Merge pull request #148 from kbase/dev-kill_DIE

Get auth token from cookie

README.md

@@ -101,8 +101,17 @@ This data structure is identical to Shock's error data structure.
 
 # API
 
-Requests are authenticated by including the header `Authorization: OAuth <kbase token>` in the
-request.
+## Authentication
+
+Requests are authenticated by including the header `Authorization: OAuth <kbase token>` or
+including a cookie with the value of `<kbase token>` in the request.
+
+The names of cookies that the server will check are set in the deployment configuration file.
+
+The header takes precedence, then each cookie in the list in the configuration file in order.
+
+Note that for backwards compatibility, incorrect or invalid authentication headers respond with a
+400 HTTP code. Invalid cookies respond with the appropriate 401 code.
 
 ## Root
 

RELEASE_NOTES.md

@@ -1,6 +1,7 @@
 # 0.1.4
 
 * Added the `del` param when downloading the file from a node.
+* The Blobstore will now look for auth tokens in cookies specified in the deployment configuration.
 
 # 0.1.3
 

app/blobstore.go

@@ -19,7 +19,7 @@ import (
 
 const (
 	name        = "blobstore"
-	version     = "0.1.3"
+	version     = "0.1.4"
 	shockname   = "Shock"
 	shockver    = "0.9.6" // do not increment
 	deprecation = "The id and version fields are deprecated."

config/config.go

@@ -46,6 +46,9 @@ const (
 	// KeyAuthAdminRoles is the configuration key where the value is comma-delimited auth server
 	// roles that denote that a user is a blobstore admin
 	KeyAuthAdminRoles = "kbase-auth-admin-roles"
+	// KeyAuthTokenCookies is the configuartion key where the value is comma-delimited cookie
+	// names where the serivce should look for authentication tokens.
+	KeyAuthTokenCookies = "kbase-auth-token-cookies"
 	// KeyDontTrustXIPHeaders is the configuration key where the value determines whether to
 	// distrust the X-Forwarded-For and X-Real-IP headers (true) or not (anything else).
 	KeyDontTrustXIPHeaders = "dont-trust-x-ip-headers"
@@ -82,6 +85,9 @@ type Config struct {
 	// AuthAdminRoles are the auth server roles that denote that a user is a blobstore admin.
 	// It is never nil but may be empty.
 	AuthAdminRoles *[]string
+	// AuthTokenCookies are the cookie names to check for auth tokens.
+	// It is never nil but may be empty.
+	AuthTokenCookies *[]string
 	// DontTrustXIPHeaders determines whether to distrust the X-Forwarded-For and X-Real-IP
 	// headers.
 	DontTrustXIPHeaders bool
@@ -112,6 +118,7 @@ func New(configFilePath string) (*Config, error) {
 	s3region, err := getString(err, configFilePath, sec, KeyS3Region, true)
 	authurl, err := getURL(err, configFilePath, sec, KeyAuthURL)
 	roles, err := getStringList(err, configFilePath, sec, KeyAuthAdminRoles)
+	cookies, err := getStringList(err, configFilePath, sec, KeyAuthTokenCookies)
 	xip, err := getString(err, configFilePath, sec, KeyDontTrustXIPHeaders, false)
 	if err != nil {
 		return nil, err
@@ -137,6 +144,7 @@ func New(configFilePath string) (*Config, error) {
 			S3Region:            s3region,
 			AuthURL:             authurl,
 			AuthAdminRoles:      roles,
+			AuthTokenCookies:    cookies,
 			DontTrustXIPHeaders: "true" == xip,
 		},
 		nil

