add user basic authentication (#332)

* add user basic authentication * add test which expects unauthorised on basic auth * Consolidate tests and config * Add basic auth to cli --------- Co-authored-by: David Farr <[email protected]>
resonatehq · May 21, 2024 · 80db12e · 80db12e
1 parent d5a4a3d
commit 80db12e
Show file tree

Hide file tree

Showing 15 changed files with 1,092 additions and 950 deletions.
diff --git a/cmd/promises/complete.go b/cmd/promises/complete.go
@@ -84,7 +84,7 @@ func CompletePromiseCmds(c client.ResonateClient) []*cobra.Command {
 				} else if resp.StatusCode() == 200 {
 					cmd.Printf("%s promise: %s (deduplicated)\n", state.PastT, id)
 				} else {
-					cmd.PrintErrln(string(resp.Body))
+					cmd.PrintErrln(resp.Status(), string(resp.Body))
 				}
 			},
 		}

diff --git a/cmd/promises/completes_test.go → cmd/promises/complete_test.go b/cmd/promises/completes_test.go → cmd/promises/complete_test.go
diff --git a/cmd/promises/create.go b/cmd/promises/create.go
@@ -77,7 +77,7 @@ func CreatePromiseCmd(c client.ResonateClient) *cobra.Command {
 			} else if resp.StatusCode() == 200 {
 				cmd.Printf("Created promise: %s (deduplicated)\n", id)
 			} else {
-				cmd.PrintErrln(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 			}
 		},
 	}

diff --git a/cmd/promises/get.go b/cmd/promises/get.go
@@ -36,7 +36,7 @@ func GetPromiseCmd(c client.ResonateClient) *cobra.Command {
 			}
 
 			if resp.StatusCode() != 200 {
-				cmd.PrintErrln(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 				return
 			}
 

diff --git a/cmd/promises/promises.go b/cmd/promises/promises.go
@@ -12,13 +12,24 @@ import (
 )
 
 func NewCmd(c client.ResonateClient) *cobra.Command {
+	var (
+		username string
+		password string
+	)
+
 	cmd := &cobra.Command{
 		Use:     "promises",
 		Aliases: []string{"promise"},
 		Short:   "Manage durable promises",
 		Run: func(cmd *cobra.Command, args []string) {
 			_ = cmd.Help()
 		},
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			// Set basic auth if provided
+			if username != "" || password != "" {
+				c.SetBasicAuth(username, password)
+			}
+		},
 	}
 
 	// Add subcommands
@@ -27,6 +38,10 @@ func NewCmd(c client.ResonateClient) *cobra.Command {
 	cmd.AddCommand(CreatePromiseCmd(c))
 	cmd.AddCommand(CompletePromiseCmds(c)...)
 
+	// Flags
+	cmd.PersistentFlags().StringVarP(&username, "username", "U", "", "Basic auth username")
+	cmd.PersistentFlags().StringVarP(&password, "password", "P", "", "Basic auth password")
+
 	return cmd
 }
 

diff --git a/cmd/promises/search.go b/cmd/promises/search.go
@@ -69,7 +69,7 @@ func SearchPromisesCmd(c client.ResonateClient) *cobra.Command {
 			}
 
 			if resp.StatusCode() != 200 {
-				cmd.PrintErr(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 				return
 			}
 

diff --git a/cmd/schedules/create.go b/cmd/schedules/create.go
@@ -82,7 +82,7 @@ func CreateScheduleCmd(c client.ResonateClient) *cobra.Command {
 			} else if resp.StatusCode() == 200 {
 				cmd.Printf("Created schedule: %s (deduplicated)\n", id)
 			} else {
-				cmd.PrintErrln(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 			}
 		},
 	}

diff --git a/cmd/schedules/delete.go b/cmd/schedules/delete.go
@@ -34,7 +34,7 @@ func DeleteScheduleCmd(c client.ResonateClient) *cobra.Command {
 			}
 
 			if resp.StatusCode() != 204 {
-				cmd.PrintErrln(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 				return
 			}
 

