pipe-cd · pipecd-bot · Dec 7, 2020 · Dec 3, 2020 · Dec 7, 2020 · khanhtc1202
@@ -0,0 +1,28 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
+
+go_library(
+    name = "go_default_library",
+    srcs = ["verifier.go"],
+    importpath = "github.com/pipe-cd/pipe/pkg/app/api/apikeyverifier",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//pkg/cache:go_default_library",
+        "//pkg/cache/memorycache:go_default_library",
+        "//pkg/model:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    size = "small",
+    srcs = ["verifier_test.go"],
+    embed = [":go_default_library"],
+    deps = [
+        "//pkg/model:go_default_library",
+        "@com_github_stretchr_testify//assert:go_default_library",
+        "@com_github_stretchr_testify//require:go_default_library",
+        "@org_golang_google_protobuf//proto:go_default_library",
+        "@org_uber_go_zap//:go_default_library",
+    ],
+)
@@ -0,0 +1,90 @@
+// Copyright 2020 The PipeCD Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package apikeyverifier
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"go.uber.org/zap"
+
+	"github.com/pipe-cd/pipe/pkg/cache"
+	"github.com/pipe-cd/pipe/pkg/cache/memorycache"
+	"github.com/pipe-cd/pipe/pkg/model"
+)
+
+type apiKeyGetter interface {
+	GetAPIKey(ctx context.Context, id string) (*model.APIKey, error)
+}
+
+type Verifier struct {
+	apiKeyCache cache.Cache
+	apiKeyStore apiKeyGetter
+	logger      *zap.Logger
+}
+
+func NewVerifier(ctx context.Context, getter apiKeyGetter, logger *zap.Logger) *Verifier {
+	return &Verifier{
+		apiKeyCache: memorycache.NewTTLCache(ctx, 5*time.Minute, time.Minute),
+		apiKeyStore: getter,
+		logger:      logger,
+	}
+}
+
+func (v *Verifier) Verify(ctx context.Context, key string) (*model.APIKey, error) {
+	keyID, err := model.ExtractAPIKeyID(key)
+	if err != nil {
+		return nil, err
+	}
+
+	var apiKey *model.APIKey
+	item, err := v.apiKeyCache.Get(keyID)
+	if err == nil {
+		apiKey = item.(*model.APIKey)
+		if err := checkAPIKey(apiKey, keyID, key); err != nil {
+			return nil, err
+		}
+		return apiKey, nil
+	}
+
+	// If the cache data was not found,
+	// we have to retrieve from datastore and save it to the cache.
+	apiKey, err = v.apiKeyStore.GetAPIKey(ctx, keyID)
+	if err != nil {
+		return nil, fmt.Errorf("unable to find API key %s from datastore, %w", keyID, err)
+	}
+
+	if err := v.apiKeyCache.Put(keyID, apiKey); err != nil {
+		v.logger.Warn("unable to store API key in memory cache", zap.Error(err))
+	}
+	if err := checkAPIKey(apiKey, keyID, key); err != nil {
+		return nil, err
+	}
+
+	return apiKey, nil
+}
+
+func checkAPIKey(apiKey *model.APIKey, id, key string) error {
+	if apiKey.Disabled {
+		return fmt.Errorf("the api key %s was already disabled", id)
+	}
+
+	if err := apiKey.CompareKey(key); err != nil {
+		return fmt.Errorf("invalid api key %s: %w", id, err)
+	}
+
+	return nil
+}
@@ -0,0 +1,105 @@
+// Copyright 2020 The PipeCD Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package apikeyverifier
+
+import (
+	"context"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/zap"
+	"google.golang.org/protobuf/proto"
+
+	"github.com/pipe-cd/pipe/pkg/model"
+)
+
+type fakeAPIKeyGetter struct {
+	calls   int
+	apiKeys map[string]*model.APIKey
+}
+
+func (g *fakeAPIKeyGetter) GetAPIKey(_ context.Context, id string) (*model.APIKey, error) {
+	g.calls++
+	p, ok := g.apiKeys[id]
+	if ok {
+		msg := proto.Clone(p)
+		return msg.(*model.APIKey), nil
+	}
+	return nil, fmt.Errorf("not found")
+}
+
+func TestVerify(t *testing.T) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	var id1 = "test-api-key"
+	key1, hash1, err := model.GenerateAPIKey(id1)
+	require.NoError(t, err)
+
+	var id2 = "disabled-api-key"
+	key2, hash2, err := model.GenerateAPIKey(id2)
+	require.NoError(t, err)
+
+	apiKeyGetter := &fakeAPIKeyGetter{
+		apiKeys: map[string]*model.APIKey{
+			id1: {
+				Id:        id1,
+				Name:      id1,
+				KeyHash:   hash1,
+				ProjectId: "test-project",
+			},
+			id2: {
+				Id:        id2,
+				Name:      id2,
+				KeyHash:   hash2,
+				ProjectId: "test-project",
+				Disabled:  true,
+			},
+		},
+	}
+	v := NewVerifier(ctx, apiKeyGetter, zap.NewNop())
+
+	// Not found key.
+	notFoundKey, _, err := model.GenerateAPIKey("not-found-api-key")
+	require.NoError(t, err)
+
+	apiKey, err := v.Verify(ctx, notFoundKey)
+	require.Nil(t, apiKey)
+	require.NotNil(t, err)
+	assert.Equal(t, "unable to find API key not-found-api-key from datastore, not found", err.Error())
+	require.Equal(t, 1, apiKeyGetter.calls)
+
+	// Found key but it was disabled.
+	apiKey, err = v.Verify(ctx, key2)
+	require.Nil(t, apiKey)
+	require.NotNil(t, err)
+	assert.Equal(t, "the api key disabled-api-key was already disabled", err.Error())
+	require.Equal(t, 2, apiKeyGetter.calls)
+
+	// Found key but invalid secret.
+	apiKey, err = v.Verify(ctx, fmt.Sprintf("%s.invalidhash", id1))
+	require.Nil(t, apiKey)
+	require.NotNil(t, err)
+	assert.Equal(t, "invalid api key test-api-key: wrong api key test-api-key.invalidhash: crypto/bcrypt: hashedPassword is not the hash of the given password", err.Error())
+	require.Equal(t, 3, apiKeyGetter.calls)
+
+	// OK.
+	apiKey, err = v.Verify(ctx, key1)
+	assert.Equal(t, id1, apiKey.Name)
+	assert.Nil(t, err)
+	require.Equal(t, 3, apiKeyGetter.calls)
+}
@@ -23,7 +23,7 @@ import (
 )
 
