Merge pull request #262 from jetstack/api-token

Implement API token authentication for upload requests

Author: davidsbond

cmd/agent.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"log"
+	"os"
 	"time"
 
 	"github.com/jetstack/preflight/pkg/agent"
@@ -110,5 +111,10 @@ func init() {
 		false,
 		"Runs agent in strict mode. No retry attempts will be made for a missing data gatherer's data.",
 	)
-
+	agentCmd.PersistentFlags().StringVar(
+		&agent.APIToken,
+		"api-token",
+		os.Getenv("API_TOKEN"),
+		"Token used for authentication when API tokens are in use on the backend",
+	)
 }

pkg/agent/run.go

@@ -47,6 +47,9 @@ var BackoffMaxTime time.Duration
 // StrictMode flag causes the agent to fail at the first attempt
 var StrictMode bool
 
+// APIToken is an authentication token used for the backend API as an alternative to oauth flows.
+var APIToken string
+
 // schema version of the data sent by the agent.
 // The new default version is v2.
 // In v2 the agent posts data readings using api.gathereredResources
@@ -59,7 +62,7 @@ const schemaVersion string = "v2.0.0"
 func Run(cmd *cobra.Command, args []string) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
-	config, preflightClient := getConfiguration(ctx)
+	config, preflightClient := getConfiguration()
 
 	dataGatherers := map[string]datagatherer.DataGatherer{}
 	var wg sync.WaitGroup
@@ -137,7 +140,7 @@ func Run(cmd *cobra.Command, args []string) {
 			Period = config.Period
 		}
 
-		gatherAndOutputData(ctx, config, preflightClient, dataGatherers)
+		gatherAndOutputData(config, preflightClient, dataGatherers)
 
 		if OneShot {
 			break
@@ -147,7 +150,7 @@ func Run(cmd *cobra.Command, args []string) {
 	}
 }
 
-func getConfiguration(ctx context.Context) (Config, *client.PreflightClient) {
+func getConfiguration() (Config, client.Client) {
 	log.Printf("Preflight agent version: %s (%s)", version.PreflightVersion, version.Commit)
 	file, err := os.Open(ConfigFilePath)
 	if err != nil {
@@ -203,25 +206,28 @@ func getConfiguration(ctx context.Context) (Config, *client.PreflightClient) {
 		Version:   version.PreflightVersion,
 		ClusterID: config.ClusterID,
 	}
-	var preflightClient *client.PreflightClient
-	if credentials != nil {
-		log.Printf("A credentials file was specified. Using OAuth2 authentication...")
-		preflightClient, err = client.New(agentMetadata, credentials, baseURL)
-		if err != nil {
-			log.Fatalf("Error creating preflight client: %+v", err)
-		}
-	} else {
-		log.Printf("No credentials file was specified. Starting client with no authentication...")
-		preflightClient, err = client.NewWithNoAuth(agentMetadata, baseURL)
-		if err != nil {
-			log.Fatalf("Error creating preflight client: %+v", err)
-		}
+
+	var preflightClient client.Client
+	switch {
+	case credentials != nil:
+		log.Println("A credentials file was specified, using oauth authentication.")
+		preflightClient, err = client.NewOAuthClient(agentMetadata, credentials, baseURL)
+	case APIToken != "":
+		log.Println("An API token was specified, using API token authentication.")
+		preflightClient, err = client.NewAPITokenClient(agentMetadata, APIToken, baseURL)
+	default:
+		log.Println("No credentials were specified, using with no authentication.")
+		preflightClient, err = client.NewUnauthenticatedClient(agentMetadata, baseURL)
+	}
+
+	if err != nil {
+		log.Fatalf("failed to create client: %v", err)
 	}
 
 	return config, preflightClient
 }
 
-func gatherAndOutputData(ctx context.Context, config Config, preflightClient *client.PreflightClient, dataGatherers map[string]datagatherer.DataGatherer) {
+func gatherAndOutputData(config Config, preflightClient client.Client, dataGatherers map[string]datagatherer.DataGatherer) {
 	var readings []*api.DataReading
 
