add initial BasicAuth support

Author: Jeff McCormick

apiserver.go

@@ -20,6 +20,7 @@ func main() {
 
 	log.Infoln("postgres-operator apiserver starts")
 	r := mux.NewRouter()
+	r.HandleFunc("/authtest", versionservice.AuthTestHandler)
 	r.HandleFunc("/version", versionservice.VersionHandler)
 	r.HandleFunc("/clones", cloneservice.CreateCloneHandler)
 	r.HandleFunc("/policies", policyservice.CreatePolicyHandler)
@@ -37,5 +38,6 @@ func main() {
 	r.HandleFunc("/clusters/scale/{name}", clusterservice.ScaleClusterHandler)
 	r.HandleFunc("/backups/{name}", backupservice.ShowBackupHandler).Methods("GET", "DELETE")
 	r.HandleFunc("/backups", backupservice.CreateBackupHandler).Methods("POST")
+	//log.Fatal(http.ListenAndServeTLS(":8080", "/cpmkeys/cert.pem", "/cpmkeys/key.pem", r))
 	log.Fatal(http.ListenAndServe(":8080", r))
 }

apiserver/root.go

@@ -16,6 +16,7 @@ limitations under the License.
 */
 
 import (
+	"bufio"
 	"flag"
 	log "github.com/Sirupsen/logrus"
 	crdclient "github.com/crunchydata/postgres-operator/client"
@@ -24,8 +25,12 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"os"
+	"strings"
 )
 
+// pgouserPath ...
+const pgouserPath = "/config/pgouser"
+
 // RESTClient ...
 var RESTClient *rest.RESTClient
 
@@ -44,9 +49,14 @@ const TreeTrunk = "└── "
 // TreeBranch is for debugging only in this context
 const TreeBranch = "├── "
 
+// Credentials holds the BasicAuth credentials found in the config
+var Credentials map[string]string
+
 func init() {
 	log.Infoln("apiserver starts")
 
+	getCredentials()
+
 	initConfig()
 
 	ConnectToKube()
@@ -131,3 +141,59 @@ func initConfig() {
 	log.Debug("namespace is " + viper.GetString("Namespace"))
 
 }
+
+func file2lines(filePath string) []string {
+	f, err := os.Open(filePath)
+	if err != nil {
+		log.Error(err)
+		os.Exit(2)
+	}
+	defer f.Close()
+
+	var lines []string
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		lines = append(lines, scanner.Text())
+	}
+	if err := scanner.Err(); err != nil {
+		log.Error(err)
+	}
+
+	return lines
+}
+
+func parseUserMap(dat string) (string, string) {
+
+	fields := strings.Split(strings.TrimSpace(dat), ":")
+	log.Infof("%v\n", fields)
+	log.Infof("username=[%s] password=[%s]\n", fields[0], fields[1])
+	return fields[0], fields[1]
+}
+
+// getCredentials ...
+func getCredentials() {
+	var Username, Password string
+
+	Credentials = make(map[string]string)
+
+	lines := file2lines(pgouserPath)
+	for _, v := range lines {
+		Username, Password = parseUserMap(v)
+		log.Debugf("username=%s password=%s\n", Username, Password)
+		Credentials[Username] = Password
+	}
+
+}
+
+func BasicAuthCheck(username, password string) bool {
+	value := Credentials[username]
+	if value == "" {
+		return false
+	}
+
+	if value != password {
+		return false
+	}
+
+	return true
+}

apiserver/versionservice/versionservice.go

@@ -18,6 +18,7 @@ limitations under the License.
 import (
 	"encoding/json"
 	log "github.com/Sirupsen/logrus"
+	"github.com/crunchydata/postgres-operator/apiserver"
 	"net/http"
 )
 
@@ -34,3 +35,33 @@ func VersionHandler(w http.ResponseWriter, r *http.Request) {
 
 	json.NewEncoder(w).Encode(resp)
 }
+
+// VersionHandler ...
+// pgo version
+func AuthTestHandler(w http.ResponseWriter, r *http.Request) {
+
+	log.Debug("versionservice.AuthTestHandler called")
+
+	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+
+	username, password, authOK := r.BasicAuth()
+	if authOK == false {
+		http.Error(w, "Not authorized", 401)
+		return
+	}
+
+	log.Debugf("versionservice.AuthTestHandler username=[%s] password=[%s]\n", username, password)
+
+	if !apiserver.BasicAuthCheck(username, password) {
+		//if username != "username" || password != "password" {
+		http.Error(w, "Not authenticated in apiserver", 401)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+	w.Header().Set("Content-Type", "application/json")
+
+	resp := Version()
+
+	json.NewEncoder(w).Encode(resp)
+}

conf/apiserver/pgouser

@@ -0,0 +1,2 @@
+username:password
+testuser:testpass

deploy/deploy.sh

@@ -18,6 +18,7 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 $DIR/cleanup.sh
 
