Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add token based authorization #90

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add token based authorization #90

wants to merge 2 commits into from

Conversation

sanfern
Copy link
Contributor

@sanfern sanfern commented Jul 14, 2022

Signed-off-by: Santhosh Fernandes [email protected]

It enables token-based authorization. Env variables or vaults can be used to store secrets.

@sanfern
Add token based authorization
b953a74 
Signed-off-by: Santhosh Fernandes <[email protected]>
@sanfern sanfern force-pushed the sanfern-dev-auth-token branch from 37b0999 to 1eefbeb Compare July 14, 2022 12:32
jniesz
jniesz reviewed Jul 14, 2022
View reviewed changes
Copy link
Contributor

@jniesz jniesz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to discuss overall approach for the secret store implementation and JWT auth. Once we agree on that we will also need to add tests to this PR.

apis/handlers/updateconfig.go

valid, statusCode := utils.ValidateToken(ctx, kfcfg.HostConfig, reqToken)
if !valid {
return
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we set a status code above this indicating Unauthorized?

apis/handlers/utils/validate_token.go Outdated
"net/http"
"os"

jwt "github.com/dgrijalva/jwt-go"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This repo is no longer maintained, we should use the maintained one here:
https://github.com/golang-jwt/jwt

apis/handlers/utils/validate_token.go

var jwtSecretKey string
if conf.SecretsType == "ENV" {
jwtSecretKey = os.Getenv(conf.SecretsKey)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably should be clear and call this "SecreteKeyName" or something like that as it is not the actual key, but just the name of the secret key to retrieve

apis/handlers/utils/validate_token.go
}

token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {
return []byte(jwtSecretKey), nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what about algorithm validation (SigningMethodHMAC)?

apis/handlers/updateconfig.go
return
}

valid, statusCode := utils.ValidateToken(ctx, kfcfg.HostConfig, reqToken)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about moving jwt validation to chi and use protected routes? I think this would be better than implementing here. https://github.com/go-chi/jwtauth

config/config.go

// secrets
SecretsKey string
SecretsType string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For supporting different secret stores it seems like the secrets package would provide more backend support. Otherwise we will have to keep implementing backends for different cloud platforms ourself.
https://pkg.go.dev/gocloud.dev/secrets

@sanfern sanfern force-pushed the sanfern-dev-auth-token branch from 1eefbeb to 3b10f32 Compare July 15, 2022 07:15
@sanfern
update conflicts
0b35c4b 
Signed-off-by: Santhosh Fernandes <[email protected]>
@sanfern sanfern force-pushed the sanfern-dev-auth-token branch from 3b10f32 to 0b35c4b Compare August 6, 2022 15:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jniesz jniesz jniesz left review comments

@charleskbliu0 charleskbliu0 Awaiting requested review from charleskbliu0 charleskbliu0 will be requested when the pull request is marked ready for review charleskbliu0 is a code owner

@dalalkaran dalalkaran Awaiting requested review from dalalkaran dalalkaran will be requested when the pull request is marked ready for review dalalkaran is a code owner

@pmoroney pmoroney Awaiting requested review from pmoroney pmoroney will be requested when the pull request is marked ready for review pmoroney is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sanfern @jniesz