Merge pull request #1 from rarimo/develop

Creating service

.github/workflows/actions.yml

@@ -0,0 +1,31 @@
+on:
+  workflow_dispatch:
+
+jobs:
+  converge:
+    name: Converge
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install werf
+        uses: werf/actions/[email protected]
+
+      - name: Log in to registry
+        # This is where you will update the personal access token to GITHUB_TOKEN
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+
+      - name: Run echo
+        run: |
+          werf version
+          docker version
+          echo $GITHUB_REPOSITORY
+          echo $GITHUB_SHA
+      - name: Run Build
+        run: |
+          . $(werf ci-env github --as-file) 
+          werf export service --tag ghcr.io/$GITHUB_REPOSITORY:$GITHUB_SHA

.github/workflows/actions_branch.yml

@@ -0,0 +1,34 @@
+on:
+  push:
+    branches:
+      - 'master'
+      - 'develop'
+
+jobs:
+  converge:
+    name: Converge
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install werf
+        uses: werf/actions/[email protected]
+
+      - name: Log in to registry
+        # This is where you will update the personal access token to GITHUB_TOKEN
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+
+      - name: Run echo
+        run: |
+          werf version
+          docker version
+          echo $GITHUB_REPOSITORY
+          echo $GITHUB_SHA
+      - name: Run Build
+        run: |
+          . $(werf ci-env github --as-file) 
+          werf export service --tag ghcr.io/$GITHUB_REPOSITORY:$GITHUB_SHA

.github/workflows/deploy-gh-pages.yaml

@@ -0,0 +1,35 @@
+#
+# Builds the docs and deploys to GitHub pages
+#
+# https://github.com/actions/setup-node
+# Using https://github.com/marketplace/actions/deploy-to-github-pages
+name: Deploy to Github pages
+
+on:
+  push:
+    #tags:
+    #  - v*
+    branches:
+      - master
+
+jobs:
+  deploy_pages:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '18'
+
+      - run: |
+          cd ./docs
+          npm install
+          npm run build
+
+      - run: touch docs/.nojekyll
+      - name: Deploy docs 🚀
+        uses: JamesIves/github-pages-deploy-action@releases/v3
+        with:
+          BRANCH: gh-pages # The branch the action should deploy to.
+          FOLDER: docs/web_deploy # The folder the action should deploy.

.github/workflows/tag.yml

@@ -0,0 +1,34 @@
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+'
+
+jobs:
+  converge:
+    name: Converge
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install werf
+        uses: werf/actions/[email protected]
+
+      - name: Log in to registry
+        # This is where you will update the personal access token to GITHUB_TOKEN
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin
+
+      - name: Run echo
+        run: |
+          werf version
+          docker version
+          echo $GITHUB_REPOSITORY
+          echo $GITHUB_REF_NAME
+      - name: Run Build
+        run: |
+          . $(werf ci-env github --as-file) 
+          werf export service --tag ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME

.gitignore

@@ -0,0 +1,6 @@
+.idea
+/vendor/
+/docs/node_modules/
+/docs/web_deploy/
+
+config.*.yaml

Dockerfile

@@ -0,0 +1,17 @@
+FROM golang:1.20-alpine as buildbase
+
+RUN apk add git build-base
+
+WORKDIR /go/src/github.com/rarimo/rarime-auth-svc
+COPY vendor .
+COPY . .
+
+RUN GOOS=linux go build  -o /usr/local/bin/rarime-auth-svc /go/src/github.com/rarimo/rarime-auth-svc
+
+
+FROM alpine:3.9
+
+COPY --from=buildbase /usr/local/bin/rarime-auth-svc /usr/local/bin/rarime-auth-svc
+RUN apk add --no-cache ca-certificates
+
+ENTRYPOINT ["rarime-auth-svc"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Zero Block Global Foundation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -1,8 +1,73 @@
 # rarime-auth-svc
 