 $CO_CMD --namespace=$CO_NAMESPACE create configmap apiserver-conf \
+	--from-file=$COROOT/conf/apiserver/pgouser \
 	--from-file=$COROOT/conf/apiserver/pgo.yaml \
 	--from-file=$COROOT/conf/apiserver/pgo.csvload-template.json \
 	--from-file=$COROOT/conf/apiserver/pgo.lspvc-template.json 

pgo/cmd/auth.go

@@ -0,0 +1,106 @@
+package cmd
+
+/*
+ Copyright 2017 Crunchy Data Solutions, Inc.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+import (
+	log "github.com/Sirupsen/logrus"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"runtime"
+	"strings"
+)
+
+const etcpath = "/etc/pgo/pgouser"
+const pgouserenvvar = "PGOUSER"
+
+// BasicAuthUsername and BasicAuthPassword are for BasicAuth, they are fetched from a file
+var BasicAuthUsername, BasicAuthPassword string
+
+// StatusCheck ...
+func StatusCheck(resp *http.Response) {
+	log.Debugf("http status code is %d\n", resp.StatusCode)
+	if resp.StatusCode == 401 {
+		log.Fatalf("Authentication Failed: %d\n", resp.StatusCode)
+		os.Exit(2)
+	} else if resp.StatusCode != 200 {
+		log.Fatalf("Invalid Status Code: %d\n", resp.StatusCode)
+		os.Exit(2)
+	}
+}
+
+func UserHomeDir() string {
+	env := "HOME"
+	if runtime.GOOS == "windows" {
+		env = "USERPROFILE"
+	} else if runtime.GOOS == "plan9" {
+		env = "home"
+	}
+	return os.Getenv(env)
+}
+
+func parseCredentials(dat string) (string, string) {
+
+	fields := strings.Split(strings.TrimSpace(dat), ":")
+	log.Debugf("%v\n", fields)
+	log.Debugf("username=[%s] password=[%s]\n", fields[0], fields[1])
+	return fields[0], fields[1]
+}
+
+func GetCredentials() {
+	log.Debug("GetCredentials called")
+
+	dir := UserHomeDir()
+	fullPath := dir + "/" + ".pgouser"
+	log.Debug("looking in " + fullPath + " for credentials")
+	dat, err := ioutil.ReadFile(fullPath)
+	if err != nil {
+		log.Debug(fullPath + " not found")
+	} else {
+		log.Debug(fullPath + " found")
+		log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
+		BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
+		return
+	}
+
+	fullPath = etcpath
+	dat, err = ioutil.ReadFile(fullPath)
+	if err != nil {
+		log.Debug(etcpath + " not found")
+	} else {
+		log.Debug(fullPath + " found")
+		log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
+		BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
+		return
+	}
+
+	pgoUser := os.Getenv(pgouserenvvar)
+	if pgoUser == "" {
+		log.Error(pgouserenvvar + " env var not set")
+		os.Exit(2)
+	}
+
+	fullPath = pgoUser
+	log.Debug(pgouserenvvar + " env var is being used at " + fullPath)
+	dat, err = ioutil.ReadFile(fullPath)
+	if err != nil {
+		log.Error(fullPath + " file not found")
+		os.Exit(2)
+	}
+
+	log.Debug("pgouser file found at " + fullPath + "contains " + string(dat))
+	BasicAuthUsername, BasicAuthPassword = parseCredentials(string(dat))
+}

pgo/cmd/root.go

@@ -94,4 +94,5 @@ func initConfig() {
 		}
 	}
 	log.Debug("in initConfig with url=" + APIServerURL)
+	GetCredentials()
 }

pgo/cmd/version.go

@@ -47,7 +47,8 @@ func init() {
 
 func showVersion() {
 
-	url := APIServerURL + "/version"
+	//url := APIServerURL + "/version"
+	url := APIServerURL + "/authtest"
 	log.Debug(url)
 
 	req, err := http.NewRequest("GET", url, nil)
@@ -57,6 +58,7 @@ func showVersion() {
 	}
 
 	req.Header.Set("Content-Type", "application/json")
+	req.SetBasicAuth(BasicAuthUsername, BasicAuthPassword)
 
 	client := &http.Client{}
 
@@ -69,6 +71,8 @@ func showVersion() {
 
 	defer resp.Body.Close()
 
+	StatusCheck(resp)
+
 	var response msgs.VersionResponse
 
 	if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {