registry and external service requests

Author: edshadi

pkg/externalsvc/auth.go

@@ -0,0 +1,109 @@
+package externalsvc
+
+import (
+	"errors"
+	"os"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+const (
+	ExpirationKey   = "exp"
+	UserIDKey       = "uid"
+	IssuerKey       = "iss"
+	JWTIDKey        = "jti"
+	AudienceKey     = "aud"
+	SessionDuration = 8760 * time.Hour // 1 year
+)
+
+func parser(token *jwt.Token) (interface{}, error) {
+	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+		return nil, errors.New("Unexpected signing method")
+	}
+	return getJWTSecret(), nil
+}
+
+func GenerateSessionJWT(userID uint64) (string, error) {
+	expiration := time.Now().Add(SessionDuration).Unix()
+	claims := jwt.MapClaims{
+		IssuerKey:     os.Getenv("FRONTEND_ADDRESS"),
+		ExpirationKey: expiration,
+		UserIDKey:     userID,
+	}
+	return generateJWT(claims, getJWTSecret())
+}
+
+func GenerateAPIKeyJWT(userID uint64, jwtID string) (string, error) {
+	claims := jwt.MapClaims{
+		IssuerKey: os.Getenv("FRONTEND_ADDRESS"),
+		JWTIDKey:  jwtID,
+		UserIDKey: userID,
+	}
+	return generateJWT(claims, getJWTSecret())
+}
+
+func GenerateWebhookJWT(url string, secret []byte) (string, error) {
+	claims := jwt.MapClaims{
+		IssuerKey:   os.Getenv("FRONTEND_ADDRESS"),
+		AudienceKey: url,
+	}
+	return generateJWT(claims, secret)
+}
+
+func generateJWT(claims jwt.MapClaims, secret []byte) (string, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(secret)
+}
+
+func ParseAPIKeyJWT(tokenString string) (uint64, string, error) {
+	claims, err := parseJWT(tokenString)
+	if err != nil {
+		return 0, "", err
+	}
+
+	issuer := claims[IssuerKey].(string)
+	if issuer != os.Getenv("FRONTEND_ADDRESS") {
+		return 0, "", errors.New("Incorrect issuer")
+	}
+
+	jwtID := claims[JWTIDKey].(string)
+	userID := uint64(claims[UserIDKey].(float64))
+	return userID, jwtID, nil
+}
+
+func ParseSessionJWT(tokenString string) (uint64, error) {
+	claims, err := parseJWT(tokenString)
+	if err != nil {
+		return 0, err
+	}
+
+	issuer := claims[IssuerKey].(string)
+	if issuer != os.Getenv("FRONTEND_ADDRESS") {
+		return 0, errors.New("Incorrect issuer")
+	}
+
+	expiration := int64(claims[ExpirationKey].(float64))
+	if expiration < time.Now().Unix() {
+		return 0, errors.New("Authorization token expired")
+	}
+
+	userID := uint64(claims[UserIDKey].(float64))
+	return userID, nil
+}
+
+func parseJWT(tokenString string) (jwt.MapClaims, error) {
+	token, err := jwt.Parse(tokenString, parser)
+	if err != nil {
+		return nil, err
+	}
+
+	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+		return claims, nil
+	}
+	return nil, errors.New("Unable to parse JWT")
+}
+
+func getJWTSecret() []byte {
+	return []byte(os.Getenv("JWT_SECRET"))
+}

pkg/externalsvc/errors.go

@@ -0,0 +1,7 @@
+package externalsvc
+
+type AssignmentRejectedByJobOwner struct{}
+
+func (err AssignmentRejectedByJobOwner) Error() string {
+	return "Job owner has rejected this assignment through external service"
+}

pkg/externalsvc/external.go

@@ -0,0 +1,60 @@
+package externalsvc
+
+import (
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+
+	"github.com/gemsorg/assignment/pkg/assignment"
+	"github.com/gemsorg/assignment/pkg/registrysvc"
+)
+
+type ValidationResponse struct {
+	Valid  bool   `json:"valid"`
+	Reason string `json:"reason"`
+}
+
+func Validate(reg registrysvc.Registration, a assignment.NewAssignment) (bool, error) {
+	esr := ValidationResponse{}
+	url := reg.Services[registrysvc.AssignmentValidator].URL
+	res, err := serviceRequest("POST", url, reg.APIKeyID, reg.RequesterID)
+	if err != nil {
+		return false, err
+	}
+
+	err = json.Unmarshal(res, &esr)
+	if err != nil {
+		return false, err
+	}
+
+	if !esr.Valid {
+		return false, AssignmentRejectedByJobOwner{}
+	}
+
+	return true, nil
+}
+
+func serviceRequest(action, url, key string, userID uint64) ([]byte, error) {
+	client := &http.Client{}
+
+	req, err := http.NewRequest(action, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	apiKey, err := GenerateAPIKeyJWT(userID, key)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Add("Authorization", apiKey)
+	r, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	return body, nil
+}

