Merge pull request #45 from Financial-Times/feature/UPPSF-4661-migrat…

…e-requests-to-basic-auth migrate to basicAuth
Financial-Times · Oct 13, 2023 · ad72bfe · ad72bfe
2 parents 121bc73 + 257e9b3
commit ad72bfe
Show file tree

Hide file tree

Showing 9 changed files with 91 additions and 41 deletions.
diff --git a/content/content_api.go b/content/content_api.go
@@ -11,18 +11,21 @@ import (
 	tidutils "github.com/Financial-Times/transactionid-utils-go"
 )
 
-const apiKeyHeader = "X-Api-Key"
-
-const syntheticContentUUID = "4f2f97ea-b8ec-11e4-b8e6-00144feab7de"
+const (
+	syntheticContentUUID = "4f2f97ea-b8ec-11e4-b8e6-00144feab7de"
+	xPolicyHeader        = "x-policy"
+)
 
 type API struct {
 	endpoint   string
-	apiKey     string
+	username   string
+	password   string
+	xPolicies  []string
 	httpClient *http.Client
 }
 
-func NewContentAPI(endpoint string, apiKey string, httpClient *http.Client) *API {
-	return &API{endpoint, apiKey, httpClient}
+func NewContentAPI(endpoint string, username string, password string, xPolicies []string, httpClient *http.Client) *API {
+	return &API{endpoint, username, password, xPolicies, httpClient}
 }
 
 func (api *API) Get(ctx context.Context, contentUUID string, log *logger.UPPLogger) (*http.Response, error) {
@@ -35,13 +38,16 @@ func (api *API) Get(ctx context.Context, contentUUID string, log *logger.UPPLogg
 	getContentLog = getContentLog.WithField(tidutils.TransactionIDHeader, tID)
 
 	apiReq, err := http.NewRequest("GET", apiReqURI, nil)
-
 	if err != nil {
 		getContentLog.WithError(err).Error("Error in creating the http request")
 		return nil, err
 	}
 
-	apiReq.Header.Set(apiKeyHeader, api.apiKey)
+	for _, policy := range api.xPolicies {
+		apiReq.Header.Add(xPolicyHeader, policy)
+	}
+
+	apiReq.SetBasicAuth(api.username, api.password)
 	if tID != "" {
 		apiReq.Header.Set(tidutils.TransactionIDHeader, tID)
 	}
@@ -57,7 +63,7 @@ func (api *API) GTG() error {
 		return fmt.Errorf("gtg request error: %v", err.Error())
 	}
 
-	apiReq.Header.Set(apiKeyHeader, api.apiKey)
+	apiReq.SetBasicAuth(api.username, api.password)
 
 	apiResp, err := api.httpClient.Do(apiReq)
 	if err != nil {

diff --git a/content/content_api_gtg_test.go b/content/content_api_gtg_test.go
@@ -15,7 +15,7 @@ func TestHappyContentAPIGTG(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL+"/content", testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL+"/content", testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	assert.NoError(t, cAPI.GTG())
 }
 
@@ -25,7 +25,7 @@ func TestUnhappyContentAPIGTG(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL+"/content", testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL+"/content", testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	assert.EqualError(t, cAPI.GTG(), "gtg returned a non-200 HTTP status: 503 - I not am happy!")
 }
 
@@ -35,14 +35,14 @@ func TestContentAPIGTGWrongAPIKey(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL+"/content", "a-non-existing-key", testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL+"/content", "a-non-existing-username", "a-non-existing-password", nil, testClient)
 	assert.EqualError(t, cAPI.GTG(), "gtg returned a non-200 HTTP status: 401 - unauthorized")
 }
 
 func TestContentAPIGTGInvalidURL(t *testing.T) {
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(":#", testAPIKey, testClient)
+	cAPI := NewContentAPI(":#", testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	assert.Error(t, cAPI.GTG(), "Missing protocol scheme in gtg request")
 }
 
