Merge pull request #434 from cisco-open/feat/custom_grant

Add support for custom token granter, enhancer, auth registry and tenant hierachy loader

Author: TimShi

cmd/lanai-cli/initcmd/Dockerfile.tmpl

@@ -1,5 +1,5 @@
 ARG BASE_IMAGE=debian:bookworm
-ARG BUILDER_IMAGE=golang:1.21-bookworm
+ARG BUILDER_IMAGE=golang:1.24-bookworm
 
 ## Build Container ##
 FROM ${BUILDER_IMAGE} AS builder

examples/auth/README.md

@@ -16,12 +16,12 @@ In this example, the source code contains the fully finished service. This step
 involved in writing this service.
 
 ### 1. Create the Initial Project
-This involves the following steps. For detail explanation of each step, see the [developer guide](../docs/Develop.md)
+This involves the following steps. For detail explanation of each step, see the [developer guide](../../docs/Develop.md)
 
 1. Create Module.yml
 2. Add go.mod 
 3. Add Makefile 
-4. call ```shell make init CLI_TAG="develop"``` to initialize the project 
+4. call ```shell make init CLI_TAG="main"``` to initialize the project 
 
 ### 2. Adding Main File
 Add the main file corresponding to the definition in Module.yml. The main file is the entry point for this service.

examples/auth/pkg/service/clients.go

@@ -21,12 +21,15 @@ import (
 	"errors"
 	"fmt"
 	"github.com/cisco-open/go-lanai/pkg/discovery"
+	"github.com/cisco-open/go-lanai/pkg/utils"
 	"github.com/cisco-open/go-lanai/pkg/utils/order"
+	"net/url"
 	"time"
 )
 
 var (
 	insecureInstanceMatcher = discovery.InstanceWithTagKV("secure", "false", true)
+	supportedSchemes        = utils.NewStringSet("http", "https")
 )
 
 type clientDefaults struct {
@@ -203,9 +206,13 @@ func (c *client) shallowCopy() *client {
 
 func (c *client) executor(request *Request, resolver TargetResolver, dec DecodeResponseFunc) Retryable {
 	return func(ctx context.Context) (interface{}, error) {
-		target, e := resolver.Resolve(ctx, request)
-		if e != nil {
-			return nil, e
+		target, e := url.Parse(request.Path)
+		// only need to resolve the target if the request.Path is not absolute
+		if e != nil || !supportedSchemes.Has(target.Scheme) {
+			target, e = resolver.Resolve(ctx, request)
+			if e != nil {
+				return nil, e
+			}
 		}
 
 		req, e := request.CreateFunc(ctx, request.Method, target)

pkg/integrate/httpclient/client.go

@@ -34,6 +34,7 @@ import (
 	"go.uber.org/fx"
 	"net/http"
 	"net/url"
+	"path"
 	"testing"
 	"time"
 )
@@ -112,6 +113,7 @@ func TestWithMockedServer(t *testing.T) {
 		test.GomegaSubTest(SubTestWithRetry(&di), "TestWithRetry"),
 		test.GomegaSubTest(SubTestWithTimeout(&di), "TestWithTimeout"),
 		test.GomegaSubTest(SubTestWithURLEncoded(&di), "TestWithURLEncoded"),
+		test.GomegaSubTest(SubTestWithAbsoluteUrl(&di), "TestWithAbsoluteUrl"),
 	)
 }
 
@@ -390,6 +392,43 @@ func SubTestWithURLEncoded(di *TestDI) test.GomegaSubTestFunc {
 	}
 }
 
+func SubTestWithAbsoluteUrl(di *TestDI) test.GomegaSubTestFunc {
+	return func(ctx context.Context, t *testing.T, g *gomega.WithT) {
+		client := di.HttpClient
+
+		random := utils.RandomString(20)
+		now := time.Now().Format(time.RFC3339)
+		reqBody := makeEchoRequestBody()
+		opts := append([]httpclient.RequestOptions{
+			httpclient.WithHeader("X-Data", random),
+			httpclient.WithParam("time", now),
+			httpclient.WithParam("data", random),
+			httpclient.WithBody(reqBody),
+		})
+
+		uri, e := url.Parse(fmt.Sprintf(`http://localhost:%d%s`, webtest.CurrentPort(ctx), webtest.CurrentContextPath(ctx)))
+		g.Expect(e).ToNot(HaveOccurred())
+
+		uri.Path = path.Join(uri.Path, TestPath)
+		req := httpclient.NewRequest(uri.String(), http.MethodPost, opts...)
+
+		resp, e := client.Execute(ctx, req, httpclient.JsonBody(&EchoResponse{}))
+		g.Expect(e).To(Succeed(), "execute request shouldn't fail")
+
+		expected := EchoResponse{
+			Headers: map[string]string{
+				"X-Data": random,
+			},
+			Form: map[string]string{
+				"time": now,
+				"data": random,
+			},
+			ReqBody: reqBody,
+		}
+		assertResponse(t, g, resp, http.StatusOK, &expected)
+	}
+}
+
 /*************************
 	Request/Response
  *************************/

