Merge branch '1-jwt-auth-middleware' into 'main'

Use JWT auth middleware with configuration option

Closes #1

See merge request gaia-x/data-infrastructure-federation-services/tsa/task!2

.gitlab-ci.yml

@@ -16,24 +16,39 @@ include:
   - template: 'Workflows/Branch-Pipelines.gitlab-ci.yml'
 
 lint:
-  image: golangci/golangci-lint:v1.44.2
+  image: golangci/golangci-lint:v1.50.1
   stage: test
   tags:
     - amd64-docker
-  script:
-    - golangci-lint --version
-    - golangci-lint run
   before_script:
     - ln -s /builds /go/src/gitlab.com
     - cd /go/src/gitlab.com/${CI_PROJECT_PATH}
+  script:
+    - go version
+    - golangci-lint --version
+    - golangci-lint run
 
 unit tests:
-  image: golang:1.17.7
+  image: golang:1.19.3
   extends: .gotest
   stage: test
   tags:
     - amd64-docker
   before_script: []
+  coverage: '/total:\s+\(statements\)\s+(\d+.\d+\%)/'
+
+govulncheck:
+  image: golang:1.19.3
+  stage: test
+  tags:
+    - amd64-docker
+  before_script:
+    - ln -s /builds /go/src/gitlab.com
+    - cd /go/src/gitlab.com/${CI_PROJECT_PATH}
+  script:
+    - go version
+    - go install golang.org/x/vuln/cmd/govulncheck@latest
+    - govulncheck ./...
 
 amd64:
   extends: .docker-build

.golangci.yml

@@ -12,7 +12,6 @@ linters:
   enable:
     - megacheck
     - govet
-    - deadcode
     - errcheck
     - goconst
     - gocyclo
@@ -22,10 +21,9 @@ linters:
     - ineffassign
     - nakedret
     - staticcheck
-    - structcheck
     - unconvert
-    - varcheck
     - vet
     - vetshadow
     - misspell
     - staticcheck
+    - unused

cmd/task/main.go

@@ -21,6 +21,7 @@ import (
 	"golang.org/x/oauth2/clientcredentials"
 	"golang.org/x/sync/errgroup"
 
+	"gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib/auth"
 	"gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib/graceful"
 	goahealth "gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/task/gen/health"
 	goahealthsrv "gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/task/gen/http/health/server"
@@ -74,6 +75,8 @@ func main() {
 	// create storage
 	storage := storage.New(db)
 
+	httpClient := httpClient()
+
 	// create an HTTP Client which uses an authentication token
 	// Create an HTTP Client which uses an authentication token.
 	// The token will auto-refresh as necessary.
@@ -95,7 +98,7 @@ func main() {
 		cfg.Executor.Workers,
 		cfg.Executor.PollInterval,
 		cfg.Executor.MaxTaskRetries,
-		httpClient(),
+		httpClient,
 		logger,
 	)
 
@@ -106,7 +109,7 @@ func main() {
 		cache,
 		cfg.ListExecutor.Workers,
 		cfg.ListExecutor.PollInterval,
-		httpClient(),
+		httpClient,
 		logger,
 	)
 
@@ -166,6 +169,16 @@ func main() {
 		openapiServer = goaopenapisrv.New(openapiEndpoints, mux, dec, enc, nil, errFormatter, nil, nil)
 	}
 
+	// Apply Authentication middleware if enabled.
+	if cfg.Auth.Enabled {
+		m, err := auth.NewMiddleware(cfg.Auth.JwkURL, cfg.Auth.RefreshInterval, httpClient)
+		if err != nil {
+			log.Fatalf("failed to create authentication middleware: %v", err)
+		}
+		taskServer.Use(m.Handler())
+		taskListServer.Use(m.Handler())
+	}
+
 	// Configure the mux.
 	goatasksrv.Mount(mux, taskServer)
 	goatasklistsrv.Mount(mux, taskListServer)
@@ -231,14 +244,14 @@ func httpClient() *http.Client {
 		Transport: &http.Transport{
 			Proxy: http.ProxyFromEnvironment,
 			DialContext: (&net.Dialer{
-				Timeout: 30 * time.Second,
+				Timeout: 10 * time.Second,
 			}).DialContext,
 			MaxIdleConns:        100,
 			MaxIdleConnsPerHost: 100,
 			TLSHandshakeTimeout: 10 * time.Second,
 			IdleConnTimeout:     60 * time.Second,
 		},
-		Timeout: 30 * time.Second,
+		Timeout: 20 * time.Second,
 	}
 }
 
@@ -256,7 +269,7 @@ func exposeMetrics(addr string, logger *zap.Logger) {
 	promMux := http.NewServeMux()
 	promMux.Handle("/metrics", promhttp.Handler())
 	logger.Info(fmt.Sprintf("exposing prometheus metrics at %s/metrics", addr))
-	if err := http.ListenAndServe(addr, promMux); err != nil {
+	if err := http.ListenAndServe(addr, promMux); err != nil { //nolint:gosec
 		logger.Error("error exposing prometheus metrics", zap.Error(err))
 	}
 }

deployment/ci/Dockerfile

-FROM golang:1.19-alpine3.15 as builder
+FROM golang:1.19.3-alpine3.15 as builder
 
