feat: token-based authentication #1097

Merged
merged 9 commits into from
Nov 9, 2022

GeorgeMac
Contributor

@GeorgeMac GeorgeMac commented Oct 26, 2022

Supports #779

This is a (relatively) long-standing branch and PR. It is now ready for final review.
Each of the constituent PRs was reviewed into this branch, though.

Here is the overview:

  1. The ability to enable authentication requirement for API routes via configuration.

         authentication:
           required: true
           methods:
             token:
               enabled: true

  2. Initial support for static API tokens via Authentication: Bearer ... header.
  3. When no token has been created, an initial token is created and emitted to logs (bootstrapping).

PRs

@codecov-commenter

codecov-commenter commented Oct 26, 2022

Codecov Report

Merging #1097 (7b972f2) into main (cca7c47) will decrease coverage by 1.37%.
The diff coverage is 74.34%.

@@            Coverage Diff             @@
##             main    #1097      +/-   ##
==========================================
- Coverage   81.00%   79.62%   -1.38%     
==========================================
  Files          26       35       +9     
  Lines        1927     2425     +498     
==========================================
+ Hits         1561     1931     +370     
- Misses        287      400     +113     
- Partials       79       94      +15     
Impacted Files Coverage Δ
internal/config/config.go 80.00% <ø> (ø)
internal/storage/auth/bootstrap.go 0.00% <0.00%> (ø)
internal/storage/sql/migrator.go 23.45% <10.00%> (-2.94%) ⬇️
internal/storage/sql/fields.go 18.42% <18.42%> (ø)
internal/storage/auth/auth.go 35.71% <35.71%> (ø)
internal/storage/auth/memory/store.go 71.87% <71.87%> (ø)
internal/storage/auth/sql/store.go 88.20% <88.20%> (ø)
internal/storage/sql/errors.go 98.24% <98.24%> (ø)
internal/config/authentication.go 100.00% <100.00%> (ø)
internal/server/auth/method/token/server.go 100.00% <100.00%> (ø)
... and 1 more


chore(rpc): remove unused empty proto import

feat(rpc/flipt/auth): add METHOD_NONE to Method enum

feat(rpc/flipt/auth): drop METHOD_ prefix from enum names
fix(sql/auth): use crypto/rand.Reader in place of math/rand.New

fix(sql/auth): capture test parameters in loop-body variables

chore(migrations): drop index before dropping authentications table

fix(import): run down migrations on --drop

fix(migrations/sqlite3): syntax error in uniqueness constraint on temp table in down

test(sql/auth): fuzz hashClientToken

chore(sql/auth): more fuzzing seeds

fix(sql/auth): map driver constraint errors to internal error representation

chore(sql/auth): remove underscore from Fuzz test name

chore(storage/sql): remove dead code

refactor(migrations): change authentications method from string to integer

refactor(storage/sql): move common field utilities into sql package

chore(storage/sql): use keyed field in struct literals
…dTokenService (#1102)

feat(auth/method/token): initial gRPC server implementation

test(server/auth/method/token): assert token creation via API

chore(server/auth): synchronize server stop and fatal on error

fix(storage): use flipt/errors package

chore(server/auth): validate invalid error adapts appropriately

feat(authentication): wire up grpc service and gateway

feat(server/auth): define unary server interceptor

feat(storage/auth): implement list authentications

feat(storage/auth): list with method predicate

feat(auth): configure initial token bootstrap process

chore(auth): correct documentation typos

fix(proto): change create token http method PUT to POST
chore: empty commit to kick ci

fix(auth/sql): add auth package qualifier when calling ListWithMethod

chore(auth/sql): remove duplicate imports

chore(auth/sql): adjust import naming to be consistent

fix(sq/auth): ensure order defaults to ascending

fix(sql): truncate timestamps to microseconds when inserting into database

fix(sql): use precision 6 for mysql timestamp columns
fix: ensure authentication store is always instantiated

refactor(storage): rename query params Validate or Normalize

chore(rpc/auth): prefix method enum values with METHOD_

chore(sql/testing): use wait.ForSQL during mysql testcontainer boot

chore(storage): increase list limit from 10 to 25

feat(openapi): add Authorization header security requirements

feat(openapi): add security requirements
@GeorgeMac GeorgeMac changed the title WIP: token based authentication feat: token-based authentication Nov 8, 2022
@GeorgeMac GeorgeMac marked this pull request as ready for review November 8, 2022 18:11
Collaborator

@markphelps markphelps left a comment

mostly minor nitpicks, one comment around checking expiry

internal/server/auth/middleware.go (resolved)
internal/storage/auth/bootstrap.go (outdated, resolved)
internal/storage/auth/sql/store.go (outdated, resolved)
Collaborator

@markphelps markphelps left a comment

we have lift off 🚀

@GeorgeMac GeorgeMac merged commit 9011ac9 into main Nov 9, 2022
@GeorgeMac GeorgeMac deleted the authentication branch November 9, 2022 17:01
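
A sketch of the static-token flow this PR's overview and commits describe (random token from crypto/rand, hashed at rest, Bearer header check, expiry check), added here as an illustration and not taken from the PR or the project's code. `Store`, `CreateToken`, `Authenticate`, `hashToken` and the choice of SHA-256 are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

var ErrUnauthenticated = errors.New("unauthenticated") // one error for every failure

// Store is a hypothetical in-memory stand-in: token hash -> expiry (zero time = no expiry).
type Store map[string]time.Time

// hashToken derives the stored form, so a leaked store does not reveal usable tokens.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return base64.URLEncoding.EncodeToString(sum[:])
}

// CreateToken draws 32 bytes from crypto/rand, stores only the hash and returns the token once.
func (s Store) CreateToken(expiresAt time.Time) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := base64.URLEncoding.EncodeToString(buf)
	s[hashToken(token)] = expiresAt
	return token, nil
}

// Authenticate checks a header value of the form "Bearer <token>" against the store at time now.
func (s Store) Authenticate(header string, now time.Time) error {
	token := strings.TrimPrefix(header, "Bearer ") // unchanged if the prefix is absent
	exp, found := s[hashToken(token)]
	if token == header || !found || (!exp.IsZero() && !now.Before(exp)) {
		return ErrUnauthenticated
	}
	return nil
}

func main() {
	s := Store{}
	tok, _ := s.CreateToken(time.Now().Add(time.Hour)) // constructed sample token
	fmt.Println(s.Authenticate("Bearer "+tok, time.Now()), s.Authenticate("Bearer guess", time.Now()))
}
```
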