Merge pull request #930 from ldelossa/louis/middleware-packaging

move middleware to package

cmd/clair/httptransport.go

@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/quay/clair/v4/middleware/auth"
+	"github.com/quay/clair/v4/middleware/compress"
 	"github.com/quay/claircore/libindex"
 	"github.com/quay/claircore/libvuln"
 	"go.opentelemetry.io/otel/plugin/othttp"
@@ -75,7 +77,7 @@ func devMode(ctx context.Context, conf config.Config) (*http.Server, error) {
 	matcher.Register(mux)
 	return &http.Server{
 		Addr:    conf.HTTPListenAddr,
-		Handler: othttp.NewHandler(Compress(mux), "server"),
+		Handler: othttp.NewHandler(compress.Handler(mux), "server"),
 	}, nil
 }
 
@@ -96,7 +98,7 @@ func indexerMode(ctx context.Context, conf config.Config) (*http.Server, error)
 	}
 	return &http.Server{
 		Addr:    conf.Indexer.HTTPListenAddr,
-		Handler: othttp.NewHandler(Compress(indexer), "server"),
+		Handler: othttp.NewHandler(compress.Handler(indexer), "server"),
 	}, nil
 }
 
@@ -120,7 +122,7 @@ func matcherMode(ctx context.Context, conf config.Config) (*http.Server, error)
 	}
 	return &http.Server{
 		Addr:    conf.Matcher.HTTPListenAddr,
-		Handler: othttp.NewHandler(Compress(matcher), "server"),
+		Handler: othttp.NewHandler(compress.Handler(matcher), "server"),
 	}, nil
 }
 
@@ -132,11 +134,11 @@ func setAuth(srv *http.Server, conf config.Config) error {
 		if !ok {
 			return fmt.Errorf("missing needed config key: %q", param)
 		}
-		ks, err := QuayKeyserver(api)
+		ks, err := auth.NewQuayKeyserver(api)
 		if err != nil {
 			return err
 		}
-		srv.Handler = AuthHandler(srv.Handler, ks)
+		srv.Handler = auth.Handler(srv.Handler, ks)
 	case "psk":
 		const (
 			iss = "issuer"
@@ -154,11 +156,11 @@ func setAuth(srv *http.Server, conf config.Config) error {
 		if !ok {
 			return fmt.Errorf("missing needed config key: %q", iss)
 		}
-		psk, err := PSKAuth(k, i)
+		psk, err := auth.NewPSK(k, i)
 		if err != nil {
 			return err
 		}
-		srv.Handler = AuthHandler(srv.Handler, psk)
+		srv.Handler = auth.Handler(srv.Handler, psk)
 	case "":
 	default:
 		return fmt.Errorf("unknown auth kind %q", conf.Auth.Name)

cmd/clair/httpauth.go → middleware/auth/handler.go

@@ -1,4 +1,4 @@
-package main
+package auth
 
 import (
 	"context"
@@ -12,23 +12,23 @@ type AuthCheck interface {
 	Check(context.Context, *http.Request) bool
 }
 
-type authHandler struct {
+type handler struct {
 	auth AuthCheck
 	next http.Handler
 }
 
-func (h *authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (h *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if !h.auth.Check(r.Context(), r) {
 		w.WriteHeader(http.StatusUnauthorized)
 		return
 	}
 	h.next.ServeHTTP(w, r)
 }
 
-// AuthHandler returns a Handler that gates access to the passed Handler behind
+// Handler returns a http.Handler that gates access to the passed Handler behind
 // the passed AuthCheck.
-func AuthHandler(h http.Handler, f AuthCheck) http.Handler {
-	return &authHandler{
+func Handler(h http.Handler, f AuthCheck) http.Handler {
+	return &handler{
 		auth: f,
 		next: h,
 	}

cmd/clair/httpauth_keyserver.go → middleware/auth/httpauth_keyserver.go

@@ -1,4 +1,4 @@
-package main
+package auth
 
 import (
 	"context"
@@ -15,15 +15,38 @@ import (
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 
-type ks struct {
+// QuayKS implements the AuthCheck interface.
+//
+// When Check is called the JWT on the incoming http request
+// will be validated against the Quay Keyserver
+//
+// It follows the algorithm outlined here:
+// https://github.com/quay/jwtproxy/tree/master/jwt/keyserver/keyregistry#verifier
+type QuayKeyserver struct {
 	root   *url.URL
 	client *http.Client
 	mu     sync.RWMutex
 	cache  map[string]*jose.JSONWebKey
 }
 