 const (
-	apiKeyLength = 50
+	apiKeyLength = 32
 )
 
 func GenerateAPIKey(id string) (key, hash string, err error) {

@@ -29,7 +29,9 @@ go_test(
     ],
     embed = [":go_default_library"],
     deps = [
+        "//pkg/model:go_default_library",
         "@com_github_stretchr_testify//assert:go_default_library",
+        "@com_github_stretchr_testify//require:go_default_library",
         "@org_golang_google_grpc//:go_default_library",
         "@org_golang_google_grpc//metadata:go_default_library",
         "@org_uber_go_zap//:go_default_library",

@@ -30,13 +30,14 @@ type CredentialsType string
 
 const (
 	// IDTokenCredentials represents JWT IDToken for a web user.
-	// They can be used for project admin, project viewer or owner.
 	IDTokenCredentials CredentialsType = "ID-TOKEN"
-	// PipedTokenCredentials represents a generated token for authenticating
-	// between Piped and microservices.
+	// PipedTokenCredentials represents a generated token for
+	// authenticating between Piped and control-plane.
 	PipedTokenCredentials CredentialsType = "PIPED-TOKEN"
+	// APIKeyCredentials represents a generated key for
+	// authenticating between pipectl/external-service and control-plane.
+	APIKeyCredentials CredentialsType = "API-KEY"
 	// UnknownCredentials represents an unsupported credentials.
-	// It is used as a return result in case of error.
 	UnknownCredentials CredentialsType = "UNKNOWN"
 )
 
@@ -84,26 +85,36 @@ func extractCredentials(ctx context.Context) (creds Credentials, err error) {
 		err = status.Error(codes.Unauthenticated, "missing credentials")
 		return
 	}
+
 	rawCredentials := md["authorization"]
 	if len(rawCredentials) == 0 {
 		err = status.Error(codes.Unauthenticated, "missing credentials in authorization")
 		return
 	}
+
 	subs := strings.Split(rawCredentials[0], " ")
 	if len(subs) != 2 {
 		err = status.Error(codes.Unauthenticated, "credentials is malformed")
 		return
 	}
+
 	switch CredentialsType(subs[0]) {
 	case IDTokenCredentials:
 		creds.Data = subs[1]
 		creds.Type = IDTokenCredentials
+
 	case PipedTokenCredentials:
 		creds.Data = subs[1]
 		creds.Type = PipedTokenCredentials
+
+	case APIKeyCredentials:
+		creds.Data = subs[1]
+		creds.Type = APIKeyCredentials
+
 	default:
 		err = status.Error(codes.Unauthenticated, "unsupported credentials type")
 	}
+
 	if creds.Data == "" {
 		err = status.Error(codes.Unauthenticated, "credentials is malformed")
 	}

@@ -82,6 +82,15 @@ func TestExtractToken(t *testing.T) {
 			expectedCredentialsType: PipedTokenCredentials,
 			failed:                  false,
 		},
+		{
+			name: "should be ok with APIKey",
+			ctx: metadata.NewIncomingContext(context.Background(), metadata.MD{
+				"authorization": []string{"API-KEY key"},
+			}),
+			expectedCredentials:     "key",
+			expectedCredentialsType: APIKeyCredentials,
+			failed:                  false,
+		},
 	}
 	for _, tc := range testcases {
 		t.Run(tc.name, func(t *testing.T) {
-Original file line number
+Diff line change
@@ Expand Up / @@ -23,7 +23,7 @@ import ( @@
     )
     const (
-    	apiKeyLength = 50
+    	apiKeyLength = 32
     )
     func GenerateAPIKey(id string) (key, hash string, err error) {
@@ Expand Down @@