 	// Input/OutputPath flag overwrites agent.yaml configuration
@@ -243,7 +249,7 @@ func gatherAndOutputData(ctx context.Context, config Config, preflightClient *cl
 			log.Fatalf("failed to unmarshal local data file: %s", err)
 		}
 	} else {
-		readings = gatherData(ctx, config, dataGatherers)
+		readings = gatherData(config, dataGatherers)
 	}
 
 	if OutputPath != "" {
@@ -271,14 +277,7 @@ func gatherAndOutputData(ctx context.Context, config Config, preflightClient *cl
 	}
 }
 
-func startAndSyncDataGather(ctx context.Context, dg datagatherer.DataGatherer) error {
-	if err := dg.Run(nil); err != nil {
-		return err
-	}
-	return dg.WaitForCacheSync(nil)
-}
-
-func gatherData(ctx context.Context, config Config, dataGatherers map[string]datagatherer.DataGatherer) []*api.DataReading {
+func gatherData(config Config, dataGatherers map[string]datagatherer.DataGatherer) []*api.DataReading {
 	readings := []*api.DataReading{}
 
 	var dgError *multierror.Error
@@ -327,7 +326,7 @@ func gatherData(ctx context.Context, config Config, dataGatherers map[string]dat
 	return readings
 }
 
-func postData(config Config, preflightClient *client.PreflightClient, readings []*api.DataReading) error {
+func postData(config Config, preflightClient client.Client, readings []*api.DataReading) error {
 	baseURL := config.Server
 
 	log.Println("Running Agent...")

pkg/client/accessToken.go

@@ -1,107 +1,98 @@
 package client
 
 import (
-	"bytes"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
-	"path/filepath"
-	"time"
+	"io"
+	"net/http"
+	"strings"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/jetstack/preflight/api"
 )
 
-// These variables are injected at build time.
-var ClientID string
-var ClientSecret string
-var AuthServerDomain string
+var (
+	// ClientID is the auth0 client identifier (injected at build time)
+	ClientID string
 
-// PreflightClient can be used to talk to the Preflight backend.
-type PreflightClient struct {
-	// OAuth2
-	credentials *Credentials
-	// accessToken is the current OAuth access token.
-	accessToken *accessToken
+	// ClientSecret is the auth0 client secret (injected at build time)
+	ClientSecret string
 
-	baseURL string
-
-	agentMetadata *api.AgentMetadata
-}
+	// AuthServerDomain is the auth0 domain (injected at build time)
+	AuthServerDomain string
+)
 
-// NewWithNoAuth creates a new client with no authentication.
-func NewWithNoAuth(agentMetadata *api.AgentMetadata, baseURL string) (*PreflightClient, error) {
-	if baseURL == "" {
-		return nil, fmt.Errorf("cannot create PreflightClient: baseURL cannot be empty")
+type (
+	// The Client interface describes types that perform requests against the Jetstack Secure backend.
+	Client interface {
+		PostDataReadings(orgID, clusterID string, readings []*api.DataReading) error
+		Post(path string, body io.Reader) (*http.Response, error)
 	}
 
