Merge branch 'main' into authz

flipt-io · May 27, 2024 · 762da37 · 762da37
2 parents a859ef9 + bfd36c1
commit 762da37
Show file tree

Hide file tree

Showing 28 changed files with 578 additions and 74 deletions.
diff --git a/.all-contributorsrc b/.all-contributorsrc
@@ -402,6 +402,15 @@
       "contributions": [
         "code"
       ]
+    },
+    {
+      "login": "vk-rv",
+      "name": "Oleg",
+      "avatar_url": "https://avatars.githubusercontent.com/u/77097900?v=4",
+      "profile": "https://github.com/vk-rv",
+      "contributions": [
+        "code"
+      ]
     }
   ],
   "contributorsPerLine": 7,

diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -57,6 +57,7 @@ jobs:
             "api/mysql",
             "api/cockroach",
             "api/cache",
+            "api/cachetls",
             "fs/git",
             "fs/local",
             "fs/s3",

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -41,7 +41,7 @@ jobs:
         run: mage dagger:run "test:unit"
 
       - name: Upload Coverage
-        uses: codecov/[email protected].0
+        uses: codecov/[email protected].1
 
   test-darwin:
     name: "Tests (Go - Darwin)"

diff --git a/README.md b/README.md
@@ -391,6 +391,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
     <tr>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/tegorov"><img src="https://avatars.githubusercontent.com/u/42921436?v=4?s=100" width="100px;" alt="Taras Egorov"/><br /><sub><b>Taras Egorov</b></sub></a><br /><a href="https://github.com/flipt-io/flipt/commits?author=tegorov" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://about.me/elliotpahl"><img src="https://avatars.githubusercontent.com/u/113981?v=4?s=100" width="100px;" alt="Elliot Pahl"/><br /><sub><b>Elliot Pahl</b></sub></a><br /><a href="https://github.com/flipt-io/flipt/commits?author=halcyonCorsair" title="Code">💻</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/vk-rv"><img src="https://avatars.githubusercontent.com/u/77097900?v=4?s=100" width="100px;" alt="Oleg"/><br /><sub><b>Oleg</b></sub></a><br /><a href="https://github.com/flipt-io/flipt/commits?author=vk-rv" title="Code">💻</a></td>
     </tr>
   </tbody>
 </table>

diff --git a/build/testing/integration.go b/build/testing/integration.go
@@ -57,6 +57,7 @@ var (
 		"api/mysql":     withMySQL(api),
 		"api/cockroach": withCockroach(api),
 		"api/cache":     cache,
+		"api/cachetls":  cacheWithTLS,
 		"fs/git":        git,
 		"fs/local":      local,
 		"fs/s3":         s3,
@@ -338,6 +339,62 @@ func cache(ctx context.Context, _ *dagger.Client, base, flipt *dagger.Container,
 	return suite(ctx, "api", base, flipt.WithExec(nil), conf)
 }
 
+func cacheWithTLS(ctx context.Context, client *dagger.Client, base, flipt *dagger.Container, conf testConfig) func() error {
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return func() error { return err }
+	}
+	template := &x509.Certificate{
+		SerialNumber: serialNumber,
+		IsCA:         true,
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(time.Hour),
+		DNSNames:     []string{"redis"},
+	}
+
+	key, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return func() error { return err }
+	}
+	bytes, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
+		return func() error { return err }
+	}
+	crtBytes := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: bytes,
+	})
+
+	keyBytes := pem.EncodeToMemory(&pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(key),
+	})
+
+	redis := client.Container().
+		From("redis:alpine").
+		WithExposedPort(6379).
+		WithNewFile("/opt/tls/key", dagger.ContainerWithNewFileOpts{Contents: string(keyBytes)}).
+		WithNewFile("/opt/tls/crt", dagger.ContainerWithNewFileOpts{Contents: string(crtBytes)}).
+		WithExec([]string{
+			"redis-server", "--tls-port", "6379", "--port", "0",
+			"--tls-key-file", "/opt/tls/key", "--tls-cert-file",
+			"/opt/tls/crt", "--tls-ca-cert-file", "/opt/tls/crt",
+			"--tls-auth-clients", "no"}).
+		AsService()
+
+	flipt = flipt.
+		WithEnvVariable("FLIPT_LOG_LEVEL", "DEBUG").
+		WithEnvVariable("FLIPT_CACHE_ENABLED", "true").
+		WithEnvVariable("FLIPT_CACHE_BACKEND", "redis").
+		WithEnvVariable("FLIPT_CACHE_REDIS_REQUIRE_TLS", "true").
+		WithEnvVariable("FLIPT_CACHE_REDIS_HOST", "redis").
+		WithEnvVariable("FLIPT_CACHE_REDIS_CA_CERT_PATH", "/opt/tls/crt").
+		WithNewFile("/opt/tls/crt", dagger.ContainerWithNewFileOpts{Contents: string(crtBytes)}).
+		WithServiceBinding("redis", redis)
+	return suite(ctx, "api", base, flipt.WithExec(nil), conf)
+}
+
 const (
 	rootTestdataDir           = "build/testing/integration/readonly/testdata"
 	singleRevisionTestdataDir = rootTestdataDir + "/main"

