Merge branch 'v5' into otel

# Conflicts:
#	go.sum
#	internal/cmd/serve.go
#	internal/http/http.go

Author: erickskrauch

internal/client/signer/local.go

@@ -0,0 +1,34 @@
+package signer
+
+import (
+	"context"
+	"io"
+	"strings"
+)
+
+type Signer interface {
+	Sign(data io.Reader) ([]byte, error)
+	GetPublicKey(format string) ([]byte, error)
+}
+
+type LocalSigner struct {
+	Signer
+}
+
+func (s *LocalSigner) Sign(ctx context.Context, data string) (string, error) {
+	signed, err := s.Signer.Sign(strings.NewReader(data))
+	if err != nil {
+		return "", err
+	}
+
+	return string(signed), nil
+}
+
+func (s *LocalSigner) GetPublicKey(ctx context.Context, format string) (string, error) {
+	publicKey, err := s.Signer.GetPublicKey(format)
+	if err != nil {
+		return "", err
+	}
+
+	return string(publicKey), nil
+}

internal/client/signer/local_test.go

@@ -0,0 +1,104 @@
+package signer
+
+import (
+	"context"
+	"errors"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/suite"
+)
+
+type SignerMock struct {
+	mock.Mock
+}
+
+func (m *SignerMock) Sign(data io.Reader) ([]byte, error) {
+	args := m.Called(data)
+	var result []byte
+	if casted, ok := args.Get(0).([]byte); ok {
+		result = casted
+	}
+
+	return result, args.Error(1)
+}
+
+func (m *SignerMock) GetPublicKey(format string) ([]byte, error) {
+	args := m.Called(format)
+	var result []byte
+	if casted, ok := args.Get(0).([]byte); ok {
+		result = casted
+	}
+
+	return result, args.Error(1)
+}
+
+type LocalSignerServiceTestSuite struct {
+	suite.Suite
+
+	Service *LocalSigner
+
+	Signer *SignerMock
+}
+
+func (t *LocalSignerServiceTestSuite) SetupSubTest() {
+	t.Signer = &SignerMock{}
+
+	t.Service = &LocalSigner{
+		Signer: t.Signer,
+	}
+}
+
+func (t *LocalSignerServiceTestSuite) TearDownSubTest() {
+	t.Signer.AssertExpectations(t.T())
+}
+
+func (t *LocalSignerServiceTestSuite) TestSign() {
+	t.Run("successfully sign", func() {
+		signature := []byte("mock signature")
+		t.Signer.On("Sign", mock.Anything).Return(signature, nil).Run(func(args mock.Arguments) {
+			r, _ := io.ReadAll(args.Get(0).(io.Reader))
+			t.Equal([]byte("mock body to sign"), r)
+		})
+
+		result, err := t.Service.Sign(context.Background(), "mock body to sign")
+		t.NoError(err)
+		t.Equal(string(signature), result)
+	})
+
+	t.Run("handle error during sign", func() {
+		expectedErr := errors.New("mock error")
+		t.Signer.On("Sign", mock.Anything).Return(nil, expectedErr)
+
+		result, err := t.Service.Sign(context.Background(), "mock body to sign")
+		t.Error(err)
+		t.Same(expectedErr, err)
+		t.Empty(result)
+	})
+}
+
+func (t *LocalSignerServiceTestSuite) TestGetPublicKey() {
+	t.Run("successfully get", func() {
+		publicKey := []byte("mock public key")
+		t.Signer.On("GetPublicKey", "pem").Return(publicKey, nil)
+
+		result, err := t.Service.GetPublicKey(context.Background(), "pem")
+		t.NoError(err)
+		t.Equal(string(publicKey), result)
+	})
+
+	t.Run("handle error", func() {
+		expectedErr := errors.New("mock error")
+		t.Signer.On("GetPublicKey", "pem").Return(nil, expectedErr)
+
+		result, err := t.Service.GetPublicKey(context.Background(), "pem")
+		t.Error(err)
+		t.Same(expectedErr, err)
+		t.Empty(result)
+	})
+}
+
+func TestLocalSignerService(t *testing.T) {
+	suite.Run(t, new(LocalSignerServiceTestSuite))
+}

internal/cmd/serve.go

@@ -7,6 +7,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
+	"ely.by/chrly/internal/di"
 	"ely.by/chrly/internal/http"
 	"ely.by/chrly/internal/otel"
 )
@@ -15,7 +16,7 @@ var serveCmd = &cobra.Command{
 	Use:   "serve",
 	Short: "Starts HTTP handler for the skins system",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		return startServer("skinsystem", "api")
+		return startServer(di.ModuleSkinsystem, di.ModuleProfiles, di.ModuleSigner)
 	},
 }
 

