Merge pull request #6 from CodeCafeOpenShiftGame/whoareyou

Adding basic auth checking to POST to the API service

Author: dudash

README.md

@@ -80,6 +80,10 @@ Expose access to outside of cluster
 For more info on this way of deploying (and alternatives) [see the docs here](https://quarkus.io/guides/deploying-to-openshift-s2i).
 
 ## Other Things
+## The POST route for scores now has basic auth enabled on it
+* So you will need to pass username/password in to POST scores
+* You can disable it with an environment vairable (see the application.properties file)
+
 ## Running a MongoDB in OpenShift
 This service won't function until it can store its data into a MongoDB. We can easily deploy one on OpenShift and have OpenShift provide service discovery. And then we configure this app's deployment with the user/password details for connecting to the DB.
 > `oc new-app -e MONGODB_USER=thisisauser -e MONGODB_PASSWORD=thisis4password -e MONGODB_DATABASE=highscores -e MONGODB_ADMIN_PASSWORD=thisis4password mongodb:latest`
@@ -90,5 +94,15 @@ This service won't function until it can store its data into a MongoDB. We can e
 ## Hooking in 3scale API Management
 TBD - [3scale ref here](https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.7/html/providing_apis_in_the_developer_portal/create-new-service-openapi-specification#using_openapi_specification)
 
+
+## Testing POSTS with HTTPie
+I like to use a nice CLI tool called HTTPie. If you have it below are some useful commands.
+
+### Testing POST with basic auth turned on
+```
+http -a dudash:123456 POST http://localhost:5000/scores  score=1000 name=JAS
+```
+
+
 ## Thanks and Credit
 This service was built based on guidance from the [Quarkus example here](https://quarkus.io/guides/openapi-swaggerui#loading-openapi-schema-from-static-files).

src/main/java/io/nub3s/ScoresResource.java

@@ -1,20 +1,32 @@
 package io.nub3s;
 
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import io.vertx.axle.core.eventbus.EventBus;
-import io.vertx.axle.core.eventbus.Message;
 
 import javax.inject.Inject;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.GET;
+import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Response;
+
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
 import java.util.List;
 
 @Path("/scores")
 public class ScoresResource {
 
+    @ConfigProperty(name = "quickauthenforcing", defaultValue = "true")
+    protected boolean quickAuthEnforcing;
+    @ConfigProperty(name = "quickauthuser", defaultValue = "true")
+    protected String quickAuthUser;
+    @ConfigProperty(name = "quickauthpassword", defaultValue = "true")
+    protected String quickAuthPassword;
+
     @Inject EventBus bus;
 
     @GET
@@ -25,7 +37,20 @@ public List<Score> list(){
 
     @POST
     @Consumes("application/json")
-    public Response create(Score score) {
+    public Response create(@HeaderParam("Authorization") String authorization, Score score) {
+        if (quickAuthEnforcing) {
+            if (authorization == null) return Response.status(401).build();
+            if (!authorization.toLowerCase().startsWith("basic")) return Response.status(401).build();
+            String base64string = authorization.substring("Basic".length()).trim();
+            byte[] bytes = Base64.getDecoder().decode(base64string);
+            String credentials = new String(bytes, StandardCharsets.UTF_8);
+            final String[] keyValueCredentials = credentials.split(":", 2);
+            if (keyValueCredentials[0].compareTo(quickAuthUser)!=0) return Response.status(401).build();
+            if (keyValueCredentials[1].compareTo(quickAuthPassword)!=0) return Response.status(401).build();
+        }
+        else {
+            System.out.println("ignoring auth");
+        }
         score.persist();
         bus.publish("newscore", score.toString()); // tell NotifcationsWebSocket to broadcast an update
         bus.publish("topten", topTenList().toString()); // tell NotifcationsWebSocket to broadcast an update

src/main/resources/application.properties

@@ -2,6 +2,17 @@
 quarkus.http.port=8080
 %dev.quarkus.http.port=5000
 
+# Security 
+%dev.quickauthenforcing=false
+quickauthenforcing=${QUICKAUTH_ENFORCING:true}
+quickauthuser=${QUICKAUTH_USER:dudash}
+quickauthpassword=${QUICKAUTH_PASSWORD:123456}
+# TODO: Auth should be done with an IdentityProvider and vars below
+# quarkus.http.auth.basic=true
+# quarkus.http.auth.permission.api-permission-check1.paths=/scores                               
+# quarkus.http.auth.permission.api-permission-check1.policy=authenticated
+# quarkus.http.auth.permission.api-permission-check1.methods=POST
+
 # API Stuff
 # if doing a demo app, turn this on - make default off for security reasons
 quarkus.swagger-ui.always-include=false