feat(api): adds initial auth to endpoints

Author: jmgilman

foundry/api/Earthfile

@@ -57,6 +57,8 @@ test:
         --load foundry-api-test:latest=(+docker-test) \
         --compose docker-compose.yml \
         --service api \
+        --service auth \
+        --service auth-jwt \
         --service postgres
         RUN docker compose up api-test
     END

foundry/api/client/client.go

@@ -43,6 +43,7 @@ type Client interface {
 type HTTPClient struct {
 	baseURL    string
 	httpClient *http.Client
+	token      string
 }
 
 // ClientOption is a function type for client configuration
@@ -62,6 +63,13 @@ func WithTransport(transport http.RoundTripper) ClientOption {
 	}
 }
 
+// WithToken sets the JWT token for authentication
+func WithToken(token string) ClientOption {
+	return func(c *HTTPClient) {
+		c.token = token
+	}
+}
+
 // NewClient creates a new API client
 func NewClient(baseURL string, options ...ClientOption) Client {
 	client := &HTTPClient{
@@ -101,6 +109,11 @@ func (c *HTTPClient) do(ctx context.Context, method, path string, reqBody, respB
 	}
 	req.Header.Set("Accept", "application/json")
 
+	// Add JWT token to Authorization header if present
+	if c.token != "" {
+		req.Header.Set("Authorization", "Bearer "+c.token)
+	}
+
 	resp, err := c.httpClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("error performing request: %w", err)

foundry/api/cmd/api/main.go

@@ -13,6 +13,8 @@ import (
 	"github.com/alecthomas/kong"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/cmd/api/auth"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/api"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/api/middleware"
+	am "github.com/input-output-hk/catalyst-forge/foundry/api/internal/auth"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/config"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/models"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/repository"
@@ -111,8 +113,16 @@ func (r *RunCmd) Run() error {
 	releaseService := service.NewReleaseService(releaseRepo, aliasRepo, counterRepo, deploymentRepo)
 	deploymentService := service.NewDeploymentService(deploymentRepo, releaseRepo, eventRepo, k8sClient, db, logger)
 
+	// Initialize middleware
+	authManager, err := am.NewAuthManager(r.Auth.PrivateKey, r.Auth.PublicKey, am.WithLogger(logger))
+	if err != nil {
+		logger.Error("Failed to initialize auth manager", "error", err)
+		return err
+	}
+	authMiddleware := middleware.NewAuthMiddleware(authManager, logger)
+
 	// Setup router
-	router := api.SetupRouter(releaseService, deploymentService, db, logger)
+	router := api.SetupRouter(releaseService, deploymentService, authMiddleware, db, logger)
 
 	// Initialize server
 	server := api.NewServer(r.GetServerAddr(), router, logger)

foundry/api/docker-compose.yml

@@ -1,9 +1,31 @@
 services:
+  auth:
+    image: foundry-api:latest
+    container_name: auth
+    entrypoint: ["/bin/sh", "-c", "/app/foundry-api auth init --output-dir /data"]
+    volumes:
+      - auth:/data
+    restart: on-failure
+
+  auth-jwt:
+    image: foundry-api:latest
+    container_name: auth-jwt
+    entrypoint: ["/bin/sh", "-c", "/app/foundry-api auth generate -a -k /data/private.pem >/jwt/token.txt"]
+    volumes:
+      - auth:/data
+      - jwt:/jwt
+    restart: on-failure
+    depends_on:
+      auth:
+        condition: service_started
+
   api:
     image: foundry-api:latest
     container_name: api
     environment:
       HTTP_PORT: 5000
+      AUTH_PRIVATE_KEY: /auth/private.pem
+      AUTH_PUBLIC_KEY: /auth/public.pem
       DB_SUPER_USER: postgres
       DB_SUPER_PASSWORD: postgres
       DB_ROOT_NAME: postgres
@@ -19,13 +41,17 @@ services:
       LOG_FORMAT: text
     ports:
       - "5000:5000"
+    volumes:
+      - auth:/auth
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:5000/healthz"]
       interval: 10s
       timeout: 5s
       retries: 3
       start_period: 10s
     depends_on:
+      auth:
+        condition: service_started
       postgres:
         condition: service_healthy
     restart: on-failure
@@ -35,6 +61,9 @@ services:
     container_name: api-test
     environment:
       API_URL: http://api:5000
+      JWT_TOKEN_PATH: /jwt/token.txt
+    volumes:
+      - jwt:/jwt
     depends_on:
       api:
         condition: service_healthy
@@ -58,4 +87,6 @@ services:
     restart: on-failure
 