@@ -52,19 +52,28 @@ func TestContentAPIGTGConnectionError(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL, testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL, testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	assert.Error(t, cAPI.GTG())
 }
 
 func newContentAPIGTGServerMock(t *testing.T, status int, body string) *httptest.Server {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		assert.Equal(t, "/content/"+syntheticContentUUID, r.URL.Path)
-		if apiKey := r.Header.Get(apiKeyHeader); apiKey != testAPIKey {
+		username, password, ok := r.BasicAuth()
+		if !ok {
 			w.WriteHeader(http.StatusUnauthorized)
 			_, err := w.Write([]byte("unauthorized"))
 			assert.NoError(t, err)
 			return
 		}
+
+		if username != testBasicAuthUsername || password != testBasicAuthPassword {
+			w.WriteHeader(http.StatusUnauthorized)
+			_, err := w.Write([]byte("unauthorized"))
+			assert.NoError(t, err)
+			return
+		}
+
 		w.WriteHeader(status)
 		_, err := w.Write([]byte(body))
 		assert.NoError(t, err)

diff --git a/content/handler.go b/content/handler.go
@@ -147,7 +147,6 @@ func (h *Handler) WriteNativeContent(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) readContentFromUPP(ctx context.Context, w http.ResponseWriter, contentId string) {
-
 	readContentUPPLog := h.log.WithField(tidutils.TransactionIDHeader, ctx.Value(tidutils.TransactionIDHeader)).WithField("uuid", contentId)
 	readContentUPPLog.Warn("Draft not found in PAC, trying UPP")
 	uppResp, err := h.uppContentAPI.Get(ctx, contentId, h.log)

diff --git a/content/handler_test.go b/content/handler_test.go
@@ -22,11 +22,12 @@ import (
 )
 
 const (
-	originIDcctTest    = "cct"
-	contentTypeArticle = "application/vnd.ft-upp-article+json"
-	testAPIKey         = "testAPIKey"
-	testTID            = "test_tid"
-	testTimeout        = 8 * time.Second
+	originIDcctTest       = "cct"
+	contentTypeArticle    = "application/vnd.ft-upp-article+json"
+	testBasicAuthUsername = "testUsername"
+	testBasicAuthPassword = "testPassword"
+	testTID               = "test_tid"
+	testTimeout           = 8 * time.Second
 )
 
 type mockDraftContentRW struct {
@@ -72,7 +73,7 @@ func TestReadBackOffWhenNoDraftFoundToContentAPI(t *testing.T) {
 	defer cAPIServerMock.Close()
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL, testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL, testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 
 	h := NewHandler(cAPI, rw, testTimeout, logger.NewUPPLogger("test logger", "debug"))
 	r := vestigo.NewRouter()
@@ -149,7 +150,7 @@ func TestReadNotFoundAnywhere(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL, testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL, testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	h := NewHandler(cAPI, rw, testTimeout, logger.NewUPPLogger("test logger", "debug"))
 
 	r := vestigo.NewRouter()
@@ -178,7 +179,7 @@ func TestReadContentAPI504(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL, testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL, testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	h := NewHandler(cAPI, rw, testTimeout, logger.NewUPPLogger("test logger", "debug"))
 	r := vestigo.NewRouter()
 	r.Get("/drafts/content/:uuid", h.ReadContent)
@@ -202,7 +203,7 @@ func TestReadInvalidURL(t *testing.T) {
 	rw.mock.On("Read", mock.Anything, mock.AnythingOfType("string")).Return(nil, ErrDraftNotFound)
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(":#", testAPIKey, testClient)
+	cAPI := NewContentAPI(":#", testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	h := NewHandler(cAPI, rw, testTimeout, logger.NewUPPLogger("test logger", "debug"))
 	r := vestigo.NewRouter()
 	r.Get("/drafts/content/:uuid", h.ReadContent)
@@ -229,7 +230,7 @@ func TestReadConnectionError(t *testing.T) {
 
 	testClient, err := fthttp.NewClient(fthttp.WithSysInfo("PAC", "awesome-service"))
 	assert.NoError(t, err)
-	cAPI := NewContentAPI(cAPIServerMock.URL, testAPIKey, testClient)
+	cAPI := NewContentAPI(cAPIServerMock.URL, testBasicAuthUsername, testBasicAuthPassword, nil, testClient)
 	h := NewHandler(cAPI, rw, testTimeout, logger.NewUPPLogger("test logger", "debug"))
 	r := vestigo.NewRouter()
 	r.Get("/drafts/content/:uuid", h.ReadContent)
@@ -465,10 +466,17 @@ func TestWriteNativeContentWriteError(t *testing.T) {
 