internal/cmd/token.go

@@ -9,8 +9,10 @@ import (
 )
 
 var tokenCmd = &cobra.Command{
-	Use:   "token",
-	Short: "Creates a new token, which allows to interact with Chrly API",
+	Use:       "token scope1 ...",
+	Example:   "token profiles sign",
+	Short:     "Creates a new token, which allows to interact with Chrly API",
+	ValidArgs: []string{string(security.ProfilesScope), string(security.SignScope)},
 	RunE: func(cmd *cobra.Command, args []string) error {
 		container := shouldGetContainer()
 		var auth *security.Jwt
@@ -19,7 +21,12 @@ var tokenCmd = &cobra.Command{
 			return err
 		}
 
-		token, err := auth.NewToken(security.ProfileScope)
+		scopes := make([]security.Scope, len(args))
+		for i := range args {
+			scopes[i] = security.Scope(args[i])
+		}
+
+		token, err := auth.NewToken(scopes...)
 		if err != nil {
 			return fmt.Errorf("Unable to create a new token. The error is %v\n", err)
 		}

internal/di/config.go

@@ -6,9 +6,5 @@ import (
 )
 
 var configDiOptions = di.Options(
-	di.Provide(newConfig),
+	di.Provide(viper.GetViper),
 )
-
-func newConfig() *viper.Viper {
-	return viper.GetViper()
-}

internal/di/handlers.go

@@ -12,12 +12,18 @@ import (
 	"go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux"
 
 	. "ely.by/chrly/internal/http"
+	"ely.by/chrly/internal/security"
 )
 
+const ModuleSkinsystem = "skinsystem"
+const ModuleProfiles = "profiles"
+const ModuleSigner = "signer"
+
 var handlersDiOptions = di.Options(
 	di.Provide(newHandlerFactory, di.As(new(http.Handler))),
-	di.Provide(newSkinsystemHandler, di.WithName("skinsystem")),
-	di.Provide(newApiHandler, di.WithName("api")),
+	di.Provide(newSkinsystemHandler, di.WithName(ModuleSkinsystem)),
+	di.Provide(newProfilesApiHandler, di.WithName(ModuleProfiles)),
+	di.Provide(newSignerApiHandler, di.WithName(ModuleSigner)),
 )
 
 func newHandlerFactory(
@@ -31,8 +37,8 @@ func newHandlerFactory(
 	// if you set an empty prefix. Since the main application should be mounted at the root prefix,
 	// we use it as the base router
 	var router *mux.Router
-	if slices.Contains(enabledModules, "skinsystem") {
-		if err := container.Resolve(&router, di.Name("skinsystem")); err != nil {
+	if slices.Contains(enabledModules, ModuleSkinsystem) {
+		if err := container.Resolve(&router, di.Name(ModuleSkinsystem)); err != nil {
 			return nil, err
 		}
 	} else {
@@ -43,9 +49,9 @@ func newHandlerFactory(
 	router.Use(otelmux.Middleware("chrly"))
 	router.NotFoundHandler = http.HandlerFunc(NotFoundHandler)
 
-	if slices.Contains(enabledModules, "api") {
-		var apiRouter *mux.Router
-		if err := container.Resolve(&apiRouter, di.Name("api")); err != nil {
+	if slices.Contains(enabledModules, ModuleProfiles) {
+		var profilesApiRouter *mux.Router
+		if err := container.Resolve(&profilesApiRouter, di.Name(ModuleProfiles)); err != nil {
 			return nil, err
 		}
 
@@ -54,9 +60,29 @@ func newHandlerFactory(
 			return nil, err
 		}
 
-		apiRouter.Use(CreateAuthenticationMiddleware(authenticator))
+		profilesApiRouter.Use(NewAuthenticationMiddleware(authenticator, security.ProfilesScope))
 