diff --git a/cmd/flipt/cloud.go b/cmd/flipt/cloud.go
@@ -196,7 +196,7 @@ func (c *cloudCommand) serve(cmd *cobra.Command, args []string) error {
 	f, err := os.ReadFile(cloudAuthFile)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
-			fmt.Println("No cloud authentication token found. Please run 'flipt cloud login' to authenticate with Flipt Cloud.")
+			fmt.Println("\n✗ No cloud authentication token found. Please run 'flipt cloud login' to authenticate.")
 			return nil
 		}
 
@@ -221,6 +221,11 @@ func (c *cloudCommand) serve(cmd *cobra.Command, args []string) error {
 
 	parsed, err := jwt.Parse(auth.Token, k.Keyfunc, jwt.WithExpirationRequired())
 	if err != nil {
+		if errors.Is(err, jwt.ErrTokenExpired) {
+			fmt.Println("✗ Existing cloud authentication token expired. Please run 'flipt cloud login' to re-authenticate.")
+			return nil
+		}
+
 		return fmt.Errorf("parsing JWT: %w", err)
 	}
 
@@ -364,6 +369,7 @@ func (c *cloudCommand) serve(cmd *cobra.Command, args []string) error {
 	cfg.Cloud.Host = u.Hostname()
 	cfg.Cloud.Instance = instance.Instance
 	cfg.Cloud.Organization = instance.Organization
+	cfg.Cloud.Authentication.ApiKey = "" // clear API key if present to use JWT
 	cfg.Server.Cloud.Enabled = true
 	cfg.Authentication.Session.Domain = u.Host
 

diff --git a/cmd/flipt/main.go b/cmd/flipt/main.go
@@ -257,6 +257,15 @@ func buildConfig(ctx context.Context) (*zap.Logger, *config.Config, error) {
 	return logger, cfg, nil
 }
 
+const (
+	dntVar = "DO_NOT_TRACK"
+	ciVar  = "CI"
+)
+
+func isSet(env string) bool {
+	return os.Getenv(env) == "true" || os.Getenv(env) == "1"
+}
+
 func run(ctx context.Context, logger *zap.Logger, cfg *config.Config) error {
 	isConsole := cfg.Log.Encoding == config.LogEncodingConsole
 
@@ -298,12 +307,12 @@ func run(ctx context.Context, logger *zap.Logger, cfg *config.Config) error {
 	}
 
 	// see: https://consoledonottrack.com/
-	if (os.Getenv("DO_NOT_TRACK") == "true" || os.Getenv("DO_NOT_TRACK") == "1") && cfg.Meta.TelemetryEnabled {
+	if isSet(dntVar) && cfg.Meta.TelemetryEnabled {
 		logger.Debug("DO_NOT_TRACK environment variable set, disabling telemetry")
 		cfg.Meta.TelemetryEnabled = false
 	}
 
-	if (os.Getenv("CI") == "true" || os.Getenv("CI") == "1") && cfg.Meta.TelemetryEnabled {
+	if isSet(ciVar) && cfg.Meta.TelemetryEnabled {
 		logger.Debug("CI detected, disabling telemetry")
 		cfg.Meta.TelemetryEnabled = false
 	}

diff --git a/config/flipt.schema.cue b/config/flipt.schema.cue
@@ -146,6 +146,9 @@ import "strings"
 			min_idle_conn?:      int | *0
 			conn_max_idle_time?: =~#duration | int | *0
 			net_timeout?:        =~#duration | int | *0
+			ca_cert_path?:       string
+			ca_cert_bytes?:      string
+			insecure_skip_tls?:  bool | *false
 		}
 
 		memory?: {
@@ -190,6 +193,7 @@ import "strings"
 		local?: path: string | *"."
 		git?: {
 			repository:         string
+			backend?:           *"memory" | "local"
 			ref?:               string | *"main"
 			ref_type?:          *"static" | "semver"
 			directory?:         string

diff --git a/config/flipt.schema.json b/config/flipt.schema.json
@@ -441,6 +441,16 @@
                 }
               ],
               "default": 0
+            },
+            "ca_cert_path": {
+              "type": "string"
+            },
+            "ca_cert_bytes": {
+              "type": "string"
+            },
+            "insecure_skip_tls": {
+              "type": "boolean",
+              "default": "false"
             }
           },
           "required": [],
@@ -641,6 +651,11 @@
             "repository": {
               "type": "string"
             },
+            "backend": {
+              "type": "string",
+              "enum": ["memory", "local"],
+              "default": "local"
+            },
             "ref": {
               "type": "string",
               "default": "main"

diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/XSAM/otelsql v0.31.0
 	github.com/aws/aws-sdk-go-v2/config v1.27.11
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.5
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.8
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.53.1
 	github.com/blang/semver/v4 v4.0.0
 	github.com/cenkalti/backoff/v4 v4.3.0
@@ -129,13 +129,13 @@ require (
 	github.com/andybalholm/brotli v1.1.0 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 // indirect
 	github.com/aws/aws-sdk-go v1.50.36 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect

diff --git a/go.sum b/go.sum
@@ -83,8 +83,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.50.36 h1:PjWXHwZPuTLMR1NIb8nEjLucZBMzmf84TLoLbD8BZqk=
 github.com/aws/aws-sdk-go v1.50.36/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
-github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
+github.com/aws/aws-sdk-go-v2 v1.27.0 h1:7bZWKoXhzI+mMR/HjdMx8ZCC5+6fY0lS5tr0bbgiLlo=
+github.com/aws/aws-sdk-go-v2 v1.27.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
 github.com/aws/aws-sdk-go-v2/config v1.27.11 h1:f47rANd2LQEYHda2ddSCKYId18/8BhSRM4BULGmfgNA=
@@ -95,18 +95,18 @@ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYh
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.9 h1:vXY/Hq1XdxHBIYgBUmug/AbMyIe1AKulPYS2/VE1X70=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.9/go.mod h1:GyJJTZoHVuENM4TeJEl5Ffs4W9m19u+4wKJcDi/GZ4A=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 h1:lf/8VTF2cM+N4SLzaYJERKEWAXq8MOMpZfU6wEPWsPk=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7/go.mod h1:4SjkU7QiqK2M9oozyMzfZ/23LmUY+h3oFqhdeP5OMiI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 h1:4OYVp0705xu8yjdyoWix0r9wPIRXnIzzOoUpQVHIJ/g=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7/go.mod h1:vd7ESTEvI76T2Na050gODNmNU7+OyKrIKroYTu4ABiI=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 h1:Qr9W21mzWT3RhfYn9iAux7CeRIdbnTAqmiOlASqQgZI=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4/go.mod h1:if7ybzzjOmDB8pat9FE35AHTY6ZxlYSy3YviSmFZv8c=
-github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.5 h1:452e/nFuqPvwPg+1OD2CG/v29R9MH8egJSJKh2Qduv8=
-github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.5/go.mod h1:8pvvNAklmq+hKmqyvFoMRg0bwg9sdGOvdwximmKiKP0=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.8 h1:TUUD/99lvNFDTAPT5aR58Yu+Yn7z8lZtaiiXQJRWhMs=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.8/go.mod h1:g7If3uXj+mKcmIuxh08qh8I9ju6f/aOSWMyc6hEEi58=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es=

diff --git a/internal/cache/redis/client.go b/internal/cache/redis/client.go
@@ -0,0 +1,61 @@
+package redis
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"os"
+
+	goredis "github.com/redis/go-redis/v9"
+	"go.flipt.io/flipt/internal/config"
+)
+
+func NewClient(cfg config.RedisCacheConfig) (*goredis.Client, error) {
+	var tlsConfig *tls.Config
+	if cfg.RequireTLS {
+		tlsConfig = &tls.Config{MinVersion: tls.VersionTLS12}
+		tlsConfig.InsecureSkipVerify = cfg.InsecureSkipTLS
+		caBundle, err := caBundle(cfg)
+		if err != nil {
+			return nil, err
+		}
+		if len(caBundle) > 0 {
+			rootCAs, err := x509.SystemCertPool()
+			if err != nil {
+				return nil, err
+			}
+			rootCAs.AppendCertsFromPEM(caBundle)
+			tlsConfig.RootCAs = rootCAs
+		}
+	}
+
+	rdb := goredis.NewClient(&goredis.Options{
+		Addr:            fmt.Sprintf("%s:%d", cfg.Host, cfg.Port),
+		TLSConfig:       tlsConfig,
+		Username:        cfg.Username,
+		Password:        cfg.Password,
+		DB:              cfg.DB,
+		PoolSize:        cfg.PoolSize,
+		MinIdleConns:    cfg.MinIdleConn,
+		ConnMaxIdleTime: cfg.ConnMaxIdleTime,
+		DialTimeout:     cfg.NetTimeout,
+		ReadTimeout:     cfg.NetTimeout * 2,
+		WriteTimeout:    cfg.NetTimeout * 2,
+		PoolTimeout:     cfg.NetTimeout * 2,
+	})
+	return rdb, nil
+}
+
+func caBundle(cfg config.RedisCacheConfig) ([]byte, error) {
+	if cfg.CaCertBytes != "" {
+		return []byte(cfg.CaCertBytes), nil
+	}
+	if cfg.CaCertPath != "" {
+		bytes, err := os.ReadFile(cfg.CaCertPath)
+		if err != nil {
+			return nil, err
+		}
+		return bytes, nil
+	}
+	return []byte{}, nil
+}