 func newContentAPIServerMock(t *testing.T, status int, body string) *httptest.Server {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if apiKey := r.Header.Get(apiKeyHeader); apiKey != testAPIKey {
+		username, password, ok := r.BasicAuth()
+		if !ok {
 			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}
+
+		if username != testBasicAuthUsername || password != testBasicAuthPassword {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
 		assert.Equal(t, testTID, r.Header.Get(tidutils.TransactionIDHeader))
 		w.WriteHeader(status)
 		if _, err := w.Write([]byte(body)); err != nil {

diff --git a/content/handler_timeout_test.go b/content/handler_timeout_test.go
@@ -31,7 +31,7 @@ func TestReadTimeoutFromDraftContent(t *testing.T) {
 	validatorService := NewSparkDraftContentValidatorService(contentAPITestServer.server.URL, client)
 	resolver := NewDraftContentValidatorResolver(cctOnlyResolverConfig(validatorService))
 	contentRWService := NewDraftContentRWService(contentRWTestServer.server.URL, resolver, client)
-	uppAPI := NewContentAPI(contentAPITestServer.server.URL, "awesomely-unique-key", client)
+	uppAPI := NewContentAPI(contentAPITestServer.server.URL, testBasicAuthUsername, testBasicAuthPassword, nil, client)
 
 	handler := NewHandler(uppAPI, contentRWService, 150*time.Millisecond, logger.NewUPPLogger("draft-content-api-test", "debug"))
 
@@ -75,7 +75,7 @@ func TestReadTimeoutFromUPPContent(t *testing.T) {
 	resolver := NewDraftContentValidatorResolver(cctOnlyResolverConfig(validatorService))
 
 	contentRWService := NewDraftContentRWService(contentRWTestServer.server.URL, resolver, client)
-	uppAPI := NewContentAPI(contentAPITestServer.server.URL, "awesomely-unique-key", client)
+	uppAPI := NewContentAPI(contentAPITestServer.server.URL, testBasicAuthUsername, testBasicAuthPassword, nil, client)
 
 	handler := NewHandler(uppAPI, contentRWService, 150*time.Millisecond, logger.NewUPPLogger("draft-content-api-test", "debug"))
 
@@ -126,7 +126,7 @@ func TestNativeWriteTimeout(t *testing.T) {
 	resolver := NewDraftContentValidatorResolver(cctOnlyResolverConfig(validatorService))
 
 	contentRWService := NewDraftContentRWService(contentRWTestServer.server.URL, resolver, client)
-	uppAPI := NewContentAPI(contentAPITestServer.server.URL, "awesomely-unique-key", client)
+	uppAPI := NewContentAPI(contentAPITestServer.server.URL, testBasicAuthUsername, testBasicAuthPassword, nil, client)
 
 	handler := NewHandler(uppAPI, contentRWService, 150*time.Millisecond, logger.NewUPPLogger("draft-content-api-test", "debug"))
 

diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -9,6 +9,7 @@ services:
         DRAFT_CONTENT_RW_ENDPOINT: "http://generic-rw-aurora:8080"
         API_YML: "./api.yml"
         VALIDATOR_YML: "./config.yml"
+        DELIVERY_BASIC_AUTH: "username:password"
     ports:
         - "8080:8080"
     depends_on:

diff --git a/helm/draft-content-api/templates/deployment.yaml b/helm/draft-content-api/templates/deployment.yaml
@@ -43,16 +43,18 @@ spec:
             configMapKeyRef:
               name: global-config
               key: internal-content-endpoint
+        - name: X_POLICIES
+          value: "{{ .Values.env.X_POLICIES }}"
         - name: APP_TIMEOUT
           valueFrom:
             configMapKeyRef:
               name: timeout-config
               key: draft-content-api-timeout
-        - name: CAPI_APIKEY
+        - name: DELIVERY_BASIC_AUTH
           valueFrom:
             secretKeyRef:
               name: doppler-global-secrets
-              key: DRAFT_CONTENT_API_UPP_API_KEY
+              key: UPP_DELIVERY_CLUSTER_BASIC_AUTH
         - name: LOG_LEVEL
           value: "{{ .Values.env.LOG_LEVEL }}"
         ports:

