server: configurable user for basic auth

client/client.go

@@ -21,6 +21,7 @@ import (
 // Create/List/Get/Cancel Task endpoints. "address" is the address
 // of the TES server.
 func NewClient(address string) (*Client, error) {
+	user := os.Getenv("FUNNEL_SERVER_USER")
 	password := os.Getenv("FUNNEL_SERVER_PASSWORD")
 
 	re := regexp.MustCompile("^(.+://)?(.[^/]+)(.+)?$")
@@ -41,6 +42,7 @@ func NewClient(address string) (*Client, error) {
 			Timeout: 60 * time.Second,
 		},
 		Marshaler: &tes.Marshaler,
+		User:      user,
 		Password:  password,
 	}, nil
 }
@@ -50,6 +52,7 @@ type Client struct {
 	address   string
 	client    *http.Client
 	Marshaler *jsonpb.Marshaler
+	User      string
 	Password  string
 }
 
@@ -59,7 +62,7 @@ func (c *Client) GetTask(ctx context.Context, req *tes.GetTaskRequest) (*tes.Tas
 	u := c.address + "/v1/tasks/" + req.Id + "?view=" + req.View.String()
 	hreq, _ := http.NewRequest("GET", u, nil)
 	hreq.WithContext(ctx)
-	hreq.SetBasicAuth("funnel", c.Password)
+	hreq.SetBasicAuth(c.User, c.Password)
 	body, err := util.CheckHTTPResponse(c.client.Do(hreq))
 	if err != nil {
 		return nil, err
@@ -93,7 +96,7 @@ func (c *Client) ListTasks(ctx context.Context, req *tes.ListTasksRequest) (*tes
 	u := c.address + "/v1/tasks?" + v.Encode()
 	hreq, _ := http.NewRequest("GET", u, nil)
 	hreq.WithContext(ctx)
-	hreq.SetBasicAuth("funnel", c.Password)
+	hreq.SetBasicAuth(c.User, c.Password)
 	body, err := util.CheckHTTPResponse(c.client.Do(hreq))
 	if err != nil {
 		return nil, err
@@ -125,7 +128,7 @@ func (c *Client) CreateTask(ctx context.Context, task *tes.Task) (*tes.CreateTas
 	hreq, _ := http.NewRequest("POST", u, &b)
 	hreq.WithContext(ctx)
 	hreq.Header.Add("Content-Type", "application/json")
-	hreq.SetBasicAuth("funnel", c.Password)
+	hreq.SetBasicAuth(c.User, c.Password)
 	body, err := util.CheckHTTPResponse(c.client.Do(hreq))
 	if err != nil {
 		return nil, err
@@ -146,7 +149,7 @@ func (c *Client) CancelTask(ctx context.Context, req *tes.CancelTaskRequest) (*t
 	hreq, _ := http.NewRequest("POST", u, nil)
 	hreq.WithContext(ctx)
 	hreq.Header.Add("Content-Type", "application/json")
-	hreq.SetBasicAuth("funnel", c.Password)
+	hreq.SetBasicAuth(c.User, c.Password)
 	body, err := util.CheckHTTPResponse(c.client.Do(hreq))
 	if err != nil {
 		return nil, err
@@ -166,7 +169,7 @@ func (c *Client) GetServiceInfo(ctx context.Context, req *tes.ServiceInfoRequest
 	u := c.address + "/v1/tasks/service-info"
 	hreq, _ := http.NewRequest("GET", u, nil)
 	hreq.WithContext(ctx)
-	hreq.SetBasicAuth("funnel", c.Password)
+	hreq.SetBasicAuth(c.User, c.Password)
 	body, err := util.CheckHTTPResponse(c.client.Do(hreq))
 	if err != nil {
 		return nil, err

cmd/server/run.go

@@ -219,6 +219,7 @@ func NewServer(ctx context.Context, conf config.Config, log *logger.Logger) (*Se
 		Server: &server.Server{
 			RPCAddress:       ":" + conf.Server.RPCPort,
 			HTTPPort:         conf.Server.HTTPPort,
+			User:             conf.Server.User,
 			Password:         conf.Server.Password,
 			DisableHTTPCache: conf.Server.DisableHTTPCache,
 			Log:              log,

config/config.go

@@ -50,6 +50,7 @@ type Server struct {
 	HostName         string
 	HTTPPort         string
 	RPCPort          string
+	User             string
 	Password         string
 	DisableHTTPCache bool
 	// The timeout to use for making RPC client connections in nanoseconds

server/auth.go

@@ -12,21 +12,21 @@ import (
 
 // Return a new interceptor function that authorizes RPCs
 // using a password stored in the config.
-func newAuthInterceptor(password string) grpc.UnaryServerInterceptor {
+func newAuthInterceptor(user, password string) grpc.UnaryServerInterceptor {
 
 	// Return a function that is the interceptor.
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
 		handler grpc.UnaryHandler) (interface{}, error) {
 
-		if err := authorize(ctx, password); err != nil {
+		if err := authorize(ctx, user, password); err != nil {
 			return nil, err
 		}
 		return handler(ctx, req)
 	}
 }
 
 // Check the context's metadata for the configured server/API password.
-func authorize(ctx context.Context, password string) error {
+func authorize(ctx context.Context, user, password string) error {
 	// Allow an empty password to mean that no auth. is checked.
 	if password == "" {
 		return nil
@@ -35,9 +35,9 @@ func authorize(ctx context.Context, password string) error {
 	if md, ok := metadata.FromIncomingContext(ctx); ok {
 		if len(md["authorization"]) > 0 {
 			raw := md["authorization"][0]
-			_, reqpass, ok := parseBasicAuth(raw)
+			requser, reqpass, ok := parseBasicAuth(raw)
 			if ok {
-				if reqpass == password {
+				if requser == user && reqpass == password {
 					return nil
 				}
 				return grpc.Errorf(codes.PermissionDenied, "")

server/server.go

@@ -22,6 +22,7 @@ import (
 type Server struct {
 	RPCAddress       string
 	HTTPPort         string
+	User             string
 	Password         string
 	Tasks            tes.TaskServiceServer
 	Events           events.EventServiceServer
@@ -65,7 +66,7 @@ func (s *Server) Serve(pctx context.Context) error {
 		grpc.UnaryInterceptor(
 			grpc_middleware.ChainUnaryServer(
 				// API auth check.
-				newAuthInterceptor(s.Password),
+				newAuthInterceptor(s.User, s.Password),
 				newDebugInterceptor(s.Log),
 			),
 		),

tests/auth/auth_test.go

@@ -23,6 +23,7 @@ var extask = &tes.Task{
 func TestBasicAuthFail(t *testing.T) {
 	ctx := context.Background()
 	conf := tests.DefaultConfig()
+	conf.Server.User = "funnel"
 	conf.Server.Password = "abc123"
 	fun := tests.NewFunnel(conf)
 	fun.StartServer()
@@ -70,10 +71,13 @@ func TestBasicAuthFail(t *testing.T) {
 }
 
 func TestBasicAuthed(t *testing.T) {
+	os.Setenv("FUNNEL_SERVER_USER", "funnel")
 	os.Setenv("FUNNEL_SERVER_PASSWORD", "abc123")
+	defer os.Unsetenv("FUNNEL_SERVER_USER")
 	defer os.Unsetenv("FUNNEL_SERVER_PASSWORD")
 
 	conf := tests.DefaultConfig()
+	conf.Server.User = "funnel"
 	conf.Server.Password = "abc123"
 	fun := tests.NewFunnel(conf)
 	fun.StartServer()