+// NewQuayKeyserver returns an instance of a QuayKeyserver
+func NewQuayKeyserver(api string) (*QuayKeyserver, error) {
+	root, err := url.Parse(api)
+	if err != nil {
+		return nil, err
+	}
+
+	t := httpcache.NewMemoryCacheTransport()
+	t.MarkCachedResponses = true
+	return &QuayKeyserver{
+		client: t.Client(),
+		root:   root,
+		cache:  make(map[string]*jose.JSONWebKey),
+	}, nil
+}
+
 // Check implements AuthCheck.
-func (s *ks) Check(ctx context.Context, r *http.Request) bool {
+func (s *QuayKeyserver) Check(ctx context.Context, r *http.Request) bool {
 	wt, ok := fromHeader(r)
 	if !ok {
 		return false
@@ -113,23 +136,3 @@ func (s *ks) Check(ctx context.Context, r *http.Request) bool {
 	}
 	return true
 }
-
-// QuayKeyserver returns an AuthCheck that validates JWTs by fetching keys from the
-// Quay at "api".
-//
-// It follows the algorithm outlined here:
-// https://github.com/quay/jwtproxy/tree/master/jwt/keyserver/keyregistry#verifier
-func QuayKeyserver(api string) (AuthCheck, error) {
-	root, err := url.Parse(api)
-	if err != nil {
-		return nil, err
-	}
-
-	t := httpcache.NewMemoryCacheTransport()
-	t.MarkCachedResponses = true
-	return &ks{
-		client: t.Client(),
-		root:   root,
-		cache:  make(map[string]*jose.JSONWebKey),
-	}, nil
-}

cmd/clair/httpauth_keyserver_test.go → middleware/auth/httpauth_keyserver_test.go

@@ -1,4 +1,4 @@
-package main
+package auth
 
 import (
 	"bytes"

cmd/clair/httpauth_psk.go → middleware/auth/httpauth_psk.go

@@ -1,4 +1,4 @@
-package main
+package auth
 
 import (
 	"context"
@@ -8,12 +8,25 @@ import (
 	"gopkg.in/square/go-jose.v2/jwt"
 )
 
-type psk struct {
+// PSK implements the AuthCheck interface.
+//
+// When Check is called the JWT on the incoming http request
+// will be validated against a pre-shared-key.
+type PSK struct {
 	key []byte
 	iss string
 }
 
-func (p *psk) Check(_ context.Context, r *http.Request) bool {
+// NewPSK returns an instance of a PSK
+func NewPSK(key []byte, issuer string) (*PSK, error) {
+	return &PSK{
+		key: key,
+		iss: issuer,
+	}, nil
+}
+
+// Check implements AuthCheck
+func (p *PSK) Check(_ context.Context, r *http.Request) bool {
 	wt, ok := fromHeader(r)
 	if !ok {
 		return false
@@ -34,12 +47,3 @@ func (p *psk) Check(_ context.Context, r *http.Request) bool {
 	}
 	return true
 }
-
-// PSKAuth returns an AuthCheck that validates a JWT with the supplied key and
-// ensures the issuer claim matches.
-func PSKAuth(key []byte, issuer string) (AuthCheck, error) {
-	return &psk{
-		key: key,
-		iss: issuer,
-	}, nil
-}

cmd/clair/httpauth_psk_test.go → middleware/auth/httpauth_psk_test.go

@@ -1,4 +1,4 @@
-package main
+package auth
 
 import (
 	"bytes"

cmd/clair/httpcompress.go → middleware/compress/handler.go

@@ -1,4 +1,4 @@
-package main
+package compress
 
 import (
 	"fmt"
@@ -15,10 +15,10 @@ import (
 	"github.com/klauspost/compress/snappy"
 )
 
-// Compress wraps the provided http.Handler and provides transparent body
+// Handler wraps the provided http.Handler and provides transparent body
 // compression based on a Request's "Accept-Encoding" header.
-func Compress(next http.Handler) http.Handler {
-	h := compressHandler{
+func Handler(next http.Handler) http.Handler {
+	h := handler{
 		next: next,
 	}
 	h.snappy.New = func() interface{} {
@@ -36,10 +36,10 @@ func Compress(next http.Handler) http.Handler {
 	return &h
 }
 
-var _ http.Handler = (*compressHandler)(nil)
+var _ http.Handler = (*handler)(nil)
 
-// CompressHandler performs transparent HTTP body compression.
-type compressHandler struct {
+// handler performs transparent HTTP body compression.
+type handler struct {
 	snappy, gzip, flate sync.Pool
 	next                http.Handler
 }
@@ -97,7 +97,7 @@ type accept struct {
 }
 
 // ServeHTTP implements http.Handler.
-func (c *compressHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+func (c *handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	ae, nok := parseAccept(r.Header.Get("accept-encoding"))
 	if ae == nil {
 		// If there was no header, play it cool.