diff --git a/helm/draft-content-api/values.yaml b/helm/draft-content-api/values.yaml
@@ -16,3 +16,4 @@ resources:
     memory: 128Mi
 env:
   LOG_LEVEL: "INFO"
+  X_POLICIES: "INTERNAL_UNSTABLE, INCLUDE_PROVENANCE, INCLUDE_LAST_MODIFIED_DATE, INCLUDE_RICH_CONTENT, INCLUDE_LITE"
diff --git a/main.go b/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"fmt"
 	"net/http"
 	"os"
 	"strings"
@@ -62,18 +63,24 @@ func main() {
 		EnvVar: "DRAFT_CONTENT_RW_ENDPOINT",
 	})
 
+	deliveryBasicAuth := app.String(cli.StringOpt{
+		Name:   "delivery-basic-auth",
+		Value:  "username:password",
+		Desc:   "Basic auth for access to the delivery UPP clusters",
+		EnvVar: "DELIVERY_BASIC_AUTH",
+	})
+
 	contentEndpoint := app.String(cli.StringOpt{
 		Name:   "content-endpoint",
-		Value:  "http://test.api.ft.com/content",
+		Value:  "http://localhost:8081/content",
 		Desc:   "Endpoint to get content from CAPI",
 		EnvVar: "CONTENT_ENDPOINT",
 	})
 
-	contentAPIKey := app.String(cli.StringOpt{
-		Name:   "content-api-key",
-		Value:  "",
-		Desc:   "API key to access CAPI",
-		EnvVar: "CAPI_APIKEY",
+	xPolicies := app.Strings(cli.StringsOpt{
+		Name:   "x-policies",
+		Desc:   "The x-policies to apply with a request to the UPP Delivery cluster",
+		EnvVar: "X_POLICIES",
 	})
 
 	apiYml := app.String(cli.StringOpt{
@@ -110,10 +117,14 @@ func main() {
 	app.Action = func() {
 		log.Infof("System code: %s, App Name: %s, Port: %s, App Timeout: %sms", *appSystemCode, *appName, *port, *appTimeout)
 
+		err := validateXPolicies(*xPolicies)
+		if err != nil {
+			log.WithError(err).Fatal("invalid content policy")
+		}
+
 		timeout, err := time.ParseDuration(*appTimeout)
 		if err != nil {
-			log.Errorf("App could not start, error=[%s]\n", err)
-			return
+			log.Fatalf("App could not start, error=[%s]\n", err)
 		}
 
 		validatorConfig, err := config.ReadConfig(*validatorYml)
@@ -139,8 +150,12 @@ func main() {
 		draftContentRWService := content.NewDraftContentRWService(*contentRWEndpoint, resolver, httpClient)
 
 		content.AllowedContentTypes = getAllowedContentType(validatorConfig)
+		basicAuthCredentials := strings.Split(*deliveryBasicAuth, ":")
+		if len(basicAuthCredentials) != 2 {
+			log.Fatal("error while resolving basic auth")
+		}
 
-		cAPI := content.NewContentAPI(*contentEndpoint, *contentAPIKey, httpClient)
+		cAPI := content.NewContentAPI(*contentEndpoint, basicAuthCredentials[0], basicAuthCredentials[1], *xPolicies, httpClient)
 
 		contentHandler := content.NewHandler(cAPI, draftContentRWService, timeout, log)
 		healthService, err := health.NewHealthService(*appSystemCode, *appName, defaultAppDescription, draftContentRWService, cAPI,
@@ -158,6 +173,15 @@ func main() {
 	}
 }
 
+func validateXPolicies(policies []string) error {
+	for _, policy := range policies {
+		if strings.ContainsAny(policy, " ;") {
+			return fmt.Errorf("policies should not contain spaces or semicolons: '%s'", policy)
+		}
+	}
+	return nil
+}
+
 func extractServices(dcm map[string]content.DraftContentValidator) []health.ExternalService {
 	result := make([]health.ExternalService, 0, len(dcm))