enhanced auth

Author: adranwit

cmd/options/auth.go

@@ -9,7 +9,8 @@ type (
 	Auth struct {
 		HMAC     string     `short:"A" long:"jwtHMAC" description:"HMACKeyPath|EncKey" `
 		RSA      string     `short:"J" long:"jwtRSA" description:"PublicKeyPath|EncKey" `
-		Firebase string     `short:"F" long:"fsecret" description:"Firebase secrets" `
+		Firebase string     `short:"F" long:"firebase" description:"Firebase secrets" `
+		Cognito  string     `short:"T" long:"cognito" description:"Cognito pollId|secrets" `
 		Custom   CustomAuth `short:"E" long:"customAuth" description:"Custom AuthSQL" `
 	}
 )

cmd/options/ext.go

@@ -21,7 +21,7 @@ type (
 	Module struct {
 		GitRepository *string `short:"g" long:"gitrepo" description:"git module repo"`
 		GitFolder     *string
-		GitPrivate    *string `short:"T" long:"gitprivate" description:"git private"`
+		GitPrivate    *string `short:"I" long:"gitprivate" description:"git private"`
 		Name          string  `short:"n" long:"name" description:"module name" `
 	}
 

e2e/local/regression/cases/003_oauth/vendor_auth.sql

@@ -1,11 +1,14 @@
 /* {"URI":"auth/vendors/{vendorID}"} */
 
+
 #set($_ = $Jwt<string>(Header/Authorization).WithCodec(JwtClaim).WithStatusCode(401))
+
 #set($_ = $Authorization  /* !!403
     SELECT Authorized /* {"DataType":"bool"} */
     FROM (SELECT IS_VENDOR_AUTHORIZED($Jwt.UserID, $vendorID) AS Authorized) t
     WHERE Authorized
 */)
+
 SELECT vendor.*,
        products.* EXCEPT VENDOR_ID
 FROM (SELECT CAST($Jwt.FirstName AS CHAR) AS FIRST_NAME, t.* FROM VENDOR t WHERE t.ID = $vendorID ) vendor

gateway/authorizer.go

@@ -7,7 +7,7 @@ import (
 	"github.com/viant/afs"
 	"github.com/viant/datly/gateway/runtime/meta"
 	"github.com/viant/datly/repository/path"
-	"github.com/viant/datly/service/auth"
+	"github.com/viant/datly/service/auth/config"
 	"github.com/viant/datly/service/auth/secret"
 	"github.com/viant/toolbox"
 	"gopkg.in/yaml.v3"
@@ -36,7 +36,7 @@ type (
 		MaxJobs         int
 		UseCacheFS      bool
 		SyncFrequencyMs int
-		auth.Config
+		config.Config
 		Meta                 meta.Config
 		AutoDiscovery        *bool
 		ChangeDetection      *ChangeDetection

gateway/config.go

@@ -11,14 +11,13 @@ import (
 
 type options struct {
 	config        *Config
-	authorizer    Authorizer
+	initializers  []func(config *Config, fs *embed.FS) error
 	extensions    *extension.Registry
 	metrics       *gmetric.Service
 	repository    *repository.Service
 	statusHandler http.Handler
 	embedFs       *embed.FS
 	configURL     string
-	authProvider  func(config *Config, fs *embed.FS) (Authorizer, error)
 }
 
 func newOptions(ctx context.Context, opts ...Option) (*options, error) {
@@ -46,13 +45,6 @@ func newOptions(ctx context.Context, opts ...Option) (*options, error) {
 		result.config = &Config{}
 	}
 
-	if result.authorizer == nil && result.authProvider != nil {
-		var err error
-		if result.authorizer, err = result.authProvider(result.config, result.embedFs); err != nil {
-			return nil, err
-		}
-	}
-
 	return result, nil
 }
 
@@ -66,13 +58,6 @@ func WithConfig(config *Config) Option {
 	}
 }
 
-// WithAuthorizer sets an authorizer
-func WithAuthorizer(authorizer Authorizer) Option {
-	return func(o *options) {
-		o.authorizer = authorizer
-	}
-}
-
 // WithExtensions sets an extension registry
 func WithExtensions(registry *extension.Registry) Option {
 	return func(o *options) {
@@ -107,9 +92,9 @@ func WithStatusHandler(handler http.Handler) Option {
 	}
 }
 
