-
Notifications
You must be signed in to change notification settings - Fork 669
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NOISSUE - Merge authz and authn into new service auth #1313
Conversation
default values. | ||
|
||
| Variable | Description | Default | | ||
|---------------------------|--------------------------------------------------------------------------|---------------| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Align
auth/README.md
Outdated
| MF_AUTH_SERVER_CERT | Path to server certificate in pem format | | | ||
| MF_AUTH_SERVER_KEY | Path to server key in pem format | | | ||
| MF_AUTH_SECRET | String used for signing tokens | auth | | ||
| MF_JAEGER_URL | Jaeger server URL | localhost:6831 | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Align
auth/README.md
Outdated
@@ -0,0 +1,118 @@ | |||
# Authentication service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be updated (it's Auth service, not Authentication service) with the authorization section (at least mention it before we implement all the features).
auth/api/grpc/requests.go
Outdated
type AssignmentReq struct { | ||
GroupID string | ||
MemberID string | ||
} | ||
|
||
func (req AssignmentReq) validate() error { | ||
if req.GroupID == "" { | ||
return auth.ErrMalformedEntity | ||
} | ||
|
||
if req.MemberID == "" { | ||
return auth.ErrMalformedEntity | ||
} | ||
|
||
return nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like this is not used. Please remove.
auth/api/grpc/requests.go
Outdated
Act string | ||
} | ||
|
||
func (req AuthZReq) validate() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not be exported. Request and response structs are internal to the API package.
auth/api/grpc/server.go
Outdated
} | ||
|
||
func (s *grpcServer) Assign(ctx context.Context, token *mainflux.Assignment) (*empty.Empty, error) { | ||
_, res, err := s.identify.ServeGRPC(ctx, token) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s.assign.ServeGRPC
auth/api/grpc/server.go
Outdated
} | ||
|
||
func (s *grpcServer) Authorize(ctx context.Context, token *mainflux.AuthorizeReq) (*mainflux.AuthorizeRes, error) { | ||
_, res, err := s.identify.ServeGRPC(ctx, token) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s.authorize.ServeGRPC
auth/api/grpc/server.go
Outdated
} | ||
|
||
func (s *grpcServer) Members(ctx context.Context, token *mainflux.MembersReq) (*mainflux.MembersRes, error) { | ||
_, res, err := s.identify.ServeGRPC(ctx, token) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s.members.ServeGRPC
auth/api/http/transport.go
Outdated
@@ -46,6 +47,83 @@ func MakeHandler(svc authn.Service, tracer opentracing.Tracer) http.Handler { | |||
opts..., | |||
)) | |||
|
|||
mux.Get("/members/:memberID/groups", kithttp.NewServer( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please reorder methods in CRUD order (where read = get one, list all, list members, list member of...).
auth/postgres/tracing.go
Outdated
@@ -21,6 +21,12 @@ type database struct { | |||
type Database interface { | |||
NamedExecContext(context.Context, string, interface{}) (sql.Result, error) | |||
QueryRowxContext(context.Context, string, ...interface{}) *sqlx.Row | |||
QueryxContext(context.Context, string, ...interface{}) (*sqlx.Rows, error) | |||
// NamedExecContext(context.Context, string, interface{}) (sql.Result, error) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove unused methods, both from the interface and from the implementation.
@@ -13,9 +13,12 @@ service ThingsService { | |||
rpc Identify(Token) returns (ThingID) {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be renamed to auth.proto
.
auth/README.md
Outdated
@@ -0,0 +1,118 @@ | |||
# Authentication service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would call this Authentication and Authorization Service
.
