EVG-7427: add user manager for service users

auth/auth.go

@@ -41,6 +41,13 @@ func LoadUserManager(settings *evergreen.Settings) (gimlet.UserManager, evergree
 		}
 		return manager, info, nil
 	}
+	makeOnlyAPIManager := func() (gimlet.UserManager, evergreen.UserManagerInfo, error) {
+		manager, err := NewOnlyAPIUserManager(authConfig.OnlyAPI)
+		if err != nil {
+			return nil, info, errors.Wrap(err, "problem setting up API-only authentication")
+		}
+		return manager, info, nil
+	}
 	makeGithubManager := func() (gimlet.UserManager, evergreen.UserManagerInfo, error) {
 		manager, err := NewGithubUserManager(authConfig.Github, settings.Ui.LoginDomain)
 		if err != nil {
@@ -66,6 +73,10 @@ func LoadUserManager(settings *evergreen.Settings) (gimlet.UserManager, evergree
 		if authConfig.Naive != nil {
 			return makeNaiveManager()
 		}
+	case evergreen.AuthOnlyAPIKey:
+		if authConfig.OnlyAPI != nil {
+			return makeOnlyAPIManager()
+		}
 	}
 
 	if authConfig.LDAP != nil {
@@ -80,6 +91,9 @@ func LoadUserManager(settings *evergreen.Settings) (gimlet.UserManager, evergree
 	if authConfig.Github != nil {
 		return makeGithubManager()
 	}
+	if authConfig.OnlyAPI != nil {
+		return makeOnlyAPIManager()
+	}
 	return nil, info, errors.New("Must have at least one form of authentication, currently there are none")
 }
 

auth/auth_test.go

@@ -8,20 +8,21 @@ import (
 )
 
 func TestLoadUserManager(t *testing.T) {
-	l := evergreen.LDAPConfig{
+	ldap := evergreen.LDAPConfig{
 		URL:                "url",
 		Port:               "port",
 		UserPath:           "path",
 		ServicePath:        "bot",
 		Group:              "group",
 		ExpireAfterMinutes: "60",
 	}
-	g := evergreen.GithubAuthConfig{
+	github := evergreen.GithubAuthConfig{
 		ClientId:     "client_id",
 		ClientSecret: "client_secret",
 	}
-	n := evergreen.NaiveAuthConfig{}
-	o := evergreen.OktaConfig{
+	naive := evergreen.NaiveAuthConfig{}
+	onlyAPI := evergreen.OnlyAPIAuthConfig{}
+	okta := evergreen.OktaConfig{
 		ClientID:     "client_id",
 		ClientSecret: "client_secret",
 		Issuer:       "issuer",
@@ -35,49 +36,56 @@ func TestLoadUserManager(t *testing.T) {
 	assert.False(t, info.CanReauthorize)
 	assert.Nil(t, um, "a UserManager should not be able to be created in an empty AuthConfig")
 
-	a = evergreen.AuthConfig{Github: &g}
+	a = evergreen.AuthConfig{Github: &github}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err, "a UserManager should be able to be created if one AuthConfig type is Github")
 	assert.False(t, info.CanClearTokens)
 	assert.False(t, info.CanReauthorize)
 	assert.NotNil(t, um, "a UserManager should be able to be created if one AuthConfig type is Github")
 
-	a = evergreen.AuthConfig{LDAP: &l}
+	a = evergreen.AuthConfig{LDAP: &ldap}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err, "a UserManager should be able to be created if one AuthConfig type is LDAP")
 	assert.True(t, info.CanClearTokens)
 	assert.True(t, info.CanReauthorize)
 	assert.NotNil(t, um, "a UserManager should be able to be created if one AuthConfig type is LDAP")
 
-	a = evergreen.AuthConfig{Okta: &o}
+	a = evergreen.AuthConfig{Okta: &okta}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err, "a UserManager should be able to be created if one AuthConfig type is Okta")
 	assert.True(t, info.CanClearTokens)
 	assert.True(t, info.CanReauthorize)
 	assert.NotNil(t, um, "a UserManager should be able to be created if one AuthConfig type is Okta")
 
-	a = evergreen.AuthConfig{Naive: &n}
+	a = evergreen.AuthConfig{Naive: &naive}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err, "a UserManager should be able to be created if one AuthConfig type is Naive")
 	assert.False(t, info.CanClearTokens)
 	assert.False(t, info.CanReauthorize)
 	assert.NotNil(t, um, "a UserManager should be able to be created if one AuthConfig type is Naive")
 
