NOISSUE - Merge authz and authn into new service auth #1313
Conversation
| default values. | ||
|
|
||
| | Variable | Description | Default | | ||
| |---------------------------|--------------------------------------------------------------------------|---------------| |
auth/README.md
Outdated
| | MF_AUTH_SERVER_CERT | Path to server certificate in pem format | | | ||
| | MF_AUTH_SERVER_KEY | Path to server key in pem format | | | ||
| | MF_AUTH_SECRET | String used for signing tokens | auth | | ||
| | MF_JAEGER_URL | Jaeger server URL | localhost:6831 | |
auth/README.md
Outdated
| @@ -0,0 +1,118 @@ | |||
| # Authentication service | |||
There was a problem hiding this comment.
This should be updated (it's Auth service, not Authentication service) with the authorization section (at least mention it before we implement all the features).
auth/api/grpc/requests.go
Outdated
| type AssignmentReq struct { | ||
| GroupID string | ||
| MemberID string | ||
| } | ||
|
|
||
| func (req AssignmentReq) validate() error { | ||
| if req.GroupID == "" { | ||
| return auth.ErrMalformedEntity | ||
| } | ||
|
|
||
| if req.MemberID == "" { | ||
| return auth.ErrMalformedEntity | ||
| } | ||
|
|
||
| return nil | ||
| } |
There was a problem hiding this comment.
Looks like this is not used. Please remove.
auth/api/grpc/requests.go
Outdated
| Act string | ||
| } | ||
|
|
||
| func (req AuthZReq) validate() error { |
There was a problem hiding this comment.
This should not be exported. Request and response structs are internal to the API package.
auth/api/grpc/server.go
Outdated
| } | ||
|
|
||
| func (s *grpcServer) Assign(ctx context.Context, token *mainflux.Assignment) (*empty.Empty, error) { | ||
| _, res, err := s.identify.ServeGRPC(ctx, token) |
auth/api/grpc/server.go
Outdated
| } | ||
|
|
||
| func (s *grpcServer) Authorize(ctx context.Context, token *mainflux.AuthorizeReq) (*mainflux.AuthorizeRes, error) { | ||
| _, res, err := s.identify.ServeGRPC(ctx, token) |
There was a problem hiding this comment.
s.authorize.ServeGRPC
auth/api/grpc/server.go
Outdated
| } | ||
|
|
||
| func (s *grpcServer) Members(ctx context.Context, token *mainflux.MembersReq) (*mainflux.MembersRes, error) { | ||
| _, res, err := s.identify.ServeGRPC(ctx, token) |
auth/api/http/transport.go
Outdated
| @@ -46,6 +47,83 @@ func MakeHandler(svc authn.Service, tracer opentracing.Tracer) http.Handler { | |||
| opts..., | |||
| )) | |||
|
|
|||
| mux.Get("/members/:memberID/groups", kithttp.NewServer( | |||
There was a problem hiding this comment.
Please reorder methods in CRUD order (where read = get one, list all, list members, list member of...).
auth/postgres/tracing.go
Outdated
| @@ -21,6 +21,12 @@ type database struct { | |||
| type Database interface { | |||
| NamedExecContext(context.Context, string, interface{}) (sql.Result, error) | |||
| QueryRowxContext(context.Context, string, ...interface{}) *sqlx.Row | |||
| QueryxContext(context.Context, string, ...interface{}) (*sqlx.Rows, error) | |||
| // NamedExecContext(context.Context, string, interface{}) (sql.Result, error) | |||
There was a problem hiding this comment.
Please remove unused methods, both from the interface and from the implementation.
| @@ -13,9 +13,12 @@ service ThingsService { | |||
| rpc Identify(Token) returns (ThingID) {} | |||
There was a problem hiding this comment.
This should be renamed to auth.proto.
auth/README.md
Outdated
| @@ -0,0 +1,118 @@ | |||
| # Authentication service | |||
There was a problem hiding this comment.
I would call this Authentication and Authorization Service.
Also - capitalize words in titles.
auth/README.md
Outdated
| @@ -0,0 +1,118 @@ | |||
| # Authentication service | |||
|
|
|||
| Authentication service provides an API for managing authentication keys. User service is using AuthN service gRPC API to obtain login token or password reset token. Authentication key consists of the following fields: | |||
There was a problem hiding this comment.
