feat: support aksk verify

Author: hunjixin

api/api_impl/server.go

@@ -9,6 +9,8 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/jiaozifs/jiaozifs/auth/aksk"
+
 	"github.com/hellofresh/health-go/v5"
 
 	"github.com/getkin/kin-openapi/openapi3"
@@ -37,7 +39,14 @@ const (
 	extensionValidationExcludeBody = "x-validation-exclude-body"
 )
 
-func SetupAPI(lc fx.Lifecycle, apiConfig *config.APIConfig, secretStore crypt.SecretStore, sessionStore sessions.Store, repo models.IRepo, controller APIController) error {
+func SetupAPI(lc fx.Lifecycle,
+	authenticator *auth.BasicAuthenticator,
+	apiConfig *config.APIConfig,
+	secretStore crypt.SecretStore,
+	sessionStore sessions.Store,
+	repo models.IRepo,
+	verifier aksk.Verifier,
+	controller APIController) error {
 	swagger, err := api.GetSwagger()
 	if err != nil {
 		return err
@@ -66,7 +75,7 @@ func SetupAPI(lc fx.Lifecycle, apiConfig *config.APIConfig, secretStore crypt.Se
 		OapiRequestValidatorWithOptions(swagger, &openapi3filter.Options{
 			AuthenticationFunc: openapi3filter.NoopAuthenticationFunc,
 		}),
-		auth.Middleware(swagger, nil, secretStore, repo.UserRepo(), sessionStore),
+		auth.Middleware(swagger, authenticator, secretStore, repo.UserRepo(), repo.AkskRepo(), sessionStore, verifier),
 	)
 
 	raw, err := api.RawSpec()

api/jiaozifs.gen.go

@@ -17,6 +17,7 @@ security:
   - jwt_token: [] # Default security for the entire API
   - basic_auth: []
   - cookie_auth: []
+  - ak_sk: []
 components:
   parameters:
     PaginationPrefix:

api/swagger.yml

@@ -0,0 +1,26 @@
+package auth
+
+import (
+	"context"
+
+	"github.com/jiaozifs/jiaozifs/auth/aksk"
+	"github.com/jiaozifs/jiaozifs/models"
+)
+
+var _ aksk.SkGetter = (*SkGetter)(nil)
+
+type SkGetter struct {
+	akskRepo models.IAkskRepo
+}
+
+func (s SkGetter) Get(ak string) (string, error) {
+	aksk, err := s.akskRepo.Get(context.Background(), models.NewGetAkSkParams().SetAccessKey(ak))
+	if err != nil {
+		return "", err
+	}
+	return aksk.SecretKey, nil
+}
+
+func NewAkskVerifier(repo models.IRepo) aksk.Verifier {
+	return aksk.NewV0Verier(SkGetter{repo.AkskRepo()})
+}

auth/aksk.go

@@ -12,6 +12,12 @@ import (
 )
 
 const (
+	AccessKeykey        = "JiaozifsAccessKeyId"
+	SignatureVersionKey = "SignatureVersion"
+	SignatureMethodKey  = "SignatureMethod"
+	TimestampKey        = "Timestamp"
+	SignatureKey        = "Signature"
+
 	signatureVersion = "0"
 	signatureMethod  = "HmacSHA256"
 	timeFormat       = "2006-01-02T15:04:05Z"
@@ -37,10 +43,10 @@ func (voSigner V0Signer) Sign(req *http.Request) error {
 	curTime := time.Now()
 	// set query parameter
 	query := req.URL.Query()
-	query.Set("AWSAccessKeyId", voSigner.accessKey)
-	query.Set("SignatureVersion", signatureVersion)
-	query.Set("SignatureMethod", signatureMethod)
-	query.Set("Timestamp", curTime.UTC().Format(timeFormat))
+	query.Set(AccessKeykey, voSigner.accessKey)
+	query.Set(SignatureVersionKey, signatureVersion)
+	query.Set(SignatureVersionKey, signatureMethod)
+	query.Set(TimestampKey, curTime.UTC().Format(timeFormat))
 
 	req.Header.Del("Signature")
 
@@ -80,7 +86,7 @@ func (voSigner V0Signer) Sign(req *http.Request) error {
 	hash := hmac.New(sha256.New, []byte(voSigner.secretKey))
 	hash.Write([]byte(stringToSign))
 	signature := base64.StdEncoding.EncodeToString(hash.Sum(nil))
-	query.Set("Signature", signature)
+	query.Set(SignatureKey, signature)
 
 	req.URL.RawQuery = query.Encode()
 	return nil

auth/aksk/sign.go

@@ -12,15 +12,18 @@ import (
 	"time"
 )
 
