Add support for will.iam in maestro (#95)

* Add WilliamAuth feature and tests

* Add william handler and middleware

* Add handler and middleware tests

* Add docs

* Bump minor version

* Add basicauth.enabled

Author: victor-carvalho

api/access_middleware.go

@@ -7,149 +7,104 @@
 package api
 
 import (
-	"context"
 	"fmt"
+	"github.com/topfreegames/extensions/middleware"
+	"github.com/topfreegames/maestro/api/auth"
 	"net/http"
 	"strings"
 
-	"github.com/topfreegames/extensions/middleware"
 	"github.com/topfreegames/maestro/errors"
-	"github.com/topfreegames/maestro/login"
 )
 
 //AccessMiddleware guarantees that the user is logged
 type AccessMiddleware struct {
-	App     *App
-	next    http.Handler
-	enabled bool
+	App  *App
+	next http.Handler
 }
 
 // NewAccessMiddleware returns an access middleware
 func NewAccessMiddleware(a *App) *AccessMiddleware {
-	enabled := a.Config.GetBool("oauth.enabled")
 	return &AccessMiddleware{
-		App:     a,
-		enabled: enabled,
-	}
-}
-
-const emailKey = contextKey("emailKey")
-
-func emailFromContext(ctx context.Context) string {
-	payload := ctx.Value(emailKey)
-	if payload == nil {
-		return ""
+		App: a,
 	}
-	return payload.(string)
-}
-
-// NewContextWithEmail adds the email from oauth into context
-func NewContextWithEmail(ctx context.Context, email string) context.Context {
-	c := context.WithValue(ctx, emailKey, email)
-	return c
 }
 
-func basicAuthWithXForwardedUserEmail(
-	basicAuthUser, basicAuthPass string, r *http.Request,
-) (string, bool) {
-	if basicAuthUser == "" && basicAuthPass == "" {
-		return "", false
-	}
-	user, pass, ok := r.BasicAuth()
-	if !ok || user != basicAuthUser || pass != basicAuthPass {
-		return "", false
-	}
-	email := r.Header.Get("x-forwarded-user-email")
-	if email == "" {
-		return "", false
-	}
-	return email, true
-}
+var emptyErr = fmt.Errorf("")
 
 //ServeHTTP methods
 func (m *AccessMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if !m.enabled {
-		m.next.ServeHTTP(w, r)
-		return
-	}
+	ctx := r.Context()
+	logger := middleware.GetLogger(ctx)
+	if m.App.Config.GetBool("basicauth.enabled") {
+		logger.Debug("checking basic auth")
+		authPresent, authValid, email := auth.CheckBasicAuth(m.App.Config, r)
+
+		// Basic Auth is valid, proceed to next handler
+		if authValid {
+			logger.Debug("basic auth ok")
+			ctx = auth.NewContextWithEmail(ctx, email)
+			ctx = auth.NewContextWithBasicAuthOK(ctx)
+			m.next.ServeHTTP(w, r.WithContext(ctx))
+			return
+		}
 
-	// checking basic auth in case of x-forwarded-user-email
-	basicAuthUser := m.App.Config.GetString("basicauth.username")
-	basicAuthPass := m.App.Config.GetString("basicauth.password")
-	if email, ok := basicAuthWithXForwardedUserEmail(
-		basicAuthUser, basicAuthPass, r,
-	); ok {
-		ctx := NewContextWithEmail(r.Context(), email)
-		m.next.ServeHTTP(w, r.WithContext(ctx))
-		return
-	}
+		// Basic Auth is invalid, return unauthorized
+		if authPresent {
+			logger.Debug("basic auth invalid")
+			m.App.HandleError(w, http.StatusUnauthorized, "authentication failed", fmt.Errorf("invalid basic auth"))
+			return
+		}
 