pkg/registrysvc/request.go

@@ -0,0 +1,70 @@
+package registrysvc
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+
+	"github.com/gemsorg/assignment/pkg/apierror"
+)
+
+const (
+	AssignmentValidator = "AssignmentValidator"
+	AssignmentCreator   = "AssignmentCreator"
+)
+
+type Registration struct {
+	ID          uint64   `json:"id"`
+	JobID       uint64   `json:"job_id"`
+	APIKeyID    string   `json:"api_key_id"`
+	Services    Services `json:"services"`
+	RequesterID uint64   `json:"requester_id"`
+}
+
+type Services map[string]*Service
+
+type Service struct {
+	URL string `json:"url"`
+}
+
+func GetRegistration(authToken string, jobID uint64) (*Registration, error) {
+	r := &Registration{}
+
+	url := fmt.Sprintf("registrations/%d", jobID)
+	res, err := serviceRequest("GET", url, authToken)
+	json.Unmarshal(res, r)
+
+	if err != nil {
+		return nil, err
+	}
+	fmt.Printf("R %+v\n", r)
+	return r, nil
+}
+
+func serviceRequest(action, route, authToken string) ([]byte, error) {
+	client := &http.Client{}
+	serviceURL := fmt.Sprintf("%s/%s", os.Getenv("REGISTRY_SVC_URL"), route)
+
+	req, err := http.NewRequest(action, serviceURL, nil)
+	if err != nil {
+		return nil, errorResponse(err)
+	}
+	req.Header.Add("Authorization", "Bearer "+authToken)
+	r, err := client.Do(req)
+	if err != nil {
+		return nil, errorResponse(err)
+	}
+
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		return nil, errorResponse(err)
+	}
+
+	return body, nil
+}
+
+func errorResponse(err error) *apierror.APIError {
+	return apierror.New(500, err.Error(), err)
+}

pkg/service/service.go

@@ -5,6 +5,8 @@ import (
 	"github.com/gemsorg/assignment/pkg/authentication"
 	"github.com/gemsorg/assignment/pkg/authorization"
 	"github.com/gemsorg/assignment/pkg/datastore"
+	"github.com/gemsorg/assignment/pkg/externalsvc"
+	"github.com/gemsorg/assignment/pkg/registrysvc"
 	"github.com/gemsorg/assignment/pkg/tasksvc"
 )
 
@@ -21,6 +23,7 @@ type AssignmentService interface {
 	CreateSettings(assignment.Settings) (*assignment.Settings, error)
 	GetStore() datastore.Storage
 	ValidateAssignment(a assignment.NewAssignment, set *assignment.Settings) (bool, error)
+	GetRegistration(jobID uint64) (*registrysvc.Registration, error)
 }
 
 type service struct {
@@ -128,11 +131,22 @@ func (s *service) ValidateAssignment(a assignment.NewAssignment, set *assignment
 	assigned, err := s.store.WorkerAlreadyAssigned(a.JobID, a.WorkerID)
 	a.WorkerAlreadyAssigned = assigned
 
+	// Check if there's an external service registered for this task
+	r, err := s.GetRegistration(a.JobID)
+	if r != nil && r.Services[registrysvc.AssignmentValidator] != nil {
+		return externalsvc.Validate(*r, a)
+	} else {
+		allowed, err = a.IsAllowed(set)
+	}
+
 	// Check if the assignment is allowed
-	allowed, err = a.IsAllowed(set)
 	if !allowed {
 		return false, err
 	}
 
 	return allowed, nil
 }
+
+func (s *service) GetRegistration(jobID uint64) (*registrysvc.Registration, error) {
+	return registrysvc.GetRegistration(s.authorizor.GetAuthToken(), jobID)
+}