Merge pull request linuxfoundation#17 from mauriciozanettisalomao/feat/lfxv2-475-jwt-auth-refactoring

[LFXV2-475] Refactor JWT authentication for consistency with other services

Author: mauriciozanettisalomao

README.md

@@ -20,7 +20,7 @@ The implementation follows the clean architecture principles where:
 ├── design/                         # GOA design specification files
 ├── gen/                            # GOA generated code (HTTP server, client, OpenAPI)
 ├── cmd/                            # Services (main packages)
-│   └── query_svc/                  # Query service implementation
+│   └── service/                    # Service implementation
 ├── internal/                       # Internal service packages
 │   ├── domain/                     # Domain logic layer
 │   │   ├── model/                  # Domain models and entities
@@ -45,7 +45,9 @@ The implementation follows the clean architecture principles where:
 #### Ports (`internal/domain/port/`)
 
 - **ResourceSearcher Interface**: Defines the contract for resource search operations
+- **OrganizationSearcher Interface**: Defines the contract for organization search operations  
 - **AccessControlChecker Interface**: Defines the contract for access control operations
+- **Authenticator Interface**: Defines the contract for authentication operations
 
 ### Service Layer (`internal/service/`)
 
@@ -54,6 +56,26 @@ The implementation follows the clean architecture principles where:
 
 ### Infrastructure Layer (`internal/infrastructure/`)
 
+#### Authentication Implementation
+
+The authentication system provides JWT-based authentication with support for Heimdall tokens:
+
+- **JWT Authentication (`internal/infrastructure/auth/jwt.go`)**:
+  - Validates JWT tokens using JWKS (JSON Web Key Set)
+  - Extracts custom claims including principal and email
+  - Supports PS256 signature algorithm (default for Heimdall)
+  - Configurable JWKS URL and audience
+
+- **Mock Authentication (`internal/infrastructure/mock/auth.go`)**:
+  - Uses environment variable for mock principal
+  - Bypasses JWT validation for local development
+
+**Authentication Configuration:**
+- `AUTH_SOURCE`: Choose between "mock" or "jwt" (default: "jwt")
+- `JWKS_URL`: JSON Web Key Set endpoint URL
+- `JWT_AUDIENCE`: Intended audience for JWT tokens
+- `JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL`: Mock principal for development
+
 #### OpenSearch Implementation
 
 The OpenSearch implementation includes query templates, a searcher, and a client for interacting with the OpenSearch cluster.
@@ -162,6 +184,13 @@ go run cmd/main.go
 - `CLEARBIT_MAX_RETRIES`: Maximum number of retry attempts for failed requests (default: "3")
 - `CLEARBIT_RETRY_DELAY`: Delay between retry attempts (default: "1s")
 
+**Authentication Configuration:**
+
+- `AUTH_SOURCE`: Choose between "mock" or "jwt" 
+- `JWKS_URL`: JSON Web Key Set endpoint URL
+- `JWT_AUDIENCE`: Intended audience for JWT tokens 
+- `JWT_AUTH_DISABLED_MOCK_LOCAL_PRINCIPAL`: Mock principal for development (required when AUTH_SOURCE=mock)
+
 **Server Configuration:**
 
 - `-p`: HTTP port (default: "8080")
@@ -170,10 +199,13 @@ go run cmd/main.go
 
 ### API Usage
 
-The service exposes a RESTful API through the Goa framework:
+The service exposes a RESTful API through the Goa framework with JWT authentication:
+
+#### Resource Search API
 
 ```
 GET /query/resources?name=committee&type=committee&v=1
+Authorization: Bearer <jwt_token>
 ```
 
