Change agent to support OAuth2 auth (#159)

* Change agent to support OAuth2 auth

Signed-off-by: Jose Fuentes <[email protected]>

* Use single character shorthand for credentials file

Signed-off-by: Jose Fuentes <[email protected]>

* Fix initialization of oauth client

Signed-off-by: Jose Fuentes <[email protected]>

* Delete not related files

Signed-off-by: Jose Fuentes <[email protected]>

* Fix typo

Signed-off-by: Jose Fuentes <[email protected]>

Author: j-fuentes

Makefile

@@ -15,7 +15,10 @@ define LDFLAGS
 -X "github.com/jetstack/preflight/pkg/version.Platform=$(GOOS)/$(GOARCH)" \
 -X "github.com/jetstack/preflight/pkg/version.Commit=$(COMMIT)" \
 -X "github.com/jetstack/preflight/pkg/version.BuildDate=$(DATE)" \
--X "github.com/jetstack/preflight/pkg/version.GoVersion=$(GOVERSION)"
+-X "github.com/jetstack/preflight/pkg/version.GoVersion=$(GOVERSION)" \
+-X "github.com/jetstack/preflight/pkg/client.clientID=$(OAUTH_CLIENT_ID)" \
+-X "github.com/jetstack/preflight/pkg/client.clientSecret=$(OAUTH_CLIENT_SECRET)" \
+-X "github.com/jetstack/preflight/pkg/client.authServer=$(OAUTH_AUTH_SERVER)"
 endef
 
 GO_BUILD:=go build -ldflags '$(LDFLAGS)'

cmd/agent.go

@@ -36,4 +36,11 @@ func init() {
 		3600,
 		"Time between scans, in seconds.",
 	)
+	agentCmd.PersistentFlags().StringVarP(
+		&agent.CredentialsPath,
+		"credentials-file",
+		"k",
+		"",
+		"(Experimental) Location of the credentials file. For OAuth2 based authentication.",
+	)
 }

pkg/agent/credentials.go

@@ -0,0 +1,46 @@
+package agent
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/hashicorp/go-multierror"
+)
+
+// Credentials defines the format of the credentials.json file.
+type Credentials struct {
+	// UserID is the ID or email for the user or service account.
+	UserID string `json:"user_id"`
+	// UserSecret is the secret for the user or service account.
+	UserSecret string `json:"user_secret"`
+}
+
+func (c *Credentials) validate() error {
+	var result *multierror.Error
+
+	if c.UserID == "" {
+		result = multierror.Append(result, fmt.Errorf("user_id cannot be empty"))
+	}
+
+	if c.UserSecret == "" {
+		result = multierror.Append(result, fmt.Errorf("user_secret cannot be empty"))
+	}
+
+	return result.ErrorOrNil()
+}
+
+// ParseCredentials reads credentials into a struct used. Performs validations.
+func ParseCredentials(data []byte) (*Credentials, error) {
+	var credentials Credentials
+
+	err := json.Unmarshal(data, &credentials)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = credentials.validate(); err != nil {
+		return nil, err
+	}
+
+	return &credentials, nil
+}

pkg/agent/run.go

@@ -1,18 +1,16 @@
 package agent
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"log"
-	"net/http"
 	"net/url"
 	"os"
 	"time"
 
 	"github.com/jetstack/preflight/api"
+	"github.com/jetstack/preflight/pkg/client"
 	"github.com/jetstack/preflight/pkg/datagatherer"
 	"github.com/spf13/cobra"
 )
@@ -26,6 +24,9 @@ var AuthToken string
 // Period is the number of seconds between scans
 var Period uint
 
+// CredentialsPath is where the agent will try to loads the credentials. (Experimental)
+var CredentialsPath string
+
 // Run starts the agent process
 func Run(cmd *cobra.Command, args []string) {
 	ctx := context.Background()
@@ -43,21 +44,10 @@ func Run(cmd *cobra.Command, args []string) {
 		log.Fatalf("Failed to parse config file: %s", err)
 	}
 
-	// AuthToken flag takes preference over token in configuration file.
-	if AuthToken == "" {
-		AuthToken = config.Token
-	} else {
-		log.Printf("Using authorization token from flag.")
-	}
-
 	if config.Token != "" {
 		config.Token = "(redacted)"
 	}
 
-	if AuthToken == "" {
-		log.Fatalf("Missing authorization token. Cannot continue.")
-	}
-
 	serverURL, err := url.Parse(fmt.Sprintf("%s://%s%s", config.Endpoint.Protocol, config.Endpoint.Host, config.Endpoint.Path))
 	if err != nil {
 		log.Fatalf("Failed to build URL: %s", err)
@@ -70,6 +60,47 @@ func Run(cmd *cobra.Command, args []string) {
 
 	log.Printf("Loaded config: \n%s", dump)
 
