Skip to content

api: migrate auth (users and tokens) to protobuf #1848

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
BeryJu wants to merge 3 commits into
base: main
Choose a base branch
from
Open

api: migrate auth (users and tokens) to protobuf #1848

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f6d2349
api: migrate auth (users and tokens) to protobuf
BeryJu Sep 16, 2025
f3771de
add marshal/unmarshal wrapper
BeryJu Sep 18, 2025
d7787ef
migrate tokens
BeryJu Sep 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions pkg/roles/api/auth/api.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,9 @@ func (ap *AuthProvider) APIConfig() usecase.Interactor {
}

type APIMeOutput struct {
Username string `json:"username" required:"true"`
Authenticated bool `json:"authenticated" required:"true"`
Permissions []Permission `json:"permissions" required:"true"`
Username string `json:"username" required:"true"`
Authenticated bool `json:"authenticated" required:"true"`
Permissions []*types.Permission `json:"permissions" required:"true"`
}

func (ap *AuthProvider) APIMe() usecase.Interactor {
Expand All @@ -43,7 +43,7 @@ func (ap *AuthProvider) APIMe() usecase.Interactor {
output.Authenticated = false
return nil
}
user := u.(User)
user := u.(*types.User)
output.Authenticated = true
output.Username = user.Username
output.Permissions = user.Permissions
Expand Down
5 changes: 2 additions & 3 deletions pkg/roles/api/auth/api_tokens.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,12 +62,11 @@ type APITokensPutOutput struct {

func (ap *AuthProvider) APITokensPut() usecase.Interactor {
u := usecase.NewInteractor(func(ctx context.Context, input APITokensPutInput, output *APITokensPutOutput) error {
token := &Token{
token := &types.Token{
Key: base64.RawStdEncoding.EncodeToString(securecookie.GenerateRandomKey(64)),
Username: input.Username,
ap: ap,
}
err := token.put(ctx)
err := ap.putToken(token, ctx)
if err != nil {
return status.Wrap(err, status.Internal)
}
Expand Down
10 changes: 5 additions & 5 deletions pkg/roles/api/auth/api_tokens_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
"beryju.io/gravity/pkg/roles/api"
"beryju.io/gravity/pkg/roles/api/auth"
"beryju.io/gravity/pkg/roles/api/types"
"beryju.io/gravity/pkg/tests"

Check failure on line 10 in pkg/roles/api/auth/api_tokens_test.go

View workflow job for this annotation

GitHub Actions / Lint 

could not import beryju.io/gravity/pkg/tests (-: # beryju.io/gravity/pkg/tests [beryju.io/gravity/pkg/roles/api/auth.test]
"github.com/stretchr/testify/assert"
)

Expand All @@ -20,14 +20,14 @@
defer role.Stop()
prov := auth.NewAuthProvider(role, inst)

tests.PanicIfError(inst.KV().Put(
tests.PanicIfError(inst.KV().PutObj(
ctx,
inst.KV().Key(
types.KeyRole,
types.KeyTokens,
tests.RandomString(),
).String(),
tests.MustJSON(auth.Token{}),
&types.Token{},
))

var output auth.APITokensGetOutput
Expand Down Expand Up @@ -58,7 +58,7 @@
types.KeyTokens,
output.Key,
),
auth.Token{
&types.Token{
Username: name,
},
)
Expand All @@ -75,14 +75,14 @@

name := tests.RandomString()

tests.PanicIfError(inst.KV().Put(
tests.PanicIfError(inst.KV().PutObj(
ctx,
inst.KV().Key(
types.KeyRole,
types.KeyTokens,
name,
).String(),
tests.MustJSON(auth.Token{}),
&types.Token{},
))

assert.NoError(t, prov.APITokensDelete().Interact(ctx, auth.APITokensDeleteInput{
Expand Down
15 changes: 7 additions & 8 deletions pkg/roles/api/auth/api_users.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ type APIUsersGetInput struct {
Username string `query:"username" description:"Optional username of a user to get"`
}
type APIUser struct {
Username string `json:"username" required:"true"`
Permissions []Permission `json:"permissions" required:"true"`
Username string `json:"username" required:"true"`
Permissions []*types.Permission `json:"permissions" required:"true"`
}
type APIUsersGetOutput struct {
Users []APIUser `json:"users" required:"true"`
Expand Down Expand Up @@ -64,8 +64,8 @@ func (ap *AuthProvider) APIUsersGet() usecase.Interactor {
type APIUsersPutInput struct {
Username string `query:"username" required:"true"`