-		mount(router, "/api", apiRouter)
+		mount(router, "/api/profiles", profilesApiRouter)
+	}
+
+	if slices.Contains(enabledModules, ModuleSigner) {
+		var signerApiRouter *mux.Router
+		if err := container.Resolve(&signerApiRouter, di.Name(ModuleSigner)); err != nil {
+			return nil, err
+		}
+
+		var authenticator Authenticator
+		if err := container.Resolve(&authenticator); err != nil {
+			return nil, err
+		}
+
+		authMiddleware := NewAuthenticationMiddleware(authenticator, security.SignScope)
+		conditionalAuth := NewConditionalMiddleware(func(req *http.Request) bool {
+			return req.Method != "GET"
+		}, authMiddleware)
+		signerApiRouter.Use(conditionalAuth)
+
+		mount(router, "/api/signer", signerApiRouter)
 	}
 
 	// Resolve health checkers last, because all the services required by the application
@@ -81,25 +107,31 @@ func newHandlerFactory(
 func newSkinsystemHandler(
 	config *viper.Viper,
 	profilesProvider ProfilesProvider,
-	texturesSigner TexturesSigner,
+	texturesSigner SignerService,
 ) *mux.Router {
 	config.SetDefault("textures.extra_param_name", "chrly")
 	config.SetDefault("textures.extra_param_value", "how do you tame a horse in Minecraft?")
 
 	return (&Skinsystem{
 		ProfilesProvider:        profilesProvider,
-		TexturesSigner:          texturesSigner,
+		SignerService:           texturesSigner,
 		TexturesExtraParamName:  config.GetString("textures.extra_param_name"),
 		TexturesExtraParamValue: config.GetString("textures.extra_param_value"),
 	}).Handler()
 }
 
-func newApiHandler(profilesManager ProfilesManager) *mux.Router {
-	return (&Api{
+func newProfilesApiHandler(profilesManager ProfilesManager) *mux.Router {
+	return (&ProfilesApi{
 		ProfilesManager: profilesManager,
 	}).Handler()
 }
 
+func newSignerApiHandler(signer Signer) *mux.Router {
+	return (&SignerApi{
+		Signer: signer,
+	}).Handler()
+}
+
 func mount(router *mux.Router, path string, handler http.Handler) {
 	router.PathPrefix(path).Handler(
 		http.StripPrefix(

internal/di/security.go

@@ -4,10 +4,11 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
-	"encoding/base64"
 	"encoding/pem"
-	"strings"
+	"errors"
+	"log/slog"
 
+	"ely.by/chrly/internal/client/signer"
 	"ely.by/chrly/internal/http"
 	"ely.by/chrly/internal/security"
 
@@ -16,41 +17,43 @@ import (
 )
 
 var securityDiOptions = di.Options(
-	di.Provide(newTexturesSigner,
-		di.As(new(http.TexturesSigner)),
+	di.Provide(newSigner,
+		di.As(new(http.Signer)),
+		di.As(new(signer.Signer)),
 	),
+	di.Provide(newSignerService),
 )
 
-func newTexturesSigner(config *viper.Viper) (*security.Signer, error) {
+func newSigner(config *viper.Viper) (*security.Signer, error) {
+	var privateKey *rsa.PrivateKey
+	var err error
+
 	keyStr := config.GetString("chrly.signing.key")
 	if keyStr == "" {
-		// TODO: log a message about the generated signing key and the way to specify it permanently
-		privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+		privateKey, err = rsa.GenerateKey(rand.Reader, 2048)
 		if err != nil {
 			return nil, err
 		}
 
-		return security.NewSigner(privateKey), nil
-	}
+		slog.Warn("A private signing key has been generated. To make it permanent, specify the valid RSA private key in the config parameter chrly.signing.key")
+	} else {
+		keyBytes := []byte(keyStr)
+		rawPem, _ := pem.Decode(keyBytes)
+		if rawPem == nil {
+			return nil, errors.New("unable to decode pem key")
+		}
 
-	var keyBytes []byte
-	if strings.HasPrefix(keyStr, "base64:") {
-		base64Value := keyStr[7:]
-		decodedKey, err := base64.URLEncoding.DecodeString(base64Value)
+		privateKey, err = x509.ParsePKCS1PrivateKey(rawPem.Bytes)
 		if err != nil {
 			return nil, err
 		}
-
-		keyBytes = decodedKey
-	} else {
-		keyBytes = []byte(keyStr)
-	}
-
-	rawPem, _ := pem.Decode(keyBytes)
-	privateKey, err := x509.ParsePKCS1PrivateKey(rawPem.Bytes)
-	if err != nil {
-		return nil, err
 	}
 
 	return security.NewSigner(privateKey), nil
 }
+
+func newSignerService(s signer.Signer) http.SignerService {
+	return &signer.LocalSigner{
+		Signer: s,
+	}
+}