-func WithAuthProvider(authProvider func(config *Config, fs *embed.FS) (Authorizer, error)) Option {
+func WithInitializer(initializer func(config *Config, fs *embed.FS) error) Option {
 	return func(o *options) {
-		o.authProvider = authProvider
+		o.initializers = append(o.initializers, initializer)
 	}
 }
 

gateway/option.go

@@ -38,7 +38,6 @@ type (
 		OpenAPIInfo   openapi3.Info
 		metrics       *gmetric.Service
 		statusHandler http.Handler
-		authorizer    Authorizer
 		paths         []*contract.Path
 	}
 
@@ -66,12 +65,11 @@ func (a *AvailableRoutesError) Error() string {
 }
 
 // NewRouter creates new router
-func NewRouter(ctx context.Context, components *repository.Service, config *Config, metrics *gmetric.Service, statusHandler http.Handler, authorizer Authorizer) (*Router, error) {
+func NewRouter(ctx context.Context, components *repository.Service, config *Config, metrics *gmetric.Service, statusHandler http.Handler) (*Router, error) {
 	r := &Router{
 		config:        config,
 		metrics:       metrics,
 		statusHandler: statusHandler,
-		authorizer:    authorizer,
 		repository:    components,
 		operator:      operator.New(),
 		apiKeyMatcher: newApiKeyMatcher(config.APIKeys),
@@ -101,9 +99,6 @@ func (r *Router) handle(writer http.ResponseWriter, request *http.Request) {
 		r.handleErrorCode(writer, http.StatusInternalServerError, err)
 		return
 	}
-	if !r.authorizeRequestIfNeeded(writer, request) {
-		return
-	}
 	errStatusCode, err := r.handleRoute(writer, request)
 	r.handleErrorCode(writer, errStatusCode, err)
 }
@@ -154,7 +149,10 @@ func (r *Router) HandleJob(ctx context.Context, aJob *async.Job) error {
 	request := &http.Request{Method: aJob.Method, URL: URL, RequestURI: aPath.URI}
 	unmarshal := aComponent.UnmarshalFunc(request)
 	locatorOptions := append(aComponent.LocatorOptions(request, hstate.NewForm(), unmarshal))
-	aSession := session.New(aComponent.View, session.WithLocatorOptions(locatorOptions...), session.WithOperate(r.operator.Operate))
+	aSession := session.New(aComponent.View,
+		session.WithAuth(r.repository.Auth()),
+		session.WithLocatorOptions(locatorOptions...),
+		session.WithOperate(r.operator.Operate))
 	if err != nil {
 		return err
 	}
@@ -267,13 +265,6 @@ func (r *Router) ensureRequestURL(request *http.Request) error {
 	return err
 }
 
-func (r *Router) authorizeRequestIfNeeded(writer http.ResponseWriter, request *http.Request) bool {
-	if r.authorizer == nil {
-		return true
-	}
-	return r.authorizer.Authorize(writer, request)
-}
-
 func (r *Router) PreCacheables(ctx context.Context, method string, uri string) ([]*view.View, error) {
 	route, err := r.Match(method, uri, nil)
 	if err != nil {
@@ -342,7 +333,7 @@ func (r *Router) newMatcher(ctx context.Context) (*matcher.Matcher, []*contract.
 				if err != nil {
 					return nil, nil, fmt.Errorf("failed to locate component provider: %w", err)
 				}
-				routes = append(routes, r.NewRouteHandler(router.New(aPath, provider, r.repository.Registry())))
+				routes = append(routes, r.NewRouteHandler(router.New(aPath, provider, r.repository.Registry(), r.repository.Auth())))
 				if aPath.Cors != nil {
 					optionsPaths[aPath.URI] = append(optionsPaths[aPath.URI], aPath)
 				}

gateway/router.go

@@ -18,6 +18,7 @@ import (
 	"github.com/viant/datly/repository/contract"
 	"github.com/viant/datly/repository/path"
 	"github.com/viant/datly/service"
+	"github.com/viant/datly/service/auth"
 	"github.com/viant/datly/service/executor/expand"
 	"github.com/viant/datly/service/operator"
 	"github.com/viant/datly/service/session"
@@ -47,6 +48,7 @@ type (
 		Provider   *repository.Provider
 		dispatcher *operator.Service
 		registry   *repository.Registry
+		auth       *auth.Service
 	}
 )
 
