Authenticator improvements (#32)

RSA and EC support added.
Clock skew tolerance support added.

Author: kaancfidan

main.go

@@ -9,21 +9,24 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"os"
+	"strconv"
 
 	"github.com/kaancfidan/bouncer/services"
 )
 
 const version = "0.0.0-VERSION" // to be replaced in CI
 
 type flags struct {
-	hmacKey       string
+	signingKey    string
+	signingMethod string
 	configPath    string
 	upstreamURL   string
 	listenAddress string
 	validIssuer   string
 	validAudience string
 	expRequired   string
 	nbfRequired   string
+	clockSkew     string
 }
 
 func main() {
@@ -37,7 +40,7 @@ func main() {
 
 	server, err := newServer(f, configReader)
 	if err != nil {
-		log.Fatalf("server could not be created: %v", err)
+		log.Fatalf("could not create server: %v", err)
 	}
 
 	http.HandleFunc("/", server.Handle)
@@ -77,16 +80,34 @@ func newServer(f *flags, configReader io.Reader) (*services.Server, error) {
 		return nil, fmt.Errorf("invalid config: %w", err)
 	}
 
+	var clockSkew int
+	if f.clockSkew != "" {
+		clockSkew, err = strconv.Atoi(f.clockSkew)
+		if err != nil {
+			return nil, fmt.Errorf("clock skew flag %s cannot be converted to integer", f.clockSkew)
+		}
+	} else {
+		clockSkew = 0
+	}
+
+	authenticator, err := services.NewAuthenticator(
+		[]byte(f.signingKey),
+		f.signingMethod,
+		f.validIssuer,
+		f.validAudience,
+		f.expRequired != "false",
+		f.nbfRequired != "false",
+		clockSkew)
+
+	if err != nil {
+		return nil, fmt.Errorf("could not create authenticator: %w", err)
+	}
+
 	s := services.NewServer(
 		upstream,
 		services.NewRouteMatcher(cfg.RoutePolicies),
 		services.NewAuthorizer(cfg.ClaimPolicies),
-		services.NewAuthenticator(
-			[]byte(f.hmacKey),
-			f.validIssuer,
-			f.validAudience,
-			f.expRequired != "false",
-			f.nbfRequired != "false"))
+		authenticator)
 
 	return s, nil
 }
@@ -99,9 +120,13 @@ func parseFlags() *flags {
 		nbfRequired:   "true",
 	}
 
-	flag.StringVar(&f.hmacKey, "k",
+	flag.StringVar(&f.signingKey, "k",
 		lookupEnv("BOUNCER_SIGNING_KEY", ""),
-		"symmetric signing key to validate tokens")
+		"cryptographic signing key")
+
+	flag.StringVar(&f.signingMethod, "m",
+		lookupEnv("BOUNCER_SIGNING_METHOD", ""),
+		"signing method, accepted values = [HMAC, RSA, EC]")
 
 	flag.StringVar(&f.configPath, "p",
 		lookupEnv("BOUNCER_CONFIG_PATH", f.configPath),
@@ -131,6 +156,10 @@ func parseFlags() *flags {
 		lookupEnv("BOUNCER_REQUIRE_NOT_BEFORE", f.nbfRequired),
 		fmt.Sprintf("require token not before timestamp claims, default = %s", f.nbfRequired))
 
+	flag.StringVar(&f.clockSkew, "clk",
+		lookupEnv("BOUNCER_CLOCK_SKEW", f.clockSkew),
+		fmt.Sprintf("require token not before timestamp claims, default = %s", f.nbfRequired))
+
 	flag.Parse()
 
 	return &f

main_test.go

@@ -15,65 +15,105 @@ func TestNewServer(t *testing.T) {
 		{
 			name: "happy path",
 			flags: &flags{
-				hmacKey:     "SuperSecretKey123!",
-				upstreamURL: "http://localhost:8080",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
 			},
 			cfgContent: "claimPolicies: {}\nroutePolicies: []",
 			wantErr:    false,
 		},
 		{
 			name: "no config",
 			flags: &flags{
-				hmacKey:     "SuperSecretKey123!",
-				upstreamURL: "http://localhost:8080",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
 			},
 			cfgContent: "",
 			wantErr:    true,
 		},
 		{
-			name: "auth server without proxy",
+			name: "reverse proxy",
 			flags: &flags{
-				hmacKey: "SuperSecretKey123!",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
+				upstreamURL:   "http://localhost:8080",
+			},
+			cfgContent: "claimPolicies: {}\nroutePolicies: []",
+			wantErr:    false,
+		},
+		{
+			name: "clock skewed",
+			flags: &flags{
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
+				clockSkew:     "10",
 			},
 			cfgContent: "claimPolicies: {}\nroutePolicies: []",
 			wantErr:    false,
 		},
 		{
 			name: "invalid url scheme",
 			flags: &flags{
-				hmacKey:     "SuperSecretKey123!",
-				upstreamURL: "tcp://localhost:8080",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
+				upstreamURL:   "tcp://localhost:8080",
 			},
 			cfgContent: "claimPolicies: {}\nroutePolicies: []",
 			wantErr:    true,
 		},
 		{
 			name: "malformed url",
 			flags: &flags{
-				hmacKey:     "SuperSecretKey123!",
-				upstreamURL: "!!http://localhost:8080",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
+				upstreamURL:   "!!http://localhost:8080",
 			},
 			cfgContent: "claimPolicies: {}\nroutePolicies: []",
 			wantErr:    true,
 		},
 		{
 			name: "invalid config yaml",
 			flags: &flags{
-				hmacKey:     "SuperSecretKey123!",
-				upstreamURL: "http://localhost:8080",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
 			},
 			cfgContent: ": invalid",
 			wantErr:    true,
 		},
 		{
 			name: "invalid config content",
 			flags: &flags{
-				hmacKey:     "SuperSecretKey123!",
-				upstreamURL: "http://localhost:8080",
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
 			},
 			cfgContent: "claimPolicies:\n PolicyWithoutClaim:\n  - value: test\nroutePolicies: []",
 			wantErr:    true,
 		},
+		{
+			name: "no signing key",
+			flags: &flags{
+				signingMethod: "HMAC",
+			},
+			cfgContent: "claimPolicies: {}\nroutePolicies: []",
+			wantErr:    true,
+		},
+		{
+			name: "no signing method",
+			flags: &flags{
+				signingKey: "SuperSecretKey123!",
+			},
+			cfgContent: "claimPolicies: {}\nroutePolicies: []",
+			wantErr:    true,
+		},
+		{
+			name: "invalid clock skew flag",
+			flags: &flags{
+				signingKey:    "SuperSecretKey123!",
+				signingMethod: "HMAC",
+				clockSkew:     "not a number",
+			},
+			cfgContent: "claimPolicies: {}\nroutePolicies: []",
+			wantErr:    true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {