WIP

.github/workflows/testing.yaml

@@ -0,0 +1,41 @@
+name: OT-Auth Service Testing
+on:
+  # Trigger the workflow on push or pull request,
+  # but only for the master branch
+  push:
+    branches:
+      - master
+      - develop
+  pull_request:
+    branches:
+      - master
+jobs:
+  build:
+    name: Testing
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.15.2
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v2
+
+    # use mysql in VM https://github.com/actions/virtual-environments/blob/master/images/linux/Ubuntu1804-README.md
+    # https://github.com/actions/virtual-environments/issues/576
+    - name: run dgraph service
+      run: |
+        export TZ=UTC
+        docker run --name dgraph -p 8088:8080 -d dgraph/standalone
+        sleep 5
+        curl -X POST localhost:8088/admin/schema --data-binary '@graphql/schema/schema.graphql'
+
+    - name: Get dependencies
+      run: |
+        go get -v -t -d ./...
+
+    - name: Test
+      run: |
+        CONFIG_FILE_PATH=${PWD}/config/testing.yaml APP_ENV=testing go test -p 1 -v ./...

Containerfile

@@ -0,0 +1,10 @@
+FROM alpine
+
+WORKDIR /opt/bin
+
+ENV CONFIG_FILE_PATH=/etc/app/config.yaml
+COPY config/default.yaml /etc/app/config.yaml
+
+COPY ./dist/ot-auth .
+
+ENTRYPOINT ["./ot-auth"]

Dockerfile

@@ -2,9 +2,9 @@ FROM alpine
 
 WORKDIR /opt/bin
 
-ENV CONFIG_FILE_PATH=/etc/app/config.yml
-COPY config/default.yml /etc/app/config.yml
+ENV CONFIG_FILE_PATH=/etc/app/config.yaml
+COPY config/default.yaml /etc/app/config.yaml
 
-COPY ./dist/app .
+COPY ./dist/ot-auth .
 
-ENTRYPOINT ["./app"]
+ENTRYPOINT ["./ot-auth"]

Makefile

@@ -1,4 +1,4 @@
-.PHONY: dev test image doc gen
+.PHONY: dev test doc gen
 
 APP_NAME := ot-auth
 APP_PATH := github.com/open-trust/ot-auth
@@ -19,21 +19,21 @@ doc:
 BUILD_TIME := $(shell date -u +"%FT%TZ")
 BUILD_COMMIT := $(shell git rev-parse HEAD)
 
-.PHONY: build build-tool
+.PHONY: build build-linux
 build:
 	@mkdir -p ./dist
 	GO111MODULE=on go build -ldflags "-X ${APP_PATH}/src/conf.AppName=${APP_NAME} \
 	-X ${APP_PATH}/src/conf.AppVersion=${APP_VERSION} \
 	-X ${APP_PATH}/src/conf.BuildTime=${BUILD_TIME} \
 	-X ${APP_PATH}/src/conf.GitSHA1=${BUILD_COMMIT}" \
-	-o ./dist/app main.go
+	-o ./dist/ot-auth main.go
 build-linux:
 	@mkdir -p ./dist
 	GO111MODULE=on CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X ${APP_PATH}/src/conf.AppName=${APP_NAME} \
 	-X ${APP_PATH}/src/conf.AppVersion=${APP_VERSION} \
 	-X ${APP_PATH}/src/conf.BuildTime=${BUILD_TIME} \
 	-X ${APP_PATH}/src/conf.GitSHA1=${BUILD_COMMIT}" \
-	-o ./dist/app main.go
+	-o ./dist/ot-auth main.go
 
 PKG_LIST := $(shell go list ./... | grep -v /vendor/)
 GO_FILES := $(shell find . -name '*.go' | grep -v /vendor/)
@@ -45,7 +45,10 @@ coverhtml:
 	@go tool cover -html=coverage/cover.out -o coverage/coverage.html
 	@go tool cover -func=coverage/cover.out | tail -n 1
 
-DOCKER_IMAGE_TAG := ${APP_NAME}:latest
-.PHONY: image
+IMAGE_TAG := ${APP_NAME}:latest
+.PHONY: image oci-image
 image:
-	docker build --rm -t ${DOCKER_IMAGE_TAG} .
+	docker build --rm -t ${IMAGE_TAG} .
+
+oci-image:
+	podman build --rm -t ${IMAGE_TAG} .

config/default.yaml

@@ -1,4 +1,4 @@
-addr: ":8081"
+addr: ":8080"
 cert_file:
 key_file:
 logger:
@@ -7,8 +7,7 @@ trusted_proxy: false
 service_endpoints:
 - http://ot.example.com/v1
 dgraph:
-  graphql_endpoint: http://localhost:8080/graphql
-  admin_endpoint: http://localhost:8080/admin
+  graphql_endpoint: http://localhost:8088/graphql
 open_trust:
   otid: "otid:ot.example.com"
   keys_refresh_hint: 3600

config/testing.yaml

@@ -7,8 +7,7 @@ trusted_proxy: false
 service_endpoints:
 - http://ot.example.com/v1
 dgraph:
-  graphql_endpoint: http://localhost:8080/graphql
-  admin_endpoint: http://localhost:8080/admin
+  graphql_endpoint: http://localhost:8088/graphql
 open_trust:
   otid: "otid:ot.example.com"
   keys_refresh_hint: 3600

go.mod

@@ -4,12 +4,12 @@ go 1.15
 
 require (
 	github.com/Yamashou/gqlgenc v0.0.0-20200928023108-347589dedfe3
-	github.com/open-trust/ot-go-lib v0.7.1
+	github.com/open-trust/ot-go-lib v0.8.1
 	github.com/teambition/compressible-go v1.0.1
 	github.com/teambition/gear v1.21.7
 	github.com/vektah/gqlparser v1.3.1 // indirect
 	github.com/vektah/gqlparser/v2 v2.1.0
 	go.uber.org/dig v1.10.0
-	golang.org/x/tools v0.0.0-20201015182029-a5d9e455e9c4 // indirect
+	golang.org/x/tools v0.0.0-20201021000207-d49c4edd7d96 // indirect
 	gopkg.in/yaml.v2 v2.3.0
 )

go.sum

@@ -103,6 +103,10 @@ github.com/open-trust/ot-go-lib v0.7.0 h1:O4UbBDc5J27wct3Npiib3QWLNESCa/1jONuRBr
 github.com/open-trust/ot-go-lib v0.7.0/go.mod h1:deUR66Xhh27lg14MKtoPYRVbci1hcYK3quhwBKBq9Hk=
 github.com/open-trust/ot-go-lib v0.7.1 h1:vvfOmDYqDeZl3avxHwrR8+1m+JpLwgA9jCiROt3MCA0=
 github.com/open-trust/ot-go-lib v0.7.1/go.mod h1:deUR66Xhh27lg14MKtoPYRVbci1hcYK3quhwBKBq9Hk=
+github.com/open-trust/ot-go-lib v0.8.0 h1:5LbYAnnFcr3piq20W5hFMLk0EnIUJrQlC6Mchz3atF4=
+github.com/open-trust/ot-go-lib v0.8.0/go.mod h1:deUR66Xhh27lg14MKtoPYRVbci1hcYK3quhwBKBq9Hk=
+github.com/open-trust/ot-go-lib v0.8.1 h1:BGsnzA6/YAM9ll3mnCXCe1+TBVMR+8RMwaL9pz4GSUk=
+github.com/open-trust/ot-go-lib v0.8.1/go.mod h1:deUR66Xhh27lg14MKtoPYRVbci1hcYK3quhwBKBq9Hk=
 github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
 github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
@@ -220,6 +224,10 @@ golang.org/x/tools v0.0.0-20201014231627-1610a49f37af h1:VIUWFyOgzG3c0t9KYop5Ybp
 golang.org/x/tools v0.0.0-20201014231627-1610a49f37af/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.0.0-20201015182029-a5d9e455e9c4 h1:rQWkJiVIyJ3PgiSHL+RXc8xbrK8duU6jG5eeZ9G7nk8=
 golang.org/x/tools v0.0.0-20201015182029-a5d9e455e9c4/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20201019175715-b894a3290fff h1:HiwHyqQ9ttqCHuTa++R4wNxOg6MY1hduSDT8j2aXoMM=
+golang.org/x/tools v0.0.0-20201019175715-b894a3290fff/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20201021000207-d49c4edd7d96 h1:K+nJoPcImWk+ZGPHOKkDocKcQPACCz8usiCiVQYfXsk=
+golang.org/x/tools v0.0.0-20201021000207-d49c4edd7d96/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