-	return &PreflightClient{
-		agentMetadata: agentMetadata,
-		baseURL:       baseURL,
-	}, nil
-}
-
-// New creates a new client that uses OAuth2.
-func New(agentMetadata *api.AgentMetadata, credentials *Credentials, baseURL string) (*PreflightClient, error) {
-	if err := credentials.validate(); err != nil {
-		return nil, fmt.Errorf("cannot create PreflightClient: %v", err)
-	}
-	if baseURL == "" {
-		return nil, fmt.Errorf("cannot create PreflightClient: baseURL cannot be empty")
+	// Credentials defines the format of the credentials.json file.
+	Credentials struct {
+		// UserID is the ID or email for the user or service account.
+		UserID string `json:"user_id"`
+		// UserSecret is the secret for the user or service account.
+		UserSecret string `json:"user_secret"`
+		// The following fields are optional as the default behaviour
+		// is to use the equivalent variables defined at package level
+		// and injected at build time.
+		// ClientID is the oauth2 client ID.
+		ClientID string `json:"client_id,omitempty"`
+		// ClientSecret is the oauth2 client secret.
+		ClientSecret string `json:"client_secret,omitempty"`
+		// AuthServerDomain is the domain for the auth server.
+		AuthServerDomain string `json:"auth_server_domain,omitempty"`
 	}
+)
 
-	if !credentials.IsClientSet() {
-		credentials.ClientID = ClientID
-		credentials.ClientSecret = ClientSecret
-		credentials.AuthServerDomain = AuthServerDomain
+// ParseCredentials reads credentials into a struct used. Performs validations.
+func ParseCredentials(data []byte) (*Credentials, error) {
+	var credentials Credentials
+
+	err := json.Unmarshal(data, &credentials)
+	if err != nil {
+		return nil, err
 	}
 
-	if !credentials.IsClientSet() {
-		return nil, fmt.Errorf("cannot create PreflightClient: invalid OAuth2 client configuration")
+	if err = credentials.validate(); err != nil {
+		return nil, err
 	}
 
-	return &PreflightClient{
-		agentMetadata: agentMetadata,
-		credentials:   credentials,
-		baseURL:       baseURL,
-		accessToken:   &accessToken{},
-	}, nil
+	return &credentials, nil
 }
 
-func (c *PreflightClient) usingOAuth2() bool {
-	if c.credentials == nil {
-		return false
-	}
-
-	return c.credentials.UserID != ""
+// IsClientSet returns whether the client credentials are set or not.
+func (c *Credentials) IsClientSet() bool {
+	return c.ClientID != "" && c.ClientSecret != "" && c.AuthServerDomain != ""
 }
 
-// PostDataReadings sends a slice of readings to Preflight.
-func (c *PreflightClient) PostDataReadings(orgID, clusterID string, readings []*api.DataReading) error {
-	payload := api.DataReadingsPost{
-		AgentMetadata:  c.agentMetadata,
-		DataGatherTime: time.Now().UTC(),
-		DataReadings:   readings,
+func (c *Credentials) validate() error {
+	var result *multierror.Error
+
+	if c == nil {
+		return fmt.Errorf("credentials are nil")
 	}
-	data, err := json.Marshal(payload)
-	if err != nil {
-		return err
+
+	if c.UserID == "" {
+		result = multierror.Append(result, fmt.Errorf("user_id cannot be empty"))
 	}
 
-	res, err := c.Post(filepath.Join("/api/v1/org", orgID, "datareadings", clusterID), bytes.NewBuffer(data))
-	if err != nil {
-		return err
+	if c.UserSecret == "" {
+		result = multierror.Append(result, fmt.Errorf("user_secret cannot be empty"))
 	}
 
-	if code := res.StatusCode; code < 200 || code >= 300 {
-		errorContent := ""
-		body, err := ioutil.ReadAll(res.Body)
-		if err == nil {
-			errorContent = string(body)
-		}
-		defer res.Body.Close()
+	return result.ErrorOrNil()
+}
 
-		return fmt.Errorf("received response with status code %d. Body: %s", code, errorContent)
+func fullURL(baseURL, path string) string {
+	base := baseURL
+	for strings.HasSuffix(base, "/") {
+		base = strings.TrimSuffix(base, "/")
 	}
-
-	return nil
+	for strings.HasPrefix(path, "/") {
+		path = strings.TrimPrefix(path, "/")
+	}
+	return fmt.Sprintf("%s/%s", base, path)
 }