feat(auth): ability to skip authentication for top-level api prefixes (…

…#1854) * feat(auth): ability to skip authentication for top-level api prefixes * fix(config): add mapstructure tags * fix(cmd/grpc): thread authentication options
flipt-io · Jul 11, 2023 · b17f109 · b17f109
1 parent 8098c1c
commit b17f109
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 9 deletions.
diff --git a/config/flipt.schema.cue b/config/flipt.schema.cue
@@ -26,6 +26,11 @@ import "strings"
 
 	#authentication: {
 		required?: bool | *false
+		exclude?: {
+			management: bool | *false
+			metadata:   bool | *false
+			evaluation: bool | *false
+		}
 		session?: {
 			domain?:        string
 			secure?:        bool

diff --git a/config/flipt.schema.json b/config/flipt.schema.json
@@ -52,6 +52,15 @@
           "type": "boolean",
           "default": false
         },
+        "exclude": {
+          "type": "object",
+          "properties": {
+            "management": { "type": "boolean", "default": false },
+            "metadata": { "type": "boolean", "default": false },
+            "evaluation": { "type": "boolean", "default": false }
+          },
+          "additionalProperties": false
+        },
         "session": {
           "type": "object",
           "properties": {

diff --git a/internal/cmd/auth.go b/internal/cmd/auth.go
@@ -30,6 +30,7 @@ func authenticationGRPC(
 	logger *zap.Logger,
 	cfg *config.Config,
 	forceMigrate bool,
+	authOpts ...containers.Option[auth.InterceptorOptions],
 ) (grpcRegisterers, []grpc.UnaryServerInterceptor, func(context.Context) error, error) {
 	// NOTE: we skip attempting to connect to any database in the situation that either the git or local
 	// FS backends are configured.
@@ -56,12 +57,11 @@ func authenticationGRPC(
 			public,
 			auth.NewServer(logger, store, auth.WithAuditLoggingEnabled(cfg.Audit.Enabled())),
 		}
-		authOpts = []containers.Option[auth.InterceptorOptions]{
-			auth.WithServerSkipsAuthentication(public),
-		}
 		interceptors []grpc.UnaryServerInterceptor
 	)
 
+	authOpts = append(authOpts, auth.WithServerSkipsAuthentication(public))
+
 	// register auth method token service
 	if authCfg.Methods.Token.Enabled {
 		opts := []storageauth.BootstrapOption{}

diff --git a/internal/cmd/grpc.go b/internal/cmd/grpc.go
@@ -17,6 +17,7 @@ import (
 	fliptserver "go.flipt.io/flipt/internal/server"
 	"go.flipt.io/flipt/internal/server/audit"
 	"go.flipt.io/flipt/internal/server/audit/logfile"
+	"go.flipt.io/flipt/internal/server/auth"
 	"go.flipt.io/flipt/internal/server/cache"
 	"go.flipt.io/flipt/internal/server/cache/memory"
 	"go.flipt.io/flipt/internal/server/cache/redis"
@@ -220,18 +221,40 @@ func NewGRPCServer(
 		logger.Debug("otel tracing enabled", zap.String("exporter", cfg.Tracing.Exporter.String()))
 	}
 
+	var (
+		fliptsrv           = fliptserver.New(logger, store)
+		metasrv            = metadata.NewServer(cfg, info)
+		evalsrv            = evaluation.New(logger, store)
+		authOpts           = []containers.Option[auth.InterceptorOptions]{}
+		skipAuthIfExcluded = func(server any, excluded bool) {
+			if excluded {
+				authOpts = append(authOpts, auth.WithServerSkipsAuthentication(server))
+			}
+		}
+	)
+
+	skipAuthIfExcluded(fliptsrv, cfg.Authentication.Exclude.Management)
+	skipAuthIfExcluded(metasrv, cfg.Authentication.Exclude.Metadata)
+	skipAuthIfExcluded(evalsrv, cfg.Authentication.Exclude.Evaluation)
+
 	register, authInterceptors, authShutdown, err := authenticationGRPC(
 		ctx,
 		logger,
 		cfg,
 		forceMigrate,
+		authOpts...,
 	)
 	if err != nil {
 		return nil, err
 	}
 
 	server.onShutdown(authShutdown)
 
+	// initialize server
+	register.Add(fliptsrv)
+	register.Add(metasrv)
+	register.Add(evalsrv)
+
 	// forward internal gRPC logging to zap
 	grpcLogLevel, err := zapcore.ParseLevel(cfg.Log.GRPCLevel)
 	if err != nil {
@@ -339,12 +362,6 @@ func NewGRPCServer(
 		grpcOpts = append(grpcOpts, grpc.Creds(creds))
 	}
 
-	// initialize server
-	register.Add(fliptserver.New(logger, store))
-	register.Add(metadata.NewServer(cfg, info))
-
-	register.Add(evaluation.New(logger, store))
-
 	// initialize grpc server
 	server.Server = grpc.NewServer(grpcOpts...)
 

diff --git a/internal/config/authentication.go b/internal/config/authentication.go
@@ -39,6 +39,18 @@ type AuthenticationConfig struct {
 	// Else, authentication is not required and Flipt's APIs are not secured.
 	Required bool `json:"required,omitempty" mapstructure:"required"`
 
+	// Exclude allows you to skip enforcing authentication on the different
+	// top-level sections of the API.
+	// By default, given required == true, the API is fully protected.
+	Exclude struct {
+		// Management refers to the section of the API with the prefix /api/v1
+		Management bool `json:"management,omitempty" mapstructure:"management"`
+		// Metadata refers to the section of the API with the prefix /meta
+		Metadata bool `json:"metadata,omitempty" mapstructure:"metadata"`
+		// Evaluation refers to the section of the API with the prefix /evaluation/v1
+		Evaluation bool `json:"evaluation,omitempty" mapstructure:"evaluation"`
+	} `json:"exclude,omitempty" mapstructure:"exclude"`
+
 	Session AuthenticationSession `json:"session,omitempty" mapstructure:"session"`
 	Methods AuthenticationMethods `json:"methods,omitempty" mapstructure:"methods"`
 }