Added basic authentication to reconfigure request (closes #61)

Author: vfarcic

README.md

@@ -84,6 +84,7 @@ The following query arguments can be used to send as a *reconfigure* request to
 |serviceName  |The name of the service. It must match the name stored in Consul.               |Yes     |       |go-demo      |
 |servicePath  |The URL path of the service. Multiple values should be separated by a comma (,).|Yes (unless consulTemplatePath is present)||/api/v1/books|
 |skipCheck    |Whether to skip adding proxy checks. This option is used only in the *default* mode.|No      |false  |true         |
+|users        |A comma-separated list of credentials(<user>:<pass>) for HTTP basic auth, which applies only to the service that will be reconfigured.|No||user1:pass1,user2:pass2|
 
 ### Remove
 

TODO.md

@@ -1,29 +1,16 @@
 # TODO
 
-## Certs
+## Authentication
 
-* Remove cert API (file and name)
-* Load existing certs from labels on init
-* Fix TODOs
-* Document
+[X] Make global authentication from env variables
+[X] Add per-service authentication
+[X] Propagate users from reconfigure server request
+[X] Add integration tests
+[ ] Test manually
+[X] Update README with env. var. *USERS*
+[X] Update README with reconfigure param *users*
+[ ] Update README with an article about authentication with the proxy and the listener
 
-  * API: PUT /v1/docker-flow-proxy/cert
+## Videos
 
-
-```bash
-curl -i -XPUT \
-    -d 'Content of my certificate PEM file' \
-    $(docker-machine ip docker-flow-proxy-tests):8080/v1/docker-flow-proxy/cert?certName=viktor.pem
-```
-
-## ACL Ordering
-
-[X] Use ACL instead service name with templates
-[X] Save templates as ACL names
-[X] Load ACL templates in alphabetic order
-[X] Use ACL name to remove a template
-[ ] Confirm that server invokes reconfigure and remove with AclName param
-
-## Content
-
-* https://www.youtube.com/watch?v=oP0_H_UkkGA
+[ ] Wilde: https://www.youtube.com/watch?v=oP0_H_UkkGA

docker-compose-test.yml

@@ -15,6 +15,9 @@ services:
     environment:
       - CONSUL_ADDRESS=${HOST_IP}:8500
       - PROXY_INSTANCE_NAME=proxy-test-instance
+      - USERS=user1:pass1,user2:pass2
+      - STATS_USER=stats
+      - STATS_PASS=pass
     ports:
       - 80:80
       - 443:443

integration_tests/integration_test.go

@@ -88,6 +88,83 @@ func (s IntegrationTestSuite) Test_Reconfigure_MultiplePaths() {
 	s.verifyReconfigure(2)
 }
 
+func (s IntegrationTestSuite) Test_Global_Auth() {
+	s.reconfigure("", "", "", "/v1/test")
+
+	// Returns status 401 if no auth is provided
+
+	testAddr := fmt.Sprintf("http://%s/v1/test", os.Getenv("DOCKER_IP"))
+	log.Printf(">> Sending verify request to %s", testAddr)
+	client := &http.Client{}
+	request, _ := http.NewRequest("GET", testAddr, nil)
+	resp, err := client.Do(request)
+
+	s.NoError(err)
+	s.Equal(401, resp.StatusCode)
+
+	// Returns status 200 if auth is provided
+
+	request.SetBasicAuth("user1", "pass1")
+	resp, err = client.Do(request)
+
+	s.NoError(err)
+	s.Equal(200, resp.StatusCode)
+}
+
+func (s IntegrationTestSuite) Test_Reconfigure_Auth() {
+	var address string
+	address = fmt.Sprintf(
+		"http://%s:8080/v1/docker-flow-proxy/reconfigure?serviceName=%s&servicePath=%s&users=%s",
+		os.Getenv("DOCKER_IP"),
+		s.serviceName,
+		"/v1/test",
+		"serv-user-1:serv-pass-1",
+	)
+	log.Printf(">> Sending reconfigure request to %s", address)
+	_, err := http.Get(address)
+	s.NoError(err)
+
+	// Returns status 401 if no auth is provided
+
+	testAddr := fmt.Sprintf("http://%s/v1/test", os.Getenv("DOCKER_IP"))
+	log.Printf(">> Sending verify request to %s", testAddr)
+	client := &http.Client{}
+	request, _ := http.NewRequest("GET", testAddr, nil)
+	resp, err := client.Do(request)
+
+	s.NoError(err)
+	s.Equal(401, resp.StatusCode)
+
+	// Returns status 200 if auth is provided
+
+	request.SetBasicAuth("serv-user-1", "serv-pass-1")
+	resp, err = client.Do(request)
+
+	s.NoError(err)
+	s.Equal(200, resp.StatusCode)
+}
+
+func (s IntegrationTestSuite) Test_Stats_Auth() {
+	// Returns status 401 if no auth is provided
+
+	testAddr := fmt.Sprintf("http://%s/admin?stats", os.Getenv("DOCKER_IP"))
+	log.Printf(">> Sending verify request to %s", testAddr)
+	client := &http.Client{}
+	request, _ := http.NewRequest("GET", testAddr, nil)
+	resp, err := client.Do(request)
+
+	s.NoError(err)
+	s.Equal(401, resp.StatusCode)
+
+	// Returns status 200 if auth is provided
+
+	request.SetBasicAuth("stats", "pass")
+	resp, err = client.Do(request)
+
+	s.NoError(err)
+	s.Equal(200, resp.StatusCode)
+}
+
 func (s IntegrationTestSuite) Test_Remove() {
 	aclName := "my-acl"
 	// curl "http://$(docker-machine tests):8080/v1/docker-flow-proxy/reconfigure?serviceName=test-service&servicePath=%s&aclName=%s"
@@ -216,7 +293,10 @@ func (s IntegrationTestSuite) Test_Certs() {
 func (s IntegrationTestSuite) verifyReconfigure(version int) {
 	address := fmt.Sprintf("http://%s/v%d/test", os.Getenv("DOCKER_IP"), version)
 	log.Printf(">> Sending verify request to %s", address)
-	resp, err := http.Get(address)
+	client := &http.Client{}
+	request, _ := http.NewRequest("GET", address, nil)
+	request.SetBasicAuth("user1", "pass1")
+	resp, err := client.Do(request)
 