config/config_test.go

@@ -93,6 +93,7 @@ func (t *TestSuite) TestMinimalConfig() {
 		S3DisableSSLVerify:  false,
 		AuthURL:             u,
 		AuthAdminRoles:      &[]string{},
+		AuthTokenCookies:    &[]string{},
 		DontTrustXIPHeaders: false,
 	}
 	t.Equal(&expected, cfg, "incorrect config")
@@ -114,6 +115,7 @@ func (t *TestSuite) TestMinimalConfigWhitespaceFields() {
 		"s3-region =       us-west-1    \t   ",
 		"kbase-auth-url = https://kbase.us/authyauth",
 		"kbase-auth-admin-roles =    \t     ",
+		"kbase-auth-token-cookies =    \t     ",
 		"dont-trust-x-ip-headers =      \t     ",
 	)
 	cfg, err := New(filePath)
@@ -132,6 +134,7 @@ func (t *TestSuite) TestMinimalConfigWhitespaceFields() {
 		S3DisableSSLVerify:  false,
 		AuthURL:             u,
 		AuthAdminRoles:      &[]string{},
+		AuthTokenCookies:    &[]string{},
 		DontTrustXIPHeaders: false,
 	}
 	t.Equal(&expected, cfg, "incorrect config")
@@ -153,6 +156,7 @@ func (t *TestSuite) TestMaximalConfig() {
 		"s3-disable-ssl-verify=     true    ",
 		"kbase-auth-url = https://kbase.us/authyauth",
 		"kbase-auth-admin-roles =    \t     ,    foo   , \tbar\t , ,  baz ,,",
+		"kbase-auth-token-cookies =    \t   , chokkiechip   , \toreoinmilk\t , , earwaxNsnot ,,",
 		"dont-trust-x-ip-headers =     true   \t  ",
 	)
 	cfg, err := New(filePath)
@@ -173,6 +177,7 @@ func (t *TestSuite) TestMaximalConfig() {
 		S3Region:            "us-west-1",
 		AuthURL:             u,
 		AuthAdminRoles:      &[]string{"foo", "bar", "baz"},
+		AuthTokenCookies:    &[]string{"chokkiechip", "oreoinmilk", "earwaxNsnot"},
 		DontTrustXIPHeaders: true,
 	}
 	t.Equal(&expected, cfg, "incorrect config")

deploy.cfg.example

@@ -30,6 +30,9 @@ s3-region = us-west-1
 kbase-auth-url = https://kbase.us/services/auth
 # KBase auth server custom roles that denote the user is a blobstore admin. Comma delimited.
 kbase-auth-admin-roles = KBASE_ADMIN, BLOBSTORE_ADMIN
+# A list of comma separated cookie names to check for authentication tokens.
+# The authentication header is checked first, then each cookie in the list in order.
+# kbase-auth-token-cookies = 
 
 # If "true", make the server ignore the X-Forwarded-For and X-Real-IP headers. Otherwise
 # (the default behavior), the logged IP address for a request, in order of precedence, is

deployment/conf/deployment.cfg.templ

@@ -28,6 +28,9 @@ s3-disable-ssl-verify = {{ default .Env.s3_disable_ssl_verify "false" }}
 kbase-auth-url = {{ default .Env.kbase_auth_url "https://ci.kbase.us/services/auth" }}
 # KBase auth server custom roles that denote the user is a blobstore admin. Comma delimited.
 kbase-auth-admin-roles = {{ default .Env.kbase_auth_admin_roles "KBASE_ADMIN, BLOBSTORE_ADMIN" }}
+# A list of comma separated cookie names to check for authentication tokens.
+# The authentication header is checked first, then each cookie in the list in order.
+kbase-auth-token-cookies = {{ default .Env.kbase_auth_token_cookies "kbase_session, kbase_session_backup" }}
 
 # If "true", make the server ignore the X-Forwarded-For and X-Real-IP headers. Otherwise
 # (the default behavior), the logged IP address for a request, in order of precedence, is