 volumes:
+  auth:
+  jwt:
   postgres-data:

foundry/api/internal/api/middleware/auth.go

@@ -0,0 +1,106 @@
+package middleware
+
+import (
+	"fmt"
+	"log/slog"
+	"net/http"
+	"slices"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/auth"
+)
+
+// AuthenticatedUser is a struct that contains the user information from the
+// authentication middleware
+type AuthenticatedUser struct {
+	ID          string
+	Permissions []auth.Permission
+	Claims      *auth.Claims
+}
+
+// hasPermissions checks if the user has the required permissions
+func (u *AuthenticatedUser) hasPermissions(permissions []auth.Permission) bool {
+	for _, required := range permissions {
+		if slices.Contains(u.Permissions, required) {
+			return true
+		}
+	}
+	return false
+}
+
+// AuthMiddleware provides a middleware that validates a user's permissions
+type AuthMiddleware struct {
+	authManager *auth.AuthManager
+	logger      *slog.Logger
+}
+
+// ValidatePermissions returns a middleware that validates a user's permissions
+func (h *AuthMiddleware) ValidatePermissions(permissions []auth.Permission) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		token, err := h.getToken(c)
+		if err != nil {
+			h.logger.Warn("Invalid token", "error", err)
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"error": "Invalid token",
+			})
+			c.Abort()
+		}
+
+		user, err := h.getUser(token)
+		if err != nil {
+			h.logger.Warn("Invalid token", "error", err)
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"error": "Invalid token",
+			})
+			c.Abort()
+		}
+
+		if !user.hasPermissions(permissions) {
+			h.logger.Warn("Permission denied", "user_id", user.ID, "permissions", permissions)
+			c.JSON(http.StatusForbidden, gin.H{
+				"error": "Permission denied",
+			})
+			c.Abort()
+		}
+
+		c.Set("user", user)
+		c.Next()
+	}
+}
+
+// getToken extracts the token from the Authorization header
+func (h *AuthMiddleware) getToken(c *gin.Context) (string, error) {
+	authHeader := c.GetHeader("Authorization")
+	if authHeader == "" {
+		return "", fmt.Errorf("authorization header is required")
+	}
+
+	if !strings.HasPrefix(authHeader, "Bearer ") {
+		return "", fmt.Errorf("authorization header must start with 'Bearer '")
+	}
+
+	return strings.TrimPrefix(authHeader, "Bearer "), nil
+}
+
+// getUser validates the token and returns the authenticated user
+func (h *AuthMiddleware) getUser(token string) (*AuthenticatedUser, error) {
+	claims, err := h.authManager.ValidateToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	return &AuthenticatedUser{
+		ID:          claims.UserID,
+		Permissions: claims.Permissions,
+		Claims:      claims,
+	}, nil
+}
+
+// NewAuthMiddleware creates a new AuthMiddlewareHandler
+func NewAuthMiddleware(authManager *auth.AuthManager, logger *slog.Logger) *AuthMiddleware {
+	return &AuthMiddleware{
+		authManager: authManager,
+		logger:      logger,
+	}
+}

foundry/api/internal/api/router.go

@@ -6,6 +6,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/api/handlers"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/api/middleware"
+	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/auth"
 	"github.com/input-output-hk/catalyst-forge/foundry/api/internal/service"
 	"gorm.io/gorm"
 )
@@ -14,6 +15,7 @@ import (
 func SetupRouter(
 	releaseService service.ReleaseService,
 	deploymentService service.DeploymentService,
+	am *middleware.AuthMiddleware,
 	db *gorm.DB,
 	logger *slog.Logger,
 ) *gin.Engine {
@@ -39,27 +41,27 @@ func SetupRouter(
 	// Route Setup //
 
 	// Release endpoints
-	r.POST("/release", releaseHandler.CreateRelease)
-	r.GET("/release/:id", releaseHandler.GetRelease)
-	r.PUT("/release/:id", releaseHandler.UpdateRelease)
-	r.GET("/releases", releaseHandler.ListReleases)
+	r.POST("/release", am.ValidatePermissions([]auth.Permission{auth.PermReleaseWrite}), releaseHandler.CreateRelease)
+	r.GET("/release/:id", am.ValidatePermissions([]auth.Permission{auth.PermReleaseRead}), releaseHandler.GetRelease)
+	r.PUT("/release/:id", am.ValidatePermissions([]auth.Permission{auth.PermReleaseWrite}), releaseHandler.UpdateRelease)
+	r.GET("/releases", am.ValidatePermissions([]auth.Permission{auth.PermReleaseRead}), releaseHandler.ListReleases)
 