+	var credentials *Credentials
+	if CredentialsPath != "" {
+		file, err = os.Open(CredentialsPath)
+		if err != nil {
+			log.Fatalf("Failed to load credentials from file %s", CredentialsPath)
+		}
+		defer file.Close()
+
+		b, err = ioutil.ReadAll(file)
+
+		credentials, err = ParseCredentials(b)
+		if err != nil {
+			log.Fatalf("Failed to parse credentials file: %s", err)
+		}
+	}
+
+	var preflightClient *client.PreflightClient
+	if credentials != nil {
+		log.Printf("A credentials file was specified. Using OAuth2 authentication...")
+		preflightClient, err = client.New(credentials.UserID, credentials.UserSecret, serverURL.String())
+		if err != nil {
+			log.Fatalf("Error creating preflight client: %+v", err)
+		}
+	} else {
+		// AuthToken flag takes preference over token in configuration file.
+		if AuthToken == "" {
+			AuthToken = config.Token
+		} else {
+			log.Printf("Using authorization token from flag.")
+		}
+
+		if AuthToken == "" {
+			log.Fatalf("Missing authorization token. Cannot continue.")
+		}
+
+		preflightClient, err = client.NewWithBasicAuth(AuthToken, serverURL.String())
+		if err != nil {
+			log.Fatalf("Error creating preflight client: %+v", err)
+		}
+	}
+
 	dataGatherers := make(map[string]datagatherer.DataGatherer)
 
 	for _, dgConfig := range config.DataGatherers {
@@ -108,44 +139,13 @@ func Run(cmd *cobra.Command, args []string) {
 	for {
 		log.Println("Running Agent...")
 		log.Println("Posting data to ", serverURL)
-		err = postData(serverURL, AuthToken, readings)
+		err = preflightClient.PostDataReadings(readings)
 		// TODO: handle errors gracefully: e.g. handle retries when it is possible
 		if err != nil {
 			log.Fatalf("Post to server failed: %+v", err)
+		} else {
+			log.Println("Data sent successfully.")
 		}
 		time.Sleep(time.Duration(Period) * time.Second)
 	}
 }
-
-func postData(serverURL *url.URL, token string, readings []*api.DataReading) error {
-	data, err := json.Marshal(readings)
-	if err != nil {
-		return err
-	}
-
-	req, err := http.NewRequest(http.MethodPost, serverURL.String(), bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-
-	if len(token) > 0 {
-		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
-	}
-
-	client := &http.Client{}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-
-	body, err := ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-
-	if code := resp.StatusCode; code < 200 || code >= 300 {
-		return fmt.Errorf("Received response with status code %d. Body: %s", code, string(body))
-	}
-
-	log.Println("Data sent successfully. Server says: ", string(body))
-
-	return nil
-}

pkg/client/accessToken.go

@@ -0,0 +1,78 @@
+package client
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/juju/errors"
+)
+
+type accessToken struct {
+	bearer         string
+	expirationDate time.Time
+}
+
+func (t *accessToken) needsRenew() bool {
+	return t.bearer == "" || time.Now().After(t.expirationDate)
+}
+
+// getValidAccessToken returns a valid access token. It will fetch a new access
+// token from the auth server in case the current access token does not exist
+// or it is expired.
+func (c *PreflightClient) getValidAccessToken() (*accessToken, error) {
+	if c.accessToken.needsRenew() {
+		err := c.renewAccessToken()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return c.accessToken, nil
+}
+
+func (c *PreflightClient) renewAccessToken() error {
+	url := fmt.Sprintf("https://%s/oauth/token", authServer)
+	// TODO: audience will be dynamic in the future, but at the moment this client only sends readings.
+	audience := "https://preflight.jetstack.io/api/v1/datareading"
+	payload := fmt.Sprintf("grant_type=password&client_id=%s&client_secret=%s&audience=%s&username=%s&password=%s", clientID, clientSecret, audience, c.userID, c.userSecret)
+	req, err := http.NewRequest("POST", url, strings.NewReader(payload))
+	if err != nil {
+		return errors.Trace(err)
+	}
+	req.Header.Add("content-type", "application/x-www-form-urlencoded")
+
+	res, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return errors.Trace(err)
+	}
+
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return errors.Trace(err)
+	}
+
+	defer res.Body.Close()
+
+	response := struct {
+		Bearer    string `json:"access_token"`
+		ExpiresIn uint   `json:"expires_in"`
+	}{}
+
+	err = json.Unmarshal(body, &response)
+	if err != nil {
+		return errors.Trace(err)
+	}
+
+	if response.ExpiresIn == 0 {
+		return fmt.Errorf("got wrong expiration for access token")
+	}
+
+	c.accessToken.bearer = response.Bearer
+	c.accessToken.expirationDate = time.Now().Add(time.Duration(response.ExpiresIn) * time.Second)
+
+	return nil
+}