feat: Implemented API key authentication mechanism (#1246)

* refactor: refactor metronome metrics with consistent tags (#1241)

* feat: Implemented API key authentication mechanism

* fix: Fixed marshaling based on code review suggestion

* feat: Added whoami endpoint

* refactor: minor refactor based on code review comments

---------

Co-authored-by: Peter Boros <[email protected]>

Author: JigarJoshi

api/proto

@@ -1004,6 +1004,32 @@ func (x *ListInvoicesRequest) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
+// UnmarshalJSON on ListAppKeysRequest. Handles query param.
+func (x *ListAppKeysRequest) UnmarshalJSON(data []byte) error {
+	var mp map[string]jsoniter.RawMessage
+
+	if err := jsoniter.Unmarshal(data, &mp); err != nil {
+		return err
+	}
+
+	for key, value := range mp {
+		var v any
+
+		switch key {
+		case "key_type":
+			v = &x.KeyType
+		case "project":
+			v = &x.Project
+		default:
+			continue
+		}
+		if err := jsoniter.Unmarshal(value, v); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func (x *GetNamespaceMetadataResponse) MarshalJSON() ([]byte, error) {
 	resp := struct {
 		MetadataKey string              `json:"metadataKey,omitempty"`

api/server/v1/marshaler.go

@@ -120,6 +120,7 @@ const (
 	QuotaLimitsMetricsMethodName     = ObservabilityMethodPrefix + "QuotaLimits"
 	QuotaUsageMethodName             = ObservabilityMethodPrefix + "QuotaUsage"
 	GetInfoMethodName                = ObservabilityMethodPrefix + "GetInfo"
+	WhoAmIMethodName                 = ObservabilityMethodPrefix + "WhoAmI"
 
 	// Realtime.
 	PresenceMethodName          = realtimeMethodPrefix + "Presence"

api/server/v1/tx.go

@@ -62,6 +62,12 @@ auth:
     - issuer: http://tigris_gotrue:8086
       algorithm: HS256
       audience: https://tigris-testB
+  api_keys:
+    auds:
+      - https://tigris-test
+    length: 120
+    email_suffix: "@apikey.tigrisdata.com"
+    user_password: hello
   token_cache_size: 100
   primary_audience: https://tigris-test
   oauth_provider: gotrue

config/server.test.yaml

@@ -76,6 +76,7 @@ type AuthzConfig struct {
 type AuthConfig struct {
 	Enabled                    bool                  `mapstructure:"enabled" yaml:"enabled" json:"enabled"`
 	Validators                 []ValidatorConfig     `mapstructure:"validators" yaml:"validators" json:"validators"`
+	ApiKeys                    ApiKeysConfig         `mapstructure:"api_keys" yaml:"api_keys" json:"api_keys"`
 	PrimaryAudience            string                `mapstructure:"primary_audience" yaml:"primary_audience" json:"primary_audience"`
 	JWKSCacheTimeout           time.Duration         `mapstructure:"jwks_cache_timeout" yaml:"jwks_cache_timeout" json:"jwks_cache_timeout"`
 	LogOnly                    bool                  `mapstructure:"log_only" yaml:"log_only" json:"log_only"`
@@ -118,6 +119,13 @@ type ValidatorConfig struct {
 	Audience  string                       `mapstructure:"audience" yaml:"audience" json:"audience"`
 }
 
+type ApiKeysConfig struct {
+	Auds         []string `mapstructure:"auds" yaml:"auds" json:"auds"`
+	Length       int      `mapstructure:"length" yaml:"length" json:"length"`
+	EmailSuffix  string   `mapstructure:"email_suffix" yaml:"email_suffix" json:"email_suffix"`
+	UserPassword string   `mapstructure:"user_password" yaml:"user_password" json:"user_password"`
+}
+
 type CdcConfig struct {
 	Enabled        bool `mapstructure:"enabled" yaml:"enabled" json:"enabled"`
 	StreamInterval time.Duration
@@ -321,6 +329,10 @@ var DefaultConfig = Config{
 				Audience: "https://tigris-api",
 			},
 		},
+		ApiKeys: ApiKeysConfig{
+			Auds:   nil,
+			Length: 120,
+		},
 		PrimaryAudience:            "https://tigris-api",
 		JWKSCacheTimeout:           5 * time.Minute,
 		TokenValidationCacheSize:   1000,

server/config/options.go

@@ -32,6 +32,7 @@ import (
 	"github.com/tigrisdata/tigris/server/defaults"
 	"github.com/tigrisdata/tigris/server/metrics"
 	"github.com/tigrisdata/tigris/server/request"
+	"github.com/tigrisdata/tigris/server/services/v1/auth"
 	"github.com/tigrisdata/tigris/server/types"
 	"google.golang.org/grpc"
 )
@@ -135,10 +136,10 @@ func GetJWTValidators(config *config.Config) []*validator.Validator {
 	return jwtValidators
 }
 