@@ -80,12 +82,13 @@ func (r *Handler) AuthorizeRequest(request *http.Request, aPath *path.Path) erro
 	return nil
 }
 
-func New(aPath *path.Path, provider *repository.Provider, registry *repository.Registry) *Handler {
+func New(aPath *path.Path, provider *repository.Provider, registry *repository.Registry, authService *auth.Service) *Handler {
 	ret := &Handler{
 		Path:       aPath,
 		Provider:   provider,
 		dispatcher: operator.New(),
 		registry:   registry,
+		auth:       authService,
 	}
 	return ret
 }
@@ -358,7 +361,11 @@ func (r *Handler) handleComponent(ctx context.Context, request *http.Request, aC
 	anOperator := operator.New()
 	unmarshal := aComponent.UnmarshalFunc(request)
 	locatorOptions := append(aComponent.LocatorOptions(request, hstate.NewForm(), unmarshal))
-	aSession := session.New(aComponent.View, session.WithLocatorOptions(locatorOptions...), session.WithRegistry(r.registry), session.WithOperate(anOperator.Operate))
+	aSession := session.New(aComponent.View,
+		session.WithAuth(r.auth),
+		session.WithLocatorOptions(locatorOptions...),
+		session.WithRegistry(r.registry),
+		session.WithOperate(anOperator.Operate))
 	err := aSession.InitKinds(state.KindComponent, state.KindHeader, state.KindRequestBody, state.KindForm, state.KindQuery)
 	if err != nil {
 		return nil, err

gateway/router/handler.go

@@ -27,7 +27,7 @@ func HandleHttpRequest(writer http.ResponseWriter, apiRequest *adapter.Request)
 	if err != nil {
 		return err
 	}
-	httpRequest := apiRequest.Request(service.JWTSigner)
+	httpRequest := apiRequest.Request(service.JWTSigner())
 	service.LogInitTimeIfNeeded(now, writer)
 	service.ServeHTTP(writer, httpRequest)
 	service.LogInitTimeIfNeeded(now, writer)

gateway/runtime/apigw/handler.go

@@ -23,7 +23,7 @@ func GetService() (*gateway.Service, error) {
 		return nil, fmt.Errorf("config was emty")
 	}
 	service, err := gateway.Singleton(context.Background(),
-		gateway.WithAuthProvider(func(config *gateway.Config, fs *embed.FS) (gateway.Authorizer, error) {
+		gateway.WithInitializer(func(config *gateway.Config, fs *embed.FS) error {
 			return jwt.Init(gatewayConfig, fs)
 		}),
 		gateway.WithConfigURL(configURL),

gateway/runtime/serverless/service.go

@@ -2,9 +2,7 @@ package standalone
 
 import (
 	"context"
-	"embed"
 	"github.com/viant/datly/gateway"
-	"github.com/viant/datly/service/auth/jwt"
 )
 
 // Options represents standalone options
@@ -28,9 +26,7 @@ func NewOptions(ctx context.Context, opts ...Option) (*Options, error) {
 	for _, opt := range opts {
 		opt(options)
 	}
-	options.options = append(options.options, gateway.WithAuthProvider(func(config *gateway.Config, fs *embed.FS) (gateway.Authorizer, error) {
-		return jwt.Init(config, fs)
-	}))
+
 	if options.config != nil {
 		options.options = append(options.options, gateway.WithConfig(options.config.Config))
 	} else if options.ConfigURL != "" {

gateway/runtime/standalone/auth.go

@@ -17,7 +17,6 @@ import (
 type Server struct {
 	http.Server
 	Service      *gateway.Service
-	auth         gateway.Authorizer
 	useSingleton *bool //true by default
 }
 

gateway/runtime/standalone/option.go

@@ -29,13 +29,15 @@ type (
 		metrics       *gmetric.Service
 		mainRouter    *Router
 		cancelFn      context.CancelFunc
-		JWTSigner     *signer.Service
 		mux           sync.RWMutex
 		statusHandler http.Handler
-		authorizer    Authorizer
 	}
 )
 