graphql/schema/schema.graphql

@@ -46,6 +46,7 @@ type UserRegistryBundle {
   updatedAt: DateTime!
   provider: ServiceRegistry! # 绑定的第三方 ID 服务提供方
   bundleId: String! @search(by: [hash]) # 绑定的第三方 ID
+  extension: String!
   registry: UserRegistry! # 所属的用户类主体
   uk: String! @id # 联合索引 Base64(SHA1(subjectType, subjectID, bundleId))
 }

main.go

@@ -6,7 +6,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/open-trust/ot-auth/src/api"
+	"github.com/open-trust/ot-auth/src/app"
 	"github.com/open-trust/ot-auth/src/conf"
 	"github.com/open-trust/ot-auth/src/logging"
 )
@@ -27,7 +27,7 @@ func main() {
 		conf.Config.SrvAddr = ":8080"
 	}
 
-	app := api.NewApp()
+	app := app.New()
 	prefix := "http://"
 	if conf.Config.CertFile != "" && conf.Config.KeyFile != "" {
 		prefix = "https://"

src/api/common.go

@@ -0,0 +1,30 @@
+package api
+
+import (
+	"github.com/open-trust/ot-auth/src/bll"
+	"github.com/open-trust/ot-auth/src/util"
+)
+
+func init() {
+	util.DigProvide(NewAPIs)
+}
+
+// APIs ..
+type APIs struct {
+	Healthz      *Healthz
+	WellKnown    *WellKnown
+	GraphQL      *GraphQL
+	Registration *Registration
+	OTVID        *OTVID
+}
+
+// NewAPIs ...
+func NewAPIs(blls *bll.Blls) *APIs {
+	return &APIs{
+		GraphQL:      &GraphQL{blls: blls},
+		Healthz:      &Healthz{blls: blls},
+		WellKnown:    &WellKnown{blls: blls},
+		Registration: &Registration{blls: blls},
+		OTVID:        &OTVID{blls: blls},
+	}
+}

src/api/otvid.go

@@ -68,7 +68,7 @@ func (a *OTVID) Sign(ctx *gear.Context) error {
 
 		if !vid.ID.Equal(input.Subject) {
 			// 当请求主体不是信任域主体并且是代理其它请求主体 sub 申请签发 OTVID，则必须提供目标 sub 的自签发 OTVID
-			_, signInfo, err = a.blls.OTVID.VerifySelf(ctx, input.OTVID)
+			_, signInfo, err = a.blls.OTVID.VerifySelf(ctx, input.ForwardedOTVID)
 			if err != nil {
 				return err
 			}
@@ -104,11 +104,7 @@ func (a *OTVID) Verify(ctx *gear.Context) error {
 	}
 
