feat(auth): ability to skip authentication for top-level api prefixes #1854

Merged
merged 5 commits into from
Jul 11, 2023
5 changes: 5 additions & 0 deletions config/flipt.schema.cue
Expand Up @@ -26,6 +26,11 @@ import "strings"

#authentication: {
required?: bool | *false
exclude?: {
management: bool | *false
metadata: bool | *false
evaluation: bool | *false
}
session?: {
domain?: string
secure?: bool
9 changes: 9 additions & 0 deletions config/flipt.schema.json
Expand Up @@ -52,6 +52,15 @@
"type": "boolean",
"default": false
},
"exclude": {
"type": "object",
"properties": {
"management": { "type": "boolean", "default": false },
"metadata": { "type": "boolean", "default": false },
"evaluation": { "type": "boolean", "default": false }
},
"additionalProperties": false
},
"session": {
"type": "object",
"properties": {
6 changes: 3 additions & 3 deletions internal/cmd/auth.go
Expand Up @@ -30,6 +30,7 @@
logger *zap.Logger,
cfg *config.Config,
forceMigrate bool,
authOpts ...containers.Option[auth.InterceptorOptions],
) (grpcRegisterers, []grpc.UnaryServerInterceptor, func(context.Context) error, error) {
// NOTE: we skip attempting to connect to any database in the situation that either the git or local
// FS backends are configured.
Expand All @@ -56,12 +57,11 @@
public,
auth.NewServer(logger, store, auth.WithAuditLoggingEnabled(cfg.Audit.Enabled())),
}
authOpts = []containers.Option[auth.InterceptorOptions]{
auth.WithServerSkipsAuthentication(public),
}
interceptors []grpc.UnaryServerInterceptor
)

authOpts = append(authOpts, auth.WithServerSkipsAuthentication(public))

// register auth method token service
if authCfg.Methods.Token.Enabled {
opts := []storageauth.BootstrapOption{}
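Review bot: `authOpts = append(authOpts, auth.WithServerSkipsAuthentication(public))` appends to the variadic parameter, and a variadic slice shares its backing array with the caller's slice whenever that slice has spare capacity; grpc.go passes `authOpts...` and does not reuse the slice afterwards, so this is benign today, but a future caller that keeps its slice around could find the public-server skip option written into it. Detaching first, `authOpts = append(authOpts[:len(authOpts):len(authOpts)], auth.WithServerSkipsAuthentication(public))`, removes the aliasing at no cost. The new `authOpts` parameter is also undocumented on a function whose signature starts before the hunk; a doc line such as `// authOpts are passed through to the auth interceptor; the auth public service is always added as skipping authentication.` would make the contract visible to callers.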
29 changes: 23 additions & 6 deletions internal/cmd/grpc.go
Expand Up @@ -17,6 +17,7 @@
fliptserver "go.flipt.io/flipt/internal/server"
"go.flipt.io/flipt/internal/server/audit"
"go.flipt.io/flipt/internal/server/audit/logfile"
"go.flipt.io/flipt/internal/server/auth"
"go.flipt.io/flipt/internal/server/cache"
"go.flipt.io/flipt/internal/server/cache/memory"
"go.flipt.io/flipt/internal/server/cache/redis"
Expand Down Expand Up @@ -220,18 +221,40 @@
logger.Debug("otel tracing enabled", zap.String("exporter", cfg.Tracing.Exporter.String()))
}

var (
fliptsrv = fliptserver.New(logger, store)
metasrv = metadata.NewServer(cfg, info)
evalsrv = evaluation.New(logger, store)
authOpts = []containers.Option[auth.InterceptorOptions]{}
skipAuthIfExcluded = func(server any, excluded bool) {
if excluded {
authOpts = append(authOpts, auth.WithServerSkipsAuthentication(server))
}

}
)

skipAuthIfExcluded(fliptsrv, cfg.Authentication.Exclude.Management)
skipAuthIfExcluded(metasrv, cfg.Authentication.Exclude.Metadata)
skipAuthIfExcluded(evalsrv, cfg.Authentication.Exclude.Evaluation)

register, authInterceptors, authShutdown, err := authenticationGRPC(
ctx,
logger,
cfg,
forceMigrate,
authOpts...,

)
if err != nil {
return nil, err
}

server.onShutdown(authShutdown)

// initialize server
register.Add(fliptsrv)
register.Add(metasrv)
register.Add(evalsrv)

// forward internal gRPC logging to zap
grpcLogLevel, err := zapcore.ParseLevel(cfg.Log.GRPCLevel)
if err != nil {
Expand Down Expand Up @@ -339,12 +362,6 @@
grpcOpts = append(grpcOpts, grpc.Creds(creds))
}

// initialize server
register.Add(fliptserver.New(logger, store))
register.Add(metadata.NewServer(cfg, info))

register.Add(evaluation.New(logger, store))

// initialize grpc server
server.Server = grpc.NewServer(grpcOpts...)

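Review bot: The exclusion wiring in the `var` block — `skipAuthIfExcluded` closing over `authOpts` and appending to it, followed by the three calls — is a side-effecting closure declared among plain value initialisers, and the Codecov annotations on this page report that the new lines 224-239 and 245 of the file are not covered by tests. A table-driven loop reads as data, lets `authOpts` start as a nil slice, and gives a natural place to emit a startup log line naming each API section served without authentication, which is the signal an operator auditing a deployment will look for; a sketch follows. A test that sets `Authentication.Required = true` with exactly one `Exclude` flag on and asserts that only the matching server is handed to `auth.WithServerSkipsAuthentication` would cover the new lines. The enclosing function starts and ends outside the hunk.
```go
var (
	fliptsrv = fliptserver.New(logger, store)
	metasrv  = metadata.NewServer(cfg, info)
	evalsrv  = evaluation.New(logger, store)
	authOpts []containers.Option[auth.InterceptorOptions]
)

for _, section := range []struct {
	name     string
	srv      any
	excluded bool
}{
	{"management", fliptsrv, cfg.Authentication.Exclude.Management},
	{"metadata", metasrv, cfg.Authentication.Exclude.Metadata},
	{"evaluation", evalsrv, cfg.Authentication.Exclude.Evaluation},
} {
	if !section.excluded {
		continue
	}
	logger.Warn("authentication not enforced for API section", zap.String("section", section.name))
	authOpts = append(authOpts, auth.WithServerSkipsAuthentication(section.srv))
}

// … unchanged: authenticationGRPC call, shutdown hook and register.Add calls …
```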
12 changes: 12 additions & 0 deletions internal/config/authentication.go
Expand Up @@ -39,6 +39,18 @@ type AuthenticationConfig struct {
// Else, authentication is not required and Flipt's APIs are not secured.
Required bool `json:"required,omitempty" mapstructure:"required"`

// Exclude allows you to skip enforcing authentication on the different
// top-level sections of the API.
// By default, given required == true, the API is fully protected.
Exclude struct {
// Management refers to the section of the API with the prefix /api/v1
Management bool `json:"management,omitempty" mapstructure:"management"`
// Metadata refers to the section of the API with the prefix /meta
Metadata bool `json:"metadata,omitempty" mapstructure:"metadata"`
// Evaluation refers to the section of the API with the prefix /evaluation/v1
Evaluation bool `json:"evaluation,omitempty" mapstructure:"evaluation"`
} `json:"exclude,omitempty" mapstructure:"exclude"`

Session AuthenticationSession `json:"session,omitempty" mapstructure:"session"`
Methods AuthenticationMethods `json:"methods,omitempty" mapstructure:"methods"`
}
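Review bot: The `Exclude` field comments name the URL prefixes but not the consequence of setting a flag, and for `Management` that consequence is the largest: as far as I know from the rest of Flipt, `/api/v1` is where the create, update and delete operations live, so excluding it serves the mutating endpoints without credentials. Suggest extending the struct comment with `// Setting a section to true serves every RPC registered under it without credentials; Management covers the mutating flag, segment and rule endpoints.` so the generated config docs carry that caveat. The comment also only describes the `required == true` case; it should state whether these flags have any effect when `Required` is false (presumably none, since nothing is enforced then — worth confirming against the interceptor). The `json`/`mapstructure` tags use `omitempty`, so a false value round-trips as absent, which matches the schema defaults in this PR.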