 RUN apk add git
 

deployment/compose/Dockerfile

-FROM golang:1.19
+FROM golang:1.19.3
 
 ENV GO111MODULE=on
 

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/prometheus/client_golang v1.13.0
 	github.com/stretchr/testify v1.8.0
-	gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib v0.0.0-20220913103832-19b72aa5e623
+	gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib v1.1.1
 	go.mongodb.org/mongo-driver v1.8.4
 	go.uber.org/zap v1.21.0
 	goa.design/goa/v3 v3.8.5
@@ -20,9 +20,11 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
 	github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598 // indirect
 	github.com/dimfeld/httptreemux/v5 v5.4.0 // indirect
 	github.com/go-stack/stack v1.8.0 // indirect
+	github.com/goccy/go-json v0.9.11 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/golang/snappy v0.0.1 // indirect
 	github.com/gopherjs/gopherjs v0.0.0-20220221023154-0b2280d3ff96 // indirect
@@ -31,6 +33,12 @@ require (
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jtolds/gls v4.20.0+incompatible // indirect
 	github.com/klauspost/compress v1.13.6 // indirect
+	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
+	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.4 // indirect
+	github.com/lestrrat-go/iter v1.0.2 // indirect
+	github.com/lestrrat-go/jwx/v2 v2.0.6 // indirect
+	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/manveru/faker v0.0.0-20171103152722-9fbc68a78c4d // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
@@ -47,7 +55,7 @@ require (
 	github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea // indirect
 	go.uber.org/atomic v1.7.0 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 // indirect
+	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
 	golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b // indirect
 	golang.org/x/sys v0.0.0-20220803195053-6e608f9ce704 // indirect

go.sum

@@ -58,6 +58,9 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 h1:HbphB4TFFXpv7MNrT52FGrrgVXF1owhMVTHFZIlnvd4=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0/go.mod h1:DZGJHZMqrU4JJqFAWUS2UO1+lbSKsdiOoYi9Zzey7Fc=
 github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598 h1:MGKhKyiYrvMDZsmLR/+RGffQSXwEkXgfLSA08qDn9AI=
 github.com/dimfeld/httppath v0.0.0-20170720192232-ee938bf73598/go.mod h1:0FpDmbrt36utu8jEmeU05dPC9AB5tsLYVVi+ZHfyuwI=
 github.com/dimfeld/httptreemux/v5 v5.4.0 h1:IiHYEjh+A7pYbhWyjmGnj5HZK6gpOOvyBXCJ+BE8/Gs=
@@ -79,6 +82,8 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
+github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -175,6 +180,18 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
+github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
+github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
+github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
+github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx/v2 v2.0.6 h1:RlyYNLV892Ed7+FTfj1ROoF6x7WxL965PGTHso/60G0=
+github.com/lestrrat-go/jwx/v2 v2.0.6/go.mod h1:aVrGuwEr3cp2Prw6TtQvr8sQxe+84gruID5C9TxT64Q=
+github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4=
+github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/manveru/faker v0.0.0-20171103152722-9fbc68a78c4d h1:Zj+PHjnhRYWBK6RqCDBcAhLXoi3TzC27Zad/Vn+gnVQ=
 github.com/manveru/faker v0.0.0-20171103152722-9fbc68a78c4d/go.mod h1:WZy8Q5coAB1zhY9AOBJP0O6J4BuDfbupUDavKY+I3+s=
 github.com/manveru/gobdd v0.0.0-20131210092515-f1a17fdd710b h1:3E44bLeN8uKYdfQqVQycPnaVviZdBLbizFhU49mtbe4=
@@ -255,8 +272,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea h1:CyhwejzVGvZ3Q2PSbQ4NRRYn+ZWv5eS1vlaEusT+bAI=
 github.com/zach-klippenstein/goregen v0.0.0-20160303162051-795b5e3961ea/go.mod h1:eNr558nEUjP8acGw8FFjTeWvSgU1stO7FAO6eknhHe4=
-gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib v0.0.0-20220913103832-19b72aa5e623 h1:VuWLKBdO5bTGimppwkk6v+cJZ6onc2J16hBXHf048GU=
-gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib v0.0.0-20220913103832-19b72aa5e623/go.mod h1:5BPRkziGjdCI9xVfJBGY+7Ea51gtiEEs7+rbYeC8lnY=
+gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib v1.1.1 h1:VdHDHXko2Z+YplWDliA1M0tcyCMDLp2qPPYx0C8fviI=
+gitlab.com/gaia-x/data-infrastructure-federation-services/tsa/golib v1.1.1/go.mod h1:0y0nhsIVlNFwyIopCi4FLZZuJK+aTP80p4KFRS4MlHA=
 go.mongodb.org/mongo-driver v1.8.4 h1:NruvZPPL0PBcRJKmbswoWSrmHeUvzdxA3GCPfD/NEOA=
 go.mongodb.org/mongo-driver v1.8.4/go.mod h1:0sQWfOeY63QTntERDJJ/0SuKK0T1uVSgKCuAROlKEPY=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -281,8 +298,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519 h1:7I4JAnoQBe7ZtJcBaYHi5UtiO8tQHbUSXxL+pnGRANg=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -346,6 +363,7 @@ golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b h1:3ogNYyK4oIQdIKzTu68hQrr4iuVxF3AxKl9Aj/eDrw0=

internal/config/config.go

@@ -4,6 +4,7 @@ import "time"
 
 type Config struct {
 	HTTP         httpConfig
+	Auth         authConfig
 	Mongo        mongoConfig
 	Policy       policyConfig
 	Executor     executorConfig
@@ -23,6 +24,12 @@ type httpConfig struct {
 	WriteTimeout time.Duration `envconfig:"HTTP_WRITE_TIMEOUT" default:"10s"`
 }
 
+type authConfig struct {
+	Enabled         bool          `envconfig:"AUTH_ENABLED" default:"true"`
+	JwkURL          string        `envconfig:"AUTH_JWK_URL"`
+	RefreshInterval time.Duration `envconfig:"AUTH_REFRESH_INTERVAL" default:"1h"`
+}
+
 type mongoConfig struct {
 	Addr string `envconfig:"MONGO_ADDR" required:"true"`
 	User string `envconfig:"MONGO_USER" required:"true"`