Make HTTP authentication as the middleware

Replace bogus HTTP header check with the real HTTP auth middleware, add
the option to support various auth backend type, and remove unnecessary
unit test for missing authorization header. Add `auth` as the option to
config.yaml for API authentication and authorization mechanism
configuration. If this is not specified, the `passthrough` backend will
be used (i.e. no authentication will be performed). See auth config from
[readme](https://github.com/veraison/services/blob/main/auth/README.md).
Note `role` is not used in ratsd, and thus can be removed from config.yaml

Signed-off-by: Ian Chin Wang <[email protected]>

Author: cowbon

api/server.go

@@ -15,7 +15,6 @@ import (
 // Defines missing consts in the API Spec
 const (
 	ApplicationvndVeraisonCharesJson string = "application/vnd.veraison.chares+json"
-	ExpectedAuth                     string = "Bearer my.jwt.token"
 )
 
 type Server struct {
@@ -38,18 +37,6 @@ func (s *Server) reportProblem(w http.ResponseWriter, prob *problems.DefaultProb
 func (s *Server) RatsdChares(w http.ResponseWriter, r *http.Request, param RatsdCharesParams) {
 	var requestData ChaResRequest
 
-	auth := r.Header.Get("Authorization")
-	if auth != ExpectedAuth {
-		p := &problems.DefaultProblem{
-			Type:   string(TagGithubCom2024VeraisonratsdErrorUnauthorized),
-			Title:  string(AccessUnauthorized),
-			Detail: "wrong or missing authorization header",
-			Status: http.StatusUnauthorized,
-		}
-		s.reportProblem(w, p)
-		return
-	}
-
 	// Check if content type matches the expectation
 	ct := r.Header.Get("Content-Type")
 	if ct != ApplicationvndVeraisonCharesJson {

api/server_test.go

@@ -19,31 +19,6 @@ const (
 	jsonType = "application/json"
 )
 
-func TestRatsdChares_missing_auth_header(t *testing.T) {
-	expectedCode := http.StatusUnauthorized
-	expectedType := problems.ProblemMediaType
-	expectedBody := &problems.DefaultProblem{
-		Type:   string(TagGithubCom2024VeraisonratsdErrorUnauthorized),
-		Title:  string(AccessUnauthorized),
-		Status: http.StatusUnauthorized,
-		Detail: "wrong or missing authorization header",
-	}
-
-	var params RatsdCharesParams
-	logger := log.Named("test")
-	s := &Server{logger: logger}
-	w := httptest.NewRecorder()
-	r, _ := http.NewRequest(http.MethodPost, "/ratsd/chares", http.NoBody)
-	s.RatsdChares(w, r, params)
-
-	var body problems.DefaultProblem
-	_ = json.Unmarshal(w.Body.Bytes(), &body)
-
-	assert.Equal(t, expectedCode, w.Code)
-	assert.Equal(t, expectedType, w.Result().Header.Get("Content-Type"))
-	assert.Equal(t, expectedBody, &body)
-}
-
 func TestRatsdChares_wrong_content_type(t *testing.T) {
 	expectedCode := http.StatusBadRequest
 	expectedType := problems.ProblemMediaType
@@ -59,7 +34,6 @@ func TestRatsdChares_wrong_content_type(t *testing.T) {
 	s := &Server{logger: logger}
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest(http.MethodPost, "/ratsd/chares", http.NoBody)
-	r.Header.Add("Authorization", ExpectedAuth)
 	r.Header.Add("Content-Type", jsonType)
 	s.RatsdChares(w, r, params)
 
@@ -80,7 +54,6 @@ func TestRatsdChares_wrong_accept_type(t *testing.T) {
 	s := &Server{logger: logger}
 	w := httptest.NewRecorder()
 	r, _ := http.NewRequest(http.MethodPost, "/ratsd/chares", http.NoBody)
-	r.Header.Add("Authorization", ExpectedAuth)
 	r.Header.Add("Content-Type", ApplicationvndVeraisonCharesJson)
 	s.RatsdChares(w, r, params)
 
@@ -108,7 +81,6 @@ func TestRatsdChares_missing_nonce(t *testing.T) {
 	w := httptest.NewRecorder()
 	rb := strings.NewReader("{\"noncee\": \"MIDBNH28iioisjPy\"}")
 	r, _ := http.NewRequest(http.MethodPost, "/ratsd/chares", rb)
-	r.Header.Add("Authorization", ExpectedAuth)
 	r.Header.Add("Content-Type", ApplicationvndVeraisonCharesJson)
 	s.RatsdChares(w, r, params)
 
@@ -139,7 +111,6 @@ func TestRatsdChares_valid_request(t *testing.T) {
 	w := httptest.NewRecorder()
 	rb := strings.NewReader("{\"nonce\": \"MIDBNH28iioisjPy\"}")
 	r, _ := http.NewRequest(http.MethodPost, "/ratsd/chares", rb)
-	r.Header.Add("Authorization", ExpectedAuth)
 	r.Header.Add("Content-Type", ApplicationvndVeraisonCharesJson)
 	s.RatsdChares(w, r, params)
 

cmd/main.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/veraison/ratsd/api"
 	"github.com/veraison/ratsd/plugin"
+	"github.com/veraison/ratsd/auth"
 	"github.com/veraison/services/config"
 	"github.com/veraison/services/log"
 )
@@ -45,7 +46,7 @@ func main() {
 		Protocol:   "https",
 	}
 
-	subs, err := config.GetSubs(v, "ratsd", "*logging")
+	subs, err := config.GetSubs(v, "ratsd", "*logging", "*auth")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -55,6 +56,17 @@ func main() {
 		log.Fatalf("could not configure logging: %v", err)
 	}
 
+	authorizer, err := auth.NewAuthorizer(subs["auth"], log.Named("auth"))
+	if err != nil {
+		log.Fatalf("could not init authorizer: %v", err)
+	}
+	defer func() {
+		err := authorizer.Close()
+		if err != nil {
+			log.Errorf("Could not close authorizer: %v", err)
+		}
+	}()
+
 	log.Infow("Initializing ratsd core")
 
 	loader := config.NewLoader(&cfg)
@@ -74,7 +86,11 @@ func main() {
 
 	svr := api.NewServer(log.Named("api"))
 	r := http.NewServeMux()
-	h := api.HandlerFromMux(svr, r)
+	options := api.StdHTTPServerOptions{
+		BaseRouter:  r,
+		Middlewares: []api.MiddlewareFunc{authorizer.GetMiddleware},
+	}
+	h := api.HandlerWithOptions(svr, options)
 
 	s := &http.Server{
 		Handler: h,