 **Parameters:**
@@ -206,6 +238,59 @@ GET /query/resources?name=committee&type=committee&v=1
 }
 ```
 
+#### Organization Search API
+
+**Query Organizations:**
+
+```
+GET /query/orgs?name=Linux Foundation&domain=linuxfoundation.org&v=1
+Authorization: Bearer <jwt_token>
+```
+
+**Parameters:**
+
+- `name`: Organization name (optional)
+- `domain`: Organization domain or website URL (optional)
+- `v`: API version (required)
+
+**Response:**
+
+```json
+{
+  "name": "Linux Foundation",
+  "domain": "linuxfoundation.org",
+  "industry": "Non-Profit",
+  "sector": "Technology",
+  "employees": "100-499"
+}
+```
+
+**Organization Suggestions API:**
+
+```
+GET /query/orgs/suggest?query=linux&v=1
+Authorization: Bearer <jwt_token>
+```
+
+**Parameters:**
+
+- `query`: Search query for organization suggestions (required, minimum 1 character)
+- `v`: API version (required)
+
+**Response:**
+
+```json
+{
+  "suggestions": [
+    {
+      "name": "Linux Foundation",
+      "domain": "linuxfoundation.org",
+      "logo": "https://example.com/logo.png"
+    }
+  ]
+}
+```
+
 ## Clearbit API Integration
 
 The service integrates with Clearbit's Company API to provide enriched organization data for search operations. This integration allows the service to fetch detailed company information including industry classification, employee count, and domain information.

charts/lfx-v2-query-service/Chart.yaml

@@ -5,5 +5,5 @@ apiVersion: v2
 name: lfx-v2-query-service
 description: LFX Platform V2 Query Service chart
 type: application
-version: 0.4.1
+version: 0.4.2
 appVersion: "latest"

charts/lfx-v2-query-service/values.yaml

@@ -28,7 +28,9 @@ app:
         secretKeyRef:
           name: lfx-v2-query-service-secrets
           key: PAGE_TOKEN_SECRET
-    # CLEARBIT_CREDENTIAL is optional
+    ## In case of clearbit, the value is required to be set.
+    ## Optionally, it's possible to use a mock implementation.
+    ## In case of mock, please set the ORG_SEARCH_SOURCE to mock.
     CLEARBIT_CREDENTIAL:
       value: null
 

cmd/main.go

@@ -58,13 +58,14 @@ func main() {
 	resourceSearcher := service.SearcherImpl(ctx)
 	accessControlChecker := service.AccessControlCheckerImpl(ctx)
 	organizationSearcher := service.OrganizationSearcherImpl(ctx)
+	authService := service.AuthServiceImpl(ctx)
 
 	// Initialize the services.
 	var (
 		querySvcSvc querysvc.Service
 	)
 	{
-		querySvcSvc = service.NewQuerySvc(resourceSearcher, accessControlChecker, organizationSearcher)
+		querySvcSvc = service.NewQuerySvc(resourceSearcher, accessControlChecker, organizationSearcher, authService)
 	}
 
 	// Wrap the services in endpoints that can be invoked from other services
@@ -87,9 +88,6 @@ func main() {
 	var wg sync.WaitGroup
 	ctx, cancel := context.WithCancel(ctx)
 
-	// Setup the JWT authentication which validates and parses the JWT token.
-	service.SetupJWTAuth(ctx)
-
 	// Start the servers and send errors (if any) to the error channel.
 	addr := ":" + *port
 	if *bind != "*" {

cmd/service/providers.go

@@ -12,12 +12,45 @@ import (
 	"time"
 
 	"github.com/linuxfoundation/lfx-v2-query-service/internal/domain/port"
+	"github.com/linuxfoundation/lfx-v2-query-service/internal/infrastructure/auth"
 	"github.com/linuxfoundation/lfx-v2-query-service/internal/infrastructure/clearbit"
 	"github.com/linuxfoundation/lfx-v2-query-service/internal/infrastructure/mock"
 	"github.com/linuxfoundation/lfx-v2-query-service/internal/infrastructure/nats"
 	"github.com/linuxfoundation/lfx-v2-query-service/internal/infrastructure/opensearch"
 )
 
+// AuthServiceImpl initializes the authentication service implementation
+func AuthServiceImpl(ctx context.Context) port.Authenticator {
+	var authService port.Authenticator
+
+	// Repository implementation configuration
+	authSource := os.Getenv("AUTH_SOURCE")
+	if authSource == "" {
+		authSource = "jwt"
+	}
+
+	switch authSource {
+	case "mock":
+		slog.InfoContext(ctx, "initializing mock authentication service")
+		authService = mock.NewMockAuthService()
+	case "jwt":
+		slog.InfoContext(ctx, "initializing JWT authentication service")
+		jwtConfig := auth.JWTAuthConfig{
+			JWKSURL:  os.Getenv("JWKS_URL"),
+			Audience: os.Getenv("JWT_AUDIENCE"),
+		}
+		jwtAuth, err := auth.NewJWTAuth(jwtConfig)
+		if err != nil {
+			log.Fatalf("failed to initialize JWT authentication service: %v", err)
+		}
+		authService = jwtAuth
+	default:
+		log.Fatalf("unsupported authentication service implementation: %s", authSource)
+	}
+
+	return authService
+}
+
 // SearcherImpl injects the resource searcher implementation
 func SearcherImpl(ctx context.Context) port.ResourceSearcher {
 

cmd/service/service.go

@@ -20,16 +20,17 @@ import (
 type querySvcsrvc struct {
 	resourceService     service.ResourceSearcher
 	organizationService service.OrganizationSearcher
+	auth                port.Authenticator
 }
 
 // JWTAuth implements the authorization logic for service "query-svc" for the
 // "jwt" security scheme.
 func (s *querySvcsrvc) JWTAuth(ctx context.Context, token string, scheme *security.JWTScheme) (context.Context, error) {
 
 	// Parse the Heimdall-authorized principal from the token.
-	principal, err := ParsePrincipal(ctx, token)
+	principal, err := s.auth.ParsePrincipal(ctx, token, slog.Default())
 	if err != nil {
-		return ctx, err
+		return ctx, wrapError(ctx, err)
 	}
 
 	// Log the principal for debugging purposes in all logs for this request.
@@ -132,11 +133,13 @@ func (s *querySvcsrvc) Livez(ctx context.Context) (res []byte, err error) {
 func NewQuerySvc(resourceSearcher port.ResourceSearcher,
 	accessControlChecker port.AccessControlChecker,
 	organizationSearcher port.OrganizationSearcher,
+	auth port.Authenticator,
 ) querysvc.Service {
 	resourceService := service.NewResourceSearch(resourceSearcher, accessControlChecker)
 	organizationService := service.NewOrganizationSearch(organizationSearcher)
 	return &querySvcsrvc{
 		resourceService:     resourceService,
 		organizationService: organizationService,
+		auth:                auth,
 	}
 }

internal/domain/port/auth.go

@@ -0,0 +1,15 @@
+// Copyright The Linux Foundation and each contributor to LFX.
+// SPDX-License-Identifier: MIT
+
+package port
+
+import (
+	"context"
+	"log/slog"
+)
+
+// Authenticator defines the interface for authentication operations
+type Authenticator interface {
+	// ParsePrincipal parses and validates a JWT token, returning the principal
+	ParsePrincipal(ctx context.Context, token string, logger *slog.Logger) (string, error)
+}