Enable Google OAuth and move API key to server-side

Author: Masayoshi Mizutani

api.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/pkg/errors"
@@ -13,7 +14,7 @@ type roundTripper func(*http.Request) (*http.Response, error)
 
 func (f roundTripper) RoundTrip(req *http.Request) (*http.Response, error) { return f(req) }
 
-func reverseProxy(target string) (gin.HandlerFunc, error) {
+func reverseProxy(authz *authzService, apiKey, target string) (gin.HandlerFunc, error) {
 	logger.WithField("target", target).Info("proxy")
 	url, err := url.Parse(target)
 	if err != nil {
@@ -25,22 +26,42 @@ func reverseProxy(target string) (gin.HandlerFunc, error) {
 		return http.DefaultTransport.RoundTrip(req)
 	}
 
-	proxy := &httputil.ReverseProxy{
-		Transport: roundTripper(requestHandler),
-		Director: func(req *http.Request) {
-			req.URL.Host = url.Host
-			req.URL.Scheme = url.Scheme
-			req.URL.Path = url.Path + req.URL.Path
-		},
-	}
-
 	return func(c *gin.Context) {
-		proxy.ServeHTTP(c.Writer, c.Request)
+		userData, ok := c.Get("user")
+		if !ok {
+			c.JSON(http.StatusUnauthorized, gin.H{"msg": "Unauthenticated request"})
+			return
+		}
+
+		user := userData.(string)
+		allowed, ok := authz.AllowTable[user]
+		if !ok {
+			c.JSON(http.StatusUnauthorized, gin.H{"msg": "Unauthorized user", "user": user})
+			return
+		}
+
+		tags := strings.Join(allowed, ",")
+		if tags == "" {
+			tags = "*"
+		}
+
+		(&httputil.ReverseProxy{
+			Transport: roundTripper(requestHandler),
+			Director: func(req *http.Request) {
+				req.URL.Host = url.Host
+				req.URL.Scheme = url.Scheme
+				req.URL.Path = url.Path + req.URL.Path
+				req.Header.Set("x-api-key", apiKey)
+				req.Header.Set("minerva-allowed-tags", tags)
+				logger.WithField("header", req.Header).Info("API requet header")
+			},
+		}).ServeHTTP(c.Writer, c.Request)
+
 	}, nil
 }
 
-func setupAPI(ssnMgr *sessionManager, endpoint string, r *gin.RouterGroup) error {
-	proxy, err := reverseProxy(endpoint)
+func setupAPI(authz *authzService, apiKey, endpoint string, r *gin.RouterGroup) error {
+	proxy, err := reverseProxy(authz, apiKey, endpoint)
 	if err != nil {
 		return err
 	}

auth.go renamed to authn.go

@@ -26,9 +26,16 @@ type sessionManager struct {
 }
 
 func newSessionManager(jwtSecret string) *sessionManager {
-	return &sessionManager{
-		jwtSecret: []byte(jwtSecret),
+	mgr := &sessionManager{}
+
+	if jwtSecret == "" {
+		logger.Warn("jwt-secret is not set, then automatically generated")
+		mgr.jwtSecret = []byte(genRandomSecret())
+	} else {
+		mgr.jwtSecret = []byte(jwtSecret)
 	}
+
+	return mgr
 }
 
 func (x *sessionManager) sign(user strixUser, c *gin.Context) error {

authz.go

@@ -0,0 +1,39 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/pkg/errors"
+)
+
+type authzService struct {
+	AllowTable map[string][]string `json:"allow"`
+}
+
+func newAuthzService(filePath string) (*authzService, error) {
+	raw, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "Fail to load authz file: %s", filePath)
+	}
+
+	srv := authzService{
+		AllowTable: make(map[string][]string),
+	}
+	if err := json.Unmarshal(raw, &srv); err != nil {
+		return nil, errors.Wrapf(err, "Fail to parse authz file: %s", filePath)
+	}
+
+	logger.WithField("authz", srv.AllowTable).Info("Read authorization table")
+	return &srv, nil
+}
+
+func (x *authzService) allowedTags(user string) ([]string, error) {
+	allowed, ok := x.AllowTable[user]
+	if !ok {
+		return nil, fmt.Errorf("Not permitted")
+	}
+
+	return allowed, nil
+}

