feat(cas): download endpoint (#294)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/artifact-cas/api/cas/v1/status_http.pb.go

@@ -19,4 +19,4 @@ credentials_service:
     token: ${VAULT_TOKEN:notasecret}
 
 auth:
-  robot_account_public_key_path: "../../devel/devkeys/cas.pub"
+  public_key_path: "../../devel/devkeys/cas.pub"

app/artifact-cas/cmd/wire_gen.go

@@ -1,6 +1,6 @@
 # Example config file
 auth:
-  robot_account_public_key_path: "./configs/devkeys/cas.public.pem"
+  public_key_path: "./configs/devkeys/cas.public.pem"
 
 server:
   http:

app/artifact-cas/configs/config.devel.yaml

@@ -59,5 +59,7 @@ message Server {
 message Auth {
   // Public key used to verify the received JWT token
   // This token in the context of chainloop has been crafted by the controlplane
-  string robot_account_public_key_path = 1;
+  string robot_account_public_key_path = 1 [deprecated = true];
+  // Public key used to verify the received JWT token
+  string public_key_path = 2;
 }

app/artifact-cas/configs/samples/config.yaml

@@ -44,11 +44,17 @@ import (
 // NewGRPCServer new a gRPC server.
 func NewGRPCServer(c *conf.Server, authConf *conf.Auth, byteService *service.ByteStreamService, rSvc *service.ResourceService, logger log.Logger) (*grpc.Server, error) {
 	log := log.NewHelper(logger)
-	log.Debugw("msg", "loading public key from file", "file", authConf.RobotAccountPublicKeyPath)
-
 	// Load the key on initialization instead of on every request
 	// TODO: implement jwks endpoint
-	rawKey, err := os.ReadFile(authConf.RobotAccountPublicKeyPath)
+	publicKeyPath := authConf.GetPublicKeyPath()
+	if publicKeyPath == "" {
+		// Maintain backwards compatibility
+		publicKeyPath = authConf.RobotAccountPublicKeyPath
+	}
+
+	log.Debugw("msg", "loading public key from file", "file", publicKeyPath)
+
+	rawKey, err := os.ReadFile(publicKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load public key: %w", err)
 	}
@@ -130,39 +136,49 @@ func jwtAuthFunc(keyFunc jwt.Keyfunc, signingMethod jwt.SigningMethod) grpc_auth
 			return nil, err
 		}
 
-		var tokenInfo *jwt.Token
-		claims := &casJWT.Claims{}
-
-		tokenInfo, err = jwt.ParseWithClaims(token, claims, keyFunc)
+		claims, err := verifyAndMarshalJWT(token, keyFunc, signingMethod)
 		if err != nil {
-			var ve *jwt.ValidationError
-			if !errors.As(err, &ve) {
-				return nil, errors.Unauthorized("UNAUTHORIZED", err.Error())
-			}
-
-			if ve.Errors&jwt.ValidationErrorMalformed != 0 {
-				return nil, jwtMiddleware.ErrTokenInvalid
-			}
+			return nil, err
+		}
 
-			if ve.Errors&(jwt.ValidationErrorExpired) != 0 {
-				return nil, jwtMiddleware.ErrTokenExpired
-			}
+		return jwtMiddleware.NewContext(ctx, claims), nil
+	}
+}
 
-			if ve.Errors&(jwt.ValidationErrorNotValidYet) != 0 {
-				return nil, jwtMiddleware.ErrTokenExpired
-			}
+// verifyAndMarshalJWT verifies the token and returns the claims
+func verifyAndMarshalJWT(token string, keyFunc jwt.Keyfunc, signingMethod jwt.SigningMethod) (*casJWT.Claims, error) {
+	var tokenInfo *jwt.Token
+	claims := &casJWT.Claims{}
 
-			return nil, err
+	tokenInfo, err := jwt.ParseWithClaims(token, claims, keyFunc)
+	if err != nil {
+		var ve *jwt.ValidationError
+		if !errors.As(err, &ve) {
+			return nil, errors.Unauthorized("UNAUTHORIZED", err.Error())
 		}
 
-		if !tokenInfo.Valid {
+		if ve.Errors&jwt.ValidationErrorMalformed != 0 {
 			return nil, jwtMiddleware.ErrTokenInvalid
 		}
 
-		if tokenInfo.Method != signingMethod {
-			return nil, jwtMiddleware.ErrUnSupportSigningMethod
+		if ve.Errors&(jwt.ValidationErrorExpired) != 0 {
+			return nil, jwtMiddleware.ErrTokenExpired
 		}
 
-		return jwtMiddleware.NewContext(ctx, tokenInfo.Claims), nil
+		if ve.Errors&(jwt.ValidationErrorNotValidYet) != 0 {
+			return nil, jwtMiddleware.ErrTokenExpired
+		}
+
+		return nil, err
 	}
+
+	if !tokenInfo.Valid {
+		return nil, jwtMiddleware.ErrTokenInvalid
+	}
+
+	if tokenInfo.Method != signingMethod {
+		return nil, jwtMiddleware.ErrUnSupportSigningMethod
+	}
+
+	return claims, nil
 }

app/artifact-cas/internal/conf/conf.pb.go

@@ -16,18 +16,26 @@
 package server
 
 import (
+	"fmt"
+	"os"
+
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/conf"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/service"
+	casJWT "github.com/chainloop-dev/chainloop/internal/robotaccount/cas"
+	jwt "github.com/golang-jwt/jwt/v4"
+
+	nhttp "net/http"
 
 	api "github.com/chainloop-dev/chainloop/app/artifact-cas/api/cas/v1"
 	"github.com/go-kratos/kratos/v2/log"
+	jwtMiddleware "github.com/go-kratos/kratos/v2/middleware/auth/jwt"
 	"github.com/go-kratos/kratos/v2/middleware/logging"
 	"github.com/go-kratos/kratos/v2/middleware/recovery"
 	"github.com/go-kratos/kratos/v2/transport/http"
 )
 
