Merge pull request #307 from Permify/authn

Authn

internal/authn/oidc/authn.go

@@ -54,7 +54,6 @@ func (t *OidcAuthn) Authenticate(ctx context.Context) error {
 		return authn.Unauthenticated
 	}
 	return nil
-
 }
 
 // validateOtherClaims - Validate claims that are not validated by the oidc client library

internal/authn/oidc/authn_test.go

@@ -32,20 +32,24 @@ func Test_AuthenticateWithSigningMethods(t *testing.T) {
 		method  jwt.SigningMethod
 		wantErr bool
 	}{
-		{"Should pass with RS256",
+		{
+			"Should pass with RS256",
 			jwt.SigningMethodRS256,
 			false,
 		},
-		{"Should fail with HS256, zitadel/oidc does not support HSXXX algorithms by default",
+		{
+			"Should fail with HS256, zitadel/oidc does not support HSXXX algorithms by default",
 			// see https://github.com/zitadel/oidc/blob/v1.13.0/pkg/oidc/keyset.go#L94
 			jwt.SigningMethodHS256,
 			true,
 		},
-		{"Should pass with ES256",
+		{
+			"Should pass with ES256",
 			jwt.SigningMethodES256,
 			false,
 		},
-		{"Should pass with PS256",
+		{
+			"Should pass with PS256",
 			jwt.SigningMethodPS256,
 			false,
 		},
@@ -104,35 +108,41 @@ func Test_AuthenticateClaims(t *testing.T) {
 		claimOverride *jwt.RegisteredClaims
 		wantErr       bool
 	}{
-		{"With correct values there should be no errors",
+		{
+			"With correct values there should be no errors",
 			&jwt.RegisteredClaims{},
 			false,
 		},
-		{"Wrong issuer in the token, it should fail",
+		{
+			"Wrong issuer in the token, it should fail",
 			&jwt.RegisteredClaims{
 				Issuer: "http://wrong-issuer",
 			},
 			true,
 		},
-		{"Wrong clientID in the token, it should fail",
+		{
+			"Wrong clientID in the token, it should fail",
 			&jwt.RegisteredClaims{
 				Audience: []string{"wrong-clientid"},
 			},
 			true,
 		},
-		{"Expired Token, it should fail",
+		{
+			"Expired Token, it should fail",
 			&jwt.RegisteredClaims{
 				ExpiresAt: &jwt.NumericDate{Time: time.Date(1999, 1, 0, 0, 0, 0, 0, time.UTC)},
 			},
 			true,
 		},
-		{"Issued at the future, it should fail",
+		{
+			"Issued at the future, it should fail",
 			&jwt.RegisteredClaims{
 				IssuedAt: &jwt.NumericDate{Time: time.Date(3999, 1, 0, 0, 0, 0, 0, time.UTC)},
 			},
 			true,
 		},
-		{"Token used before its NotBefore date, it should fail",
+		{
+			"Token used before its NotBefore date, it should fail",
 			&jwt.RegisteredClaims{
 				NotBefore: &jwt.NumericDate{Time: time.Date(3999, 1, 0, 0, 0, 0, 0, time.UTC)},
 			},
@@ -196,27 +206,32 @@ func Test_AuthenticateKeyIds(t *testing.T) {
 		keyId    string
 		wantErr  bool
 	}{
-		{"With no keyid using RS256 it should fail, multiple public RSA keys matching for RS256 and PS256",
+		{
+			"With no keyid using RS256 it should fail, multiple public RSA keys matching for RS256 and PS256",
 			jwt.SigningMethodRS256,
 			false, "",
 			true,
 		},
-		{"With no keyid using ES256 it should pass, unique public ecdsa key in keyset",
+		{
+			"With no keyid using ES256 it should pass, unique public ecdsa key in keyset",
 			jwt.SigningMethodES256,
 			true, "",
 			false,
 		},
-		{"With right keyid using RS256 it should pass",
+		{
+			"With right keyid using RS256 it should pass",
 			jwt.SigningMethodRS256,
 			true, fakeOidcProvider.keyIds[jwt.SigningMethodRS256],
 			false,
 		},
-		{"With wrong keyid using RS256 it should fail",
+		{
+			"With wrong keyid using RS256 it should fail",
 			jwt.SigningMethodRS256,
 			true, "wrongkeyid",
 			true,
 		},
-		{"With keyid belonging to a different key it should fail",
+		{
+			"With keyid belonging to a different key it should fail",
 			jwt.SigningMethodES256,
 			true, fakeOidcProvider.keyIds[jwt.SigningMethodRS256],
 			true,

internal/authn/oidc/fakes_test.go

@@ -149,7 +149,7 @@ func httpError(w http.ResponseWriter, code int) {
 }
 
 func (s *fakeOidcProvider) SignIDToken(unsignedToken *jwt.Token) (string, error) {
-	var signedToken = ""
+	signedToken := ""
 	var err error
 
 	switch unsignedToken.Method {

internal/authn/preshared/authn.go

@@ -7,6 +7,7 @@ import (
 	"github.com/pkg/errors"
 
