Authentication processor 2/4 - Add auth context and interface #1808
Prev
Previous commit
Authentication processor 2/4 - Add auth context and interface
Signed-off-by: Juraci Paixão Kröhling <[email protected]>
- Loading branch information
commit 2214d1ede285115a516282906f768e45ee3ec845
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| // Copyright The OpenTelemetry Authors | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package auth | ||
|
|
||
| import ( | ||
| "context" | ||
| "errors" | ||
| "io" | ||
|
|
||
| "google.golang.org/grpc" | ||
| "google.golang.org/grpc/metadata" | ||
|
|
||
| "go.opentelemetry.io/collector/config/configauth" | ||
| ) | ||
|
|
||
| var ( | ||
| errNoOIDCProvided = errors.New("no OIDC information provided") | ||
| errMetadataNotFound = errors.New("no request metadata found") | ||
| errNotImplemented = errors.New("not implemented") | ||
| defaultAttribute = "authorization" | ||
| ) | ||
|
|
||
| // Authenticator will authenticate the incoming request/RPC | ||
| type Authenticator interface { | ||
| io.Closer | ||
|
|
||
| // Authenticate checks whether the given context contains valid auth data. Successfully authenticated calls will always return a nil error and a context with the auth data. | ||
| Authenticate(context.Context, map[string][]string) (context.Context, error) | ||
|
|
||
| // Start will | ||
| Start(context.Context) error | ||
|
|
||
| // UnaryInterceptor is a helper method to provide a gRPC-compatible UnaryInterceptor, typically calling the authenticator's Authenticate method. | ||
| UnaryInterceptor(context.Context, interface{}, *grpc.UnaryServerInfo, grpc.UnaryHandler) (interface{}, error) | ||
|
|
||
| // StreamInterceptor is a helper method to provide a gRPC-compatible StreamInterceptor, typically calling the authenticator's Authenticate method. | ||
| StreamInterceptor(interface{}, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error | ||
| } | ||
|
|
||
| type authenticateFunc func(context.Context, map[string][]string) (context.Context, error) | ||
|
|
||
| // New creates an authenticator based on the given configuration | ||
| func New(cfg configauth.Authentication) (Authenticator, error) { | ||
| if cfg.OIDC == nil { | ||
| return nil, errNoOIDCProvided | ||
| } | ||
|
|
||
| if len(cfg.Attribute) == 0 { | ||
| cfg.Attribute = defaultAttribute | ||
| } | ||
|
|
||
| return nil, errNotImplemented | ||
| } | ||
|
|
||
| func defaultUnaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, authenticate authenticateFunc) (interface{}, error) { | ||
| headers, ok := metadata.FromIncomingContext(ctx) | ||
| if !ok { | ||
| return nil, errMetadataNotFound | ||
| } | ||
|
|
||
| ctx, err := authenticate(ctx, headers) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return handler(ctx, req) | ||
| } | ||
|
|
||
| func defaultStreamInterceptor(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler, authenticate authenticateFunc) error { | ||
| ctx := stream.Context() | ||
| headers, ok := metadata.FromIncomingContext(ctx) | ||
| if !ok { | ||
| return errMetadataNotFound | ||
| } | ||
|
|
||
| // TODO: how to replace the context from the stream? | ||
| _, err := authenticate(ctx, headers) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| return handler(srv, stream) | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,197 @@ | ||
| // Copyright The OpenTelemetry Authors | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package auth | ||
|
|
||
| import ( | ||
| "context" | ||
| "fmt" | ||
| "testing" | ||
|
|
||
| "github.com/stretchr/testify/assert" | ||
| "google.golang.org/grpc" | ||
| "google.golang.org/grpc/metadata" | ||
|
|
||
| "go.opentelemetry.io/collector/config/configauth" | ||
| ) | ||
|
|
||
| func TestNew(t *testing.T) { | ||
| // test | ||
| p, err := New(configauth.Authentication{ | ||
