Add API Key Authentication (#269)

Added API Key authentication. 

Due to a recurring question about authentication of clients I've implemented a Interceptor layer to the tonic server to check all calls for valid api keys. 

example config: 
```
auth.enabled = false --defaults to false
auth.tokens = {
    { client = "test", token = "Sometest" },
    { client = "another client", token = "Some other test" }
}
```
`auth.tokens` is a table of auth keys with their client name. 
There can be a "default" client or a single key for all clients, but this is up to configuration. 
There can be as many client keys as needed. 

In the debug log the client that authenticates is logged. 

### Performance
Performance wise there is no notable difference. 

### Possible future features

* Possibly in the future "expiration_date" can be added to automatically revoke issues, but I didn't think that was needed for a first implementation. 

* Add per client `eval` authorisation

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added `GetClients` to `SrsService`, which retrieves a list of units that are connected to SRS and the frequencies they are connected to.
 - Added `SrsConnectEvent` and `SrsDisconnectEvent` events 
 - Added `GetDrawArgumentValue` API for units, which returns the value for drawing. (useful for "hook down", "doors open" checks)
+- Added Authentication Interceptor. This enables authentication on a per client basis.
 
 ### Fixed
 - Fixed `MarkAddEvent`, `MarkChangeEvent` and `MarkRemoveEvent` position

Cargo.toml

@@ -65,6 +65,7 @@ time = { version = "0.3", features = ["formatting", "parsing"] }
 tokio.workspace = true
 tokio-stream.workspace = true
 tonic.workspace = true
+tonic-middleware = "0.1.4"
 
 [build-dependencies]
 walkdir = "2.3"

README.md

@@ -81,6 +81,15 @@ throughputLimit = 600
 -- Whether the integrity check, meant to spot installation issues, is disabled.
 integrityCheckDisabled = false
 
+-- Whether or not authentication is required
+auth.enabled = false 
+-- Authentication tokens table with client names and their tokens for split tokens. 
+auth.tokens = {
+  -- client => clientName, token => Any token. Advice to use UTF-8 only. Length not limited explicitly 
+  { client = "SomeClient", token = "SomeToken" }, 
+  { client = "SomeClient2", token = "SomeOtherToken" }
+}
+
 -- The default TTS provider to use if a TTS request does not explicitly specify another one.
 tts.defaultProvider = "win"
 
@@ -217,6 +226,52 @@ In order to develop clients for `DCS-gRPC` you must be familiar with gRPC concep
 
 The gRPC .proto files are available in the `Docs/DCS-gRPC` folder and also available in the Github repo
 
+### Client Authentication
+
+If authentication is enabled on the server you will have to add `X-API-Key` to the metadata/headers. 
+Below are some example on what it could look like in your code.
+
+#### Examples
+
+<details>
+  <summary>dotnet / c# </summary>
+
+You can either set the `Metadata` for each request or you can create a `GrpcChannel` with an interceptor that will set the key each time.
+
+For a single request: 
+
+```c#
+var client = new MissionService.MissionServiceClient(channel);
+
+Metadata metadata = new Metadata()
+{
+    { "X-API-Key", "<yourKey>" }
+};
+
+var response = client.GetScenarioCurrentTime(new GetScenarioCurrentTimeRequest { }, headers: metadata, deadline: DateTime.UtcNow.AddSeconds(2));
+```
+
+For all requests on a channel: 
+```c#
+public GrpcChannel CreateChannel(string host, string post, string? apiKey)
+{
+  GrpcChannelOptions options = new GrpcChannelOptions();
+  if (apiKey != null)
+  {
+      CallCredentials credentials = CallCredentials.FromInterceptor(async (context, metadata) =>
+      {
+          metadata.Add("X-API-Key", apiKey);
+      });
+
+      options.Credentials = ChannelCredentials.Create(ChannelCredentials.Insecure, credentials) ;
+  }
+
+  return GrpcChannel.ForAddress($"http://{host}:{port}", options);
+}
+```
+
+</details>
+
 ## Server Development
 
 The following section is only applicable to people who want to developer the DCS-gRPC server itself.

lua/DCS-gRPC/grpc-mission.lua

@@ -3,6 +3,7 @@ if not GRPC then
     -- scaffold nested tables to allow direct assignment in config file
     tts = { provider = { gcloud = {}, aws = {}, azure = {}, win = {} } },
     srs = {},
+    auth = {}
   }
 end
 

lua/DCS-gRPC/grpc.lua

@@ -21,6 +21,7 @@ if isMissionEnv then
     integrityCheckDisabled = GRPC.integrityCheckDisabled,
     tts = GRPC.tts,
     srs = GRPC.srs,
+    auth = GRPC.auth
   }))
 end
 

lua/Hooks/DCS-gRPC.lua

@@ -9,6 +9,7 @@ local function init()
       -- scaffold nested tables to allow direct assignment in config file
       tts = { provider = { gcloud = {}, aws = {}, azure = {}, win = {} } },
       srs = {},
+      auth = {}
     }
   end
 