+func (r *Service) JWTSigner() *signer.Service {
+	return r.repository.JWTSigner()
+}
+
 func (r *Service) ServeHTTP(writer http.ResponseWriter, request *http.Request) {
 	aRouter, writer, ok := r.router(writer)
 	if !ok {
@@ -56,7 +58,7 @@ func (r *Service) router(writer http.ResponseWriter) (*Router, http.ResponseWrit
 }
 
 func (r *Service) Router() (*Router, bool) {
-	if err := r.syncChanges(context.Background(), r.metrics, r.statusHandler, r.authorizer, false); err != nil {
+	if err := r.syncChanges(context.Background(), r.metrics, r.statusHandler, false); err != nil {
 		fmt.Printf("[ERROR] failed to sync changes: %v\n", err)
 	}
 	mainRouter := r.mainRouter
@@ -89,20 +91,27 @@ func New(ctx context.Context, opts ...Option) (*Service, error) {
 	}
 	componentRepository := options.repository
 	if componentRepository == nil {
+
 		componentRepository, err = repository.New(ctx, repository.WithComponentURL(aConfig.RouteURL),
 			repository.WithResourceURL(aConfig.DependencyURL),
 			repository.WithPluginURL(aConfig.PluginsURL),
 			repository.WithApiPrefix(aConfig.APIPrefix),
 			repository.WithExtensions(options.extensions),
 			repository.WithMetrics(options.metrics),
+			repository.WithJWTSigner(aConfig.JwtSigner),
+			repository.WithJWTVerifier(aConfig.JWTValidator),
+			repository.WithCognitoAuth(aConfig.Cognito),
+			repository.WithFirebaseAuth(aConfig.Firebase),
+			repository.WithCustomAuth(aConfig.Custom),
+			repository.WithDependencyURL(aConfig.DependencyURL),
 			repository.WithRefreshFrequency(aConfig.SyncFrequency()),
 			repository.WithDispatcher(dispatcher.New),
 		)
 		if err != nil {
 			return nil, fmt.Errorf("failed to initialise component service: %w", err)
 		}
 	}
-	mainRouter, err := NewRouter(ctx, componentRepository, aConfig, options.metrics, options.statusHandler, options.authorizer)
+	mainRouter, err := NewRouter(ctx, componentRepository, aConfig, options.metrics, options.statusHandler)
 	if err != nil {
 		return nil, err
 	}
@@ -113,15 +122,8 @@ func New(ctx context.Context, opts ...Option) (*Service, error) {
 		mux:           sync.RWMutex{},
 		fs:            fs,
 		statusHandler: options.statusHandler,
-		authorizer:    options.authorizer,
 		mainRouter:    mainRouter,
 	}
-	if aConfig.JwtSigner != nil {
-		srv.JWTSigner = signer.New(aConfig.JwtSigner)
-		if err = srv.JWTSigner.Init(context.Background()); err != nil {
-			return nil, err
-		}
-	}
 	go srv.watchAsyncJob(context.Background())
 	fmt.Printf("[INFO]: started gatweay after: %s\n", time.Since(start))
 	return srv, err
@@ -189,7 +191,7 @@ func CommonURL(URLs ...string) (string, error) {
 	return base, nil
 }
 
-func (r *Service) syncChanges(ctx context.Context, metrics *gmetric.Service, statusHandler http.Handler, authorizer Authorizer, isFirst bool) error {
+func (r *Service) syncChanges(ctx context.Context, metrics *gmetric.Service, statusHandler http.Handler, isFirst bool) error {
 	changed, err := r.repository.SyncChanges(ctx)
 	if err != nil {
 		return err
@@ -199,7 +201,7 @@ func (r *Service) syncChanges(ctx context.Context, metrics *gmetric.Service, sta
 	}
 	start := time.Now()
 	fmt.Printf("[INFO] detected resources changes, rebuilding routers\n")
-	mainRouter, err := NewRouter(ctx, r.repository, r.Config, metrics, statusHandler, authorizer)
+	mainRouter, err := NewRouter(ctx, r.repository, r.Config, metrics, statusHandler)
 	if err != nil {
 		return err
 	}