logger.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/sirupsen/logrus"
+)
+
+var logger = logrus.New()
+
+var logLevelMap = map[string]logrus.Level{
+	"trace": logrus.TraceLevel,
+	"debug": logrus.DebugLevel,
+	"info":  logrus.InfoLevel,
+	"warn":  logrus.WarnLevel,
+	"error": logrus.ErrorLevel,
+}
+
+func setupLogger(logLevel string) error {
+	level, ok := logLevelMap[logLevel]
+	if !ok {
+		return fmt.Errorf("Invalid log level: %s", logLevel)
+	}
+	logger.SetLevel(level)
+	logger.SetFormatter(&logrus.JSONFormatter{})
+
+	return nil
+}

main.go

@@ -6,95 +6,9 @@ import (
 	"os"
 	"time"
 
-	"github.com/gin-contrib/static"
-	"github.com/gin-gonic/gin"
-	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
-
-	"github.com/gin-contrib/sessions"
-	"github.com/gin-contrib/sessions/cookie"
 )
 
-var logger = logrus.New()
-
-var logLevelMap = map[string]logrus.Level{
-	"trace": logrus.TraceLevel,
-	"debug": logrus.DebugLevel,
-	"info":  logrus.InfoLevel,
-	"warn":  logrus.WarnLevel,
-	"error": logrus.ErrorLevel,
-}
-
-type arguments struct {
-	LogLevel       string
-	Endpoint       string
-	BindAddress    string
-	BindPort       int
-	StaticContents string
-
-	// Google OAuth options
-	GoogleOAuthConfig string
-
-	// JWT
-	JWTSecret string
-}
-
-func runServer(args arguments) error {
-	level, ok := logLevelMap[args.LogLevel]
-	if !ok {
-		return fmt.Errorf("Invalid log level: %s", args.LogLevel)
-	}
-	logger.SetLevel(level)
-	logger.SetFormatter(&logrus.JSONFormatter{})
-	logger.WithFields(logrus.Fields{
-		"args": args,
-	}).Info("Given options")
-
-	helloReply := os.Getenv("HELLO_REPLY")
-	if helloReply == "" {
-		helloReply = time.Now().String()
-	}
-
-	r := gin.Default()
-	store := cookie.NewStore([]byte("auth"))
-	r.Use(sessions.Sessions("strix", store))
-	r.Use(static.Serve("/", static.LocalFile(args.StaticContents, false)))
-	/*
-		r.LoadHTMLGlob(path.Join(args.TemplatePath, "*"))
-		r.GET("/", func(c *gin.Context) {
-			c.HTML(http.StatusOK, "index.html", gin.H{
-				"googleOAuth": (args.GoogleOAuthConfig != ""),
-			})
-		})
-	*/
-	r.GET("/hello/revision", func(c *gin.Context) {
-		c.String(200, helloReply)
-	})
-
-	ssnMgr := newSessionManager(args.JWTSecret)
-
-	authGroup := r.Group("/auth")
-	if err := setupAuth(ssnMgr, authGroup); err != nil {
-		return err
-	}
-	if args.GoogleOAuthConfig != "" {
-		if err := setupAuthGoogle(ssnMgr, args.GoogleOAuthConfig, authGroup); err != nil {
-			return err
-		}
-	}
-
-	apiGroup := r.Group("/api/v1")
-	if err := setupAPI(ssnMgr, args.Endpoint, apiGroup); err != nil {
-		return err
-	}
-
-	if err := r.Run(fmt.Sprintf("%s:%d", args.BindAddress, args.BindPort)); err != nil {
-		return err
-	}
-
-	return nil
-}
-
 func genRandomSecret() string {
 	const randomSecretLength = 32
 	letters := "abcdefghijklmnopqrstuvwxyz" +
@@ -147,6 +61,11 @@ func main() {
 			Usage:       "Static contents path",
 			Destination: &args.StaticContents,
 		},
+		cli.StringFlag{
+			Name: "hello-reply, r", Value: time.Now().String(),
+			Usage:       "Reply message for /hello/revision",
+			Destination: &args.HelloReply,
+		},
 