Password string `json:"password" required:"true"`
Permissions []Permission `json:"permissions" required:"true"`
Password string `json:"password" required:"true"`
Permissions []*types.Permission `json:"permissions" required:"true"`
}

func (ap *AuthProvider) APIUsersPut() usecase.Interactor {
Expand All @@ -78,7 +78,7 @@ func (ap *AuthProvider) APIUsersPut() usecase.Interactor {
input.Username,
).String(),
)
var oldUser *User
var oldUser *types.User
if err == nil && len(rawUsers.Kvs) > 0 {
user, err := ap.userFromKV(rawUsers.Kvs[0])
if err != nil {
Expand All @@ -89,10 +89,9 @@ func (ap *AuthProvider) APIUsersPut() usecase.Interactor {
oldUser = user
}

user := &User{
user := &types.User{
Username: input.Username,
Permissions: input.Permissions,
ap: ap,
}
if input.Password != "" {
hash, err := bcrypt.GenerateFromPassword([]byte(input.Password), bcrypt.DefaultCost)
Expand All @@ -103,7 +102,7 @@ func (ap *AuthProvider) APIUsersPut() usecase.Interactor {
} else if oldUser != nil {
user.Password = oldUser.Password
}
err = user.put(ctx)
err = ap.putUser(user, ctx)
if err != nil {
return status.Wrap(err, status.Internal)
}
Expand Down
4 changes: 2 additions & 2 deletions pkg/roles/api/auth/api_users_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func TestAPIUsersGet(t *testing.T) {
types.KeyUsers,
tests.RandomString(),
).String(),
tests.MustJSON(auth.User{}),
string(tests.MustProto(&types.User{})),
))

var output auth.APIUsersGetOutput
Expand Down Expand Up @@ -92,7 +92,7 @@ func TestAPIUsersDelete(t *testing.T) {
types.KeyUsers,
name,
).String(),
tests.MustJSON(auth.User{}),
string(tests.MustProto(&types.User{})),
))

assert.NoError(t, prov.APIUsersDelete().Interact(ctx, auth.APIUsersDeleteInput{
Expand Down
6 changes: 3 additions & 3 deletions pkg/roles/api/auth/first_start.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (

"beryju.io/gravity/pkg/extconfig"
"beryju.io/gravity/pkg/roles"
"beryju.io/gravity/pkg/roles/api/types"
"github.com/gorilla/securecookie"
"go.uber.org/zap"
)
Expand Down Expand Up @@ -36,12 +37,11 @@ func (ap *AuthProvider) FirstStart(ev *roles.Event) {

token := os.Getenv("ADMIN_TOKEN")
if token != "" {
t := Token{
t := &types.Token{
Key: token,
Username: username,
ap: ap,
}
err := t.put(ev.Context)
err := ap.putToken(t, ev.Context)
if err != nil {
ap.log.Warn("failed to create bootstrap token", zap.Error(err))
return
Expand Down
2 changes: 1 addition & 1 deletion pkg/roles/api/auth/method_api_key.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,6 @@ func (ap *AuthProvider) checkStaticToken(r *http.Request) bool {
return false
}
session := r.Context().Value(types.RequestSession).(*sessions.Session)
session.Values[types.SessionKeyUser] = *user
session.Values[types.SessionKeyUser] = user
return false
}
6 changes: 3 additions & 3 deletions pkg/roles/api/auth/method_oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,10 @@ func (ap *AuthProvider) oidcCallback(w http.ResponseWriter, r *http.Request) {
http.Error(w, "failed to authenticate", http.StatusBadRequest)
return
}
user := User{
user := &types.User{
Username: claims.Email,
Password: "",
Permissions: []Permission{
Permissions: []*types.Permission{
{
Path: "/*",
Methods: []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodHead, http.MethodDelete},
Expand Down Expand Up @@ -150,6 +150,6 @@ func (ap *AuthProvider) checkJWTToken(r *http.Request) bool {
return false
}
session := r.Context().Value(types.RequestSession).(*sessions.Session)
session.Values[types.SessionKeyUser] = *user
session.Values[types.SessionKeyUser] = user
return false
}
2 changes: 1 addition & 1 deletion pkg/roles/api/auth/method_oidc_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ func TestAuthOIDC_Token(t *testing.T) {
types.KeyUsers,
"admin@example.com",
).String(),
tests.MustJSON(auth.User{}),
string(tests.MustProto(&types.User{})),
))

role := api.New(inst)
Expand Down
5 changes: 3 additions & 2 deletions pkg/roles/api/auth/middleware.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,11 @@ func (ap *AuthProvider) isRequestAllowed(r *http.Request) bool {
if hub == nil {
hub = sentry.CurrentHub()
}
uu := u.(*types.User)
hub.Scope().SetUser(sentry.User{
Username: u.(User).Username,
Username: uu.Username,
})
return ap.checkPermission(r, u.(User))
return ap.checkPermission(r, uu)
}

func (ap *AuthProvider) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
Expand Down
10 changes: 6 additions & 4 deletions pkg/roles/api/auth/permission.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,20 +3,22 @@ package auth
import (
"net/http"
"strings"

"beryju.io/gravity/pkg/roles/api/types"
)

const wildcard = "*"

func (ap *AuthProvider) checkPermission(req *http.Request, u User) bool {
var longestMatch *Permission
func (ap *AuthProvider) checkPermission(req *http.Request, u *types.User) bool {
var longestMatch *types.Permission
for _, perm := range u.Permissions {
if strings.HasSuffix(perm.Path, wildcard) && strings.HasPrefix(req.URL.Path, strings.TrimSuffix(perm.Path, wildcard)) {
if longestMatch == nil || len(perm.Path) > len(longestMatch.Path) {
longestMatch = &perm
longestMatch = perm
}
} else if perm.Path == req.URL.Path {
if longestMatch == nil || len(perm.Path) > len(longestMatch.Path) {
longestMatch = &perm
longestMatch = perm
}
}
}
Expand Down
13 changes: 7 additions & 6 deletions pkg/roles/api/auth/permissions_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"net/http"
"testing"

