Merge pull request #193 from mgenov/gcs_tokens

docker_auth/github: store tokens in google cloud storage

Author: rojer

auth_server/authn/github_auth.go

@@ -32,15 +32,21 @@ import (
 )
 
 type GitHubAuthConfig struct {
-	Organization     string        `yaml:"organization,omitempty"`
-	ClientId         string        `yaml:"client_id,omitempty"`
-	ClientSecret     string        `yaml:"client_secret,omitempty"`
-	ClientSecretFile string        `yaml:"client_secret_file,omitempty"`
-	TokenDB          string        `yaml:"token_db,omitempty"`
-	HTTPTimeout      time.Duration `yaml:"http_timeout,omitempty"`
-	RevalidateAfter  time.Duration `yaml:"revalidate_after,omitempty"`
-	GithubWebUri     string        `yaml:"github_web_uri,omitempty"`
-	GithubApiUri     string        `yaml:"github_api_uri,omitempty"`
+	Organization     string                `yaml:"organization,omitempty"`
+	ClientId         string                `yaml:"client_id,omitempty"`
+	ClientSecret     string                `yaml:"client_secret,omitempty"`
+	ClientSecretFile string                `yaml:"client_secret_file,omitempty"`
+	TokenDB          string                `yaml:"token_db,omitempty"`
+	GCSTokenDB       *GitHubGCSStoreConfig `yaml:"gcs_token_db,omitempty"`
+	HTTPTimeout      time.Duration         `yaml:"http_timeout,omitempty"`
+	RevalidateAfter  time.Duration         `yaml:"revalidate_after,omitempty"`
+	GithubWebUri     string                `yaml:"github_web_uri,omitempty"`
+	GithubApiUri     string                `yaml:"github_api_uri,omitempty"`
+}
+
+type GitHubGCSStoreConfig struct {
+	Bucket           string `yaml:"bucket,omitempty"`
+	ClientSecretFile string `yaml:"client_secret_file,omitempty"`
 }
 
 type GitHubAuthRequest struct {
@@ -62,11 +68,20 @@ type GitHubAuth struct {
 }
 
 func NewGitHubAuth(c *GitHubAuthConfig) (*GitHubAuth, error) {
-	db, err := NewTokenDB(c.TokenDB)
+	var db TokenDB
+	var err error
+	dbName := c.TokenDB
+	if c.GCSTokenDB == nil {
+		db, err = NewTokenDB(c.TokenDB)
+	} else {
+		db, err = NewGCSTokenDB(c.GCSTokenDB.Bucket, c.GCSTokenDB.ClientSecretFile)
+		dbName = "GCS: " + c.GCSTokenDB.Bucket
+	}
+
 	if err != nil {
 		return nil, err
 	}
-	glog.Infof("GitHub auth token DB at %s", c.TokenDB)
+	glog.Infof("GitHub auth token DB at %s", dbName)
 	return &GitHubAuth{
 		config: c,
 		db:     db,

auth_server/authn/tokendb.go

@@ -24,8 +24,8 @@ import (
 
 	"golang.org/x/crypto/bcrypt"
 
-	"github.com/dchest/uniuri"
 	"github.com/cesanta/glog"
+	"github.com/dchest/uniuri"
 	"github.com/syndtr/goleveldb/leveldb"
 )
 
@@ -93,7 +93,7 @@ func (db *TokenDBImpl) GetValue(user string) (*TokenDBValue, error) {
 	err = json.Unmarshal(valueStr, &dbv)
 	if err != nil {
 		glog.Errorf("bad DB value for %q (%q): %s", user, string(valueStr), err)
-		return nil, fmt.Errorf("bad DB value", err)
+		return nil, fmt.Errorf("bad DB value due: %v", err)
 	}
 	return &dbv, nil
 }