 		cli.StringFlag{
 			Name:        "google-oauth-config, g",
@@ -155,9 +74,24 @@ func main() {
 		},
 		cli.StringFlag{
 			Name:        "jwt-secret, j",
-			Value:       genRandomSecret(),
 			Usage:       "JWT secret to sign and validate token",
-			Destination: &args.GoogleOAuthConfig,
+			Destination: &args.JWTSecret,
+		},
+		cli.StringFlag{
+			Name:        "api-key, k",
+			Usage:       "API Key of Minerva",
+			Destination: &args.APIKey,
+		},
+
+		cli.StringFlag{
+			Name:        "authz-path, z",
+			Usage:       "Authorization list json file path",
+			Destination: &args.AuthzFilePath,
+		},
+		cli.StringFlag{
+			Name:        "secret-arn",
+			Usage:       "Secret ARN of SecretsManager",
+			Destination: &args.SecretArn,
 		},
 	}
 	app.ArgsUsage = "[endpoint]"

server.go

@@ -0,0 +1,92 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-contrib/sessions/cookie"
+	"github.com/gin-contrib/static"
+	"github.com/gin-gonic/gin"
+	"github.com/sirupsen/logrus"
+)
+
+type arguments struct {
+	LogLevel       string
+	Endpoint       string
+	BindAddress    string
+	BindPort       int
+	StaticContents string
+	HelloReply     string
+	APIKey         string
+	SecretArn      string
+	AuthzFilePath  string
+
+	// Google OAuth options
+	GoogleOAuthConfig string
+
+	// JWT
+	JWTSecret string
+}
+
+func runServer(args arguments) error {
+	if err := setupLogger(args.LogLevel); err != nil {
+		return err
+	}
+
+	logger.WithFields(logrus.Fields{
+		"args": args,
+	}).Info("Given options")
+
+	r := gin.Default()
+	store := cookie.NewStore([]byte("auth"))
+	r.Use(sessions.Sessions("strix", store))
+	r.Use(static.Serve("/", static.LocalFile(args.StaticContents, false)))
+
+	r.GET("/hello/revision", func(c *gin.Context) {
+		c.String(200, args.HelloReply)
+	})
+
+	// Setup session manager
+	authz, err := newAuthzService(args.AuthzFilePath)
+	if err != nil {
+		return err
+	}
+
+	ssnMgr := newSessionManager(args.JWTSecret)
+	authCheck := func(c *gin.Context) {
+		user, err := ssnMgr.validate(c)
+		if err != nil {
+			logger.WithError(err).Warn("Authentication Fail")
+			c.JSON(http.StatusUnauthorized, gin.H{"msg": "Authentication failed"})
+		} else {
+			c.Set("user", user.UserID)
+			c.Next()
+		}
+	}
+
+	// Auth route group
+	authGroup := r.Group("/auth")
+	if err := setupAuth(ssnMgr, authGroup); err != nil {
+		return err
+	}
+	if args.GoogleOAuthConfig != "" {
+		if err := setupAuthGoogle(ssnMgr, args.GoogleOAuthConfig, authGroup); err != nil {
+			return err
+		}
+	}
+
+	// API route group
+	apiGroup := r.Group("/api/v1")
+	apiGroup.Use(authCheck)
+	if err := setupAPI(authz, args.APIKey, args.Endpoint, apiGroup); err != nil {
+		return err
+	}
+
+	// Start server
+	if err := r.Run(fmt.Sprintf("%s:%d", args.BindAddress, args.BindPort)); err != nil {
+		return err
+	}
+
+	return nil
+}

src/js/header.vue

@@ -7,9 +7,6 @@
         </h1>
       </div>
     </nav>
-    <div class="msgbox login">
-      <a href="/auth/google">Google</a>
-    </div>
   </div>
 </template>