"beryju.io/gravity/pkg/roles/api/types"
"github.com/stretchr/testify/assert"
)

Expand All @@ -17,8 +18,8 @@ func mustRequest(meth string, url string) *http.Request {

func TestPermission_Fixed(t *testing.T) {
ap := AuthProvider{}
assert.True(t, ap.checkPermission(mustRequest("get", "/foo/bar"), User{
Permissions: []Permission{
assert.True(t, ap.checkPermission(mustRequest("get", "/foo/bar"), &types.User{
Permissions: []*types.Permission{
{
Path: "/foo/bar",
Methods: []string{"get", "post"},
Expand All @@ -37,16 +38,16 @@ func TestPermission_Fixed(t *testing.T) {

func TestPermission_Wildcard(t *testing.T) {
ap := AuthProvider{}
assert.True(t, ap.checkPermission(mustRequest("get", "/foo/bar"), User{
Permissions: []Permission{
assert.True(t, ap.checkPermission(mustRequest("get", "/foo/bar"), &types.User{
Permissions: []*types.Permission{
{
Path: "/foo/*",
Methods: []string{"get"},
},
},
}))
assert.True(t, ap.checkPermission(mustRequest("get", "/foo/bar"), User{
Permissions: []Permission{
assert.True(t, ap.checkPermission(mustRequest("get", "/foo/bar"), &types.User{
Permissions: []*types.Permission{
{
Path: "/foo/*",
Methods: []string{"*"},
Expand Down
15 changes: 5 additions & 10 deletions pkg/roles/api/auth/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package auth
import (
"context"
"encoding/gob"
"encoding/json"
"net/http"

instanceTypes "beryju.io/gravity/pkg/instance/types"
Expand Down Expand Up @@ -40,7 +39,7 @@ func NewAuthProvider(r roles.Role, inst roles.Instance) *AuthProvider {
"/api/v1/openapi.json",
},
}
gob.Register(User{})
gob.Register(types.User{})
inst.AddEventListener(types.EventTopicAPIMuxSetup, func(ev *roles.Event) {
svc := ev.Payload.Data["svc"].(*web.Service)
mux := ev.Payload.Data["mux"].(*mux.Router)
Expand Down Expand Up @@ -70,28 +69,24 @@ func (ap *AuthProvider) CreateUser(ctx context.Context, username, password strin
return err
}

user := User{
user := types.User{
Password: string(hashedPw),
Permissions: []Permission{
Permissions: []*types.Permission{
{
Path: "/*",
Methods: []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodHead, http.MethodDelete},
},
},
}
userJson, err := json.Marshal(user)
if err != nil {
return err
}

_, err = ap.inst.KV().Put(
_, err = ap.inst.KV().PutObj(
ctx,
ap.inst.KV().Key(
types.KeyRole,
types.KeyUsers,
username,
).String(),
string(userJson),
&user,
)
if err != nil {
return err
Expand Down
30 changes: 8 additions & 22 deletions pkg/roles/api/auth/token.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package auth

import (
"context"
"encoding/json"
"strings"

"beryju.io/gravity/pkg/roles/api/types"
Expand All @@ -15,39 +14,26 @@ const (
BearerType = "bearer"
)

type Token struct {
ap *AuthProvider
Key string `json:"-"`

Username string `json:"username"`
}

func (token *Token) put(ctx context.Context, opts ...clientv3.OpOption) error {
raw, err := json.Marshal(&token)
if err != nil {
return err
}
fullKey := token.ap.inst.KV().Key(
func (ap *AuthProvider) putToken(t *types.Token, ctx context.Context, opts ...clientv3.OpOption) error {
fullKey := ap.inst.KV().Key(
types.KeyRole,
types.KeyTokens,
token.Key,
t.Key,
).String()
_, err = token.ap.inst.KV().Put(ctx, fullKey, string(raw), opts...)
_, err := ap.inst.KV().PutObj(ctx, fullKey, t, opts...)
return err
}

func (ap *AuthProvider) tokenFromKV(raw *mvccpb.KeyValue) (*Token, error) {
token := &Token{
ap: ap,
}
func (ap *AuthProvider) tokenFromKV(raw *mvccpb.KeyValue) (*types.Token, error) {
token := &types.Token{}
prefix := ap.inst.KV().Key(
types.KeyRole,
types.KeyTokens,
).Prefix(true).String()
token.Key = strings.TrimPrefix(string(raw.Key), prefix)
err := json.Unmarshal(raw.Value, &token)
err := ap.inst.KV().Unmarshal(raw.Value, &token)
if err != nil {
return token, err
}
token.Key = strings.TrimPrefix(string(raw.Key), prefix)
return token, nil
}
Loading
Loading