pkg/integrate/httpclient/client_test.go

@@ -44,7 +44,7 @@ type Client interface {
 	// The returned client is responsible to perform retrying.
 	// The returned client is goroutine-safe and can be reused
 	WithBaseUrl(baseUrl string) (Client, error)
-
+	
 	// WithConfig create a shallow copy of the client with specified config.
 	// Service (with LB) or BaseURL cannot be changed with this method.
 	// If any field of provided config is zero value, this value is not applied.

pkg/integrate/httpclient/context.go

@@ -24,5 +24,3 @@ func NewStaticTargetResolver(baseUrl string) (TargetResolverFunc, error) {
 		return &uri, nil
 	}, nil
 }
-
-

pkg/integrate/httpclient/resolver_static.go

@@ -181,6 +181,9 @@ type Configuration struct {
 	OpenIDSSOEnabled      bool
 	SamlIdpSigningMethod  string
 	ApprovalStore         auth.ApprovalStore
+	CustomTokenGranter    []auth.TokenGranter
+	CustomTokenEnhancer   []auth.TokenEnhancer
+	CustomAuthRegistry    auth.AuthorizationRegistry
 
 	// not directly configurable items
 	appContext                *bootstrap.ApplicationContext
@@ -265,6 +268,16 @@ func (c *Configuration) tokenGranter() auth.TokenGranter {
 			granters = append(granters, passwordGranter)
 		}
 
+		for _, custom := range c.CustomTokenGranter {
+			switch v := custom.(type) {
+			case auth.AuthorizationServiceInjector:
+				v.Inject(c.authorizationService())
+			default:
+				// do nothing
+			}
+		}
+		granters = append(granters, c.CustomTokenGranter...)
+
 		c.sharedTokenGranter = auth.NewCompositeTokenGranter(granters...)
 	}
 	return c.sharedTokenGranter
@@ -295,7 +308,11 @@ func (c *Configuration) contextDetailsStore() security.ContextDetailsStore {
 
 func (c *Configuration) authorizationRegistry() auth.AuthorizationRegistry {
 	if c.sharedAuthRegistry == nil {
-		c.sharedAuthRegistry = c.contextDetailsStore().(auth.AuthorizationRegistry)
+		if c.CustomAuthRegistry != nil {
+			c.sharedAuthRegistry = c.CustomAuthRegistry
+		} else {
+			c.sharedAuthRegistry = c.contextDetailsStore().(auth.AuthorizationRegistry)
+		}
 	}
 	return c.sharedAuthRegistry
 }
@@ -329,6 +346,7 @@ func (c *Configuration) authorizationService() auth.AuthorizationService {
 				})
 				conf.PostTokenEnhancers = append(conf.PostTokenEnhancers, openidEnhancer)
 			}
+			conf.TokenEnhancers = append(conf.TokenEnhancers, c.CustomTokenEnhancer...)
 		})
 	}
 

pkg/security/config/authserver/config.go

@@ -37,6 +37,7 @@ import (
 	"github.com/cisco-open/go-lanai/pkg/security/idp/passwdidp"
 	"github.com/cisco-open/go-lanai/pkg/security/logout"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2"
+	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth/authorize"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth/clientauth"
 	"github.com/cisco-open/go-lanai/pkg/security/oauth2/auth/token"
@@ -59,6 +60,7 @@ import (
 	. "github.com/cisco-open/go-lanai/test/utils/gomega"
 	"github.com/cisco-open/go-lanai/test/webtest"
 	"github.com/crewjam/saml"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/uuid"
 	"github.com/onsi/gomega"
 	. "github.com/onsi/gomega"
@@ -157,6 +159,7 @@ type intDI struct {
 	Mocking         sectest.MockingProperties
 	TokenReader     oauth2.TokenStoreReader
 	SessionStore    session.Store
+	AuthReg         auth.AuthorizationRegistry `optional:"true"`
 }
 
 func TestWithMockedServer(t *testing.T) {
@@ -189,6 +192,7 @@ func TestWithMockedServer(t *testing.T) {
 				testdata.NewAuthServerConfigurer, //This configurer will set up mocked client store, mocked tenant store etc.
 				testdata.NewResServerConfigurer,
 				testdata.NewMockedApprovalStore,
+				auth.NewLegacyTokenEnhancer,
 			),
 		),
 		test.GomegaSubTest(SubTestOAuth2AuthorizeWithPasswdIDP(di), "TestOAuth2AuthorizeWithPasswdIDP"),
@@ -234,6 +238,7 @@ func TestWithMockedServerWithoutFinalizer(t *testing.T) {
 				sectest.BindMockingProperties,
 				testdata.NewAuthServerConfigurer,
 				testdata.NewResServerConfigurer,
+				auth.NewLegacyTokenEnhancer,
 			),
 		),
 		// a user has access to two tenants, switch from one to the other
@@ -242,6 +247,39 @@ func TestWithMockedServerWithoutFinalizer(t *testing.T) {
 	)
 }
 
