service"
"github.com/micro/go-micro/v2/runtime" "github.com/micro/go-micro/v2/runtime"
"github.com/micro/go-micro/v2/server" "github.com/micro/go-micro/v2/server"
"github.com/micro/go-micro/v2/store" "github.com/micro/go-micro/v2/store"
@ -468,6 +469,22 @@ func (c *cmd) Before(ctx *cli.Context) error {
var serverOpts []server.Option var serverOpts []server.Option
var clientOpts []client.Option var clientOpts []client.Option
// Set the client. This must be first since we use the client below
if name := ctx.String("client"); len(name) > 0 {
// only change if we have the client and type differs
if cl, ok := c.opts.Clients[name]; ok && (*c.opts.Client).String() != name {
*c.opts.Client = cl()
}
}
// Set the server
if name := ctx.String("server"); len(name) > 0 {
// only change if we have the server and type differs
if s, ok := c.opts.Servers[name]; ok && (*c.opts.Server).String() != name {
*c.opts.Server = s()
}
}
// Set the store // Set the store
if name := ctx.String("store"); len(name) > 0 { if name := ctx.String("store"); len(name) > 0 {
s, ok := c.opts.Stores[name] s, ok := c.opts.Stores[name]
@ -475,7 +492,7 @@ func (c *cmd) Before(ctx *cli.Context) error {
return fmt.Errorf("Unsupported store: %s", name) return fmt.Errorf("Unsupported store: %s", name)
} }
*c.opts.Store = s() *c.opts.Store = s(store.WithClient(*c.opts.Client))
} }
// Set the runtime // Set the runtime
@ -485,7 +502,7 @@ func (c *cmd) Before(ctx *cli.Context) error {
return fmt.Errorf("Unsupported runtime: %s", name) return fmt.Errorf("Unsupported runtime: %s", name)
} }
*c.opts.Runtime = r() *c.opts.Runtime = r(runtime.WithClient(*c.opts.Client))
} }
// Set the tracer // Set the tracer
@ -504,8 +521,7 @@ func (c *cmd) Before(ctx *cli.Context) error {
if !ok { if !ok {
return fmt.Errorf("Unsupported auth: %s", name) return fmt.Errorf("Unsupported auth: %s", name)
} }
*c.opts.Auth = a(auth.WithClient(*c.opts.Client))
*c.opts.Auth = a()
serverOpts = append(serverOpts, server.Auth(*c.opts.Auth)) serverOpts = append(serverOpts, server.Auth(*c.opts.Auth))
} }
@ -519,22 +535,6 @@ func (c *cmd) Before(ctx *cli.Context) error {
*c.opts.Profile = p() *c.opts.Profile = p()
} }
// Set the client
if name := ctx.String("client"); len(name) > 0 {
// only change if we have the client and type differs
if cl, ok := c.opts.Clients[name]; ok && (*c.opts.Client).String() != name {
*c.opts.Client = cl()
}
}
// Set the server
if name := ctx.String("server"); len(name) > 0 {
// only change if we have the server and type differs
if s, ok := c.opts.Servers[name]; ok && (*c.opts.Server).String() != name {
*c.opts.Server = s()
}
}
// Set the broker // Set the broker
if name := ctx.String("broker"); len(name) > 0 && (*c.opts.Broker).String() != name { if name := ctx.String("broker"); len(name) > 0 && (*c.opts.Broker).String() != name {
b, ok := c.opts.Brokers[name] b, ok := c.opts.Brokers[name]
@ -554,7 +554,7 @@ func (c *cmd) Before(ctx *cli.Context) error {
return fmt.Errorf("Registry %s not found", name) return fmt.Errorf("Registry %s not found", name)
} }
*c.opts.Registry = r() *c.opts.Registry = r(registrySrv.WithClient(*c.opts.Client))
serverOpts = append(serverOpts, server.Registry(*c.opts.Registry)) serverOpts = append(serverOpts, server.Registry(*c.opts.Registry))
clientOpts = append(clientOpts, client.Registry(*c.opts.Registry)) clientOpts = append(clientOpts, client.Registry(*c.opts.Registry))

1
go.mod
View File

@ -47,6 +47,7 @@ require (
github.com/stretchr/testify v1.4.0 github.com/stretchr/testify v1.4.0
github.com/tmc/grpc-websocket-proxy v0.0.0-20200122045848-3419fae592fc // indirect github.com/tmc/grpc-websocket-proxy v0.0.0-20200122045848-3419fae592fc // indirect
go.etcd.io/bbolt v1.3.4 go.etcd.io/bbolt v1.3.4
go.etcd.io/etcd v3.3.20+incompatible
go.uber.org/zap v1.13.0 go.uber.org/zap v1.13.0
golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59 golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59
golang.org/x/net v0.0.0-20200301022130-244492dfa37a golang.org/x/net v0.0.0-20200301022130-244492dfa37a