-	a = evergreen.AuthConfig{PreferredType: evergreen.AuthLDAPKey, LDAP: &l}
+	a = evergreen.AuthConfig{OnlyAPI: &onlyAPI}
+	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
+	assert.NoError(t, err, "a UserManager should be able to be created if one AuthConfig type is OnlyAPI")
+	assert.False(t, info.CanClearTokens)
+	assert.False(t, info.CanReauthorize)
+	assert.NotNil(t, um, "a UserManager should be able to be created if one AuthConfig type is OnlyAPI")
+
+	a = evergreen.AuthConfig{PreferredType: evergreen.AuthLDAPKey, LDAP: &ldap}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err)
 	assert.True(t, info.CanClearTokens)
 	assert.True(t, info.CanReauthorize)
 	assert.NotNil(t, um)
 
-	a = evergreen.AuthConfig{PreferredType: evergreen.AuthOktaKey, Okta: &o}
+	a = evergreen.AuthConfig{PreferredType: evergreen.AuthOktaKey, Okta: &okta}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err)
 	assert.True(t, info.CanClearTokens)
 	assert.True(t, info.CanReauthorize)
 	assert.NotNil(t, um)
 
-	a = evergreen.AuthConfig{PreferredType: evergreen.AuthGithubKey, Github: &g}
+	a = evergreen.AuthConfig{PreferredType: evergreen.AuthGithubKey, Github: &github}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err)
 	assert.False(t, info.CanClearTokens)
@@ -86,14 +94,14 @@ func TestLoadUserManager(t *testing.T) {
 	_, ok := um.(*GithubUserManager)
 	assert.True(t, ok)
 
-	a = evergreen.AuthConfig{PreferredType: evergreen.AuthNaiveKey, Naive: &n}
+	a = evergreen.AuthConfig{PreferredType: evergreen.AuthNaiveKey, Naive: &naive}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err)
 	assert.False(t, info.CanClearTokens)
 	assert.False(t, info.CanReauthorize)
 	assert.NotNil(t, um)
 
-	a = evergreen.AuthConfig{PreferredType: evergreen.AuthGithubKey, LDAP: &l, Github: &g, Naive: &n}
+	a = evergreen.AuthConfig{PreferredType: evergreen.AuthGithubKey, LDAP: &ldap, Github: &github, Naive: &naive}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err)
 	assert.False(t, info.CanClearTokens)
@@ -102,7 +110,7 @@ func TestLoadUserManager(t *testing.T) {
 	_, ok = um.(*GithubUserManager)
 	assert.True(t, ok)
 
-	a = evergreen.AuthConfig{PreferredType: evergreen.AuthGithubKey, Naive: &n}
+	a = evergreen.AuthConfig{PreferredType: evergreen.AuthGithubKey, Naive: &naive}
 	um, info, err = LoadUserManager(&evergreen.Settings{AuthConfig: a})
 	assert.NoError(t, err)
 	assert.False(t, info.CanClearTokens)

auth/naive.go

@@ -16,7 +16,7 @@ import (
 // Note: This use of the UserManager is recommended for dev/test purposes only and users who need high security authentication
 // mechanisms should rely on a different authentication mechanism.
 type NaiveUserManager struct {
-	users []*evergreen.AuthUser
+	users []evergreen.AuthUser
 }
 
 func NewNaiveUserManager(naiveAuthConfig *evergreen.NaiveAuthConfig) (*NaiveUserManager, error) {
@@ -63,7 +63,7 @@ func (*NaiveUserManager) GetUserByID(id string) (gimlet.User, error) { return ge
 func (*NaiveUserManager) GetOrCreateUser(u gimlet.User) (gimlet.User, error) {
 	return getOrCreateUser(u)
 }
-func (b *NaiveUserManager) ClearUser(u gimlet.User, all bool) error {
+func (*NaiveUserManager) ClearUser(_ gimlet.User, _ bool) error {
 	return errors.New("Naive Authentication does not support Clear User")
 }
 func (*NaiveUserManager) GetGroupsForUser(string) ([]string, error) {

auth/only_api.go

@@ -0,0 +1,30 @@
+package auth
+
+import (
+	"github.com/evergreen-ci/evergreen"
+	"github.com/evergreen-ci/gimlet"
+	"github.com/mongodb/grip"
+)
+
+// NewOnlyAPIUserManager creates a user manager for special users that can only
+// make API requests. Users are pre-populated from the given config.
+func NewOnlyAPIUserManager(config *evergreen.OnlyAPIAuthConfig) (gimlet.UserManager, error) {
+	env := evergreen.GetEnvironment()
+	var rm gimlet.RoleManager
+	if env != nil {
+		rm = env.RoleManager()
+	}
+
+	users := make([]gimlet.BasicUser, 0, len(config.Users))
+	catcher := grip.NewBasicCatcher()
+	for _, u := range config.Users {
+		opts, err := gimlet.NewBasicUserOptions(u.Username)
+		if err != nil {
+			catcher.Wrap(err, "invalid API-only user in config")
+			continue
+		}
+		users = append(users, *gimlet.NewBasicUser(opts.Key(u.Key).RoleManager(rm)))
+	}
+
+	return gimlet.NewBasicUserManager(users, rm)
+}

