feat: authenticate users and agents requests

.gitignore

@@ -8,5 +8,4 @@ dist/
 /.gitea-release
 /agent-key.json
 /apps
-/server-key.json
+/server-key.json
-/.emissary-token

Makefile

@@ -137,7 +137,4 @@ gitea-release: tools/gitea-release/bin/gitea-release.sh goreleaser
 tools/gitea-release/bin/gitea-release.sh:
 	mkdir -p tools/gitea-release/bin
 	curl --output tools/gitea-release/bin/gitea-release.sh https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/gitea/gitea-release.sh
-	chmod +x tools/gitea-release/bin/gitea-release.sh
+	chmod +x tools/gitea-release/bin/gitea-release.sh
-
-.emissary-token:
-	$(MAKE) run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server auth create-token > .emissary-token"

go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/jackc/pgx/v5 v5.3.1
 	github.com/jedib0t/go-pretty/v6 v6.4.4
 	github.com/lestrrat-go/jwx/v2 v2.0.8
-	github.com/lithammer/shortuuid/v4 v4.0.0
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/pkg/errors v0.9.1
 	github.com/qri-io/jsonschema v0.2.1

go.sum

@@ -913,8 +913,6 @@ github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
 github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3/go.mod h1:3r6x7q95whyfWQpmGZTu3gk3v2YkMi05HEzl7Tf7YEo=
-github.com/lithammer/shortuuid/v4 v4.0.0 h1:QRbbVkfgNippHOS8PXDkti4NaWeyYfcBTHtw7k08o4c=
-github.com/lithammer/shortuuid/v4 v4.0.0/go.mod h1:Zs8puNcrvf2rV9rTH51ZLLcj7ZXqQI3lv67aw4KiB1Y=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=

internal/auth/agent/user.go

@@ -13,7 +13,7 @@ type User struct {
 
 // Subject implements auth.User
 func (u *User) Subject() string {
-	return fmt.Sprintf("agent-%d", u.agent.ID)
+	return fmt.Sprintf("agent#%d", u.agent.ID)
 }
 
 func (u *User) Agent() *datastore.Agent {

internal/auth/middleware.go

@@ -71,7 +71,6 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 				return
 			}
 
-			ctx = logger.With(ctx, logger.F("user", user.Subject()))
 			ctx = context.WithValue(ctx, contextKeyUser, user)
 
 			h.ServeHTTP(w, r.WithContext(ctx))

internal/auth/user/jwt.go

@@ -27,17 +27,9 @@ func parseToken(ctx context.Context, keys jwk.Set, issuer string, rawToken strin
 	return token, nil
 }
 
-func GenerateToken(ctx context.Context, key jwk.Key, issuer, subject string, role Role) (string, error) {
+func GenerateToken(ctx context.Context, key jwk.Key, role Role) (string, error) {
 	token := jwt.New()
 
-	if err := token.Set(jwt.SubjectKey, subject); err != nil {
-		return "", errors.WithStack(err)
-	}
-
-	if err := token.Set(jwt.IssuerKey, issuer); err != nil {
-		return "", errors.WithStack(err)
-	}
-
 	if err := token.Set(keyRole, role); err != nil {
 		return "", errors.WithStack(err)
 	}

internal/command/agent/run.go

@@ -17,6 +17,7 @@ import (
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
 	"forge.cadoles.com/Cadoles/emissary/internal/machineid"
 	"github.com/pkg/errors"
+	_ "github.com/santhosh-tekuri/jsonschema/v5/httploader"
 	"github.com/urfave/cli/v2"
 	"gitlab.com/wpetit/goweb/logger"
 )

internal/command/client/agent/count.go

@@ -18,13 +18,7 @@ func CountCommand() *cli.Command {
 		Flags: clientFlag.ComposeFlags(),
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
-
+			client := client.New(baseFlags.ServerURL)
-			token, err := clientFlag.GetToken(baseFlags)
-			if err != nil {
-				return errors.WithStack(apierr.Wrap(err))
-			}
-
-			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			_, total, err := client.QueryAgents(ctx.Context)
 			if err != nil {

internal/command/client/agent/get.go

@@ -20,17 +20,12 @@ func GetCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
 
-			token, err := clientFlag.GetToken(baseFlags)
-			if err != nil {
-				return errors.WithStack(apierr.Wrap(err))
-			}
-
 			agentID, err := agentFlag.AssertAgentID(ctx)
 			if err != nil {
 				return errors.WithStack(err)
 			}
 