 	"github.com/Permify/permify/internal/authn"
+	"github.com/Permify/permify/internal/config"
 )
 
 // KeyAuthenticator - Interface for key authenticator
@@ -20,12 +21,12 @@ type KeyAuthn struct {
 }
 
 // NewKeyAuthn - Create New Authenticated Keys
-func NewKeyAuthn(keys ...string) (*KeyAuthn, error) {
-	if len(keys) < 1 {
+func NewKeyAuthn(ctx context.Context, cfg config.Preshared) (*KeyAuthn, error) {
+	if len(cfg.Keys) < 1 {
 		return nil, errors.New("pre shared key authn must have at least one key")
 	}
 	mapKeys := make(map[string]struct{})
-	for _, k := range keys {
+	for _, k := range cfg.Keys {
 		mapKeys[k] = struct{}{}
 	}
 	return &KeyAuthn{

internal/config/config.go

@@ -49,12 +49,14 @@ type (
 
 	// Authn -.
 	Authn struct {
-		Enabled      bool     `mapstructure:"enabled"`
-		Method       string   `mapstructure:"method"`
-		Keys         []string `mapstructure:"keys"`
-		PrivateToken string   `mapstructure:"private_token"`
-		Algorithms   []string `mapstructure:"algorithms"`
-		Oidc         Oidc     `mapstructure:"oidc"`
+		Enabled   bool      `mapstructure:"enabled"`
+		Method    string    `mapstructure:"method"`
+		Preshared Preshared `mapstructure:"preshared"`
+		Oidc      Oidc      `mapstructure:"oidc"`
+	}
+
+	Preshared struct {
+		Keys []string `mapstructure:"keys"`
 	}
 
 	Oidc struct {
@@ -201,8 +203,9 @@ func DefaultConfig() *Config {
 			Relationship: Relationship{},
 		},
 		Authn: Authn{
-			Enabled: false,
-			Keys:    []string{},
+			Enabled:   false,
+			Preshared: Preshared{},
+			Oidc:      Oidc{},
 		},
 		Database: Database{
 			Engine:      "memory",

internal/repositories/postgres/relationshipWriter_test.go

@@ -92,7 +92,6 @@ var _ = Describe("RelationshipWriter", func() {
 			Expect(err).ShouldNot(HaveOccurred())
 
 			// TODO: can we write a helper function to fetch the recently inserted record? as we are just creating a mock! any comments? Will think about it!
-
 		})
 	})
 })

internal/servers/server.go

@@ -25,7 +25,6 @@ import (
 
 	health "google.golang.org/grpc/health/grpc_health_v1"
 
-	"github.com/Permify/permify/internal/authn/multitenant"
 	"github.com/Permify/permify/internal/authn/oidc"
 	"github.com/Permify/permify/internal/authn/preshared"
 	"github.com/Permify/permify/internal/config"
@@ -63,20 +62,12 @@ func (s *ServiceContainer) Run(ctx context.Context, cfg *config.Server, authenti
 		switch authentication.Method {
 		case "preshared":
 			var authenticator *preshared.KeyAuthn
-			authenticator, err = preshared.NewKeyAuthn(authentication.Keys...)
+			authenticator, err = preshared.NewKeyAuthn(ctx, authentication.Preshared)
 			if err != nil {
 				return err
 			}
 			unaryInterceptors = append(unaryInterceptors, grpcAuth.UnaryServerInterceptor(middleware.KeyAuthFunc(authenticator)))
 			streamingInterceptors = append(streamingInterceptors, grpcAuth.StreamServerInterceptor(middleware.KeyAuthFunc(authenticator)))
-		case "multitenant":
-			var authenticator *multitenant.TenantAuthn
-			authenticator, err = multitenant.NewTenantAuthn(authentication.PrivateToken, authentication.Algorithms)
-			if err != nil {
-				return err
-			}
-			unaryInterceptors = append(unaryInterceptors, multitenant.UnaryServerInterceptor(authenticator))
-			streamingInterceptors = append(streamingInterceptors, multitenant.StreamServerInterceptor(authenticator))
 		case "oidc":
 			var authenticator *oidc.OidcAuthn
 			authenticator, err = oidc.NewOidcAuthn(ctx, authentication.Oidc)
@@ -86,7 +77,7 @@ func (s *ServiceContainer) Run(ctx context.Context, cfg *config.Server, authenti
 			unaryInterceptors = append(unaryInterceptors, oidc.UnaryServerInterceptor(authenticator))
 			streamingInterceptors = append(streamingInterceptors, oidc.StreamServerInterceptor(authenticator))
 		default:
-			return fmt.Errorf("Unkown authentication method: '%s'", authentication.Method)
+			return fmt.Errorf("unkown authentication method: '%s'", authentication.Method)
 		}
 	}