auth/only_api_test.go

@@ -0,0 +1,21 @@
+package auth
+
+import (
+	"testing"
+
+	"github.com/evergreen-ci/evergreen"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestOnlyAPIAuthManager(t *testing.T) {
+	config := evergreen.AuthConfig{
+		OnlyAPI: &evergreen.OnlyAPIAuthConfig{},
+	}
+	manager, info, err := LoadUserManager(&evergreen.Settings{AuthConfig: config})
+	require.NoError(t, err)
+	assert.False(t, info.CanClearTokens)
+	assert.False(t, info.CanReauthorize)
+	assert.Nil(t, manager.GetLoginHandler(""))
+	assert.Nil(t, manager.GetLoginCallbackHandler())
+}

config_auth.go

@@ -1,8 +1,6 @@
 package evergreen
 
 import (
-	"fmt"
-
 	"github.com/evergreen-ci/evergreen/util"
 	"github.com/mongodb/grip"
 	"github.com/pkg/errors"
@@ -19,9 +17,23 @@ type AuthUser struct {
 	Email       string `bson:"email" json:"email" yaml:"email"`
 }
 
+// OnlyAPIUser configures a special service user with only access to the API via
+// a key.
+type OnlyAPIUser struct {
+	Username string   `bson:"username" json:"username" yaml:"username"`
+	Key      string   `bson:"key" json:"key" yaml:"key"`
+	Roles    []string `bson:"roles" json:"roles" yaml:"roles"`
+}
+
 // NaiveAuthConfig contains a list of AuthUsers from the settings file.
 type NaiveAuthConfig struct {
-	Users []*AuthUser `bson:"users" json:"users" yaml:"users"`
+	Users []AuthUser `bson:"users" json:"users" yaml:"users"`
+}
+
+// KeyAuthConfig contains the users that can only authenticate via the API from
+// the settings.
+type OnlyAPIAuthConfig struct {
+	Users []OnlyAPIUser `bson:"users" json:"users" yaml:"users"`
 }
 
 // LDAPConfig contains settings for interacting with an LDAP server.
@@ -54,14 +66,15 @@ type GithubAuthConfig struct {
 	Organization string   `bson:"organization" json:"organization" yaml:"organization"`
 }
 
-// AuthConfig has a pointer to either a CrowConfig or a NaiveAuthConfig.
+// AuthConfig contains the settings for the various auth managers.
 type AuthConfig struct {
-	LDAP                    *LDAPConfig       `bson:"ldap,omitempty" json:"ldap" yaml:"ldap"`
-	Okta                    *OktaConfig       `bson:"okta,omitempty" json:"okta" yaml:"okta"`
-	Naive                   *NaiveAuthConfig  `bson:"naive,omitempty" json:"naive" yaml:"naive"`
-	Github                  *GithubAuthConfig `bson:"github,omitempty" json:"github" yaml:"github"`
-	PreferredType           string            `bson:"preferred_type,omitempty" json:"preferred_type" yaml:"preferred_type"`
-	BackgroundReauthMinutes int               `bson:"background_reauth_minutes" json:"background_reauth_minutes" yaml:"background_reauth_minutes"`
+	LDAP                    *LDAPConfig        `bson:"ldap,omitempty" json:"ldap" yaml:"ldap"`
+	Okta                    *OktaConfig        `bson:"okta,omitempty" json:"okta" yaml:"okta"`
+	Naive                   *NaiveAuthConfig   `bson:"naive,omitempty" json:"naive" yaml:"naive"`
+	OnlyAPI                 *OnlyAPIAuthConfig `bson:"only_api,omitempty" json:"only_api" yaml:"only_api"`
+	Github                  *GithubAuthConfig  `bson:"github,omitempty" json:"github" yaml:"github"`
+	PreferredType           string             `bson:"preferred_type,omitempty" json:"preferred_type" yaml:"preferred_type"`
+	BackgroundReauthMinutes int                `bson:"background_reauth_minutes" json:"background_reauth_minutes" yaml:"background_reauth_minutes"`
 }
 
 func (c *AuthConfig) SectionId() string { return "auth" }
@@ -97,6 +110,7 @@ func (c *AuthConfig) Set() error {
 			AuthLDAPKey:                    c.LDAP,
 			AuthOktaKey:                    c.Okta,
 			AuthNaiveKey:                   c.Naive,
+			AuthOnlyAPIKey:                 c.OnlyAPI,
 			AuthGithubKey:                  c.Github,
 			authPreferredTypeKey:           c.PreferredType,
 			authBackgroundReauthMinutesKey: c.BackgroundReauthMinutes,
@@ -105,6 +119,27 @@ func (c *AuthConfig) Set() error {
 	return errors.Wrapf(err, "error updating section %s", c.SectionId())
 }
 
