feat: agent registry auth [WIP]

Signed-off-by: Jakob Steiner <[email protected]>

Author: kosmoz

internal/auth/authentication.go

@@ -6,8 +6,10 @@ import (
 	"github.com/getsentry/sentry-go"
 	"github.com/glasskube/distr/internal/authjwt"
 	"github.com/glasskube/distr/internal/authn"
+	"github.com/glasskube/distr/internal/authn/agent"
 	"github.com/glasskube/distr/internal/authn/authinfo"
 	"github.com/glasskube/distr/internal/authn/authkey"
+	"github.com/glasskube/distr/internal/authn/basic"
 	"github.com/glasskube/distr/internal/authn/jwt"
 	"github.com/glasskube/distr/internal/authn/token"
 	internalctx "github.com/glasskube/distr/internal/context"
@@ -44,14 +46,27 @@ var AgentAuthentication = authn.New(
 // ArtifactsAuthentication supports Basic auth login for OCI clients, where the password should be a PAT.
 // The given PAT is verified against the database, to make sure that the user still exists.
 var ArtifactsAuthentication = authn.New(
-	authn.Chain4(
-		token.NewExtractor(
-			token.WithExtractorFuncs(token.FromBasicAuth()),
-			token.WithErrorHeaders(map[string]string{"WWW-Authenticate": "Basic realm=\"Distr\""}),
+	authn.Alternative(
+		// Authenticate with Agent JWT
+		authn.Chain3(
+			token.NewExtractor(token.WithExtractorFuncs(token.FromHeader("Bearer"))),
+			jwt.Authenticator(authjwt.JWTAuth),
+			authinfo.AgentJWTAuthenticator(),
+		),
+		// Auhtenticate UserAccount with PAT via BasicAuth
+		authn.Chain3(
+			token.NewExtractor(
+				token.WithExtractorFuncs(token.FromBasicAuth()),
+				token.WithErrorHeaders(http.Header{"WWW-Authenticate": []string{"Basic realm=\"Distr\""}}),
+			),
+			authkey.Authenticator(),
+			authinfo.AuthKeyAuthenticator(),
+		),
+		// Authenticate Agent with ID and secret via BasicAuth
+		authn.Chain(
+			basic.Authenticator(),
+			agent.Authenticator(),
 		),
-		authkey.Authenticator(),
-		authinfo.AuthKeyAuthenticator(),
-		authinfo.DbAuthenticator(),
 	),
 )
 

internal/authn/agent/authenticator.go

@@ -0,0 +1,78 @@
+package agent
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/glasskube/distr/internal/authjwt"
+	"github.com/glasskube/distr/internal/authn"
+	"github.com/glasskube/distr/internal/authn/authinfo"
+	"github.com/glasskube/distr/internal/authn/basic"
+	"github.com/glasskube/distr/internal/db"
+	"github.com/glasskube/distr/internal/security"
+	"github.com/glasskube/distr/internal/types"
+	"github.com/google/uuid"
+)
+
+func Authenticator() authn.Authenticator[basic.Auth, authinfo.AuthInfo] {
+	fn := func(ctx context.Context, basic basic.Auth) (out authinfo.AuthInfo, err error) {
+		if targetID, err1 := uuid.Parse(basic.Username); err1 != nil {
+			err = fmt.Errorf("%w: %w", authn.ErrBadAuthentication, err1)
+		} else if target, err1 := db.GetDeploymentTarget(ctx, targetID, nil); err1 != nil {
+			err = err1
+		} else if target.AccessKeyHash == nil || target.AccessKeySalt == nil {
+			err = errors.New("access key or salt is nil")
+		} else if err1 :=
+			security.VerifyAccessKey(*target.AccessKeySalt, *target.AccessKeyHash, basic.Password); err1 != nil {
+			err = fmt.Errorf("%w: %w", authn.ErrBadAuthentication, err1)
+		} else if user, err1 := db.GetUserAccountByID(ctx, target.CreatedByUserAccountID); err1 != nil {
+			err = err1
+		} else if orgs, err1 := db.GetOrganizationsForUser(ctx, user.ID); err1 != nil {
+			err = err1
+		} else if len(orgs) != 1 {
+			err = fmt.Errorf("user must have exactly one organization")
+		} else if orgs[0].UserRole != types.UserRoleCustomer {
+			err = fmt.Errorf("user must have role customer")
+		} else if _, token, err1 := authjwt.GenerateDefaultToken(*user, orgs[0]); err1 != nil {
+			err = err1
+		} else {
+			err = &tokenError{Token: token}
+		}
+		return
+	}
+	return authn.AuthenticatorFunc[basic.Auth, authinfo.AuthInfo](fn)
+}
+
+type tokenError struct {
+	Token string `json:"token"`
+}
+
+var _ authn.WithResponseHeaders = &tokenError{}
+var _ authn.WithResponseStatus = &tokenError{}
+var _ authn.ResponseBodyWriter = &tokenError{}
+
+// Error implements error.
+func (t *tokenError) Error() string {
+	return "NOT AN ERROR: agent successful token auth" // :^)
+}
+
+// ResponseHeaders implements authn.WithResponseHeaders.
+func (t *tokenError) ResponseHeaders() http.Header {
+	result := http.Header{}
+	result.Add("Content-Type", "application/json")
+	return result
+}
+
+// ResponseStatus implements authn.WithResponseStatus.
+func (t *tokenError) ResponseStatus() int {
+	return http.StatusOK
+}
+
+// WriteResponse implements authn.ResponseBodyWriter.
+func (t *tokenError) WriteResponse(w io.Writer) {
+	_ = json.NewEncoder(w).Encode(t)
+}