-			client := client.New(baseFlags.ServerURL, client.WithToken(token))
+			client := client.New(baseFlags.ServerURL)
 
 			agent, err := client.GetAgent(ctx.Context, agentID)
 			if err != nil {

internal/command/client/agent/query.go

@@ -18,13 +18,7 @@ func QueryCommand() *cli.Command {
 		Flags: clientFlag.ComposeFlags(),
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
-
+			client := client.New(baseFlags.ServerURL)
-			token, err := clientFlag.GetToken(baseFlags)
-			if err != nil {
-				return errors.WithStack(apierr.Wrap(err))
-			}
-
-			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			agents, _, err := client.QueryAgents(ctx.Context)
 			if err != nil {

internal/command/client/agent/spec/get.go

@@ -24,12 +24,7 @@ func GetCommand() *cli.Command {
 				return errors.WithStack(err)
 			}
 
-			token, err := clientFlag.GetToken(baseFlags)
+			client := client.New(baseFlags.ServerURL)
-			if err != nil {
-				return errors.WithStack(apierr.Wrap(err))
-			}
-
-			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			specs, err := client.GetAgentSpecs(ctx.Context, agentID)
 			if err != nil {

internal/command/client/agent/spec/update.go

@@ -61,12 +61,7 @@ func UpdateCommand() *cli.Command {
 
 			noPatch := ctx.Bool("no-patch")
 
-			token, err := clientFlag.GetToken(baseFlags)
+			client := client.New(baseFlags.ServerURL)
-			if err != nil {
-				return errors.WithStack(apierr.Wrap(err))
-			}
-
-			client := client.New(baseFlags.ServerURL, client.WithToken(token))
 
 			specs, err := client.GetAgentSpecs(ctx.Context, agentID)
 			if err != nil {

internal/command/client/agent/update.go

@@ -26,11 +26,6 @@ func UpdateCommand() *cli.Command {
 		Action: func(ctx *cli.Context) error {
 			baseFlags := clientFlag.GetBaseFlags(ctx)
 
-			token, err := clientFlag.GetToken(baseFlags)
-			if err != nil {
-				return errors.WithStack(apierr.Wrap(err))
-			}
-
 			agentID, err := agentFlag.AssertAgentID(ctx)
 			if err != nil {
 				return errors.WithStack(err)
@@ -43,7 +38,7 @@ func UpdateCommand() *cli.Command {
 				options = append(options, client.WithAgentStatus(status))
 			}
 
-			client := client.New(baseFlags.ServerURL, client.WithToken(token))
+			client := client.New(baseFlags.ServerURL)
 
 			agent, err := client.UpdateAgent(ctx.Context, agentID, options...)
 			if err != nil {

internal/command/client/flag/flag.go

@@ -2,13 +2,9 @@ package flag
 
 import (
 	"fmt"
-	"io/ioutil"
-	"os"
-	"strings"
 
 	"forge.cadoles.com/Cadoles/emissary/internal/format"
 	"forge.cadoles.com/Cadoles/emissary/internal/format/table"
-	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 )
 
@@ -32,17 +28,6 @@ func ComposeFlags(flags ...cli.Flag) []cli.Flag {
 			Usage:   fmt.Sprintf("use `MODE` as output mode (available: %s)", []format.OutputMode{format.OutputModeCompact, format.OutputModeWide}),
 			Value:   string(format.OutputModeCompact),
 		},
-		&cli.StringFlag{
-			Name:    "token",
-			Aliases: []string{"t"},
-			Usage:   "use `TOKEN` as authentification token",
-		},
-		&cli.StringFlag{
-			Name:      "token-file",
-			Usage:     "use `TOKEN_FILE` as file containing the authentification token",
-			Value:     ".emissary-token",
-			TakesFile: true,
-		},
 	}
 
 	flags = append(flags, baseFlags...)
@@ -54,43 +39,16 @@ type BaseFlags struct {
 	ServerURL  string
 	Format     format.Format
 	OutputMode format.OutputMode
-	Token      string
-	TokenFile  string
 }
 
 func GetBaseFlags(ctx *cli.Context) *BaseFlags {
 	serverURL := ctx.String("server")
 	rawFormat := ctx.String("format")
 	rawOutputMode := ctx.String("output-mode")
-	tokenFile := ctx.String("token-file")
-	token := ctx.String("token")
 
 	return &BaseFlags{
 		ServerURL:  serverURL,
 		Format:     format.Format(rawFormat),
 		OutputMode: format.OutputMode(rawOutputMode),
-		Token:      token,
-		TokenFile:  tokenFile,
 	}
 }
-
-func GetToken(flags *BaseFlags) (string, error) {
-	if flags.Token != "" {
-		return flags.Token, nil
-	}
-
-	if flags.TokenFile == "" {
-		return "", nil
-	}
-
-	rawToken, err := ioutil.ReadFile(flags.TokenFile)
-	if err != nil && !errors.Is(err, os.ErrNotExist) {
-		return "", errors.WithStack(err)
-	}
-
-	if rawToken == nil {
-		return "", nil
-	}
-
-	return strings.TrimSpace(string(rawToken)), nil
-}