-func measuredAuthFunction(ctx context.Context, jwtValidators []*validator.Validator, config *config.Config, cache gcache.Cache) (context.Context, error) {
+func measuredAuthFunction(ctx context.Context, jwtValidators []*validator.Validator, config *config.Config, cache gcache.Cache, a auth.Provider) (context.Context, error) {
 	measurement := metrics.NewMeasurement("auth", "auth", metrics.AuthSpanType, metrics.GetAuthBaseTags(ctx))
 	measurement.StartTracing(ctx, true)
-	ctxResult, err := authFunction(ctx, jwtValidators, config, cache)
+	ctxResult, err := authFunction(ctx, jwtValidators, config, cache, a)
 	if err != nil {
 		measurement.CountErrorForScope(metrics.AuthErrorCount, measurement.GetAuthErrorTags(err))
 		measurement.FinishWithError(ctxResult, err)
@@ -151,7 +152,7 @@ func measuredAuthFunction(ctx context.Context, jwtValidators []*validator.Valida
 	return ctxResult, nil
 }
 
-func authFunction(ctx context.Context, jwtValidators []*validator.Validator, config *config.Config, cache gcache.Cache) (ctxResult context.Context, err error) {
+func authFunction(ctx context.Context, jwtValidators []*validator.Validator, config *config.Config, cache gcache.Cache, a auth.Provider) (ctxResult context.Context, err error) {
 	reqMetadata, err := request.GetRequestMetadataFromContext(ctx)
 	if err != nil {
 		log.Warn().Err(err).Msg("Failed to load request metadata")
@@ -178,9 +179,36 @@ func authFunction(ctx context.Context, jwtValidators []*validator.Validator, con
 	if err != nil {
 		return ctx, err
 	}
+	if strings.Contains(tkn, ".") {
+		return authenticateUsingAuthToken(ctx, jwtValidators, config, cache, tkn, reqMetadata)
+	} else if strings.HasPrefix(tkn, auth.ApiKeyPrefix) {
+		return authenticateUsingApiKey(ctx, jwtValidators, config, cache, tkn, reqMetadata, a)
+	}
+	return ctx, errors.Unauthenticated("Failed to authenticate")
+}
 
-	validatedToken := getCachedToken(ctx, tkn, cache)
+func authenticateUsingApiKey(ctx context.Context, _ []*validator.Validator, _ *config.Config, cache gcache.Cache, apiKey string, reqMetadata *request.Metadata, a auth.Provider) (context.Context, error) {
+	token, err := cache.Get(apiKey)
+	if err != nil || token == nil {
+		token, err = a.ValidateApiKey(ctx, apiKey, config.DefaultConfig.Auth.ApiKeys.Auds)
+		if err != nil {
+			return ctx, err
+		}
+		// put it to cache
+		err = cache.Set(apiKey, token)
+		if err != nil {
+			log.Err(err).Msg("Could not set to the cache")
+		}
+	}
+	castedToken := token.(*types.AccessToken)
+	reqMetadata.SetNamespace(ctx, castedToken.Namespace)
+	reqMetadata.SetAccessToken(castedToken)
+	return ctx, nil
+}
 
+func authenticateUsingAuthToken(ctx context.Context, jwtValidators []*validator.Validator, config *config.Config, cache gcache.Cache, tkn string, reqMetadata *request.Metadata) (context.Context, error) {
+	validatedToken := getCachedToken(ctx, tkn, cache)
+	var err error
 	// if not found from cache
 	if validatedToken == nil {
 		count := 0
@@ -272,16 +300,17 @@ func getAuthFunction(config *config.Config) func(ctx context.Context) (context.C
 		lruCache := gcache.New(config.Auth.TokenValidationCacheSize).
 			Expiration(time.Duration(config.Auth.TokenValidationCacheTTLSec) * time.Second).
 			Build()
+		authProvider := auth.NewGotrueProvider()
 