-type V0Verifier interface {
-	Verify(req *http.Request) error
+type Verifier interface {
+	// IsAkskCredential check the requess is aksk credential, just check request have AccessKeykey
+	IsAkskCredential(req *http.Request) bool
+	// Verify verify the request and return access key
+	Verify(req *http.Request) (string, error)
 }
 
 type SkGetter interface {
 	Get(ak string) (string, error)
 }
 
-var _ V0Verifier = (*V0Verier)(nil)
+var _ Verifier = (*V0Verier)(nil)
 
 type V0Verier struct {
 	skGetter SkGetter
@@ -30,38 +33,43 @@ func NewV0Verier(skGetter SkGetter) *V0Verier {
 	return &V0Verier{skGetter: skGetter}
 }
 
-func (v *V0Verier) Verify(req *http.Request) error {
+func (v *V0Verier) IsAkskCredential(req *http.Request) bool {
+	accessKey := req.URL.Query().Get(AccessKeykey)
+	return len(accessKey) > 0
+}
+
+func (v *V0Verier) Verify(req *http.Request) (string, error) {
 	query := req.URL.Query()
-	accessKey := query.Get("AWSAccessKeyId")
+	accessKey := query.Get(AccessKeykey)
 	if len(accessKey) == 0 {
-		return fmt.Errorf("ak not found")
+		return "", fmt.Errorf("ak not found")
 	}
 
 	secretKey, err := v.skGetter.Get(accessKey)
 	if err != nil {
-		return fmt.Errorf("access key not correct")
+		return "", fmt.Errorf("access key not correct")
 	}
 
-	sigMethod := query.Get("SignatureMethod")
+	sigMethod := query.Get(SignatureMethodKey)
 	if sigMethod != signatureMethod {
-		return fmt.Errorf("invalid signature method %s", sigMethod)
+		return "", fmt.Errorf("invalid signature method %s", sigMethod)
 	}
 
-	sigVersion := query.Get("SignatureVersion")
+	sigVersion := query.Get(SignatureVersionKey)
 	if sigVersion != signatureVersion {
-		return fmt.Errorf("invalid signature method %s", sigMethod)
+		return "", fmt.Errorf("invalid signature method %s", sigMethod)
 	}
 
-	reqTime := query.Get("Timestamp")
+	reqTime := query.Get(TimestampKey)
 	t, err := time.Parse(timeFormat, reqTime)
 	if err != nil {
-		return fmt.Errorf("invalid timestamp %s", reqTime)
+		return "", fmt.Errorf("invalid timestamp %s", reqTime)
 	}
 	if t.Before(time.Now().Add(-5 * time.Minute)) {
-		return fmt.Errorf("request is out of data")
+		return "", fmt.Errorf("request is out of data")
 	}
-	expectSignature := query.Get("Signature")
-	query.Del("Signature")
+	expectSignature := query.Get(SignatureKey)
+	query.Del(SignatureKey)
 
 	method := req.Method
 	host := req.URL.Host
@@ -99,7 +107,7 @@ func (v *V0Verier) Verify(req *http.Request) error {
 	hash.Write([]byte(stringToSign))
 	actualSig := base64.StdEncoding.EncodeToString(hash.Sum(nil))
 	if actualSig != expectSignature {
-		return fmt.Errorf("signature not correct")
+		return "", fmt.Errorf("signature not correct")
 	}
-	return nil
+	return accessKey, nil
 }

auth/aksk/verifier.go

@@ -24,8 +24,9 @@ func TestFull(t *testing.T) {
 		err = signer.Sign(req)
 		require.NoError(t, err)
 
-		err = verifer.Verify(req)
+		actualAk, err := verifer.Verify(req)
 		require.NoError(t, err)
+		require.Equal(t, ak, actualAk)
 	})
 
 	t.Run("fail verify", func(t *testing.T) {
@@ -39,7 +40,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Add("a", "b")
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 	t.Run("no access id", func(t *testing.T) {
@@ -53,7 +54,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Del("AWSAccessKeyId")
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 	t.Run("sig method fail", func(t *testing.T) {
@@ -67,7 +68,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Set("SignatureMethod", "2")
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 	t.Run("sig method fail", func(t *testing.T) {
@@ -81,7 +82,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Set("SignatureMethod", "md5")
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 	t.Run("sig version fail", func(t *testing.T) {
@@ -95,7 +96,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Set("SignatureVersion", "2")
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 	t.Run("no timestamp", func(t *testing.T) {
@@ -109,7 +110,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Del("Timestamp")
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 
@@ -124,7 +125,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Set("Timestamp", time.Now().String())
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 	t.Run("request out of date", func(t *testing.T) {
@@ -138,7 +139,7 @@ func TestFull(t *testing.T) {
 		query := req.URL.Query()
 		query.Set("Timestamp", time.Now().Add(-time.Minute*10).UTC().Format(timeFormat))
 		req.URL.RawQuery = query.Encode()
-		err = verifer.Verify(req)
+		_, err = verifer.Verify(req)
 		require.Error(t, err)
 	})
 }

auth/aksk/verifier_test.go

@@ -7,6 +7,8 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/jiaozifs/jiaozifs/auth/aksk"
+
 	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/getkin/kin-openapi/openapi3"
@@ -53,11 +55,19 @@ type CookieAuthConfig struct {
 	AuthSource              string
 }
 