diff --git a/cmd/schedules/get.go b/cmd/schedules/get.go
@@ -37,7 +37,7 @@ func GetScheduleCmd(c client.ResonateClient) *cobra.Command {
 			}
 
 			if resp.StatusCode() != 200 {
-				cmd.PrintErrln(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 				return
 			}
 

diff --git a/cmd/schedules/schedules.go b/cmd/schedules/schedules.go
@@ -12,13 +12,24 @@ import (
 )
 
 func NewCmd(c client.ResonateClient) *cobra.Command {
+	var (
+		username string
+		password string
+	)
+
 	cmd := &cobra.Command{
 		Use:     "schedules",
 		Aliases: []string{"schedule"},
 		Short:   "Manage durable schedules",
 		Run: func(cmd *cobra.Command, args []string) {
 			_ = cmd.Help()
 		},
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			// Set basic auth if provided
+			if username != "" || password != "" {
+				c.SetBasicAuth(username, password)
+			}
+		},
 	}
 
 	// Add subcommands
@@ -27,6 +38,10 @@ func NewCmd(c client.ResonateClient) *cobra.Command {
 	cmd.AddCommand(CreateScheduleCmd(c))
 	cmd.AddCommand(DeleteScheduleCmd(c))
 
+	// Flags
+	cmd.PersistentFlags().StringVarP(&username, "username", "U", "", "Basic auth username")
+	cmd.PersistentFlags().StringVarP(&password, "password", "P", "", "Basic auth password")
+
 	return cmd
 }
 

diff --git a/cmd/schedules/search.go b/cmd/schedules/search.go
@@ -54,7 +54,7 @@ func SearchSchedulesCmd(c client.ResonateClient) *cobra.Command {
 			}
 
 			if resp.StatusCode() != 200 {
-				cmd.PrintErr(string(resp.Body))
+				cmd.PrintErrln(resp.Status(), string(resp.Body))
 				return
 			}
 

diff --git a/cmd/serve/serve.go b/cmd/serve/serve.go
@@ -184,22 +184,22 @@ func ServeCmd() *cobra.Command {
 		},
 	}
 
-	// assert
-	cmd.Flags().Bool("ignore-asserts", false, "ignore-asserts mode")
-	_ = viper.BindPFlag("ignore-asserts", cmd.Flags().Lookup("ignore-asserts"))
-
 	// api
 	cmd.Flags().Int("api-size", 100, "size of the submission queue buffered channel")
 	cmd.Flags().String("api-http-addr", "0.0.0.0:8001", "http server address")
 	cmd.Flags().Duration("api-http-timeout", 10*time.Second, "http server graceful shutdown timeout")
 	cmd.Flags().String("api-grpc-addr", "0.0.0.0:50051", "grpc server address")
 	cmd.Flags().String("api-base-url", "http://localhost:8001", "base url to automatically generate absolute URLs for the server's resources")
+	cmd.Flags().String("api-http-auth-username", "", "username for basic auth")
+	cmd.Flags().String("api-http-auth-password", "", "password for basic auth")
 
 	_ = viper.BindPFlag("api.size", cmd.Flags().Lookup("api-size"))
 	_ = viper.BindPFlag("api.subsystems.http.addr", cmd.Flags().Lookup("api-http-addr"))
 	_ = viper.BindPFlag("api.subsystems.http.timeout", cmd.Flags().Lookup("api-http-timeout"))
 	_ = viper.BindPFlag("api.subsystems.grpc.addr", cmd.Flags().Lookup("api-grpc-addr"))
 	_ = viper.BindPFlag("api.baseUrl", cmd.Flags().Lookup("api-base-url"))
+	_ = viper.BindPFlag("api.subsystems.http.auth.username", cmd.Flags().Lookup("api-http-auth-username"))
+	_ = viper.BindPFlag("api.subsystems.http.auth.password", cmd.Flags().Lookup("api-http-auth-password"))
 