+func (c *AuthConfig) checkDuplicateUsers() error {
+	catcher := grip.NewBasicCatcher()
+	var usernames []string
+	if c.Naive != nil {
+		for _, u := range c.Naive.Users {
+			usernames = append(usernames, u.Username)
+		}
+	}
+	if c.OnlyAPI != nil {
+		for _, u := range c.OnlyAPI.Users {
+			usernames = append(usernames, u.Username)
+		}
+	}
+	used := map[string]bool{}
+	for _, name := range usernames {
+		catcher.AddWhen(used[name], errors.Errorf("duplicate user '%s' in list", name))
+		used[name] = true
+	}
+	return catcher.Resolve()
+}
+
 func (c *AuthConfig) ValidateAndDefault() error {
 	catcher := grip.NewSimpleCatcher()
 	catcher.ErrorfWhen(!util.StringSliceContains([]string{
@@ -113,18 +148,12 @@ func (c *AuthConfig) ValidateAndDefault() error {
 		AuthOktaKey,
 		AuthNaiveKey,
 		AuthGithubKey}, c.PreferredType), "invalid auth type '%s'", c.PreferredType)
-	if c.LDAP == nil && c.Naive == nil && c.Github == nil && c.Okta == nil {
+	if c.LDAP == nil && c.Naive == nil && c.OnlyAPI == nil && c.Github == nil && c.Okta == nil {
 		catcher.Add(errors.New("You must specify one form of authentication"))
 	}
-	if c.Naive != nil {
-		used := map[string]bool{}
-		for _, x := range c.Naive.Users {
-			if used[x.Username] {
-				catcher.Add(fmt.Errorf("Duplicate user %s in list", x.Username))
-			}
-			used[x.Username] = true
-		}
-	}
+
+	catcher.Add(c.checkDuplicateUsers())
+
 	if c.Github != nil {
 		if c.Github.Users == nil && c.Github.Organization == "" {
 			catcher.Add(errors.New("Must specify either a set of users or an organization for Github Authentication"))

config_db.go

@@ -95,6 +95,7 @@ var (
 	AuthOktaKey                    = bsonutil.MustHaveTag(AuthConfig{}, "Okta")
 	AuthGithubKey                  = bsonutil.MustHaveTag(AuthConfig{}, "Github")
 	AuthNaiveKey                   = bsonutil.MustHaveTag(AuthConfig{}, "Naive")
+	AuthOnlyAPIKey                 = bsonutil.MustHaveTag(AuthConfig{}, "OnlyAPI")
 	authPreferredTypeKey           = bsonutil.MustHaveTag(AuthConfig{}, "PreferredType")
 	authBackgroundReauthMinutesKey = bsonutil.MustHaveTag(AuthConfig{}, "BackgroundReauthMinutes")
 

config_test.go

@@ -295,7 +295,10 @@ func (s *AdminSuite) TestAuthConfig() {
 			ExpireAfterMinutes: 60,
 		},
 		Naive: &NaiveAuthConfig{
-			Users: []*AuthUser{{Username: "user", Password: "pw"}},
+			Users: []AuthUser{{Username: "user", Password: "pw"}},
+		},
+		OnlyAPI: &OnlyAPIAuthConfig{
+			Users: []OnlyAPIUser{{Username: "user", Key: "key", Roles: []string{"admin"}}},
 		},
 		Github: &GithubAuthConfig{
 			ClientId:     "ghclient",

mock/environment.go

@@ -91,8 +91,11 @@ func (e *Environment) Configure(ctx context.Context) error {
 	// auth.LoadUserManager(e.EvergreenSettings), we have to avoid an import
 	// cycle where this package would transitively depend on the database
 	// models.
-	e.userManager = nil
-	e.userManagerInfo = evergreen.UserManagerInfo{}
+	um, err := gimlet.NewBasicUserManager(nil, nil)
+	if err != nil {
+		return errors.WithStack(err)
+	}
+	e.userManager = um
 
 	return nil
 }