internal/command/server/auth/create_token.go

@@ -1,54 +0,0 @@
-package auth
-
-import (
-	"fmt"
-
-	"forge.cadoles.com/Cadoles/emissary/internal/auth/user"
-	"forge.cadoles.com/Cadoles/emissary/internal/command/common"
-	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
-	"github.com/lithammer/shortuuid/v4"
-	"github.com/pkg/errors"
-	"github.com/urfave/cli/v2"
-)
-
-func CreateTokenCommand() *cli.Command {
-	return &cli.Command{
-		Name:  "create-token",
-		Usage: "Create a new authentification token",
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:  "role",
-				Usage: fmt.Sprintf("associate `ROLE` to the token (available: %v)", []user.Role{user.RoleReader, user.RoleWriter}),
-				Value: string(user.RoleReader),
-			},
-			&cli.StringFlag{
-				Name:  "subject",
-				Usage: "associate `SUBJECT` to the token",
-				Value: fmt.Sprintf("user-%s", shortuuid.New()),
-			},
-		},
-		Action: func(ctx *cli.Context) error {
-			conf, err := common.LoadConfig(ctx)
-			if err != nil {
-				return errors.Wrap(err, "Could not load configuration")
-			}
-
-			subject := ctx.String("subject")
-			role := ctx.String("role")
-
-			key, err := jwk.LoadOrGenerate(string(conf.Server.PrivateKeyPath), jwk.DefaultKeySize)
-			if err != nil {
-				return errors.WithStack(err)
-			}
-
-			token, err := user.GenerateToken(ctx.Context, key, string(conf.Server.Issuer), subject, user.Role(role))
-			if err != nil {
-				return errors.WithStack(err)
-			}
-
-			fmt.Println(token)
-
-			return nil
-		},
-	}
-}

internal/command/server/auth/root.go

@@ -6,10 +6,8 @@ import (
 
 func Root() *cli.Command {
 	return &cli.Command{
-		Name:  "auth",
+		Name:        "auth",
-		Usage: "Authentication related commands",
+		Usage:       "Authentication related commands",
-		Subcommands: []*cli.Command{
+		Subcommands: []*cli.Command{},
-			CreateTokenCommand(),
-		},
 	}
 }

misc/packaging/common/config-agent.yml

@@ -1,6 +1,3 @@
-logger:
-  level: 1
-  format: human
 agent:
   serverUrl: http://127.0.0.1:3000
   privateKeyPath: /var/lib/emissary/agent-key.json

misc/packaging/common/config-server.yml

@@ -1,27 +1,24 @@
+http:
+  host: 0.0.0.0
+  port: 3000
 logger:
   level: 1
   format: human
-server:
+database:
-  privateKeyPath: /var/lib/emissary/server-key.json
+  driver: sqlite
-  issuer: http://127.0.0.1:3000
+  dsn: sqlite:///var/lib/emissary/data.sqlite
-  http:
+cors:
-    host: 0.0.0.0
+  allowedOrigins: []
-    port: 3000
+  allowCredentials: true
-  database:
+  allowMethods:
-    driver: sqlite
+    - POST
-    dsn: sqlite:///var/lib/emissary/data.sqlite
+    - GET
-  cors:
+    - PUT
-    allowedOrigins: []
+    - DELETE
-    allowCredentials: true
+  allowedHeaders:
-    allowMethods:
+    - Origin
-      - POST
+    - Accept
-      - GET
+    - Content-Type
-      - PUT
+    - Authorization
-      - DELETE
+    - Sentry-Trace
-    allowedHeaders:
-      - Origin
-      - Accept
-      - Content-Type
-      - Authorization
-      - Sentry-Trace
   debug: false

modd.conf

@@ -6,8 +6,7 @@ tmp/config.yml
     prep: make build-emissary
     prep: make tmp/server.yml
     prep: make tmp/agent.yml
-    prep: make run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server database migrate"
+    prep: make run-emissary-server EMISSARY_CMD="--debug --config tmp/agent.yml server database migrate"
-    prep: make .emissary-token
     daemon: make run-emissary-server EMISSARY_CMD="--debug --config tmp/server.yml server run"
     daemon: make run-emissary-agent EMISSARY_CMD="--debug --config tmp/agent.yml agent run"
 }