 	// 本接口无需验证请求主体的权限
-	vf, err := conf.OT.NewVerifier(input.Audience)
-	if err != nil {
-		return gear.ErrBadRequest.From(err)
-	}
-	vid, err := vf.ParseOTVID(input.OTVID)
+	vid, err := conf.OT.ParseOTVID(ctx, input.OTVID, input.Audience)
 	if err != nil {
 		// 解析或验证错误，错误信息以 200 响应
 		res := gear.ToErrorResponse(err)
@@ -119,11 +115,12 @@ func (a *OTVID) Verify(ctx *gear.Context) error {
 	if !ok && err == nil {
 		err = fmt.Errorf("OTVID %s has become invalid", vid.ID.String())
 	}
+	jwt, _ := vid.ToJWT()
 	if err != nil {
 		res := gear.ToErrorResponse(err)
 		res.Error.Code = 0
-		res.Error.Data = vid.ToJSON()
+		res.Error.Data = jwt
 		return ctx.OkJSON(res)
 	}
-	return ctx.OkJSON(tpl.SuccessResponseType{Result: vid.ToJSON()})
+	return ctx.OkJSON(tpl.SuccessResponseType{Result: jwt})
 }

src/api/well_known.go

@@ -25,3 +25,11 @@ func (a *WellKnown) OpenTrustConfiguration(ctx *gear.Context) error {
 		"keysRefreshHint":  conf.Config.OpenTrust.KeysRefreshHint,
 	})
 }
+
+// ServiceEndpoints ...
+func (a *WellKnown) ServiceEndpoints(ctx *gear.Context) error {
+	return ctx.OkJSON(map[string]interface{}{
+		"otid":             conf.OT.OTID,
+		"serviceEndpoints": conf.Config.ServiceEndpoints,
+	})
+}

src/api/app.go → src/app/app.go

@@ -1,4 +1,4 @@
-package api
+package app
 
 import (
 	"log"
@@ -12,8 +12,8 @@ import (
 	"github.com/open-trust/ot-auth/src/util"
 )
 
-// NewApp ...
-func NewApp() *gear.App {
+// New ...
+func New() *gear.App {
 	app := gear.New()
 
 	app.Set(gear.SetEnv, conf.AppEnv)

src/api/router.go → src/app/router.go

@@ -1,43 +1,24 @@
-package api
+package app
 
 import (
 	"github.com/teambition/gear"
 
-	"github.com/open-trust/ot-auth/src/bll"
+	"github.com/open-trust/ot-auth/src/api"
 	"github.com/open-trust/ot-auth/src/conf"
 	"github.com/open-trust/ot-auth/src/middleware"
 	"github.com/open-trust/ot-auth/src/util"
 )
 
 func init() {
-	util.DigProvide(newAPIs)
-	util.DigProvide(newRouters)
-}
-
-// APIs ..
-type APIs struct {
-	Healthz      *Healthz
-	WellKnown    *WellKnown
-	GraphQL      *GraphQL
-	Registration *Registration
-	OTVID        *OTVID
-}
-
-func newAPIs(blls *bll.Blls) *APIs {
-	return &APIs{
-		GraphQL:      &GraphQL{blls: blls},
-		Healthz:      &Healthz{blls: blls},
-		WellKnown:    &WellKnown{blls: blls},
-		Registration: &Registration{blls: blls},
-		OTVID:        &OTVID{blls: blls},
-	}
+	util.DigProvide(NewRouters)
 }
 
 func getVersion(ctx *gear.Context) error {
 	return ctx.OkJSON(conf.AppInfo())
 }
 
-func newRouters(apis *APIs) []*gear.Router {
+// NewRouters ...
+func NewRouters(apis *api.APIs) []*gear.Router {
 
 	router := gear.NewRouter()
 	router.Get("/", getVersion)
@@ -52,7 +33,7 @@ func newRouters(apis *APIs) []*gear.Router {
 		Root: "/v1",
 	})
 
-	routerV1.Get("/", getVersion)
+	routerV1.Get("/", apis.WellKnown.ServiceEndpoints)
 
 	routerV1.Post("/sign", apis.OTVID.Sign) // 自签发 OTVID，在 API 内验证
 	routerV1.Post("/verify", middleware.Verify, apis.OTVID.Verify)