internal/authn/authentication.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"net/http"
+
+	"go.uber.org/multierr"
 )
 
 type contextKey struct{}
@@ -76,16 +78,34 @@ func (a *Authentication[T]) ValidatorMiddleware(fn func(value T) error) func(nex
 }
 
 func (a *Authentication[T]) handleError(w http.ResponseWriter, r *http.Request, err error) {
-	hhe := &HttpHeaderError{}
-	if errors.As(err, &hhe) {
-		hhe.WriteTo(w)
+	for _, err := range multierr.Errors(err) {
+		var rh WithResponseHeaders
+		if errors.As(err, &rh) {
+			for key, value := range rh.ResponseHeaders() {
+				for _, v := range value {
+					w.Header().Add(key, v)
+				}
+			}
+		}
 	}
 
-	if errors.Is(err, ErrBadAuthentication) || errors.Is(err, ErrNoAuthentication) {
-		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-	} else if a.unknownErrorHandler == nil {
-		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
-	} else {
+	statusCode := http.StatusInternalServerError
+
+	var rs WithResponseStatus
+	if errors.As(err, &rs) {
+		statusCode = rs.ResponseStatus()
+	} else if errors.Is(err, ErrBadAuthentication) || errors.Is(err, ErrNoAuthentication) {
+		statusCode = http.StatusUnauthorized
+	} else if a.unknownErrorHandler != nil {
 		a.unknownErrorHandler(w, r, err)
+		return
+	}
+
+	var rw ResponseBodyWriter
+	if errors.As(err, &rw) {
+		w.WriteHeader(statusCode)
+		rw.WriteResponse(w)
+	} else {
+		http.Error(w, http.StatusText(statusCode), statusCode)
 	}
 }

internal/authn/authenticator.go

@@ -2,7 +2,10 @@ package authn
 
 import (
 	"context"
+	"errors"
 	"net/http"
+
+	"go.uber.org/multierr"
 )
 
 type Authenticator[IN any, OUT any] interface {
@@ -61,3 +64,23 @@ func Chain4[IN any, MID1 any, MID2 any, MID3 any, OUT any](
 		}
 	})
 }
+
+func Alternative[A any, B any](authenticators ...Authenticator[A, B]) Authenticator[A, B] {
+	return AuthenticatorFunc[A, B](func(ctx context.Context, in A) (result B, err error) {
+		for _, authenticator := range authenticators {
+			if out, err1 := authenticator.Authenticate(ctx, in); err1 != nil {
+				multierr.AppendInto(&err, err1)
+				if errors.Is(err, ErrNoAuthentication) || errors.Is(err, ErrBadAuthentication) {
+					continue
+				} else {
+					break
+				}
+			} else {
+				result = out
+				err = nil
+				break
+			}
+		}
+		return
+	})
+}