src/authentication.rs

@@ -0,0 +1,39 @@
+use crate::config::AuthConfig;
+use tonic::codegen::http::Request;
+use tonic::transport::Body;
+use tonic::{async_trait, Status};
+use tonic_middleware::RequestInterceptor;
+
+#[derive(Clone)]
+pub struct AuthInterceptor {
+    pub auth_config: AuthConfig,
+}
+
+#[async_trait]
+impl RequestInterceptor for AuthInterceptor {
+    async fn intercept(&self, req: Request<Body>) -> Result<Request<Body>, Status> {
+        if !self.auth_config.enabled {
+            Ok(req)
+        } else {
+            match req.headers().get("X-API-Key").map(|v| v.to_str()) {
+                Some(Ok(token)) => {
+                    let mut client: Option<&String> = None;
+                    for key in &self.auth_config.tokens {
+                        if key.token == token {
+                            client = Some(&key.client);
+                            break;
+                        }
+                    }
+
+                    if client.is_some() {
+                        log::debug!("Authenticated client: {}", client.unwrap());
+                        Ok(req)
+                    } else {
+                        Err(Status::unauthenticated("Unauthenticated"))
+                    }
+                }
+                _ => Err(Status::unauthenticated("Unauthenticated")),
+            }
+        }
+    }
+}

src/config.rs

@@ -21,6 +21,7 @@ pub struct Config {
     pub integrity_check_disabled: bool,
     pub tts: Option<TtsConfig>,
     pub srs: Option<SrsConfig>,
+    pub auth: Option<AuthConfig>,
 }
 
 #[derive(Debug, Clone, Default, Deserialize, Serialize)]
@@ -87,6 +88,22 @@ pub struct SrsConfig {
     pub addr: Option<SocketAddr>,
 }
 
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthConfig {
+    #[serde(default)]
+    pub enabled: bool,
+    pub tokens: Vec<ApiKey>,
+}
+
+#[derive(Debug, Clone, Default, Deserialize, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct ApiKey {
+    #[serde(default)]
+    pub client: String,
+    pub token: String,
+}
+
 fn default_host() -> String {
     String::from("127.0.0.1")
 }

src/lib.rs

@@ -1,6 +1,7 @@
 #![allow(dead_code)]
 #![recursion_limit = "256"]
 
+mod authentication;
 mod config;
 mod fps;
 #[cfg(feature = "hot-reload")]

src/server.rs

@@ -3,6 +3,12 @@ use std::net::SocketAddr;
 use std::sync::Arc;
 use std::time::Duration;
 
+use crate::authentication::AuthInterceptor;
+use crate::config::{AuthConfig, Config, SrsConfig, TtsConfig};
+use crate::rpc::{HookRpc, MissionRpc, Srs};
+use crate::shutdown::{Shutdown, ShutdownHandle};
+use crate::srs::SrsClients;
+use crate::stats::Stats;
 use dcs_module_ipc::IPC;
 use futures_util::FutureExt;
 use stubs::atmosphere::v0::atmosphere_service_server::AtmosphereServiceServer;
@@ -25,12 +31,7 @@ use tokio::sync::oneshot::{self, Receiver};
 use tokio::sync::{mpsc, Mutex};
 use tokio::time::sleep;
 use tonic::transport;
-
-use crate::config::{Config, SrsConfig, TtsConfig};
-use crate::rpc::{HookRpc, MissionRpc, Srs};
-use crate::shutdown::{Shutdown, ShutdownHandle};
-use crate::srs::SrsClients;
-use crate::stats::Stats;
+use tonic_middleware::RequestInterceptorLayer;
 
 pub struct Server {
     runtime: Runtime,
@@ -50,6 +51,7 @@ struct ServerState {
     tts_config: TtsConfig,
     srs_config: SrsConfig,
     srs_transmit: Arc<Mutex<mpsc::Receiver<TransmitRequest>>>,
+    auth_config: AuthConfig,
 }
 
 impl Server {
@@ -71,6 +73,7 @@ impl Server {
                 tts_config: config.tts.clone().unwrap_or_default(),
                 srs_config: config.srs.clone().unwrap_or_default(),
                 srs_transmit: Arc::new(Mutex::new(rx)),
+                auth_config: config.auth.clone().unwrap_or_default(),
             },
             srs_transmit: tx,
             shutdown,
@@ -203,6 +206,7 @@ async fn try_run(
         tts_config,
         srs_config,
         srs_transmit,
+        auth_config,
     } = state;
 
     let mut mission_rpc =
@@ -242,7 +246,14 @@ async fn try_run(
         }
     });
 
+    let auth_interceptor = AuthInterceptor {
+        auth_config: auth_config.clone(),
+    };
+
+    log::info!("Authentication enabled: {}", auth_config.enabled);
+
     transport::Server::builder()
+        .layer(RequestInterceptorLayer::new(auth_interceptor.clone()))
         .add_service(AtmosphereServiceServer::new(mission_rpc.clone()))
         .add_service(CoalitionServiceServer::new(mission_rpc.clone()))
         .add_service(ControllerServiceServer::new(mission_rpc.clone()))