feat: Implemented Basic Auth scheme

cmd/argo/commands/client/conn.go

@@ -40,21 +40,21 @@ func GetClientConn() *grpc.ClientConn {
 }
 
 func GetContext() context.Context {
-	token := GetBearerToken()
-	if token == "" {
+	authString := GetAuthString()
+	if authString == "" {
 		return context.Background()
 	}
-	return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorization", "Bearer "+GetBearerToken()))
+	return metadata.NewOutgoingContext(context.Background(), metadata.Pairs("authorization", authString))
 }
 
-func GetBearerToken() string {
+func GetAuthString() string {
 	restConfig, err := Config.ClientConfig()
 	if err != nil {
 		log.Fatal(err)
 	}
-	token, err := kubeconfig.GetBearerToken(restConfig)
+	authString, err := kubeconfig.GetAuthString(restConfig)
 	if err != nil {
 		log.Fatal(err)
 	}
-	return token
+	return authString
 }

cmd/argo/commands/token.go

@@ -18,7 +18,7 @@ func NewTokenCommand() *cobra.Command {
 				cmd.HelpFunc()(cmd, args)
 				os.Exit(1)
 			}
-			fmt.Print(client.GetBearerToken())
+			fmt.Print(client.GetAuthString())
 		},
 	}
 }

server/auth/gatekeeper.go

@@ -3,7 +3,6 @@ package auth
 import (
 	"context"
 	"net/http"
-	"strings"
 
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"google.golang.org/grpc"
@@ -96,10 +95,10 @@ func (s Gatekeeper) useClientAuth(token string) bool {
 	return false
 }
 
-func getToken(md metadata.MD) string {
+func getAuthHeader(md metadata.MD) string {
 	// looks for the HTTP header `Authorization: Bearer ...`
 	for _, t := range md.Get("authorization") {
-		return strings.TrimPrefix(t, "Bearer ")
+		return t
 	}
 	// check the HTTP cookie
 	for _, t := range md.Get("grpcgateway-cookie") {
@@ -108,7 +107,7 @@ func getToken(md metadata.MD) string {
 		request := http.Request{Header: header}
 		token, err := request.Cookie("authorization")
 		if err == nil {
-			return strings.TrimPrefix(token.Value, "Bearer ")
+			return token.Value
 		}
 	}
 	return ""
@@ -127,13 +126,14 @@ func (s Gatekeeper) getClients(ctx context.Context) (versioned.Interface, kubern
 		return nil, nil, status.Error(codes.Unauthenticated, "unable to get metadata from incoming context")
 	}
 
-	token := getToken(md)
+	authString := getAuthHeader(md)
 
-	if !s.useClientAuth(token) {
+	if !s.useClientAuth(authString) {
 		return s.wfClient, s.kubeClient, nil
 	}
 
-	restConfig, err := kubeconfig.GetRestConfig(token)
+	restConfig, err := kubeconfig.GetRestConfig(authString)
+
 	if err != nil {
 		return nil, nil, status.Errorf(codes.Unauthenticated, "failed to create REST config: %v", err)
 	}

test/e2e/argo_server_test.go

@@ -671,7 +671,7 @@ func (s *ArgoServerSuite) TestArtifactServer() {
 		defer func() { s.bearerToken = token }()
 		s.bearerToken = ""
 		s.e(t).GET("/artifacts-by-uid/{uid}/basic/main-logs", uid).
-			WithHeader("Cookie", "authorization="+token).
+			WithHeader("Cookie", "authorization=Bearer "+token).
 			Expect().
 			Status(200)
 	})

util/kubeconfig/kubeconfig.go

@@ -1,6 +1,7 @@
 package kubeconfig
 
 import (
+	"encoding/base64"
 	"net/http"
 	"os"
 	"strings"
@@ -13,16 +14,60 @@ import (
 	"k8s.io/client-go/transport"
 )
 
+const (
+	Basic_Auth_Scheme  = "Basic "
+	Bearer_Auth_Scheme = "Bearer "
+)
+
 // get the default one from the filesystem
 func DefaultRestConfig() (*restclient.Config, error) {
 	rules := clientcmd.NewDefaultClientConfigLoadingRules()
 	config := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, &clientcmd.ConfigOverrides{})
 	return config.ClientConfig()
 }
 
-// convert a bearer token into a REST config
+func IsBasicAuthScheme(token string) bool {
+	return strings.HasPrefix(token, Basic_Auth_Scheme)
+}
+
+func IsBearerAuthScheme(token string) bool {
+	return strings.HasPrefix(token, Bearer_Auth_Scheme)
+}
+
 func GetRestConfig(token string) (*restclient.Config, error) {
 
+	if IsBasicAuthScheme(token) {
+		token = strings.TrimPrefix(token, Basic_Auth_Scheme)
+		username, password, ok := decodeBasicAuthToken(token)
+		if !ok {
+			return nil, errors.New("Error parsing Basic Authentication")
+		}
+		return GetBasicRestConfig(username, password)
+	}
+	if IsBearerAuthScheme(token) {
+		token = strings.Trim(strings.TrimPrefix(token, Bearer_Auth_Scheme), " ")
+		return GetBearerRestConfig(token)
+	}
+	return nil, errors.New("Unsupported authentication scheme")
+}
+
+// convert a basic token (username, password) into a REST config
+func GetBasicRestConfig(username, password string) (*restclient.Config, error) {
+
+	restConfig, err := DefaultRestConfig()
+	if err != nil {
+		return nil, err
+	}
+	restConfig.BearerToken = ""
+	restConfig.BearerTokenFile = ""
+	restConfig.Username = username
+	restConfig.Password = password
+	return restConfig, nil
+}
+
+// convert a bearer token into a REST config
+func GetBearerRestConfig(token string) (*restclient.Config, error) {
+
 	restConfig, err := DefaultRestConfig()
 	if err != nil {
 		return nil, err
@@ -37,6 +82,27 @@ func GetRestConfig(token string) (*restclient.Config, error) {
 	return restConfig, nil
 }
 
+//Return the AuthString include Auth type(Basic or Bearer)
+func GetAuthString(in *restclient.Config) (string, error) {
+	//Checking Basic Auth
+	if in.Username != "" {
+		token, err := GetBasicAuthToken(in)
+		return Basic_Auth_Scheme + token, err
+	}
+
+	token, err := GetBearerToken(in)
+	return Bearer_Auth_Scheme + token, err
+}
+
+func GetBasicAuthToken(in *restclient.Config) (string, error) {
+
+	if in == nil {
+		return "", errors.Errorf("RestClient can't be nil")
+	}
+
+	return encodeBasicAuthToken(in.Username, in.Password), nil
+}
+
 // convert the REST config into a bearer token
 func GetBearerToken(in *restclient.Config) (string, error) {
 
@@ -47,6 +113,7 @@ func GetBearerToken(in *restclient.Config) (string, error) {
 	if in == nil {
 		return "", errors.Errorf("RestClient can't be nil")
 	}
+
 	if in.ExecProvider != nil {
 		tc, err := in.TransportConfig()
 		if err != nil {
@@ -106,3 +173,22 @@ func GetBearerToken(in *restclient.Config) (string, error) {
 func getEnvToken() string {
 	return os.Getenv("ARGO_TOKEN")
 }
+
+func encodeBasicAuthToken(username, password string) string {
+	auth := username + ":" + password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}
+
+func decodeBasicAuthToken(auth string) (username, password string, ok bool) {
+
+	c, err := base64.StdEncoding.DecodeString(auth)
+	if err != nil {
+		return
+	}
+	cs := string(c)
+	s := strings.IndexByte(cs, ':')
+	if s < 0 {
+		return
+	}
+	return cs[:s], cs[s+1:], true
+}

util/kubeconfig/kubeconfig_test.go

@@ -0,0 +1,47 @@
+package kubeconfig
+
+import (
+
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/client-go/rest"
+)
+
+const username = "admin"
+const password = "admin"
+
+const bearerToken = "bearertoken"
+
+func Test_BasicAuthString(t *testing.T) {
+	restConfig := rest.Config{}
+
+	restConfig.Username = username
+	restConfig.Password = password
+
+	t.Run("Basic Auth", func(t *testing.T) {
+		authString, err := GetAuthString(&restConfig)
+		assert.NoError(t, err)
+		outConfig, err := GetRestConfig(authString)
+		if assert.NoError(t, err) {
+			assert.Equal(t, outConfig.Username, username)
+			assert.Equal(t, outConfig.Password, password)
+		}
+	})
+}
+
+func Test_BearerAuthString(t *testing.T) {
+
+	restConfig := rest.Config{}
+
+	t.Run("Bearer Auth", func(t *testing.T) {
+		os.Setenv("ARGO_TOKEN", bearerToken)
+		authString, err := GetAuthString(&restConfig)
+		assert.NoError(t, err)
+		outConfig, err := GetRestConfig(authString)
+		if assert.NoError(t, err) {
+			assert.Equal(t, outConfig.BearerToken, bearerToken)
+		}
+	})
+}