internal/authn/basic/authenticator.go

@@ -0,0 +1,35 @@
+package basic
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/glasskube/distr/internal/authn"
+)
+
+type Auth struct {
+	Username, Password string
+}
+
+func Authenticator() authn.RequestAuthenticator[Auth] {
+	fn := func(ctx context.Context, r *http.Request) (result Auth, err error) {
+		if username, password, ok := r.BasicAuth(); !ok {
+			err = authn.NewHttpHeaderError(
+				authn.ErrNoAuthentication,
+				http.Header{
+					"WWW-Authenticate": []string{`Bearer realm="http://localhost:8585/v2/",service="localhost:8585"`, `Basic realm="Distr"`},
+				},
+			)
+		} else {
+			result = Auth{Username: username, Password: password}
+		}
+		return
+	}
+	return authn.AuthenticatorFunc[*http.Request, Auth](fn)
+}
+
+func Password() authn.Authenticator[Auth, string] {
+	return authn.AuthenticatorFunc[Auth, string](func(ctx context.Context, basic Auth) (string, error) {
+		return basic.Password, nil
+	})
+}

internal/authn/errors.go

@@ -15,10 +15,17 @@ var ErrBadAuthentication = errors.New("bad authentication")
 
 type HttpHeaderError struct {
 	wrapped error
-	headers map[string]string
+	headers http.Header
 }
 
-func NewHttpHeaderError(err error, headers map[string]string) error {
+// ResponseHEaders implements WithResponseHeaders.
+func (err *HttpHeaderError) ResponseHeaders() http.Header {
+	return err.headers
+}
+
+var _ WithResponseHeaders = &HttpHeaderError{}
+
+func NewHttpHeaderError(err error, headers http.Header) error {
 	return &HttpHeaderError{
 		wrapped: err,
 		headers: headers,
@@ -32,9 +39,3 @@ func (err *HttpHeaderError) Error() string {
 func (err *HttpHeaderError) Unwrap() error {
 	return err.wrapped
 }
-
-func (err *HttpHeaderError) WriteTo(w http.ResponseWriter) {
-	for k, v := range err.headers {
-		w.Header().Set(k, v)
-	}
-}

internal/authn/response.go

@@ -0,0 +1,18 @@
+package authn
+
+import (
+	"io"
+	"net/http"
+)
+
+type WithResponseHeaders interface {
+	ResponseHeaders() http.Header
+}
+
+type WithResponseStatus interface {
+	ResponseStatus() int
+}
+
+type ResponseBodyWriter interface {
+	WriteResponse(w io.Writer)
+}

internal/authn/token/token.go

@@ -12,7 +12,7 @@ type TokenExtractorFunc func(r *http.Request) string
 
 type TokenExtractor struct {
 	fns     []TokenExtractorFunc
-	headers map[string]string
+	headers http.Header
 }
 
 // Authenticate implements Provider.
@@ -35,7 +35,7 @@ func WithExtractorFuncs(fns ...TokenExtractorFunc) ExtractorOption {
 	}
 }
 
-func WithErrorHeaders(headers map[string]string) ExtractorOption {
+func WithErrorHeaders(headers http.Header) ExtractorOption {
 	return func(te *TokenExtractor) {
 		te.headers = headers
 	}

internal/db/organization.go

@@ -58,7 +58,7 @@ func UpdateOrganization(ctx context.Context, org *types.Organization) error {
 	}
 }
 
-func GetOrganizationsForUser(ctx context.Context, userID uuid.UUID) ([]*types.OrganizationWithUserRole, error) {
+func GetOrganizationsForUser(ctx context.Context, userID uuid.UUID) ([]types.OrganizationWithUserRole, error) {
 	db := internalctx.GetDb(ctx)
 	rows, err := db.Query(ctx, `
 		SELECT`+organizationOutputExpr+`, j.user_role
@@ -70,7 +70,7 @@ func GetOrganizationsForUser(ctx context.Context, userID uuid.UUID) ([]*types.Or
 	if err != nil {
 		return nil, err
 	}
-	result, err := pgx.CollectRows(rows, pgx.RowToAddrOfStructByName[types.OrganizationWithUserRole])
+	result, err := pgx.CollectRows(rows, pgx.RowToStructByName[types.OrganizationWithUserRole])
 	if err != nil {
 		return nil, err
 	} else {

internal/handlers/auth.go

@@ -71,7 +71,7 @@ func authLoginHandler(w http.ResponseWriter, r *http.Request) {
 		}
 		org := orgs[0]
 
-		if _, tokenString, err := authjwt.GenerateDefaultToken(*user, *org); err != nil {
+		if _, tokenString, err := authjwt.GenerateDefaultToken(*user, org); err != nil {
 			return fmt.Errorf("token creation failed: %w", err)
 		} else if err = db.UpdateUserAccountLastLoggedIn(ctx, user.ID); err != nil {
 			return err