Use just Auth, to avoid using the word Authentication, because this service is both AuthN and AuthZ.
auth/README.md
Outdated
| make install | ||
|
|
||
| # set the environment variables and run the service | ||
| MF_AUTH_LOG_LEVEL=[Service log level] MF_AUTH_DB_HOST=[Database host address] MF_AUTH_DB_PORT=[Database host port] MF_AUTH_DB_USER=[Database user] MF_AUTH_DB_PASS=[Database password] MF_AUTH_DB=[Name of the database used by the service] MF_AUTH_DB_SSL_MODE=[SSL mode to connect to the database with] MF_AUTH_DB_SSL_CERT=[Path to the PEM encoded certificate file] MF_AUTH_DB_SSL_KEY=[Path to the PEM encoded key file] MF_AUTH_DB_SSL_ROOT_CERT=[Path to the PEM encoded root certificate file] MF_AUTH_HTTP_PORT=[Service HTTP port] MF_AUTH_GRPC_PORT=[Service gRPC port] MF_AUTH_SECRET=[String used for signing tokens] MF_AUTH_SERVER_CERT=[Path to server certificate] MF_AUTH_SERVER_KEY=[Path to server key] MF_JAEGER_URL=[Jaeger server URL] $GOBIN/mainflux-authn |
There was a problem hiding this comment.
mainflux-auth, not mainflux-authn
auth/README.md
Outdated
| locally: | ||
|
|
||
| ```yaml | ||
| version: "2" |
There was a problem hiding this comment.
We use version 3.8 or something AFAIK. Please verify.
auth/api/grpc/client.go
Outdated
|
|
||
| res, err := client.authorize(ctx, AuthZReq{Act: req.Act, Obj: req.Obj, Sub: req.Sub}) | ||
| if err != nil { | ||
| return &mainflux.AuthorizeRes{Authorized: false, Err: err.Error()}, err |
There was a problem hiding this comment.
Please align naming of AuthZReq{} and AuthorizeRes{}
auth/api/grpc/requests.go
Outdated
| // 1. subject - an action invoker | ||
| // 2. object - an entity over which action will be executed | ||
| // 3. action - type of action that will be executed (read/write) | ||
| type AuthZReq struct { |
There was a problem hiding this comment.
Consider aligning this name (you are were using something like AuthorizeRequest / Response). I am not against AuthZReq also, but then align other entities.
auth/service.go
Outdated
| Total: p.Total, | ||
| Offset: p.Offset, | ||
| Limit: p.Limit, | ||
| // Name: things, |
| authorized bool | ||
| err string | ||
| } | ||
| type membersRes struct { |
There was a problem hiding this comment.
Should this contain an err field, as well? Please put an empty line between type definitions (membersRes and emptyRes).
|
|
||
| import ( | ||
| "context" | ||
| "time" | ||
|
|
||
| "github.com/mainflux/mainflux" | ||
| "github.com/mainflux/mainflux/internal/groups" |
There was a problem hiding this comment.
Since Groups are now in the Auth service (we'll have generic groups), there is no need to put this in internal, since it won't be shared with other services. We can simply move it to auth package.
There was a problem hiding this comment.
not sure about that since some endpoints may be in other services
There was a problem hiding this comment.
Yes, some endpoints probably will be in other services, but we won't share them; we won't use the groups package as an internally shared package, but as a dependency from the auth service. That is, we won't have multiple implementations of the Groups.
auth.proto
Outdated
|
|
||
| message MembersRes { | ||
| uint64 total = 1; | ||
| uint64 offset = 2; |
There was a problem hiding this comment.
check indentation here, looks like it's messed up
| | MF_AUTHN_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | ||
| | MF_AUTHN_GRPC_TIMEOUT | AuthN service gRPC request timeout in seconds | 1s | | ||
| | MF_AUTH_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | ||
| | MF_AUTH_GRPC_TIMEOUT | AuthN service gRPC request timeout in seconds | 1s | |
There was a problem hiding this comment.
Alignment of table is broken with new envars, just add one space
things/README.md
Outdated
| @@ -44,8 +44,8 @@ default values. | |||
| | MF_THINGS_SINGLE_USER_EMAIL | User email for single user mode (no gRPC communication with users) | | | |||
| | MF_THINGS_SINGLE_USER_TOKEN | User token for single user mode that should be passed in auth header | | | |||
| | MF_JAEGER_URL | Jaeger server URL | localhost:6831 | | |||
| | MF_AUTHN_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | |||
| | MF_AUTHN_GRPC_TIMEOUT | AuthN service gRPC request timeout in seconds | 1s | | |||
| | MF_AUTH_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | |||
There was a problem hiding this comment.
add one space in renamed envars because of table alingment
auth/postgres/init.go
Outdated
|
|
||
| // Connect creates a connection to the PostgreSQL instance and applies any | ||
| // unapplied database migrations. A non-nil error is returned to indicate | ||
| // failure. |
There was a problem hiding this comment.