 // NewHTTPServer new a HTTP server.
-func NewHTTPServer(c *conf.Server, logger log.Logger) *http.Server {
+func NewHTTPServer(c *conf.Server, authConf *conf.Auth, downloadSvc *service.DownloadService, logger log.Logger) (*http.Server, error) {
 	var opts = []http.ServerOption{
 		http.Middleware(
 			recovery.Recovery(),
@@ -43,8 +51,47 @@ func NewHTTPServer(c *conf.Server, logger log.Logger) *http.Server {
 	if c.Http.Timeout != nil {
 		opts = append(opts, http.Timeout(c.Http.Timeout.AsDuration()))
 	}
+
+	// Load the key on initialization instead of on every request
+	// TODO: implement jwks endpoint
+	publicKeyPath := authConf.GetPublicKeyPath()
+	if publicKeyPath == "" {
+		// Maintain backwards compatibility
+		publicKeyPath = authConf.RobotAccountPublicKeyPath
+	}
+
+	rawKey, err := os.ReadFile(publicKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load public key: %w", err)
+	}
+
 	srv := http.NewServer(opts...)
 
+	srv.Handle(service.DownloadPath, authFromQueryMiddleware(loadPublicKey(rawKey), casJWT.SigningMethod, downloadSvc))
 	api.RegisterStatusServiceHTTPServer(srv, service.NewStatusService(Version))
-	return srv
+	return srv, nil
+}
+
+func authFromQueryMiddleware(keyFunc jwt.Keyfunc, signingMethod jwt.SigningMethod, next nhttp.Handler) nhttp.Handler {
+	return nhttp.HandlerFunc(func(w http.ResponseWriter, r *nhttp.Request) {
+		token := r.URL.Query().Get("t")
+		if token == "" {
+			nhttp.Error(w, "missing token", nhttp.StatusUnauthorized)
+			return
+		}
+
+		claims, err := verifyAndMarshalJWT(token, keyFunc, signingMethod)
+		if err != nil {
+			// return unauthorized
+			nhttp.Error(w, "invalid token", nhttp.StatusUnauthorized)
+			return
+		}
+
+		// Attach the claims to the context
+		ctx := jwtMiddleware.NewContext(r.Context(), claims)
+		r = r.WithContext(ctx)
+
+		// Run the next handler
+		next.ServeHTTP(w, r)
+	})
 }

app/artifact-cas/internal/conf/conf.proto

@@ -0,0 +1,104 @@
+//
+// Copyright 2023 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package service
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	"code.cloudfoundry.org/bytefmt"
+	backend "github.com/chainloop-dev/chainloop/internal/blobmanager"
+	casJWT "github.com/chainloop-dev/chainloop/internal/robotaccount/cas"
+	sl "github.com/chainloop-dev/chainloop/internal/servicelogger"
+	cr_v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/gorilla/mux"
+)
+
+// i.e /download/sha256:1234567890abcdef
+const DownloadPath = "/download/{digest}"
+
+type DownloadService struct {
+	*commonService
+}
+
+func NewDownloadService(bp backend.Provider, opts ...NewOpt) *DownloadService {
+	return &DownloadService{
+		commonService: newCommonService(bp, opts...),
+	}
+}
+
+func (s *DownloadService) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	auth, err := infoFromAuth(ctx)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	}
+
+	digest, ok := mux.Vars(r)["digest"]
+	if !ok {
+		http.Error(w, "missing digest", http.StatusBadRequest)
+		return
+	}
+
+	hash, err := cr_v1.NewHash(digest)
+	if err != nil {
+		http.Error(w, "invalid digest", http.StatusBadRequest)
+		return
+	}
+
+	// Only downloader tokens are allowed
+	if err := auth.CheckRole(casJWT.Downloader); err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
+	}
+
+	// Retrieve the CAS backend from where to download the file
+	b, err := s.backendP.FromCredentials(ctx, auth.StoredSecretID)
+	if err != nil {
+		http.Error(w, sl.LogAndMaskErr(err, s.log).Error(), http.StatusInternalServerError)
+		return
+	}
+
+	info, err := b.Describe(ctx, hash.Hex)
+	if err != nil && backend.IsNotFound(err) {
+		http.Error(w, err.Error(), http.StatusNotFound)
+		return
+	} else if err != nil {
+		http.Error(w, sl.LogAndMaskErr(err, s.log).Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Set headers
+	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", info.FileName))
+	w.Header().Set("Content-Length", strconv.FormatInt(info.Size, 10))
+
+	s.log.Infow("msg", "download initialized", "digest", hash, "size", bytefmt.ByteSize(uint64(info.Size)))
+
+	if err := b.Download(ctx, w, hash.Hex); err != nil {
+		if errors.Is(err, context.Canceled) {
+			s.log.Infow("msg", "download canceled", "digest", hash)
+			return
+		}
+
+		http.Error(w, sl.LogAndMaskErr(err, s.log).Error(), http.StatusInternalServerError)
+	}
+
+	s.log.Infow("msg", "download finished", "digest", hash, "size", bytefmt.ByteSize(uint64(info.Size)))
+}