-	logger := middleware.GetLogger(r.Context())
-	logger.Debug("Checking access token")
+		logger.Debug("basic auth missing")
+		// If basic auth is missing and `basicAuth.tryOauthIfUnset` is false return unauthorized
+		if !m.App.Config.GetBool("basicAuth.tryOauthIfUnset") {
+			logger.Debug("basic auth tryOauthIfUnset is false so unauthorized")
+			m.App.HandleError(w, http.StatusUnauthorized, "authentication failed", fmt.Errorf("no basic auth sent"))
+			return
+		}
+	}
 
-	accessToken := r.Header.Get("Authorization")
-	accessToken = strings.TrimPrefix(accessToken, "Bearer ")
+	if m.App.Config.GetBool("william.enabled") {
+		logger.Debug("william enabled, checking token")
+		token := r.Header.Get("Authorization")
+		if len(token) == 0 {
+			logger.Debug("token empty")
+			m.App.HandleError(w, http.StatusUnauthorized, "", errors.NewAccessError("missing access token", emptyErr))
+			return
+		}
 
-	token, err := login.GetToken(accessToken, m.App.DBClient.WithContext(r.Context()))
-	if err != nil {
-		m.App.HandleError(w, http.StatusInternalServerError, "", err)
-		return
-	}
-	if token.RefreshToken == "" {
-		m.App.HandleError(
-			w,
-			http.StatusUnauthorized,
-			"",
-			errors.NewAccessError("access token was not found on db", fmt.Errorf("access token error")),
-		)
-		return
-	}
+		token = strings.TrimPrefix(token, "Bearer ")
 
-	msg, status, err := m.App.Login.Authenticate(token, m.App.DBClient.WithContext(r.Context()))
-	if err != nil {
-		logger.WithError(err).Error("error fetching googleapis")
-		m.App.HandleError(w, http.StatusInternalServerError, "Error fetching googleapis", err)
-		return
-	}
+		if len(token) == 0 {
+			logger.Debug("no bearer token")
+			m.App.HandleError(w, http.StatusUnauthorized, "", errors.NewAccessError("Unauthorized access token", emptyErr))
+			return
+		}
 
-	if status == http.StatusBadRequest {
-		logger.WithError(err).Error("error validating access token")
-		err := errors.NewAccessError("Unauthorized access token", fmt.Errorf(msg))
-		m.App.HandleError(w, http.StatusUnauthorized, "Unauthorized access token", err)
-		return
-	}
+		logger.Debug("token received")
+	} else if m.App.Config.GetBool("oauth.enabled") {
+		logger.Debug("oauth enabled, checking token")
+
+		email, err := auth.CheckOauthToken(m.App.Login, m.App.DBClient.WithContext(ctx), logger, r, m.App.EmailDomains)
+		if err != nil {
+			if _, ok := err.(*errors.AccessError); ok {
+				logger.Debug("authentication invalid")
+				m.App.HandleError(w, http.StatusUnauthorized, "", err)
+			} else {
+				logger.Debug("authentication error")
+				m.App.HandleError(w, http.StatusInternalServerError, "", err)
+			}
+			return
+		}
 
-	if status != http.StatusOK {
-		logger.WithError(err).Error("invalid access token")
-		err := errors.NewAccessError("invalid access token", fmt.Errorf(msg))
-		m.App.HandleError(w, status, "error validating access token", err)
-		return
-	}
+		logger.Debug("token authenticated, putting email on context", email)
 
-	email := msg
-	if !verifyEmailDomain(email, m.App.EmailDomains) {
-		logger.WithError(err).Error("Invalid email")
-		err := errors.NewAccessError(
-			"authorization access error",
-			fmt.Errorf("the email on OAuth authorization is not from domain %s", m.App.EmailDomains),
-		)
-		m.App.HandleError(w, http.StatusUnauthorized, "error validating access token", err)
+		ctx = auth.NewContextWithEmail(r.Context(), email)
+		m.next.ServeHTTP(w, r.WithContext(ctx))
 		return
 	}
 
-	ctx := NewContextWithEmail(r.Context(), email)
-
-	logger.Debug("Access token checked")
-	m.next.ServeHTTP(w, r.WithContext(ctx))
-}
-
-func verifyEmailDomain(email string, emailDomains []string) bool {
-	for _, domain := range emailDomains {
-		if strings.HasSuffix(email, domain) {
-			return true
-		}
-	}
-	return false
+	m.next.ServeHTTP(w, r)
 }
 
 //SetNext handler

api/access_middleware_test.go

@@ -29,70 +29,70 @@ var _ = Describe("AccessMiddleware", func() {
 	)
 
 	yamlString = `{
-  "name": "scheduler-name",
-  "game": "game-name",
-  "image": "somens/someimage:v123",
-  "ports": [
-    {
-      "containerPort": 5050,
-      "protocol": "UDP",
-      "name": "port1"
-    },
-    {
-      "containerPort": 8888,
-      "protocol": "TCP",
-      "name": "port2"
-    }
-  ],
-  "limits": {
-    "memory": "128Mi",
-    "cpu": "1"
-  },
-  "shutdownTimeout": 180,
-  "autoscaling": {
-    "min": 100,
-    "up": {
-      "delta": 10,
-      "trigger": {
-        "usage": 70,
-        "time": 600
-      },
-      "cooldown": 300
-    },
-    "down": {
-      "delta": 2,
-      "trigger": {
-        "usage": 50,
-        "time": 900
-      },
-      "cooldown": 300
-    }
-  },
-  "env": [
-    {
-      "name": "EXAMPLE_ENV_VAR",
-      "value": "examplevalue"
-    },
-    {
-      "name": "ANOTHER_ENV_VAR",
-      "value": "anothervalue"
-    }
-  ],
-  "cmd": [
-    "./room-binary",
-    "-serverType",
-    "6a8e136b-2dc1-417e-bbe8-0f0a2d2df431"
-  ],
-  "forwarders": {
-    "mockplugin": {
-      "mockfwd": {
-        "enabled": true,
-        "medatada": {
-          "send": "me"
-        }
-      }
-    }
-  }
+ "name": "scheduler-name",
+ "game": "game-name",
+ "image": "somens/someimage:v123",
+ "ports": [
+   {
+     "containerPort": 5050,
+     "protocol": "UDP",
+     "name": "port1"
+   },
+   {
+     "containerPort": 8888,
+     "protocol": "TCP",
+     "name": "port2"
+   }
+ ],
+ "limits": {
+   "memory": "128Mi",
+   "cpu": "1"
+ },
+ "shutdownTimeout": 180,
+ "autoscaling": {
+   "min": 100,
+   "up": {
+     "delta": 10,
+     "trigger": {
+       "usage": 70,
+       "time": 600
+     },
+     "cooldown": 300
+   },
+   "down": {
+     "delta": 2,
+     "trigger": {
+       "usage": 50,
+       "time": 900
+     },
+     "cooldown": 300
+   }
+ },
+ "env": [
+   {
+     "name": "EXAMPLE_ENV_VAR",
+     "value": "examplevalue"
+   },
+   {
+     "name": "ANOTHER_ENV_VAR",
+     "value": "anothervalue"
+   }
+ ],
+ "cmd": [
+   "./room-binary",
+   "-serverType",
+   "6a8e136b-2dc1-417e-bbe8-0f0a2d2df431"
+ ],
+ "forwarders": {
+   "mockplugin": {
+     "mockfwd": {
+       "enabled": true,
+       "medatada": {
+         "send": "me"
+       }
+     }
+   }
+ }
 }`
 
 	BeforeEach(func() {
@@ -123,6 +123,8 @@ var _ = Describe("AccessMiddleware", func() {
 
 				url := fmt.Sprintf("http://%s/scheduler", app.Address)
 				request, err := http.NewRequest("GET", url, nil)
+				Expect(err).ToNot(HaveOccurred())
+
 				user := app.Config.GetString("basicauth.username")
 				pass := app.Config.GetString("basicauth.password")
 				request.Header.Add("X-Forwarded-User-Email", "[email protected]")