| OIDC: &configauth.OIDC{ | ||
| Audience: "some-audience", | ||
| IssuerURL: "http://example.com", | ||
| }, | ||
| }) | ||
|
|
||
| // verify | ||
| assert.Nil(t, p) | ||
| assert.Equal(t, errNotImplemented, err) | ||
| } | ||
|
|
||
| func TestMissingOIDC(t *testing.T) { | ||
| // test | ||
| p, err := New(configauth.Authentication{}) | ||
|
|
||
| // verify | ||
| assert.Nil(t, p) | ||
| assert.Equal(t, errNoOIDCProvided, err) | ||
| } | ||
|
|
||
| func TestDefaultUnaryInterceptorAuthSucceeded(t *testing.T) { | ||
| // prepare | ||
| handlerCalled := false | ||
| authCalled := false | ||
| authFunc := func(context.Context, map[string][]string) (context.Context, error) { | ||
| authCalled = true | ||
| return context.Background(), nil | ||
| } | ||
| handler := func(ctx context.Context, req interface{}) (interface{}, error) { | ||
| handlerCalled = true | ||
| return nil, nil | ||
| } | ||
| ctx := metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "some-auth-data")) | ||
|
|
||
| // test | ||
| res, err := defaultUnaryInterceptor(ctx, nil, &grpc.UnaryServerInfo{}, handler, authFunc) | ||
|
|
||
| // verify | ||
| assert.Nil(t, res) | ||
| assert.NoError(t, err) | ||
| assert.True(t, authCalled) | ||
| assert.True(t, handlerCalled) | ||
| } | ||
|
|
||
| func TestDefaultUnaryInterceptorAuthFailure(t *testing.T) { | ||
| // prepare | ||
| authCalled := false | ||
| expectedErr := fmt.Errorf("not authenticated") | ||
| authFunc := func(context.Context, map[string][]string) (context.Context, error) { | ||
| authCalled = true | ||
| return context.Background(), expectedErr | ||
| } | ||
| handler := func(ctx context.Context, req interface{}) (interface{}, error) { | ||
| assert.FailNow(t, "the handler should not have been called on auth failure!") | ||
| return nil, nil | ||
| } | ||
| ctx := metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "some-auth-data")) | ||
|
|
||
| // test | ||
| res, err := defaultUnaryInterceptor(ctx, nil, &grpc.UnaryServerInfo{}, handler, authFunc) | ||
|
|
||
| // verify | ||
| assert.Nil(t, res) | ||
| assert.Equal(t, expectedErr, err) | ||
| assert.True(t, authCalled) | ||
| } | ||
|
|
||
| func TestDefaultUnaryInterceptorMissingMetadata(t *testing.T) { | ||
| // prepare | ||
| authFunc := func(context.Context, map[string][]string) (context.Context, error) { | ||
| assert.FailNow(t, "the auth func should not have been called!") | ||
| return context.Background(), nil | ||
| } | ||
| handler := func(ctx context.Context, req interface{}) (interface{}, error) { | ||
| assert.FailNow(t, "the handler should not have been called!") | ||
| return nil, nil | ||
| } | ||
|
|
||
| // test | ||
| res, err := defaultUnaryInterceptor(context.Background(), nil, &grpc.UnaryServerInfo{}, handler, authFunc) | ||
|
|
||
| // verify | ||
| assert.Nil(t, res) | ||
| assert.Equal(t, errMetadataNotFound, err) | ||
| } | ||
|
|
||
| func TestDefaultStreamInterceptorAuthSucceeded(t *testing.T) { | ||
| // prepare | ||
| handlerCalled := false | ||
| authCalled := false | ||
| authFunc := func(context.Context, map[string][]string) (context.Context, error) { | ||
| authCalled = true | ||
| return context.Background(), nil | ||
| } | ||
| handler := func(srv interface{}, stream grpc.ServerStream) error { | ||
| handlerCalled = true | ||
| return nil | ||
| } | ||
| ctx := metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "some-auth-data")) | ||
| streamServer := &mockServerStream{ | ||
| ctx: ctx, | ||
| } | ||
|
|
||
| // test | ||
| err := defaultStreamInterceptor(nil, streamServer, &grpc.StreamServerInfo{}, handler, authFunc) | ||
|
|
||
| // verify | ||
| assert.NoError(t, err) | ||
| assert.True(t, authCalled) | ||
| assert.True(t, handlerCalled) | ||
| } | ||
|
|
||
| func TestDefaultStreamInterceptorAuthFailure(t *testing.T) { | ||
| // prepare | ||