 	s.NoError(err)
 	s.Equal(200, resp.StatusCode)
@@ -246,6 +326,17 @@ func (s IntegrationTestSuite) reconfigure(pathType, consulTemplateFePath, consul
 	s.NoError(err)
 }
 
+func (s IntegrationTestSuite) printConf() {
+	configAddr := fmt.Sprintf(
+		"http://%s:8080/v1/docker-flow-proxy/config",
+		os.Getenv("DOCKER_IP"),
+	)
+	resp, _ := http.Get(configAddr)
+	defer resp.Body.Close()
+	body, _ := ioutil.ReadAll(resp.Body)
+	println(string(body))
+}
+
 // Suite
 
 func TestGeneralIntegrationTestSuite(t *testing.T) {

reconfigure.go

@@ -32,6 +32,11 @@ type Reconfigure struct {
 	ServiceReconfigure
 }
 
+type User struct {
+	Username string
+	Password string
+}
+
 type ServiceReconfigure struct {
 	ServiceName          string   `short:"s" long:"service-name" required:"true" description:"The name of the service that should be reconfigured (e.g. my-service)."`
 	ServiceColor         string   `short:"C" long:"service-color" description:"The color of the service release in case blue-green deployment is performed (e.g. blue)."`
@@ -47,6 +52,7 @@ type ServiceReconfigure struct {
 	Acl                  string
 	AclName              string
 	AclCondition         string
+	Users                []User
 	FullServiceName      string
 	Distribute           bool
 	LookupRetry          int
@@ -303,7 +309,14 @@ func (m *Reconfigure) getTemplateFromGo(sr ServiceReconfigure) (frontend, backen
 	srcFront := `
     acl url_{{.ServiceName}}{{range .ServicePath}} {{$.PathType}} {{.}}{{end}}{{.Acl}}
     use_backend {{.AclName}}-be if url_{{.ServiceName}}{{.AclCondition}}`
-	srcBack := `backend {{.AclName}}-be
+	srcBack := ""
+	if len(sr.Users) > 0 {
+		srcBack += `userlist {{.ServiceName}}Users{{range .Users}}
+    user {{.Username}} insecure-password {{.Password}}{{end}}
+
+`
+	}
+	srcBack += `backend {{.AclName}}-be
     mode http`
 	if strings.EqualFold(sr.Mode, "service") || strings.EqualFold(sr.Mode, "swarm") {
 		srcBack += `
@@ -314,7 +327,11 @@ func (m *Reconfigure) getTemplateFromGo(sr ServiceReconfigure) (frontend, backen
     server {{"{{$e.Node}}_{{$i}}_{{$e.Port}} {{$e.Address}}:{{$e.Port}}"}}{{if eq .SkipCheck false}} check{{end}}
     {{"{{end}}"}}`
 	}
-	if len(os.Getenv("USERS")) > 0 {
+	if len(sr.Users) > 0 {
+		srcBack += `
+    acl {{.ServiceName}}UsersAcl http_auth({{.ServiceName}}Users)
+    http-request auth realm {{.ServiceName}}Realm if !{{.ServiceName}}UsersAcl`
+	} else 	if len(os.Getenv("USERS")) > 0 {
 		srcBack += `
     acl defaultUsersAcl http_auth(defaultUsers)
     http-request auth realm defaultRealm if !defaultUsersAcl`

reconfigure_test.go

@@ -90,6 +90,28 @@ func (s ReconfigureTestSuite) Test_GetTemplate_AddsHttpAuth_WhenUsersEnvIsPresen
 	s.Equal(expected, back)
 }
 