 	// aio
 	// Store
@@ -272,10 +272,15 @@ func ServeCmd() *cobra.Command {
 	_ = viper.BindPFlag("system.submissionBatchSize", cmd.Flags().Lookup("system-submission-batch-size"))
 	_ = viper.BindPFlag("system.completionBatchSize", cmd.Flags().Lookup("system-completion-batch-size"))
 	_ = viper.BindPFlag("system.scheduleBatchSize", cmd.Flags().Lookup("system-schedule-batch-size"))
+
 	// metrics
 	cmd.Flags().Int("metrics-port", 9090, "prometheus metrics server port")
 	_ = viper.BindPFlag("metrics.port", cmd.Flags().Lookup("metrics-port"))
 
+	// assert
+	cmd.Flags().Bool("ignore-asserts", false, "ignore-asserts mode")
+	_ = viper.BindPFlag("ignore-asserts", cmd.Flags().Lookup("ignore-asserts"))
+
 	cmd.Flags().SortFlags = false
 
 	return cmd

diff --git a/internal/app/subsystems/api/http/http.go b/internal/app/subsystems/api/http/http.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/go-playground/validator/v10"
 	"github.com/resonatehq/resonate/internal/app/subsystems/api/service"
+	"github.com/resonatehq/resonate/internal/util"
 
 	"log/slog"
 
@@ -15,8 +16,14 @@ import (
 	"github.com/resonatehq/resonate/internal/api"
 )
 
+type Auth struct {
+	Username string
+	Password string
+}
+
 type Config struct {
 	Addr    string
+	Auth    *Auth
 	Timeout time.Duration
 }
 
@@ -39,26 +46,39 @@ func New(api api.API, config *Config) api.Subsystem {
 	// Middleware
 	r.Use(s.log)
 
+	// Authentication
+	authorized := r.Group("/")
+	if config.Auth.Username != "" || config.Auth.Password != "" {
+		util.Assert(config.Auth.Username != "", "http basic auth username is required")
+		util.Assert(config.Auth.Password != "", "http basic auth password is required")
+
+		accounts := gin.Accounts{
+			config.Auth.Username: config.Auth.Password,
+		}
+		basicAuthMiddleware := gin.BasicAuth(accounts)
+		authorized.Use(basicAuthMiddleware)
+	}
+
 	// Promises API
-	r.POST("/promises", s.createPromise)
-	r.GET("/promises", s.searchPromises)
-	r.GET("/promises/*id", s.readPromise)
-	r.PATCH("/promises/*id", s.completePromise)
+	authorized.POST("/promises", s.createPromise)
+	authorized.GET("/promises", s.searchPromises)
+	authorized.GET("/promises/*id", s.readPromise)
+	authorized.PATCH("/promises/*id", s.completePromise)
 
 	// Schedules API
-	r.POST("/schedules", s.createSchedule)
-	r.GET("/schedules", s.searchSchedules)
-	r.GET("/schedules/*id", s.readSchedule)
-	r.DELETE("/schedules/*id", s.deleteSchedule)
+	authorized.POST("/schedules", s.createSchedule)
+	authorized.GET("/schedules", s.searchSchedules)
+	authorized.GET("/schedules/*id", s.readSchedule)
+	authorized.DELETE("/schedules/*id", s.deleteSchedule)
 
 	// Distributed Locks API
-	r.POST("/locks/acquire", s.acquireLock)
-	r.POST("/locks/heartbeat", s.heartbeatLocks)
-	r.POST("/locks/release", s.releaseLock)
+	authorized.POST("/locks/acquire", s.acquireLock)
+	authorized.POST("/locks/heartbeat", s.heartbeatLocks)
+	authorized.POST("/locks/release", s.releaseLock)
 
 	// Task API
-	r.POST("/tasks/claim", s.claimTask)
-	r.POST("/tasks/complete", s.completeTask)
+	authorized.POST("/tasks/claim", s.claimTask)
+	authorized.POST("/tasks/complete", s.completeTask)
 
 	return &Http{
 		config: config,