| authCalled := false | ||
| expectedErr := fmt.Errorf("not authenticated") | ||
| authFunc := func(context.Context, map[string][]string) (context.Context, error) { | ||
| authCalled = true | ||
| return context.Background(), expectedErr | ||
| } | ||
| handler := func(srv interface{}, stream grpc.ServerStream) error { | ||
| assert.FailNow(t, "the handler should not have been called on auth failure!") | ||
| return nil | ||
| } | ||
| ctx := metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "some-auth-data")) | ||
| streamServer := &mockServerStream{ | ||
| ctx: ctx, | ||
| } | ||
|
|
||
| // test | ||
| err := defaultStreamInterceptor(nil, streamServer, &grpc.StreamServerInfo{}, handler, authFunc) | ||
|
|
||
| // verify | ||
| assert.Equal(t, expectedErr, err) | ||
| assert.True(t, authCalled) | ||
| } | ||
|
|
||
| func TestDefaultStreamInterceptorMissingMetadata(t *testing.T) { | ||
| // prepare | ||
| authFunc := func(context.Context, map[string][]string) (context.Context, error) { | ||
| assert.FailNow(t, "the auth func should not have been called!") | ||
| return context.Background(), nil | ||
| } | ||
| handler := func(srv interface{}, stream grpc.ServerStream) error { | ||
| assert.FailNow(t, "the handler should not have been called!") | ||
| return nil | ||
| } | ||
| streamServer := &mockServerStream{ | ||
| ctx: context.Background(), | ||
| } | ||
|
|
||
| // test | ||
| err := defaultStreamInterceptor(nil, streamServer, &grpc.StreamServerInfo{}, handler, authFunc) | ||
|
|
||
| // verify | ||
| assert.Equal(t, errMetadataNotFound, err) | ||
| } | ||
|
|
||
| type mockServerStream struct { | ||
| grpc.ServerStream | ||
| ctx context.Context | ||
| } | ||
|
|
||
| func (m *mockServerStream) Context() context.Context { | ||
| return m.ctx | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| // Copyright The OpenTelemetry Authors | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| package auth | ||
|
|
||
| import "context" | ||
|
|
||
| var ( | ||
| subjectKey = subjectType{} | ||
| groupsKey = groupsType{} | ||
| ) | ||
|
|
||
| type subjectType struct{} | ||
| type groupsType struct{} | ||
|
|
||
| // SubjectFromContext returns a list of groups the subject in the context belongs to | ||
| func SubjectFromContext(ctx context.Context) (string, bool) { | ||
| value, ok := ctx.Value(subjectKey).(string) | ||
| return value, ok | ||
| } | ||
|
|
||
| // GroupsFromContext returns a list of groups the subject in the context belongs to | ||
| func GroupsFromContext(ctx context.Context) ([]string, bool) { | ||
| value, ok := ctx.Value(groupsKey).([]string) | ||
| return value, ok | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can this file be in
config/configauth/internal/?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only the interface, or the whole package? In any case, I would prefer to keep the config package clean from the implementation, as seems to be the case today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's why I am suggesting an internal package inside the configauth which will not be exported. But this way we have localization, the current internal/auth is only used by
configauthThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Except that the gRPC and HTTP receivers will use a default implementation for the interceptors/handlers, also located in this package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, let's move forward with this (I don't believe that we cannot just have it in the internal here). But let's see.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll collect the non-blocking comments in an issue, so that I can solve them in a follow-up PR. To be honest, my biggest contention right now in changing this PR is in rebasing the other two PRs again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tracker: #1824