Introduce authentication to the broker #308
Conversation
I really like the structure. Mostly style nits, but one or two functional things that I would like to discuss.
	ft "github.com/openshift/ansible-service-broker/pkg/fusortest"
)

func TestCreateConfig(t *testing.T) {
👍 🎆
pkg/auth/auth.go (outdated)
	return &fusa, nil
}

func (d *FileUserServiceAdapter) buildDb() error {
buildDB() - because Db is an acronym, it should be all uppercase or lowercase.
pkg/auth/auth.go (outdated)
	// userdb is probably overkill, but if we ever want to allow multiple users,
	// it'll come in handy.
	d.userdb = make(map[string]User)
	unamestr := string(username)
Can you just cast to string in the struct literal? You do for password, so I would just like to match the style, IMO.
pkg/auth/auth.go (outdated)

// FindByLogin - given a login name, this will return the associated User or an
// error
func (d FileUserServiceAdapter) FindByLogin(login string) (User, error) {
Should this be unexported?
pkg/auth/auth.go (outdated)
// our backend storage. Returns fals otherwise.
func (d FileUserServiceAdapter) ValidateUser(username string, password string) bool {
	user, err := d.FindByLogin(username)
	if err != nil {
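Review bot: the doc comment on the first line of this hunk has a typo, "Returns fals otherwise" should read "Returns false otherwise". Also, because ValidateUser collapses the FindByLogin error into a bool, a lookup failure is invisible to the caller; logging it in this branch (as discussed) or returning an error alongside the bool would keep it visible.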
Can we log the error here? The user-not-found error above will be lost and not printed out, which could make it hard to debug.
Probably. I don't have the log in these structs, so I removed the fmt I had. Definitely will log, though. Thanks.
pkg/auth/auth.go (outdated)
// Handler - does the authentication for the routes
func Handler(h http.Handler, providers []Provider) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// TODO: loop through the providers
Remove todos?
pkg/auth/basic_auth.go (outdated)
		fmt.Println(err.Error())
	}
	userpass := strings.Split(string(decodedheader), ":")
	username = userpass[0]
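Review bot: strings.Split(string(decodedheader), ":") on the third line of this hunk splits on every colon, so a password that itself contains ':' (which RFC 7617 permits) would be cut at the first one; strings.SplitN(string(decodedheader), ":", 2) keeps the remainder of the password intact. Separately, when the base64 decode fails on the first line the error is only printed and parsing continues with an empty decodedheader; returning early (and rejecting the request) would be clearer than carrying an empty username forward.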
Should we check this? If I pass the header "Authorization: Basic" I think this will panic. Just thinking out loud.
So I tried quite a few things in tests; all are "Authorization: Basic" with different encoded values:
- just the username "admin"
- just the password ":password"
- empty string
All are handled correctly, no panic on this line. strings.Split always returns a slice of at least one item, even if that item is the empty string.
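The exchange above is about how a Basic Authorization header is taken apart. As an added, self-contained example (not code from this PR or from ansible-service-broker), the block below parses the header defensively, runs the three cases listed in the comment plus a password that itself contains a colon, and wires the check into an http.Handler wrapper that answers 401 with a JSON body. All names here (ParseBasicAuth, ValidateUser, BasicAuthHandler, StatusFor, Basic, userStore) and the sample "broker-admin" credential are hypothetical and constructed for the example; it goes beyond the thread by splitting on the first colon only (strings.SplitN) and by comparing passwords in constant time.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Credentials is the username/password pair carried by a Basic Authorization header.
type Credentials struct {
	Username string
	Password string
}

// ParseBasicAuth extracts credentials from an Authorization header value.
// It reports ok=false for a missing, non-Basic, undecodable or colon-less value,
// so callers never index into a slice that is shorter than they expect.
// The decoded value is split on the FIRST ':' only, because RFC 7617 lets the
// password itself contain ':' (strings.Split would chop such a password up).
func ParseBasicAuth(header string) (Credentials, bool) {
	const scheme = "Basic "
	if len(header) < len(scheme) || !strings.EqualFold(header[:len(scheme)], scheme) {
		return Credentials{}, false
	}
	decoded, err := base64.StdEncoding.DecodeString(strings.TrimSpace(header[len(scheme):]))
	if err != nil {
		return Credentials{}, false
	}
	parts := strings.SplitN(string(decoded), ":", 2)
	if len(parts) != 2 || parts[0] == "" {
		// bare username, bare ":password" or empty string: malformed, reject early
		return Credentials{}, false
	}
	return Credentials{Username: parts[0], Password: parts[1]}, true
}

// userStore is a constructed in-memory stand-in for a file-seeded user db;
// the credential below is a made-up sample, not one from the project.
var userStore = map[string]string{
	"broker-admin": "s3cret:with:colons",
}

// ValidateUser checks a credential pair against the store. The comparison is
// constant-time, and an unknown user is compared against a dummy value so that
// "no such user" and "wrong password" take the same code path.
func ValidateUser(username, password string) bool {
	stored, found := userStore[username]
	if !found {
		stored = strings.Repeat("x", len(password))
	}
	match := subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1
	return found && match
}

// BasicAuthHandler wraps h so that requests without valid Basic credentials are
// answered with 401 and a JSON body and never reach the wrapped routes.
func BasicAuthHandler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		creds, ok := ParseBasicAuth(r.Header.Get("Authorization"))
		if !ok || !ValidateUser(creds.Username, creds.Password) {
			w.Header().Set("WWW-Authenticate", `Basic realm="ansible-service-broker"`)
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"description":"unauthorized"}`)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// StatusFor pushes one request with the given Authorization header through the
// middleware and returns the HTTP status, so behaviour is checkable without a server.
func StatusFor(authHeader string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/v2/catalog", nil)
	if authHeader != "" {
		req.Header.Set("Authorization", authHeader)
	}
	BasicAuthHandler(okHandler).ServeHTTP(rec, req)
	return rec.Code
}

// Basic builds a "Basic <base64>" header value from a raw "user:pass" string.
func Basic(userpass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(userpass))
}

func main() {
	for _, h := range []string{"", Basic("admin"), Basic(":password"), Basic(""),
		Basic("broker-admin:wrong"), Basic("broker-admin:s3cret:with:colons")} {
		fmt.Printf("%-48q -> %d\n", h, StatusFor(h))
	}
}
```

Running it prints 401 for the empty header, the bare "admin", the bare ":password", the empty encoded string and the wrong password, and 200 only for the full credential; the colon-bearing password survives because only the first colon separates user from password.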
pkg/handler/handler.go (outdated)
@@ -84,6 +85,7 @@ func (h handler) bootstrap(w http.ResponseWriter, r *http.Request, params map[st
}

func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	fmt.Println("entered handler.ServeHTTP")
debug statement
@jmrodri Can you try rebasing to see if it makes travis happier?
9522f0c to 16484df
@shawn-hurley authHandler now returns json.
TEST
First build a new broker image for testing. NOTE: make run won't work. There's a trello card and an issue for it.
Next, using the authimpl branch of catasb: fusor/catasb#105. This PR contains the broker configuration secret when creating the broker instance on the service-catalog.
-asb_template_url: https://raw.githubusercontent.com/openshift/ansible-service-broker/master/templates/deploy-ansible-service-broker.template.yaml
+asb_template_url: file:///home/jesusr/dev/src/github.com/openshift/ansible-service-broker/templates/deploy-ansible-service-broker.template.yaml
-broker_tag: "latest"
+broker_tag: "authimpl"
-broker_image_name: docker.io/ansibleplaybookbundle/ansible-service-broker
+broker_image_name: docker.io/jmrodri/ansible-service-broker
TROUBLESHOOTING
If you see
  name: asb-auth-secret
  namespace: ansible-service-broker
data:
  username: YnJva2VyLWFkbWlu
Let's introduce two params for the auth username/password in the parameters section:
BASIC_AUTH_USER_NAME=YnJva2VyLWFkbWlu
BASIC_AUTH_USER_PASSWORD=TFl0SU5lc0hBZw==
Then refer to them here so it's easier to adjust the username/password when deploying.
Let's add params for the basic auth username/password to the template.
@jmrodri Just like in fusor/catasb#105, we need to add the auth info to the CI broker template: https://github.com/openshift/ansible-service-broker/blob/master/scripts/broker-ci/broker-resource.yaml

// GetType - returns the type of Principal. This is a user principal.
func (u User) GetType() string {
	return "user"
Should this be a const instead?

// FileUserServiceAdapter - a file based UserServiceAdapter which seeds its
// users from a file.
type FileUserServiceAdapter struct {
NIT: Can you organize the structs at the top of the file or add them all to a type.go?
I prefer to keep the methods of the struct near the struct definition. What I did do was move the NewFileUser ctor method further down so that the struct's methods are below the struct.
ACK
* make auth look at /var/run/asb-auth
* add /var/run/asb-auth, might be able to delete
* use proper secret name
Looks good! I like the interfaces and tests. One update would be the template params @jwmatthews mentioned.
etc/example-config.yaml (outdated)
auth:
  - type: basic
    enabled: true
  - type: oauth
Spoke with @jmrodri: comment out or delete, up to you.
deleted the oauth lines.
pkg/auth/auth.go (outdated)
)

// ConfigEntry - Configuration for authentication
type ConfigEntry struct {
I think the other packages follow the pattern of naming this Config for each section, so it's referenced as Config within the package and as auth.Config outside.
I was conflicted about this because it is a list of auth definitions:
auth:
  - type: basic
    enabled: true
  - type: oauth
    enabled: true
  - type: cert
    enabled: true
So each type is a config entry. I guess we could say it's an array of auth.Config.
* remove fmt.println
* warn potential users of echo
@jwmatthews variables added to template.
@rthallisey CI build fixed. I was missing the secret, but while I copied that in I put in the wrong broker url: I had asb-1337... instead of asb-1338... We're green now!
@eriknelson retest please.
// an error
func (d FileUserServiceAdapter) FindByLogin(login string) (User, error) {

	// TODO: add some error checking
Did we make a card for this?
@jmrodri All my tests passed. Started up catasb, saw authenticated catalog requests coming from the service-catalog. Checked that curl without auth fails, curl with bad credentials fails, and curl with correct credentials succeeds, and verified I could disable auth by editing the config value. Think this is ready to merge unless anyone objects.
Merging since complaints have been addressed, CI is working, and a bunch of people have tested this back to front.
Currently supports just basic auth, but it's structured to allow extension for additional auth backends.