Move this failure word to upper line for easier reading.
auth/service.go
Outdated
|
|
||
| // Revoke removes the Key with the provided id that is | ||
| // issued by the user identified by the provided key. | ||
| RevokeKey(ctx context.Context, token, id string) error |
There was a problem hiding this comment.
Same question, is Key is necessary ?
| } | ||
|
|
||
| func (svc service) Authorize(ctx context.Context, token, sub, obj, act string) (bool, error) { | ||
| return true, nil |
There was a problem hiding this comment.
Is this is a placeholder for impl ?
auth/service.go
Outdated
| // implementation, and all of its decorators (e.g. logging & metrics). | ||
| // Token is a string value of the actual Key and is used to authenticate | ||
| // an Auth service request. | ||
| type Service interface { |
There was a problem hiding this comment.
Would embeding interfaces makes more sense ? So i can see the union of multiple interfaces (Groups and Auth) in Auth spec. IMHO it would be much more obvious.
| @@ -57,7 +57,7 @@ func TestParse(t *testing.T) { | |||
| require.Nil(t, err, fmt.Sprintf("issuing key expected to succeed: %s", err)) | |||
|
|
|||
| apiKey := key() | |||
| apiKey.Type = authn.APIKey | |||
| apiKey.Type = auth.APIKey | |||
| apiKey.ExpiresAt = time.Now().UTC().Add(-1 * time.Minute).Round(time.Second) | |||
| apiToken, err := tokenizer.Issue(apiKey) | |||
There was a problem hiding this comment.
if you will follow naming, then token makes more sense than tokenizer (interface name).
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
auth/postgres/tracing.go
Outdated
| @@ -30,14 +32,24 @@ func NewDatabase(db *sqlx.DB) Database { | |||
| } | |||
| } | |||
|
|
|||
| func (d database) NamedExecContext(ctx context.Context, query string, args interface{}) (sql.Result, error) { | |||
| func (dm database) NamedQueryContext(ctx context.Context, query string, args interface{}) (*sqlx.Rows, error) { | |||
There was a problem hiding this comment.
Why was this changed to dm, and what m really represents here (a bit confusing)?
twins/mocks/auth.go
Outdated
| return &authNServiceClient{users} | ||
| } | ||
|
|
||
| func (svc authNServiceClient) Identify(ctx context.Context, in *mainflux.Token, opts ...grpc.CallOption) (*mainflux.UserIdentity, error) { |
Codecov Report
@@ Coverage Diff @@
## master #1313 +/- ##
==========================================
- Coverage 64.91% 60.97% -3.95%
==========================================
Files 117 110 -7
Lines 8029 8581 +552
==========================================
+ Hits 5212 5232 +20
- Misses 2361 2904 +543
+ Partials 456 445 -11
Continue to review full report at Codecov.
|
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
writers/influxdb/messages_test.go
Outdated
| @@ -84,7 +84,7 @@ func TestSave(t *testing.T) { | |||
| } | |||
|
|
|||
| for _, tc := range cases { | |||
| // Clean previously saved messages. | |||
| // // Clean previously saved messages. | |||
There was a problem hiding this comment.
No need for double //. Please remove.
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
auth/api/grpc/endpoint.go
Outdated
| return issueRes{}, err | ||
| } | ||
|
|
||
| now := time.Now().UTC() |
There was a problem hiding this comment.
I do not think that we need this var - just call the fnc directly in the struct declaration below.
auth/api/metrics.go
Outdated
| } | ||
|
|
||
| // MetricsMiddleware instruments core service by tracking request count and | ||
| // latency. |
There was a problem hiding this comment.
Move this word to upper line to simplify comment reading.
auth/service.go
Outdated
| Total: p.Total, | ||
| Offset: p.Offset, | ||
| Limit: p.Limit, | ||
| // Name: things, |
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
drasko
changed the title
What does this do?
New auth service will perform functions of authn service
Additionally it will support groups features