Move authentication to grpc interceptor

[gdbelvin]

This PR supports greater flexibility for deployment specific authentication schemes by moving authentication from the core/ code base to an impl/ specific grpc interceptor which can easily be swapped out with more appropriate authentication logic in specific deployments.

Changes:

• core/authentication moved to impl/authentication
• ValidateCreds moved to AuthFunc to match the grpc_auth.AuthFunc interface.
  • SecurityContext moved to ValidatedSecurity and is now stored in context.Context
• impl/google/authentication merged with impl/authentication to use the new ValidatedSecurity
• Removed auth from core/keyserver 😄
• Wrote a simple auth interceptor to support per-method authentication configurations.

[codecov-io]

Codecov Report

Merging #973 into master will increase coverage by 0.17%.
The diff coverage is 38.46%.

@@            Coverage Diff             @@
##           master     #973      +/-   ##
==========================================
+ Coverage   49.55%   49.73%   +0.17%     
==========================================
  Files          28       29       +1     
  Lines        2030     2041      +11     
==========================================
+ Hits         1006     1015       +9     
- Misses        843      846       +3     
+ Partials      181      180       -1

Impacted Files	Coverage Δ
impl/authentication/interceptor.go	0% <0%> (ø)
core/keyserver/keyserver.go	34.89% <0%> (+1.72%)	⬆️
impl/authentication/google.go	18.75% <0%> (ø)
impl/authentication/context.go	100% <100%> (ø)
impl/integration/env.go	73.07% <100%> (+1.64%)	⬆️
impl/authentication/fake.go	88.88% <100%> (ø)
impl/authorization/authorization.go	82.35% <73.33%> (-9.96%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ae6690b...9e2bcf5. Read the comment docs.

[AlCutter]

authenticates

[gdbelvin]

done

[AlCutter]

"interceptor that"

[gdbelvin]

done

[AlCutter]

Should this be a V(...).Infof?

[Martin2112]

+1

[gdbelvin]

This was a debug. I'll remove

[AlCutter]

Warning / V?

[gdbelvin]

yes

[AlCutter]

"interceptor that"

[gdbelvin]

done

[AlCutter]

Does sctx need to change now that SecurityContext is not used?

[gdbelvin]

Updated comment

[AlCutter]

this implies that two resources with differing domains (and/or apps) "blah/blah" and "blah_blah" are treated identically, is that ok?

[gdbelvin]

The / character is not allowed in domainIDs or appIDs. If they were allowed, a specially crafted domainID or appID could cross boundaries. eg domainID = "blah/apps/apptakeover"

[AlCutter]

Sure, but my point is that there are now multiple "preimages" which result in identical resource labels - this function doesn't enforce the rule that "/"s aren't allowed, it just quietly papers over that situation resulting in the multiple "preimage" thing.
Maybe that's OK, I don't know :)

Is the rule about the contents of domainID and appID enforced elsewhere?
if so this function possibly doesn't need to Sprintf, and if it isn't enforced elsewhere then maybe this function should return an error in the case where a passed-in ID contains the character?

[gdbelvin]

Excellent point. I'll make this return an error.

[Martin2112]

That looks like a TODO to me.

[gdbelvin]

I don't anticipate adding authenticated streaming methods right now.
This comment is a reminder to add the interceptor if we do add an authenticated streaming rpc.

[Martin2112]

OK, as you're the one who'll have to write the postmortem when that doesn't happen.

[gdbelvin]

I'll add a reference to the streaming interceptor with an empty map to make things clearer.

[Martin2112]

Can we avoid hardcoding this? Presumably there will be a bunch of methods under the same prefix x/y in future.

[gdbelvin]

We could replace this with a regex in the future if we need to, but simpler seems easier to test and maintain for the moment.

[Martin2112]

I thought I saw another copy of the same string. Literals in multiple places often get overlooked.

[Martin2112]

Maybe this should be called SecurityContext, or the key renamed so they match.

[gdbelvin]

Renamed

[Martin2112]

Time passes ... Thorin sings about gold.

[gdbelvin]

:-)

[Martin2112]

Aren't there more than two cases e.g. corrupt token? There are multiple errors defined below, which makes me think so.

[gdbelvin]

FakeAuthFunc is fairly simple. I'm getting 100% code coverage.

[Martin2112]

OK we shouldn't really be testing fakes though. Are there tests for the multiple possible errors defined or is that elsewhere?

[gdbelvin]

TestGoogleAuthn tests those code paths.

[Martin2112]

Does this add much value?

[gdbelvin]

Not really, except that it nicely separates the ideas of parsing and authenticating.

[Martin2112]

+1

[Martin2112]

The other code returns fixed errors but this doesn't. Should this do the same?

[gdbelvin]

The other fixed errors weren't really needed. I've removed them now.

[Martin2112]

OK, this possibly addresses my point above.

[Martin2112]

maybe t.FailNow() ?

[gdbelvin]

We want to run the rest of the tests :-)
I'll put this in a t.Run()

[Martin2112]

r.Run() is better.

[Martin2112]

Deja vu.

[gdbelvin]

The integration tests act like a sort of "main", wiring together libraries much like main does.
As a result, this intentionally lives in impl/ and allows other environments to setup their own custom envs

[Martin2112]

OK if it doesn't rely on those strings matching (my earlier point) then it might not be a problem.

[gdbelvin]

I don't see a place in the generated proto files where these strings are publicly exported. Not sure what the best solution is.

[gdbelvin]

PTAL

[Martin2112]

I think the potential only blocker is the point Al made about the preimages.

[gdbelvin]

Fixed the resource label pre-image issue.

[gdbelvin]

PTAL