Also - capitalize words in titles.
auth/README.md
Outdated
@@ -0,0 +1,118 @@ | |||
# Authentication service | |||
|
|||
Authentication service provides an API for managing authentication keys. User service is using AuthN service gRPC API to obtain login token or password reset token. Authentication key consists of the following fields: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use just Auth
, to avoid using the word Authentication
, because this service is both AuthN and AuthZ.
auth/README.md
Outdated
make install | ||
|
||
# set the environment variables and run the service | ||
MF_AUTH_LOG_LEVEL=[Service log level] MF_AUTH_DB_HOST=[Database host address] MF_AUTH_DB_PORT=[Database host port] MF_AUTH_DB_USER=[Database user] MF_AUTH_DB_PASS=[Database password] MF_AUTH_DB=[Name of the database used by the service] MF_AUTH_DB_SSL_MODE=[SSL mode to connect to the database with] MF_AUTH_DB_SSL_CERT=[Path to the PEM encoded certificate file] MF_AUTH_DB_SSL_KEY=[Path to the PEM encoded key file] MF_AUTH_DB_SSL_ROOT_CERT=[Path to the PEM encoded root certificate file] MF_AUTH_HTTP_PORT=[Service HTTP port] MF_AUTH_GRPC_PORT=[Service gRPC port] MF_AUTH_SECRET=[String used for signing tokens] MF_AUTH_SERVER_CERT=[Path to server certificate] MF_AUTH_SERVER_KEY=[Path to server key] MF_JAEGER_URL=[Jaeger server URL] $GOBIN/mainflux-authn |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
mainflux-auth
, not mainflux-authn
auth/README.md
Outdated
locally: | ||
|
||
```yaml | ||
version: "2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We use version 3.8
or something AFAIK. Please verify.
auth/api/grpc/client.go
Outdated
|
||
res, err := client.authorize(ctx, AuthZReq{Act: req.Act, Obj: req.Obj, Sub: req.Sub}) | ||
if err != nil { | ||
return &mainflux.AuthorizeRes{Authorized: false, Err: err.Error()}, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please align naming of AuthZReq{}
and AuthorizeRes{}
auth/api/grpc/requests.go
Outdated
// 1. subject - an action invoker | ||
// 2. object - an entity over which action will be executed | ||
// 3. action - type of action that will be executed (read/write) | ||
type AuthZReq struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider aligning this name (you are were using something like AuthorizeRequest / Response
). I am not against AuthZReq
also, but then align other entities.
auth/service.go
Outdated
Total: p.Total, | ||
Offset: p.Offset, | ||
Limit: p.Limit, | ||
// Name: things, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove dead code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove dead code.
authorized bool | ||
err string | ||
} | ||
type membersRes struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this contain an err field, as well? Please put an empty line between type definitions (membersRes
and emptyRes
).
|
||
import ( | ||
"context" | ||
"time" | ||
|
||
"github.com/mainflux/mainflux" | ||
"github.com/mainflux/mainflux/internal/groups" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since Groups are now in the Auth service (we'll have generic groups), there is no need to put this in internal
, since it won't be shared with other services. We can simply move it to auth
package.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure about that since some endpoints may be in other services
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, some endpoints probably will be in other services, but we won't share them; we won't use the groups
package as an internally shared package, but as a dependency from the auth
service. That is, we won't have multiple implementations of the Groups.
auth.proto
Outdated
|
||
message MembersRes { | ||
uint64 total = 1; | ||
uint64 offset = 2; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check indentation here, looks like it's messed up
| MF_AUTHN_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | ||
| MF_AUTHN_GRPC_TIMEOUT | AuthN service gRPC request timeout in seconds | 1s | | ||
| MF_AUTH_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | ||
| MF_AUTH_GRPC_TIMEOUT | AuthN service gRPC request timeout in seconds | 1s | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alignment of table is broken with new envars, just add one space
things/README.md
Outdated
@@ -44,8 +44,8 @@ default values. | |||
| MF_THINGS_SINGLE_USER_EMAIL | User email for single user mode (no gRPC communication with users) | | | |||
| MF_THINGS_SINGLE_USER_TOKEN | User token for single user mode that should be passed in auth header | | | |||
| MF_JAEGER_URL | Jaeger server URL | localhost:6831 | | |||
| MF_AUTHN_GRPC_URL | AuthN service gRPC URL | localhost:8181 | | |||
| MF_AUTHN_GRPC_TIMEOUT | AuthN service gRPC request timeout in seconds | 1s | | |||
| MF_AUTH_GRPC_URL | AuthN service gRPC URL | localhost:8181 | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add one space in renamed envars because of table alingment
auth/postgres/init.go
Outdated
|
||
// Connect creates a connection to the PostgreSQL instance and applies any | ||
// unapplied database migrations. A non-nil error is returned to indicate | ||
// failure. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move this failure
word to upper line for easier reading.
