Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat: Add authentication for the test report page #67

Merged
merged 31 commits into from
Jul 3, 2024
Merged

Feat: Add authentication for the test report page #67

merged 31 commits into from
Jul 3, 2024

Conversation

marius-williams
Copy link
Contributor

Implement Fern Auth

Description:

This pull request introduces authentication functionalities to fern. This is made possible by using the middleware functionality of the Gin framework to intercept all API calls and perform JWT validation using JWKS.

Changes Included:

  • A variable in the config yaml for housing the keys endpoint used by the auth middleware
  • In main, a call to the function that retrieves the most up-to-date JWKS on server startup
  • Middleware that does all the necessary validation for the JWT using the JWKS
  • A README
  • Tests

@marius-williams marius-williams changed the title Feat/auth Feat: Add authentication for the test report page #34 May 14, 2024
@marius-williams marius-williams changed the title Feat: Add authentication for the test report page #34 Feat: Add authentication for the test report page May 14, 2024
@marius-williams
Copy link
Contributor Author

A few things we need to address:

  • Scopes: If it is going to be generic enough for open source, I believe we should use a custom claim. We could take in the name of the custom claim as an input parameter as they follow this format.
{
   "appID-a": ["read", "write"],
   "appID-b": ["read"],
   "appID-c": ["admin"],
    "admin": ["admin"](A special case for someone who can perform CRUD on any app that reports using Fern),
}
  • TLS Certificates for the HTTP client used in the auth package. Currently, it is ignoring TLS certs when calling the JWKS endpoint. We need a way that allows the HTTP client to have TLS enabled during local development as well.

jjchambl
jjchambl reviewed May 14, 2024
View reviewed changes
main.go Outdated
Comment on lines 42 to 48

authConfig := config.GetAuth()
if err := auth.UpdateJWKS(authConfig.KeysEndpoint); err != nil {
log.Fatalf("error getting JWKs: %v", err)
}
router.Use(auth.JWTAuthMiddleware(authConfig.KeysEndpoint))
router.Use(cors.New(cors.Config{
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this fail if the user doesn't provide an endpoint?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If so, how can local testing be done? This would make the product exclusively tied to OAuth.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably need to set an env variable through which we can disable OAuth? or @bsekar is there a better way to do integration and acceptance tests?

github-advanced-security[bot]
github-advanced-security bot found potential problems May 14, 2024
View reviewed changes
pkg/auth/middleware.go Fixed Show resolved Hide resolved
marius-williams
marius-williams commented May 15, 2024
View reviewed changes
pkg/auth/middleware_test.go Outdated
Comment on lines 35 to 48
ghttp.RespondWithJSONEncoded(http.StatusOK, map[string]interface{}{
"keys": []interface{}{
map[string]interface{}{
"kty": "RSA",
"alg": "RS256",
"kid": "mAMF03ZNwGBz54bjNJLGtlTC9oP8zJSLrpkfBIH1R-E",
"use": "sig",
"e": "AQAB",
"n": "2uCExuw6kt86vt28clwQ8d0C1UHMUFUbBlthwiOpTTQYkFSbBUQKBJ16P9pnBrVwVr6-s1-84SKGnJnK6EX6IuiTKJQeEurV67ivoahtZXFBk02fBWd8LrkmDdCE59EsVB8zmHycYMCjm133n1THXjcpjQXKHWmTr3D7mP0jgGZWSdxTgGuWbglX5_OhqEZy7LNQQQYwBnGTsBxCm9Fr6g9b_dWz7l_pXpuVuaesMhL7zahwwCBE6d-tpcN_jhujTT6UhRB63uQsehchAot1BWNdBRsOtQtt4OW9EGqUD8ebVtAt8wchRi6wjCva9MLXQQNWehQftSTRqHZ8HNIOsw",
},
},
}),
),
)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be cleaner to use the JWK struct here, instead of map[string]interface{} inline.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was changed in the refactor.

anoop2811
anoop2811 reviewed May 18, 2024
View reviewed changes
Copy link
Contributor

@anoop2811 anoop2811 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bsekar probably needs your review most here

main.go Outdated
Comment on lines 42 to 48

authConfig := config.GetAuth()
if err := auth.UpdateJWKS(authConfig.KeysEndpoint); err != nil {
log.Fatalf("error getting JWKs: %v", err)
}
router.Use(auth.JWTAuthMiddleware(authConfig.KeysEndpoint))
router.Use(cors.New(cors.Config{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We probably need to set an env variable through which we can disable OAuth? or @bsekar is there a better way to do integration and acceptance tests?

pkg/auth/middleware.go Fixed Show resolved Hide resolved
fvarg00
fvarg00 reviewed May 21, 2024
View reviewed changes
config/config.go Outdated Show resolved Hide resolved
fvarg00
fvarg00 reviewed May 21, 2024
View reviewed changes
config/config.yaml Outdated Show resolved Hide resolved
fvarg00
fvarg00 reviewed May 21, 2024
View reviewed changes
config/config.go Outdated Show resolved Hide resolved
fvarg00
fvarg00 reviewed May 21, 2024
View reviewed changes
pkg/auth/middleware.go Outdated Show resolved Hide resolved
fvarg00
fvarg00 requested changes May 21, 2024
View reviewed changes
Copy link
Collaborator

@fvarg00 fvarg00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added comments, please review and address.

@anoop2811
Fix: Update dockerfile failure for apt-get
6349f18 
- Fix other lint issues

Signed-off-by: Anoop Gopalakrishnan <[email protected]>
fvarg00
fvarg00 reviewed Jun 26, 2024
View reviewed changes
main.go Outdated
if _, err := jwksCache.Refresh(ctx, authConfig.JSONWebKeysEndpoint); err != nil {
log.Fatalf("URL is not a valid JWKS: %v", err)
}
fmt.Println("JWKS cache initialized and refreshed")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use log.info instead of fmt.Println ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is outdated. This is no longer in main.go

@anoop2811 anoop2811 merged commit 96716ce into guidewire-oss:main Jul 3, 2024
7 checks passed
@anoop2811
Copy link
Contributor

Good work @marius-williams !

@marius-williams
Copy link
Contributor Author

Good work @marius-williams !

Thank you @anoop2811 !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jjchambl jjchambl jjchambl left review comments

@anoop2811 anoop2811 anoop2811 left review comments

@fvarg00 fvarg00 fvarg00 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@marius-williams @anoop2811 @fvarg00 @jjchambl @marwilliams3