Add API implementation for auth service #3178
Conversation
guy-har
force-pushed
the
feature/auth-service-api
branch
from
ce7e6b4 to
38f0d6e
Compare
pkg/auth/service.go
Outdated
| } | ||
|
|
||
| // getNonRequiredString returns empty string in case of nil | ||
| func getNonRequiredString(s *string) string { |
There was a problem hiding this comment.
This one can be found in swag and api packages - we can move in a different pr all the api.StringValue functions into apiutil package
There was a problem hiding this comment.
don't think we need this one - already have couple in our code and in packages we bring.
| return *s | ||
| } | ||
|
|
||
| func toPagination(paginator Pagination) *model.Paginator { |
There was a problem hiding this comment.
same as the above function - looks like a set of functions we require to build api client or api user
pkg/auth/service.go
Outdated
| return expectedStatusCode(resp, 201) | ||
| } | ||
|
|
||
| var ErrUnexpectedStatusCode = errors.New("unexpected status code") |
pkg/auth/service.go
Outdated
| if err != nil { | ||
| return InvalidUserID, err | ||
| } | ||
| if err := expectedStatusCode(resp, 201); err != nil { |
There was a problem hiding this comment.
As I see it we can have one function that handles all the remote api return values (errors) and map them to the local error. Alternative will be to have a switch case per status code to handle the local error mapping.
pkg/auth/service.go
Outdated
| @@ -1,15 +1,20 @@ | |||
| package auth | |||
|
|
|||
| //go:generate oapi-codegen -package auth -generate "types,client,spec" -o client.gen.go api/swagger.yml | |||
There was a problem hiding this comment.
I think it should in placed on the /api directory.
| cache Cache | ||
| } | ||
|
|
||
| func (a *APIAuthService) SecretStore() crypt.SecretStore { |
There was a problem hiding this comment.
I think the only thing the service needs to expose is the shared secret. Can be handled in a different PR.
pkg/auth/service.go
Outdated
| } | ||
|
|
||
| func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error { | ||
| u, err := a.GetUser(ctx, username) |
There was a problem hiding this comment.
why do we need to get the user first - this is not the remote implementation's work?
There was a problem hiding this comment.
delete user is the only one that works with ID - the service can delete user by name
pkg/auth/service.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| logging.Default().Info("initialized Auth service") |
There was a problem hiding this comment.
consider accepting logger - or initialize one here with field "service" set to remote authorization service
pkg/auth/service.go
Outdated
| // avoid redirect automatically | ||
| CheckRedirect: func(req *http.Request, via []*http.Request) error { | ||
| return http.ErrUseLastResponse | ||
| }, |
There was a problem hiding this comment.
- not sure this one is required for this client
- needs a way to handle timeout or at least have a default set
pkg/auth/service.go
Outdated
| policies, _, err := a.listUserPolicies(ctx, username, params, true) | ||
| return policies, err |
There was a problem hiding this comment.
use a different names inside the scope so the reader will not get mixed. or just return the 3 of them and ignore the middle one outside
There was a problem hiding this comment.
🥇 added some comments, the main one is error handling and the second one is the authorized which looks like a client-side implementation and not server side implemented. which make you think it should be extracted out of the service that provides the authorization information.
api/authorization.yml
Outdated
| format: byte | ||
| required: | ||
| - username | ||
| SetupState: |
api/authorization.yml
Outdated
| default: | ||
| $ref: "#/components/responses/ServerError" | ||
|
|
||
| /auth/userbyname: |
api/authorization.yml
Outdated
| default: | ||
| $ref: "#/components/responses/ServerError" | ||
|
|
||
| /auth/userbyemail: |
There was a problem hiding this comment.
/auth/users?email={email}
pkg/auth/service.go
Outdated
|
|
||
| func NewAPIAuthService(apiEndpoint, token string, secretStore crypt.SecretStore, cacheConf params.ServiceCache) (*APIAuthService, error) { | ||
| // TODO(Guys): currently token is used, maybe we should consider using APIKey | ||
| basicAuthProvider, err := securityprovider.NewSecurityProviderBearerToken(token) |
There was a problem hiding this comment.
- This is a bearer token - why assign it to basic auth? name
- At some point we should consider reload as we do for the logging level - so it will be easy to roll and update
There was a problem hiding this comment.
- Done
- It will be done soon in a different PR
pkg/auth/service.go
Outdated
| } | ||
| httpClient := &http.Client{ | ||
| // avoid redirect automatically | ||
| CheckRedirect: func(req *http.Request, via []*http.Request) error { |
There was a problem hiding this comment.
- Can remove this one - prefer to support the default redirect if needed.
- We should enable configurable timeout
pkg/auth/service.go
Outdated
| } | ||
| func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) { |
There was a problem hiding this comment.
| } | |
| func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) { | |
| } | |
| func (a *APIAuthService) ListUsers(ctx context.Context, params *model.PaginationParams) ([]*model.User, *model.Paginator, error) { |
pkg/auth/service.go
Outdated
| func paginationPrefix(prefix string) *PaginationPrefix { | ||
| p := PaginationPrefix(prefix) | ||
| return &p | ||
| } | ||
| func paginationAfter(after string) *PaginationAfter { | ||
| p := PaginationAfter(after) | ||
| return &p | ||
| } | ||
| func paginationAmount(amount int) *PaginationAmount { | ||
| p := PaginationAmount(amount) | ||
| return &p | ||
| } |
There was a problem hiding this comment.
| func paginationPrefix(prefix string) *PaginationPrefix { | |
| p := PaginationPrefix(prefix) | |
| return &p | |
| } | |
| func paginationAfter(after string) *PaginationAfter { | |
| p := PaginationAfter(after) | |
| return &p | |
| } | |
| func paginationAmount(amount int) *PaginationAmount { | |
| p := PaginationAmount(amount) | |
| return &p | |
| } | |
| func paginationPrefix(prefix string) *PaginationPrefix { | |
| p := PaginationPrefix(prefix) | |
| return &p | |
| } | |
| func paginationAfter(after string) *PaginationAfter { | |
| p := PaginationAfter(after) | |
| return &p | |
| } | |
| func paginationAmount(amount int) *PaginationAmount { | |
| p := PaginationAmount(amount) | |
| return &p | |
| } |
pkg/auth/service.go
Outdated
| } | ||
|
|
||
| func (a *APIAuthService) AddCredentials(ctx context.Context, username, accessKeyID, secretAccessKey string) (*model.Credential, error) { | ||
| // TODO(Guys): decide if we want to support this - We do! for ldap, we could not support in globalIAM |
There was a problem hiding this comment.
support/unsupport should be on the server side - return an unsupported error, but implement this one.
pkg/auth/service.go
Outdated
| } | ||
|
|
||
| func (a *APIAuthService) DeleteUser(ctx context.Context, username string) error { | ||
| u, err := a.GetUser(ctx, username) |
There was a problem hiding this comment.
delete user is the only one that works with ID - the service can delete user by name
guy-har
added
the
include-changelog
No description provided.