 		// inline closure to access the state of jwtValidator
 		if config.Tracing.Enabled {
 			return func(ctx context.Context) (context.Context, error) {
-				return measuredAuthFunction(ctx, jwtValidators, config, lruCache)
+				return measuredAuthFunction(ctx, jwtValidators, config, lruCache, authProvider)
 			}
 		}
 
 		return func(ctx context.Context) (context.Context, error) {
-			return authFunction(ctx, jwtValidators, config, lruCache)
+			return authFunction(ctx, jwtValidators, config, lruCache, authProvider)
 		}
 	}
 

server/middleware/auth.go

@@ -26,6 +26,7 @@ import (
 	api "github.com/tigrisdata/tigris/api/server/v1"
 	"github.com/tigrisdata/tigris/errors"
 	"github.com/tigrisdata/tigris/server/config"
+	"github.com/tigrisdata/tigris/server/services/v1/auth"
 	"github.com/tigrisdata/tigris/util/log"
 	"google.golang.org/grpc/metadata"
 )
@@ -47,35 +48,36 @@ func TestAuth(t *testing.T) {
 		FoundationDB: config.FoundationDBConfig{},
 	}
 	cache := gcache.New(10).Expiration(time.Duration(5) * time.Minute).Build()
+	authProvider := auth.NewGotrueProvider()
 	t.Run("log_only mode: no token", func(t *testing.T) {
-		ctx, err := authFunction(context.TODO(), []*validator.Validator{{}}, &config.DefaultConfig, cache)
+		ctx, err := authFunction(context.TODO(), []*validator.Validator{{}}, &config.DefaultConfig, cache, authProvider)
 		require.NotNil(t, ctx)
 		require.Nil(t, err)
 	})
 
 	t.Run("enforcing mode: no token", func(t *testing.T) {
-		_, err := authFunction(context.TODO(), []*validator.Validator{{}}, &enforcedAuthConfig, cache)
+		_, err := authFunction(context.TODO(), []*validator.Validator{{}}, &enforcedAuthConfig, cache, authProvider)
 		require.NotNil(t, err)
 		require.Equal(t, err, errors.Unauthenticated("request unauthenticated with bearer"))
 	})
 
 	t.Run("enforcing mode: Bad authorization string1", func(t *testing.T) {
 		incomingCtx := metadata.NewIncomingContext(context.TODO(), metadata.Pairs("authorization", "bearer"))
-		_, err := authFunction(incomingCtx, []*validator.Validator{{}}, &enforcedAuthConfig, cache)
+		_, err := authFunction(incomingCtx, []*validator.Validator{{}}, &enforcedAuthConfig, cache, authProvider)
 		require.NotNil(t, err)
 		require.Equal(t, err, errors.Unauthenticated("bad authorization string"))
 	})
 
 	t.Run("enforcing mode: Bad token", func(t *testing.T) {
 		incomingCtx := metadata.NewIncomingContext(context.TODO(), metadata.Pairs("authorization", "bearer somebadtoken"))
-		_, err := authFunction(incomingCtx, []*validator.Validator{{}}, &enforcedAuthConfig, cache)
+		_, err := authFunction(incomingCtx, []*validator.Validator{{}}, &enforcedAuthConfig, cache, authProvider)
 		require.NotNil(t, err)
-		require.Equal(t, err, errors.Unauthenticated("Failed to validate access token, could not be validated"))
+		require.Equal(t, errors.Unauthenticated("Failed to authenticate"), err)
 	})
 
 	t.Run("enforcing mode: Bad token 2", func(t *testing.T) {
 		incomingCtx := metadata.NewIncomingContext(context.TODO(), metadata.Pairs("authorization", "bearer some.bad.token"))
-		_, err := authFunction(incomingCtx, []*validator.Validator{{}}, &enforcedAuthConfig, cache)
+		_, err := authFunction(incomingCtx, []*validator.Validator{{}}, &enforcedAuthConfig, cache, authProvider)
 		require.NotNil(t, err)
 		require.Contains(t, err.Error(), "Failed to validate access token")
 	})

server/middleware/auth_test.go

@@ -23,7 +23,6 @@ import (
 	"github.com/tigrisdata/tigris/lib/container"
 	"github.com/tigrisdata/tigris/server/config"
 	"github.com/tigrisdata/tigris/server/request"
-	"github.com/tigrisdata/tigris/server/types"
 	"google.golang.org/grpc"
 )
 
@@ -73,6 +72,7 @@ var (
 		api.QuotaLimitsMetricsMethodName,
 		api.QuotaUsageMethodName,
 		api.GetInfoMethodName,
+		api.WhoAmIMethodName,
 
 		// realtime
 		api.ReadMessagesMethodName,
@@ -152,6 +152,7 @@ var (
 		api.QuotaLimitsMetricsMethodName,
 		api.QuotaUsageMethodName,
 		api.GetInfoMethodName,
+		api.WhoAmIMethodName,
 
 		// realtime
 		api.PresenceMethodName,
@@ -253,6 +254,7 @@ var (
 		api.QuotaLimitsMetricsMethodName,
 		api.QuotaUsageMethodName,
 		api.GetInfoMethodName,
+		api.WhoAmIMethodName,
 