-func Middleware(swagger *openapi3.T, authenticator Authenticator, secretStore crypt.SecretStore, userRepo models.IUserRepo, sessionStore sessions.Store) func(next http.Handler) http.Handler {
+func Middleware(swagger *openapi3.T,
+	authenticator *BasicAuthenticator,
+	secretStore crypt.SecretStore,
+	userRepo models.IUserRepo,
+	akskRepo models.IAkskRepo,
+	sessionStore sessions.Store,
+	verifier aksk.Verifier,
+) func(next http.Handler) http.Handler {
 	router, err := legacy.NewRouter(swagger)
 	if err != nil {
 		panic(err)
 	}
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// if request already authenticated
@@ -72,7 +82,7 @@ func Middleware(swagger *openapi3.T, authenticator Authenticator, secretStore cr
 				_, _ = w.Write([]byte(err.Error()))
 				return
 			}
-			user, err := checkSecurityRequirements(r, securityRequirements, authenticator, sessionStore, secretStore, userRepo)
+			user, err := checkSecurityRequirements(r, securityRequirements, authenticator, sessionStore, secretStore, verifier, userRepo, akskRepo)
 			if err != nil {
 				w.WriteHeader(http.StatusUnauthorized)
 				_, _ = w.Write([]byte(err.Error()))
@@ -90,10 +100,12 @@ func Middleware(swagger *openapi3.T, authenticator Authenticator, secretStore cr
 // it will return nil user and error in case of no security checks to match.
 func checkSecurityRequirements(r *http.Request,
 	securityRequirements openapi3.SecurityRequirements,
-	authenticator Authenticator,
+	authenticator *BasicAuthenticator,
 	sessionStore sessions.Store,
 	secretStore crypt.SecretStore,
+	verifier aksk.Verifier,
 	userRepo models.IUserRepo,
+	akskRepo models.IAkskRepo,
 ) (*models.User, error) {
 	ctx := r.Context()
 	var user *models.User
@@ -120,7 +132,8 @@ func checkSecurityRequirements(r *http.Request,
 				if !ok {
 					continue
 				}
-				user, err = userByAuth(ctx, authenticator, userRepo, userName, password)
+
+				user, err = userByAuth(ctx, authenticator, userName, password)
 			case "cookie_auth":
 				var internalAuthSession *sessions.Session
 				internalAuthSession, _ = sessionStore.Get(r, InternalAuthSessionName)
@@ -132,6 +145,12 @@ func checkSecurityRequirements(r *http.Request,
 					continue
 				}
 				user, err = userByToken(ctx, userRepo, secretStore.SharedSecret(), token)
+			case "ak_sk":
+				isAkskRequest := verifier.IsAkskCredential(r)
+				if !isAkskRequest {
+					continue
+				}
+				user, err = userByAKSK(ctx, akskRepo, userRepo, verifier, r)
 			default:
 				// unknown security requirement to check
 				log.With("provider", provider).Error("Authentication middleware unknown security requirement provider")
@@ -149,6 +168,24 @@ func checkSecurityRequirements(r *http.Request,
 	return nil, nil
 }
 
+func userByAKSK(ctx context.Context, akskRepo models.IAkskRepo, userRepo models.IUserRepo, verifier aksk.Verifier, r *http.Request) (*models.User, error) {
+	ak, err := verifier.Verify(r)
+	if err != nil {
+		return nil, err
+	}
+
+	akModel, err := akskRepo.Get(ctx, models.NewGetAkSkParams().SetAccessKey(ak))
+	if err != nil {
+		return nil, err
+	}
+
+	userModel, err := userRepo.Get(ctx, models.NewGetUserParams().SetID(akModel.UserID))
+	if err != nil {
+		return nil, err
+	}
+	return userModel, nil
+}
+
 func userByToken(ctx context.Context, userRepo models.IUserRepo, secret []byte, tokenString string) (*models.User, error) {
 	claims, err := VerifyToken(secret, tokenString)
 	if err != nil {
@@ -177,16 +214,11 @@ func userByToken(ctx context.Context, userRepo models.IUserRepo, secret []byte,
 	return userData, nil
 }
 
-func userByAuth(ctx context.Context, authenticator Authenticator, userRepo models.IUserRepo, accessKey string, secretKey string) (*models.User, error) {
-	username, err := authenticator.AuthenticateUser(ctx, accessKey, secretKey)
+func userByAuth(ctx context.Context, authenticator *BasicAuthenticator, accessKey string, secretKey string) (*models.User, error) {
+	user, err := authenticator.AuthenticateUser(ctx, accessKey, secretKey)
 	if err != nil {
 		log.With("user", accessKey).Errorf("authenticate %v", err)
 		return nil, ErrAuthenticatingRequest
 	}
-	user, err := userRepo.Get(ctx, models.NewGetUserParams().SetName(username))
-	if err != nil {
-		log.With("user_name", username).Debugf("could not find user id by credentials %s", err)
-		return nil, ErrAuthenticatingRequest
-	}
 	return user, nil
 }