2
go.sum
View File

@ -499,6 +499,8 @@ github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q
go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg= go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
go.etcd.io/etcd v3.3.20+incompatible h1:EyOVslCepyFB2JcbYXvqcYdBTh7cyBKU2NYdKfgTSC0=
go.etcd.io/etcd v3.3.20+incompatible/go.mod h1:yaeTdrJi5lOmYerz05bd8+V7KubZs8YSFZfzsF9A6aI=
go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk= go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=

View File

@ -7,6 +7,7 @@ import (
rtime "runtime" rtime "runtime"
"strings" "strings"
"sync" "sync"
"time"
"github.com/micro/go-micro/v2/auth" "github.com/micro/go-micro/v2/auth"
"github.com/micro/go-micro/v2/client" "github.com/micro/go-micro/v2/client"
@ -51,12 +52,6 @@ func newService(opts ...Option) Service {
server.WrapHandler(wrapper.AuthHandler(authFn)), server.WrapHandler(wrapper.AuthHandler(authFn)),
) )
// set the client in the service implementations
// options.Auth.Init(auth.WithClient(options.Client))
// options.Registry.Init(registrySrv.WithClient(options.Client))
// options.Runtime.Init(runtime.WithClient(options.Client))
// options.Store.Init(store.WithClient(options.Client))
// set opts // set opts
service.opts = options service.opts = options
@ -119,15 +114,6 @@ func (s *service) Init(opts ...Option) {
// Explicitly set the table name to the service name // Explicitly set the table name to the service name
name := s.opts.Cmd.App().Name name := s.opts.Cmd.App().Name
s.opts.Store.Init(store.Table(name)) s.opts.Store.Init(store.Table(name))
// Reset the clients for the micro services, this is done
// previously in newService for micro (since init is never called)
// however it needs to be done again here since for normal go-micro
// services the implementation may have changed by CLI flags.
// s.opts.Auth.Init(auth.WithClient(s.Client()))
// s.opts.Registry.Init(registrySrv.WithClient(s.Client()))
// s.opts.Runtime.Init(runtime.WithClient(s.Client()))
// s.opts.Store.Init(store.WithClient(s.Client()))
}) })
} }
@ -240,25 +226,70 @@ func (s *service) Run() error {
} }
func (s *service) generateAccount() error { func (s *service) generateAccount() error {
// generate a new auth account for the service // extract the account creds from options, these can be set by flags
name := fmt.Sprintf("%v-%v", s.Name(), s.Server().Options().Id) accID := s.Options().Auth.Options().ID
opts := []auth.GenerateOption{ accSecret := s.Options().Auth.Options().Secret
auth.WithType("service"),
auth.WithRoles("service"), // if no credentials were provided, generate an account
auth.WithNamespace(s.Options().Auth.Options().Namespace), if len(accID) == 0 || len(accSecret) == 0 {
name := fmt.Sprintf("%v-%v", s.Name(), s.Server().Options().Id)
opts := []auth.GenerateOption{
auth.WithType("service"),
auth.WithRoles("service"),
auth.WithNamespace(s.Options().Auth.Options().Namespace),
}
acc, err := s.Options().Auth.Generate(name, opts...)
if err != nil {
return err
}
logger.Infof("Auth [%v] Authenticated as %v", s.Options().Auth, name)
accID = acc.ID
accSecret = acc.Secret
} }
acc, err := s.Options().Auth.Generate(name, opts...)
// generate the first token
token, err := s.Options().Auth.Token(
auth.WithCredentials(accID, accSecret),
auth.WithExpiry(time.Minute*15),
)
if err != nil { if err != nil {
return err return err
} }
// generate a token // set the credentials and token in auth options
token, err := s.Options().Auth.Token(auth.WithCredentials(acc.ID, acc.Secret)) s.Options().Auth.Init(
if err != nil { auth.ClientToken(token),
return err auth.Credentials(accID, accSecret),
} )
// periodically check to see if the token needs refreshing
go func() {
timer := time.NewTicker(time.Second * 15)
for {
<-timer.C
// don't refresh the token if it's not close to expiring
if token.Expiry.Unix() > time.Now().Add(time.Minute).Unix() {
continue
}
// generate the first token
token, err := s.Options().Auth.Token(
auth.WithCredentials(accID, accSecret),
auth.WithExpiry(time.Minute*15),
)
if err != nil {
logger.Warnf("[Auth] Error refreshing token: %v", err)
continue
}
// set the token
s.Options().Auth.Init(auth.ClientToken(token))
}
}()
s.Options().Auth.Init(auth.ClientToken(token), auth.Credentials(acc.ID, acc.Secret))
logger.Infof("Auth [%v] Authenticated as %v", s.Options().Auth, name)
return nil return nil
} }