auth/service.go
Outdated
|
||
// Revoke removes the Key with the provided id that is | ||
// issued by the user identified by the provided key. | ||
RevokeKey(ctx context.Context, token, id string) error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same question, is Key
is necessary ?
} | ||
|
||
func (svc service) Authorize(ctx context.Context, token, sub, obj, act string) (bool, error) { | ||
return true, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this is a placeholder for impl ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes
auth/service.go
Outdated
// implementation, and all of its decorators (e.g. logging & metrics). | ||
// Token is a string value of the actual Key and is used to authenticate | ||
// an Auth service request. | ||
type Service interface { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would embeding interfaces makes more sense ? So i can see the union of multiple interfaces (Groups and Auth) in Auth spec. IMHO it would be much more obvious.
@@ -57,7 +57,7 @@ func TestParse(t *testing.T) { | |||
require.Nil(t, err, fmt.Sprintf("issuing key expected to succeed: %s", err)) | |||
|
|||
apiKey := key() | |||
apiKey.Type = authn.APIKey | |||
apiKey.Type = auth.APIKey | |||
apiKey.ExpiresAt = time.Now().UTC().Add(-1 * time.Minute).Round(time.Second) | |||
apiToken, err := tokenizer.Issue(apiKey) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if you will follow naming, then token makes more sense than tokenizer (interface name).
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
auth/postgres/tracing.go
Outdated
@@ -30,14 +32,24 @@ func NewDatabase(db *sqlx.DB) Database { | |||
} | |||
} | |||
|
|||
func (d database) NamedExecContext(ctx context.Context, query string, args interface{}) (sql.Result, error) { | |||
func (dm database) NamedQueryContext(ctx context.Context, query string, args interface{}) (*sqlx.Rows, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why was this changed to dm
, and what m
really represents here (a bit confusing)?
twins/mocks/auth.go
Outdated
return &authNServiceClient{users} | ||
} | ||
|
||
func (svc authNServiceClient) Identify(ctx context.Context, in *mainflux.Token, opts ...grpc.CallOption) (*mainflux.UserIdentity, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
authN
or auth
?
Codecov Report
@@ Coverage Diff @@
## master #1313 +/- ##
==========================================
- Coverage 64.91% 60.97% -3.95%
==========================================
Files 117 110 -7
Lines 8029 8581 +552
==========================================
+ Hits 5212 5232 +20
- Misses 2361 2904 +543
+ Partials 456 445 -11
Continue to review full report at Codecov.
|
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
writers/influxdb/messages_test.go
Outdated
@@ -84,7 +84,7 @@ func TestSave(t *testing.T) { | |||
} | |||
|
|||
for _, tc := range cases { | |||
// Clean previously saved messages. | |||
// // Clean previously saved messages. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need for double //
. Please remove.
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
auth/api/grpc/endpoint.go
Outdated
return issueRes{}, err | ||
} | ||
|
||
now := time.Now().UTC() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not think that we need this var - just call the fnc directly in the struct declaration below.
auth/api/metrics.go
Outdated
} | ||
|
||
// MetricsMiddleware instruments core service by tracking request count and | ||
// latency. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Move this word to upper line to simplify comment reading.
auth/service.go
Outdated
Total: p.Total, | ||
Offset: p.Offset, | ||
Limit: p.Limit, | ||
// Name: things, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove dead code.
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
What does this do?
New auth service will perform functions of authn service
Additionally it will support groups features