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
 ## Description
 
-Service that issues and verifies JWT
+RariMe Auth service designed to authorize users with Iden3 AuthV2 ZK-proofs and issue JWT tokens based on it.
+This JWT can be used on other internal or external service to authenticate user for executing endpoints.
+
+Frontend firstly should request Base64-encoded challenge using `v1/authorize/{did}/challenge` request.
+Then generate AuthV2 ZK proof with received challenge as decoded big-endian value. Using this proof
+execute `v1/authorize` request and receive JWT (refresh and access) tokens in response and also in cookies.
+
+## Usage
+
+To integrate on other service use the [pkg/auth](./pkg/auth) package.
+It contains client and client config to execute `v1/validate` requests and example of `grants` that can be used
+with `Authenticates` method to check uses access.
+
+Example:
+
+Add middleware to endpoints that require auth:
+
+```go
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/rarimo/rarime-auth-svc/pkg/auth"
+	"gitlab.com/distributed_lab/ape"
+	"gitlab.com/distributed_lab/ape/problems"
+)
+
+func AuthMiddleware(client *auth.Client) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			claim, err := client.ValidateJWT(r)
+			if err != nil {
+				ape.RenderErr(w, problems.Unauthorized())
+				return
+			}
+
+			// Save claims somewhere (probably in request context)
+			ctx := handlers.CtxClaim(claim)(r.Context())
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+```
+
+How protected endpoints definition looks like:
+
+```go
+r.Route("/integrations/your-service", func (r chi.Router) {
+r.Route("/v1", func (r chi.Router) {
+r.Post("/unprotected", handlers.Unprotected)
+r.With(middleware.AuthMiddleware(s.client)).Get("/protected", handlers.Protected)
+})
+})
+```
+
+Then, use parsed claims in handler to allow users execute business logic:
+
+```go
+if !auth.Authenticates([]resources.Claim{claim}, auth.UserGrant("did")) {
+ape.RenderErr(w, problems.Unauthorized())
+return
+}
+```
 
 ## Install
 
@@ -19,22 +84,24 @@ Service that issues and verifies JWT
 We do use openapi:json standard for API. We use swagger for documenting our API.
 
 To open online documentation, go to [swagger editor](http://localhost:8080/swagger-editor/) here is how you can start it
+
 ```
   cd docs
   npm install
   npm start
 ```
+
 To build documentation use `npm run build` command,
 that will create open-api documentation in `web_deploy` folder.
 
 To generate resources for Go models run `./generate.sh` script in root folder.
 use `./generate.sh --help` to see all available options.
 
 Note: if you are using Gitlab for building project `docs/spec/paths` folder must not be
-empty, otherwise only `Build and Publish` job will be passed.  
+empty, otherwise only `Build and Publish` job will be passed.
+
+## Running from docker
 
-## Running from docker 
-
 Make sure that docker installed.
 
 use `docker run ` with `-p 8080:80` to expose port 80 to 8080
@@ -50,12 +117,7 @@ use `docker run ` with `-p 8080:80` to expose port 80 to 8080
 * Provide valid config file
 * Launch the service with `run service` command
 
-
-
-### Third-party services
-
-
 ## Contact
 
 Responsible Oleg Fomenko
-The primary contact for this project is  t.me/of_dl
+The primary contact for this project is t.me/of_dl

config.yaml

@@ -0,0 +1,19 @@
+log:
+  level: debug
+  disable_sentry: true
+
+listener:
+  addr: :8000
+
+jwt:
+  secret_key: 0xbcb14d08dc1472b80f49eaf72f0873ac314a7146083bbf3694df8c3238949f2ec0971427f5509382a2812c700e541e328cd6ec65a1383c3ca435cdf55862dc4b
+  access_expiration_time: 12h
+  refresh_expiration_time: 24h
+
+cookies:
+  domain: "rarime.com"
+  secure: true
+
+verifier:
+  schema: 12345
+  enabled: false

docs/.redoclyrc

@@ -0,0 +1,9 @@
+
+apiTitle: rarime-auth-svc
+splitSpec: true
+codeSamples: false
+swaggerUI: true
+travis: true
+repo: tokend/notifications/notifications-router-svc
+oasVersion: 1.0.0
+

docs/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Ivan Goncharov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.