+func (s ReconfigureTestSuite) Test_GetTemplate_AddsHttpAuth_WhenUsersIsPresent() {
+	s.reconfigure.Users = []User{
+		{ Username: "user-1", Password: "pass-1" },
+		{ Username: "user-2", Password: "pass-2" },
+	}
+	expected := `userlist myServiceUsers
+    user user-1 insecure-password pass-1
+    user user-2 insecure-password pass-2
+
+backend myService-be
+    mode http
+    {{range $i, $e := service "myService" "any"}}
+    server {{$e.Node}}_{{$i}}_{{$e.Port}} {{$e.Address}}:{{$e.Port}} check
+    {{end}}
+    acl myServiceUsersAcl http_auth(myServiceUsers)
+    http-request auth realm myServiceRealm if !myServiceUsersAcl`
+
+	_, back, _ := s.reconfigure.GetTemplates(s.reconfigure.ServiceReconfigure)
+
+	s.Equal(expected, back)
+}
+
 func (s ReconfigureTestSuite) Test_GetTemplate_ReturnsFormattedContent_WhenModeIsSwarm() {
 	modes := []string{"service", "sWARm"}
 	for _, mode := range modes {
@@ -122,6 +144,28 @@ func (s ReconfigureTestSuite) Test_GetTemplate_AddsHttpAuth_WhenModeIsSwarmAndUs
 	s.Equal(expected, actual)
 }
 
+func (s ReconfigureTestSuite) Test_GetTemplate_AddsHttpAuth_WhenModeIsSwarmAndUsersIsPresent() {
+	s.reconfigure.Users = []User{
+		{ Username: "user-1", Password: "pass-1" },
+		{ Username: "user-2", Password: "pass-2" },
+	}
+	s.reconfigure.ServiceReconfigure.Mode = "swarm"
+	s.reconfigure.ServiceReconfigure.Port = "1234"
+	expected := `userlist myServiceUsers
+    user user-1 insecure-password pass-1
+    user user-2 insecure-password pass-2
+
+backend myService-be
+    mode http
+    server myService myService:1234
+    acl myServiceUsersAcl http_auth(myServiceUsers)
+    http-request auth realm myServiceRealm if !myServiceUsersAcl`
+
+	_, actual, _ := s.reconfigure.GetTemplates(s.reconfigure.ServiceReconfigure)
+
+	s.Equal(expected, actual)
+}
+
 func (s ReconfigureTestSuite) Test_GetTemplate_AddsHost() {
 	s.ConsulTemplateFe = `
     acl url_myService path_beg path/to/my/service/api path_beg path/to/my/other/service/api

server.go

@@ -47,6 +47,7 @@ type Response struct {
 	Mode                 string
 	Port                 string
 	Distribute           bool
+	Users                []User
 }
 
 func (m *Serve) Execute(args []string) error {
@@ -140,6 +141,13 @@ func (m *Serve) reconfigure(w http.ResponseWriter, req *http.Request) {
 	if len(req.URL.Query().Get("distribute")) > 0 {
 		sr.Distribute, _ = strconv.ParseBool(req.URL.Query().Get("distribute"))
 	}
+	if len(req.URL.Query().Get("users")) > 0 {
+		users := strings.Split(req.URL.Query().Get("users"), ",")
+		for _, user := range users {
+			userPass := strings.Split(user, ":")
+			sr.Users = append(sr.Users, User{Username: userPass[0], Password: userPass[1]})
+		}
+	}
 	response := Response{
 		Status:               "OK",
 		ServiceName:          sr.ServiceName,
@@ -154,6 +162,7 @@ func (m *Serve) reconfigure(w http.ResponseWriter, req *http.Request) {
 		Mode:                 sr.Mode,
 		Port:                 sr.Port,
 		Distribute:           sr.Distribute,
+		Users:                sr.Users,
 	}
 	if m.isValidReconf(sr.ServiceName, sr.ServicePath, sr.ConsulTemplateFePath) {
 		if (strings.EqualFold("service", m.Mode) || strings.EqualFold("swarm", m.Mode)) && len(sr.Port) == 0 {

server_test.go

@@ -415,6 +415,27 @@ func (s *ServerTestSuite) Test_ServeHTTP_ReturnsJsonWithPathType_WhenPresent() {
 	s.ResponseWriter.AssertCalled(s.T(), "Write", []byte(expected))
 }
 
+func (s *ServerTestSuite) Test_ServeHTTP_ReturnsJsonWithUsers_WhenPresent() {
+	users := []User {
+		{ Username: "user1", Password: "pass1" },
+		{ Username: "user2", Password: "pass2" },
+	}
+	req, _ := http.NewRequest("GET", s.ReconfigureUrl+"&users=user1:pass1,user2:pass2", nil)
+	expected, _ := json.Marshal(Response{
+		Status:        "OK",
+		ServiceName:   s.ServiceName,
+		ServiceColor:  s.ServiceColor,
+		ServicePath:   s.ServicePath,
+		ServiceDomain: s.ServiceDomain,
+		Users:         users,
+	})
+
+	srv := Serve{}
+	srv.ServeHTTP(s.ResponseWriter, req)
+
+	s.ResponseWriter.AssertCalled(s.T(), "Write", []byte(expected))
+}
+
 func (s *ServerTestSuite) Test_ServeHTTP_ReturnsJsonWithPort_WhenPresent() {
 	port := "1234"
 	mode := "swaRM"