+func TestWithMockedServerWithCustomTokenGranter(t *testing.T) {
+	di := &intDI{}
+	test.RunTest(context.Background(), t,
+		apptest.Bootstrap(),
+		apptest.WithTimeout(2*time.Minute),
+		webtest.WithMockedServer(),
+		sectest.WithMockedMiddleware(sectest.MWEnableSession()),
+		apptest.WithModules(
+			authserver.Module, resserver.Module,
+			passwdidp.Module, extsamlidp.Module, authorize.Module, samlidp.Module,
+			passwd.Module, formlogin.Module, logout.Module,
+			samlctx.Module, samlsp.Module,
+			basicauth.Module, clientauth.Module,
+			token.Module, access.Module, errorhandling.Module,
+			request_cache.Module, csrf.Module, session.Module,
+			redis.Module,
+		),
+		apptest.WithDI(di),
+		apptest.WithFxOptions(
+			fx.Provide(
+				IntegrationTestMocksProvider(),
+				sectest.BindMockingProperties,
+				testdata.NewAuthServerConfigurer,
+				testdata.NewResServerConfigurer,
+				testdata.NewCustomTokenEnhancer,
+				testdata.NewCustomAuthRegistry,
+				testdata.NewCustomTokenGranter,
+			),
+		),
+		test.GomegaSubTest(SubTestCustomTokenGranter(di), "TestCustomTokenGranter"),
+	)
+}
+
 /*************************
 	Sub Tests
  *************************/
@@ -914,6 +952,31 @@ func SubTestOauth2SwitchTenant(
 	}
 }
 
+func SubTestCustomTokenGranter(
+	di *intDI,
+) test.GomegaSubTestFunc {
+	return func(ctx context.Context, t *testing.T, g *gomega.WithT) {
+		req := webtest.NewRequest(ctx, http.MethodPost, "/v2/token", customGrantReqBody(), withClientAuth("custom-grant-client", TestClientSecret), tokenReqOptions())
+		resp := webtest.MustExec(ctx, req)
+		g.Expect(resp).ToNot(BeNil(), "response should not be nil")
+		g.Expect(resp.Response.StatusCode).To(Equal(http.StatusOK), "response should have correct status code")
+
+		body, e := io.ReadAll(resp.Response.Body)
+		g.Expect(e).To(Succeed(), `token response body should be readable`)
+		g.Expect(body).To(HaveJsonPath("$.access_token"), "token response should have access_token")
+
+		accessToken := oauth2.NewDefaultAccessToken("")
+		e = json.Unmarshal(body, accessToken)
+		g.Expect(e).ToNot(HaveOccurred())
+
+		tk, _, e := jwt.NewParser().ParseUnverified(accessToken.Value(), jwt.MapClaims{})
+		g.Expect(e).ToNot(HaveOccurred())
+		g.Expect(tk.Claims.(jwt.MapClaims)["MyClaim"]).To(Equal("my_claim_value"))
+
+		g.Expect(di.AuthReg.(*testdata.CustomAuthRegistry).RegistrationCount).To(Equal(1))
+	}
+}
+
 /*************************
 	Helpers
  *************************/
@@ -1103,6 +1166,12 @@ func passwordGrantReqBody(tenantId string, username string, password string) io.
 	return strings.NewReader(values.Encode())
 }
 
+func customGrantReqBody() io.Reader {
+	values := url.Values{}
+	values.Set(oauth2.ParameterGrantType, "custom_grant")
+	return strings.NewReader(values.Encode())
+}
+
 func tokenReqOptions() webtest.RequestOptions {
 	return func(req *http.Request) {
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

pkg/security/config/integration_test.go

@@ -93,6 +93,11 @@ mocking:
       redirect-uris: ["localhost:*/**"]
       tenants: ["id-tenant-3"]
       scopes: "scope_a,scope_b"
+    custom-grant-client:
+      id: "custom-grant-client"
+      secret: "test-secret"
+      access-token-validity: 3600s
+      grant-types: "custom_grant"
   accounts:
     system:
       username: "system"