 	// Release aliases
-	r.GET("/release/alias/:name", releaseHandler.GetReleaseByAlias)
-	r.POST("/release/alias/:name", releaseHandler.CreateAlias)
-	r.DELETE("/release/alias/:name", releaseHandler.DeleteAlias)
-	r.GET("/release/:id/aliases", releaseHandler.ListAliases)
+	r.GET("/release/alias/:name", am.ValidatePermissions([]auth.Permission{auth.PermReleaseRead}), releaseHandler.GetReleaseByAlias)
+	r.POST("/release/alias/:name", am.ValidatePermissions([]auth.Permission{auth.PermReleaseWrite}), releaseHandler.CreateAlias)
+	r.DELETE("/release/alias/:name", am.ValidatePermissions([]auth.Permission{auth.PermReleaseWrite}), releaseHandler.DeleteAlias)
+	r.GET("/release/:id/aliases", am.ValidatePermissions([]auth.Permission{auth.PermReleaseRead}), releaseHandler.ListAliases)
 
 	// Deployment endpoints
-	r.POST("/release/:id/deploy", deploymentHandler.CreateDeployment)
-	r.GET("/release/:id/deploy/:deployId", deploymentHandler.GetDeployment)
-	r.PUT("/release/:id/deploy/:deployId", deploymentHandler.UpdateDeployment)
-	r.GET("/release/:id/deployments", deploymentHandler.ListDeployments)
-	r.GET("/release/:id/deploy/latest", deploymentHandler.GetLatestDeployment)
+	r.POST("/release/:id/deploy", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentWrite}), deploymentHandler.CreateDeployment)
+	r.GET("/release/:id/deploy/:deployId", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentRead}), deploymentHandler.GetDeployment)
+	r.PUT("/release/:id/deploy/:deployId", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentWrite}), deploymentHandler.UpdateDeployment)
+	r.GET("/release/:id/deployments", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentRead}), deploymentHandler.ListDeployments)
+	r.GET("/release/:id/deploy/latest", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentRead}), deploymentHandler.GetLatestDeployment)
 
 	// Deployment event endpoints
-	r.POST("/release/:id/deploy/:deployId/events", deploymentHandler.AddDeploymentEvent)
-	r.GET("/release/:id/deploy/:deployId/events", deploymentHandler.GetDeploymentEvents)
+	r.POST("/release/:id/deploy/:deployId/events", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentEventWrite}), deploymentHandler.AddDeploymentEvent)
+	r.GET("/release/:id/deploy/:deployId/events", am.ValidatePermissions([]auth.Permission{auth.PermDeploymentEventRead}), deploymentHandler.GetDeploymentEvents)
 
 	return r
 }

foundry/api/internal/config/config.go

@@ -11,6 +11,7 @@ import (
 // Config represents the application configuration
 type Config struct {
 	Server     ServerConfig     `kong:"embed"`
+	Auth       AuthConfig       `kong:"embed"`
 	Database   DatabaseConfig   `kong:"embed"`
 	Logging    LoggingConfig    `kong:"embed"`
 	Kubernetes KubernetesConfig `kong:"embed"`
@@ -22,6 +23,12 @@ type ServerConfig struct {
 	Timeout  time.Duration `kong:"help='Server timeout',default=30s,env='SERVER_TIMEOUT'"`
 }
 
+// AuthConfig represents authentication-specific configuration
+type AuthConfig struct {
+	PrivateKey string `kong:"help='Path to private key for JWT authentication',env='AUTH_PRIVATE_KEY'"`
+	PublicKey  string `kong:"help='Path to public key for JWT authentication',env='AUTH_PUBLIC_KEY'"`
+}
+
 // DatabaseConfig represents database-specific configuration
 type DatabaseConfig struct {
 	Host     string `kong:"help='Database host',default='localhost',env='DB_HOST'"`

foundry/api/test/alias_test.go

@@ -1,10 +1,8 @@
 package test
 
 import (
-	"context"
 	"encoding/base64"
 	"fmt"
-	"os"
 	"testing"
 	"time"
 
@@ -15,13 +13,8 @@ import (
 )
 
 func TestAliasAPI(t *testing.T) {
-	apiURL := os.Getenv("API_URL")
-	if apiURL == "" {
-		apiURL = "http://localhost:8080"
-	}
-
-	c := client.NewClient(apiURL)
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	c := newTestClient()
+	ctx, cancel := newTestContext()
 	defer cancel()
 
 	projectName := fmt.Sprintf("test-project-alias-%d", time.Now().Unix())