ORGANIC-467. Added the option to specify Authenticator to use in env.

Author: thomasyip

api/api.go

@@ -59,7 +59,7 @@ func NewAPI(globalConfig *conf.GlobalConfiguration, db storage.Connection) *API
 
 // NewAPIWithVersion creates a new REST API using the specified version
 func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfiguration, db storage.Connection, version string) *API {
-	auth := NewAuthWithVersion(ctx, globalConfig, version)
+	auth := NewAuthWithVersion(ctx, version)
 	api := &API{config: globalConfig, db: db, auth: *auth, version: version}
 
 	xffmw, _ := xff.Default()

api/auth.go

@@ -5,25 +5,23 @@ import (
 	"net/http"
 
 	jwt "github.com/dgrijalva/jwt-go"
-	"github.com/netlify/git-gateway/conf"
 	"github.com/sirupsen/logrus"
 	"github.com/okta/okta-jwt-verifier-golang"
 )
 
 type Authenticator interface {
-	// authenticate checks incoming requests for tokens presented using the Authorization header
+	// `authenticate` checks incoming requests for tokens presented using the Authorization header
 	authenticate(w http.ResponseWriter, r *http.Request) (context.Context, error)
 	getName() string
 }
 
 type Authorizer interface {
-	// authorize checks incoming requests for roles data in tokens that is parsed and verified by prior authentication step
+	// `authorize` checks incoming requests for roles data in tokens that is parsed and verified by a prior `authenticate` step
 	authorize(w http.ResponseWriter, r *http.Request) (context.Context, error)
 	getName() string
 }
 
 type Auth struct {
-	config  *conf.GlobalConfiguration
 	authenticator Authenticator
 	authorizer Authorizer
 	version string
@@ -44,10 +42,23 @@ type RolesAuthorizer struct {
 	auth Auth
 }
 
-func NewAuthWithVersion(ctx context.Context, globalConfig *conf.GlobalConfiguration, version string) *Auth {
-	auth := &Auth{config: globalConfig, version: version}
+func NewAuthWithVersion(ctx context.Context, version string) *Auth {
+	config := getConfig(ctx)
+	auth := &Auth{version: version}
+	authenticatorName := config.JWT.Authenticator
+
+	if (authenticatorName == "bearer-jwt-token") {
+		auth.authenticator = &JWTAuthenticator{name: "bearer-jwt-token", auth: *auth}
+	} else if (authenticatorName == "bearer-okta-jwt-token") {
+		auth.authenticator = &OktaJWTAuthenticator{name: "bearer-okta-jwt-token", auth: *auth}
+	} else {
+		if (authenticatorName != "") {
+			logrus.Fatal("Authenticator `%v` is not recognized", authenticatorName)
+		} else {
+			logrus.Fatal("Authenticator is not defined")
+		}
+	}
 
-	auth.authenticator = &OktaJWTAuthenticator{name: "bearer-jwt-token", auth: *auth}
 	auth.authorizer = &RolesAuthorizer{name: "bearer-jwt-token-roles", auth: *auth}
 
 	return auth

conf/configuration.go

@@ -49,6 +49,7 @@ type JWTConfiguration struct {
 	CID    string `envconfig:"CLIENT_ID" json:"client_id,omitempty"`
 	Issuer string `envconfig:"ISSUER" json:"issuer,omitempty"`
 	AUD    string `envconfig:"AUD" json:"aud,omitempty"`
+	Authenticator string `envconfig:"AUTHENTICATOR" json:"authenticator,omitempty"`
 }
 
 // GlobalConfiguration holds all the configuration that applies to all instances.

example.env

@@ -1,30 +1,38 @@
-# Warning: Many configuration would not work with quote (ie "").
+# Do not use quote (ie, "") if you start `git-gateway` with docker command: `--env-file`
 
-# JWT Secret is not needed for RS256. Instead, issuer should be specified
-# (eg, https://dev-1234.oktapreview.com/oauth2/default)
-GITGATEWAY_JWT_SECRET=
+# DB
+GITGATEWAY_DB_DRIVER=sqlite3
+DATABASE_URL=gorm.db
 
-# @TODO - REQUIRED for Okta
-ISSUER=
+# Startup Options
+GITGATEWAY_API_HOST=localhost
+PORT=9999
 
-# @TODO - REQUIRED for Okta
-CLIENT_ID=
+# <> config for JWT Token with HS256 alg
+# AUTHENTICATOR=bearer-jwt-token
+
+# Leave blank for other AUTHENTICATOR
+GITGATEWAY_JWT_SECRET="CHANGE-THIS! VERY IMPORTANT!"
+# </>
 
+# <> config for JWT Token with Okta (RS256) alg
+AUTHENTICATOR=bearer-okta-jwt-token
+
+# REQUIRED for AUTHENTICATOR=bearer-okta-jwt-token
 AUD=api://default
 
-GITGATEWAY_DB_DRIVER=sqlite3
-DATABASE_URL=gorm.db
+# REQUIRED for AUTHENTICATOR=bearer-okta-jwt-token
+ISSUER=
+# </>
 
-# @TODO - Is there way to expose internal port from Docker?
-GITGATEWAY_API_HOST=0.0.0.0
-PORT=8087
+# REQUIRED for both AUTHENTICATOR = {bearer-jwt-token or bearer-okta-jwt-token}
+CLIENT_ID=
 
-# @TODO - REQUIRED
+# REQUIRED for GITHUB
 GITGATEWAY_GITHUB_ACCESS_TOKEN=
 
-# @TODO - REQUIRED
-GITGATEWAY_GITHUB_REPO=
+# REQUIRED for GITHUB
+GITGATEWAY_GITHUB_REPO=owner/name
 
-# Original example.env wrote: leave blank to allow all roles. But, it won't
-# work unless it is commented out
-# GITGATEWAY_ROLES=
+# Commented out to allow roles
+GITGATEWAY_ROLES=admin,cms