 		// realtime
 		api.PresenceMethodName,
@@ -348,6 +350,7 @@ var (
 		api.QuotaLimitsMetricsMethodName,
 		api.QuotaUsageMethodName,
 		api.GetInfoMethodName,
+		api.WhoAmIMethodName,
 
 		// realtime
 		api.PresenceMethodName,
@@ -424,11 +427,11 @@ func authorize(ctx context.Context) (err error) {
 			Msg("Empty role allowed for transition purpose")
 		return nil
 	}
+	// if !isAuthorizedProject(reqMetadata, accessToken) {
+	//	authorizationErr = errors.PermissionDenied("You are not allowed to perform operation: %s", reqMetadata.GetFullMethod())
+	//}
 	var authorizationErr error
-	if !isAuthorizedProject(reqMetadata, accessToken) {
-		authorizationErr = errors.PermissionDenied("You are not allowed to perform operation: %s", reqMetadata.GetFullMethod())
-	}
-	if err == nil && !isAuthorizedOperation(reqMetadata.GetFullMethod(), role) {
+	if !isAuthorizedOperation(reqMetadata.GetFullMethod(), role) {
 		authorizationErr = errors.PermissionDenied("You are not allowed to perform operation: %s", reqMetadata.GetFullMethod())
 	}
 
@@ -447,13 +450,6 @@ func authorize(ctx context.Context) (err error) {
 	return nil
 }
 
-func isAuthorizedProject(reqMetadata *request.Metadata, accessToken *types.AccessToken) bool {
-	if accessToken.Project != "" && reqMetadata.GetProject() != accessToken.Project {
-		return false
-	}
-	return true
-}
-
 func isAuthorizedOperation(method string, role string) bool {
 	if methods := getMethodsForRole(role); methods != nil {
 		return methods.Contains(method)

server/middleware/authz.go

@@ -97,6 +97,7 @@ func TestAuthzOwnerRole(t *testing.T) {
 	require.True(t, isAuthorizedOperation(api.QuotaLimitsMetricsMethodName, ownerRoleName))
 	require.True(t, isAuthorizedOperation(api.QuotaUsageMethodName, ownerRoleName))
 	require.True(t, isAuthorizedOperation(api.GetInfoMethodName, ownerRoleName))
+	require.True(t, isAuthorizedOperation(api.WhoAmIMethodName, ownerRoleName))
 
 	// realtime
 	require.True(t, isAuthorizedOperation(api.PresenceMethodName, ownerRoleName))
@@ -193,6 +194,7 @@ func TestAuthzEditorRole(t *testing.T) {
 	require.True(t, isAuthorizedOperation(api.QuotaLimitsMetricsMethodName, editorRoleName))
 	require.True(t, isAuthorizedOperation(api.QuotaUsageMethodName, editorRoleName))
 	require.True(t, isAuthorizedOperation(api.GetInfoMethodName, editorRoleName))
+	require.True(t, isAuthorizedOperation(api.WhoAmIMethodName, editorRoleName))
 
 	// realtime
 	require.True(t, isAuthorizedOperation(api.PresenceMethodName, editorRoleName))
@@ -263,6 +265,7 @@ func TestAuthzReadOnlyRole(t *testing.T) {
 	require.True(t, isAuthorizedOperation(api.QuotaLimitsMetricsMethodName, readOnlyRoleName))
 	require.True(t, isAuthorizedOperation(api.QuotaUsageMethodName, readOnlyRoleName))
 	require.True(t, isAuthorizedOperation(api.GetInfoMethodName, readOnlyRoleName))
+	require.True(t, isAuthorizedOperation(api.WhoAmIMethodName, readOnlyRoleName))
 
 	// realtime
 	require.True(t, isAuthorizedOperation(api.ReadMessagesMethodName, readOnlyRoleName))

server/middleware/authz_test.go

@@ -33,6 +33,7 @@ import (
 	"github.com/tigrisdata/tigris/server/metadata"
 	"github.com/tigrisdata/tigris/server/request"
 	"github.com/tigrisdata/tigris/server/transaction"
+	"github.com/tigrisdata/tigris/server/types"
 	"golang.org/x/net/context/ctxhttp"
 )
 
@@ -328,6 +329,10 @@ func (*auth0) ListGlobalAppKeys(_ context.Context, _ *api.ListGlobalAppKeysReque
 	return nil, errors.Internal("auth0 implementation doesn't support it")
 }
 
+func (*auth0) ValidateApiKey(_ context.Context, _ string, _ []string) (*types.AccessToken, error) {
+	return nil, errors.Internal("auth0 implementation doesn't support it")
+}
+
 func validateOwnershipAuth0(ctx context.Context, operationName string, appId string, a *auth0) (*management.Client, string, error) {
 	client, err := a.Management.Client.Read(appId)
 	if err != nil {