View File

@ -1,90 +0,0 @@
package config
import (
"io/ioutil"
"os"
"os/user"
"path/filepath"
"strings"
conf "github.com/micro/go-micro/v2/config"
"github.com/micro/go-micro/v2/config/source/file"
"github.com/micro/go-micro/v2/util/log"
)
// FileName for global micro config
const FileName = ".micro"
// config is a singleton which is required to ensure
// each function call doesn't load the .micro file
// from disk
var config = newConfig()
// Get a value from the .micro file
func Get(path ...string) (string, error) {
tk := config.Get(path...).String("")
return strings.TrimSpace(tk), nil
}
// Set a value in the .micro file
func Set(value string, path ...string) error {
// get the filepath
fp, err := filePath()
if err != nil {
return err
}
// set the value
config.Set(value, path...)
// write to the file
return ioutil.WriteFile(fp, config.Bytes(), 0644)
}
func filePath() (string, error) {
usr, err := user.Current()
if err != nil {
return "", err
}
return filepath.Join(usr.HomeDir, FileName), nil
}
// newConfig returns a loaded config
func newConfig() conf.Config {
// get the filepath
fp, err := filePath()
if err != nil {
log.Error(err)
return conf.DefaultConfig
}
// write the file if it does not exist
if _, err := os.Stat(fp); os.IsNotExist(err) {
ioutil.WriteFile(fp, []byte{}, 0644)
} else if err != nil {
log.Error(err)
return conf.DefaultConfig
}
// create a new config
c, err := conf.NewConfig(
conf.WithSource(
file.NewSource(
file.WithPath(fp),
),
),
)
if err != nil {
log.Error(err)
return conf.DefaultConfig
}
// load the config
if err := c.Load(); err != nil {
log.Error(err)
return conf.DefaultConfig
}
// return the conf
return c
}

View File

@ -12,7 +12,6 @@ import (
"github.com/micro/go-micro/v2/errors" "github.com/micro/go-micro/v2/errors"
"github.com/micro/go-micro/v2/metadata" "github.com/micro/go-micro/v2/metadata"
"github.com/micro/go-micro/v2/server" "github.com/micro/go-micro/v2/server"
"github.com/micro/go-micro/v2/util/config"
) )
type fromServiceWrapper struct { type fromServiceWrapper struct {
@ -159,50 +158,13 @@ func (a *authWrapper) Call(ctx context.Context, req client.Request, rsp interfac
return a.Client.Call(ctx, req, rsp, opts...) return a.Client.Call(ctx, req, rsp, opts...)
} }
// performs the call with the authorization token provided
callWithToken := func(token string) error {
ctx := metadata.Set(ctx, "Authorization", auth.BearerScheme+token)
return a.Client.Call(ctx, req, rsp, opts...)
}
// check to see if we have a valid access token // check to see if we have a valid access token
aaOpts := aa.Options() aaOpts := aa.Options()
if aaOpts.Token != nil && aaOpts.Token.Expiry.Unix() > time.Now().Unix() { if aaOpts.Token != nil && aaOpts.Token.Expiry.Unix() > time.Now().Unix() {
return callWithToken(aaOpts.Token.AccessToken) ctx = metadata.Set(ctx, "Authorization", auth.BearerScheme+aaOpts.Token.AccessToken)
}
// check to ensure we're not calling auth, since this will result in
// an endless loop
if req.Service() == "go.micro.auth" {
return a.Client.Call(ctx, req, rsp, opts...) return a.Client.Call(ctx, req, rsp, opts...)
} }
// if we have a refresh token we can use this to generate another access token
if aaOpts.Token != nil {
tok, err := aa.Token(auth.WithToken(aaOpts.Token.RefreshToken))
if err != nil {
return err
}
aa.Init(auth.ClientToken(tok))
return callWithToken(tok.AccessToken)
}
// generate a new token if we have credentials
if len(aaOpts.ID) > 0 && len(aaOpts.Secret) > 0 {
tok, err := aa.Token(auth.WithCredentials(aaOpts.ID, aaOpts.Secret))
if err != nil {
return err
}
aa.Init(auth.ClientToken(tok))
return callWithToken(tok.AccessToken)
}
// check to see if a token was provided in config, this is normally used for
// setting the token when calling via the cli
if token, err := config.Get("micro", "auth", "token"); err == nil && len(token) > 0 {
return callWithToken(token)
}
// call without an auth token // call without an auth token
return a.Client.Call(ctx, req, rsp, opts...) return a.Client.Call(ctx, req, rsp, opts...)
} }