docker-compose.yml

@@ -5,13 +5,13 @@ version: "3.1"
 # that is started up and polled
 services:
   kbase_blobstore:
-    image: kbase/blobstore:latest
+    build: .
     ports:
       - "8080:8080"
     environment:
       blobstore_host: 0.0.0.0:8080
-      mongo_host: localhost:27017
-      mongo_database: dc_blobstore_test
+      mongodb_host: mongo:27017
+      mongodb_database: dc_blobstore_test
       kbase_auth_url: https://ci.kbase.us/services/auth
       kbase_auth_admin_roles: KBASE_ADMIN,BLOBSTORE_ADMIN
       s3_host: minio:9000
@@ -24,9 +24,7 @@ services:
     command:
       - "-multiline"
       - "-wait"
-      - "tcp://ci-mongo:27017"
-      - "-wait"
-      - "tcp://mongoinit:8080"
+      - "tcp://mongo:27017"
       - "-wait"
       - "tcp://minio:9000"
       - "-timeout"
@@ -36,37 +34,10 @@ services:
       - "/kb/deployment/blobstore/blobstore"
       - "--conf"
       - "/kb/deployment/conf/deployment.cfg"
-      # If you needed to pass in context for template evaluation you would put something like
-      # these lines that tell dockerize to hit github for an INI style file for the context
-    # - "-env"
-    # - "https://raw.githubusercontent.com/kbase/mini_kb/master/deployment/conf/tauth2-minikb.yml"
-      # If the -env URL needs authentication you would use an -env-header directive that specified
-      # either the hard coded string for the header, or a path to a file that contains the header
-      # string ( used for working with docker secrets files)
-    # - "-env-header"
-    # - "AUTHORIZATION:authtokenvalue"
-      # or for a path to a secrets file:
-    # - "env-header"
-    # - "/run/secrets/authheader"
-      # If your server is using self-signed certs, or otherwise problematic for cert validation
-      # you can add the following flag:
-    # - "-validateCert=false"
-    depends_on: ["ci-mongo", "mongoinit", "minio"]
-
-  mongoinit:
-    image: kbase/db_initialize:latest
-    entrypoint:
-      - "/kb/deployment/bin/dockerize.sh"
-      - "-wait"
-      - "tcp://ci-mongo:27017"
-      - "-timeout"
-      - "120s"
-    depends_on: [ "ci-mongo" ]
+    depends_on: ["mongo", "minio"]
 
-  ci-mongo:
-    image: mongo:2
-    command:
-      - "--smallfiles"
+  mongo:
+    image: mongo:3.6
     ports:
       - "27017:27017"
 

service/errortypes.go

@@ -18,7 +18,7 @@ const (
 // special explanation in the error string.
 type UnauthorizedCustomError string
 
-// UnauthorizedCustomError creates a new UnauthorizedCustomError.
+// NewUnauthorizedCustomError creates a new UnauthorizedCustomError.
 func NewUnauthorizedCustomError(err string) *UnauthorizedCustomError {
 	e := UnauthorizedCustomError(err)
 	return &e
@@ -28,13 +28,29 @@ func (e *UnauthorizedCustomError) Error() string {
 	return string(*e)
 }
 
+// InvalidTokenCustomError denotes that an invalid token was submitted and special explanation
+// is needed in the error string.
+type InvalidTokenCustomError string
+
+// NewInvalidTokenCustomError creates a new InvalidTokenCustomError.
+func NewInvalidTokenCustomError(err string) *InvalidTokenCustomError {
+	e := InvalidTokenCustomError(err)
+	return &e
+}
+
+func (e *InvalidTokenCustomError) Error() string {
+	return string(*e)
+}
+
 func translateError(err error) (code int, errstr string) {
 	// not sure about this approach. Alternative is to add some state to every error that
 	// can be mapped to a code, and I'm not super thrilled about that either.
 	switch t := err.(type) {
 	case *auth.InvalidTokenError:
 		// Shock compatibility, should be 401
 		return http.StatusBadRequest, invalidAuthHeader
+	case *InvalidTokenCustomError:
+		return http.StatusUnauthorized, t.Error()
 	case *core.NoBlobError:
 		return http.StatusNotFound, "Node not found"
 	case *core.UnauthorizedError:
@@ -45,7 +61,7 @@ func translateError(err error) (code int, errstr string) {
 		return http.StatusBadRequest, "Users that are not node owners can only delete " +
 			"themselves from ACLs."
 	case *UnauthorizedCustomError:
-		return http.StatusUnauthorized, t.Error()
+		return http.StatusForbidden, t.Error()
 	case *auth.InvalidUserError:
 		// no equivalent shock error, it accepts any string as a username
 		return http.StatusBadRequest, t.Error()