auth_server/authn/tokendb_gcs.go

@@ -0,0 +1,121 @@
+/*
+   Copyright 2017 Cesanta Software Ltd.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       https://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+package authn
+
+import (
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"cloud.google.com/go/storage"
+	"github.com/cesanta/glog"
+	"github.com/dchest/uniuri"
+	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/net/context"
+	"google.golang.org/api/option"
+)
+
+// NewGCSTokenDB return a new TokenDB structure which uses Google Cloud Storage as backend. The
+// created DB uses file-per-user strategy and stores credentials independently for each user.
+//
+// Note: it's not recomanded bucket to be shared with other apps or services
+func NewGCSTokenDB(bucket, clientSecretFile string) (TokenDB, error) {
+	gcs, err := storage.NewClient(context.Background(), option.WithServiceAccountFile(clientSecretFile))
+	return &gcsTokenDB{gcs, bucket}, err
+}
+
+type gcsTokenDB struct {
+	gcs    *storage.Client
+	bucket string
+}
+
+// GetValue gets token value associated with the provided user. Each user
+// in the bucket is having it's own file for tokens and it's recomanded bucket
+// to not be shared with other apps
+func (db *gcsTokenDB) GetValue(user string) (*TokenDBValue, error) {
+	rd, err := db.gcs.Bucket(db.bucket).Object(user).NewReader(context.Background())
+	if err == storage.ErrObjectNotExist {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("could not retrieved token for user '%s' due: %v", user, err)
+	}
+	defer rd.Close()
+
+	var dbv TokenDBValue
+	if err := json.NewDecoder(rd).Decode(&dbv); err != nil {
+		glog.Errorf("bad DB value for %q: %v", user, err)
+		return nil, fmt.Errorf("could not read token for user '%s' due: %v", user, err)
+	}
+
+	return &dbv, nil
+}
+
+// StoreToken stores token in the GCS file in a JSON format. Note that separate file is
+// used for each user
+func (db *gcsTokenDB) StoreToken(user string, v *TokenDBValue, updatePassword bool) (dp string, err error) {
+	if updatePassword {
+		dp = uniuri.New()
+		dph, _ := bcrypt.GenerateFromPassword([]byte(dp), bcrypt.DefaultCost)
+		v.DockerPassword = string(dph)
+	}
+
+	wr := db.gcs.Bucket(db.bucket).Object(user).NewWriter(context.Background())
+
+	if err := json.NewEncoder(wr).Encode(v); err != nil {
+		glog.Errorf("failed to set token data for %s: %s", user, err)
+		return "", fmt.Errorf("failed to set token data for %s due: %v", user, err)
+	}
+
+	err = wr.Close()
+	return
+}
+
+// ValidateToken verifies whether the provided token passed as password field
+// is still valid, e.g available and not expired
+func (db *gcsTokenDB) ValidateToken(user string, password PasswordString) error {
+	dbv, err := db.GetValue(user)
+	if err != nil {
+		return err
+	}
+	if dbv == nil {
+		return NoMatch
+	}
+
+	if bcrypt.CompareHashAndPassword([]byte(dbv.DockerPassword), []byte(password)) != nil {
+		return WrongPass
+	}
+	if time.Now().After(dbv.ValidUntil) {
+		return ExpiredToken
+	}
+
+	return nil
+}
+
+// DeleteToken deletes the GCS file that is associated with the provided user.
+func (db *gcsTokenDB) DeleteToken(user string) error {
+	ctx := context.Background()
+	err := db.gcs.Bucket(db.bucket).Object(user).Delete(ctx)
+	if err == storage.ErrObjectNotExist {
+		return nil
+	}
+	return err
+}
+
+// Close is a nop operation for this db
+func (db *gcsTokenDB) Close() error {
+	return nil
+}

auth_server/server/config.go

@@ -120,8 +120,12 @@ func validate(c *Config) error {
 			}
 			ghac.ClientSecret = strings.TrimSpace(string(contents))
 		}
-		if ghac.ClientId == "" || ghac.ClientSecret == "" || ghac.TokenDB == "" {
-			return errors.New("github_auth.{client_id,client_secret,token_db} are required.")
+		if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.TokenDB == "" && ghac.GCSTokenDB == nil) {
+			return errors.New("github_auth.{client_id,client_secret,token_db} are required")
+		}
+
+		if ghac.ClientId == "" || ghac.ClientSecret == "" || (ghac.GCSTokenDB != nil && (ghac.GCSTokenDB.Bucket == "" || ghac.GCSTokenDB.ClientSecretFile == "")) {
+			return errors.New("github_auth.{client_id,client_secret,gcs_token_db{bucket,client_secret_file}} are required")
 		}
 		if ghac.HTTPTimeout <= 0 {
 			ghac.HTTPTimeout = time.Duration(10 * time.Second)

auth_server/vendor/vendor.json

@@ -2,6 +2,12 @@
 	"comment": "",
 	"ignore": "",
 	"package": [
+		{
+			"checksumSHA1": "0ot8Hk23WGrT0lE2BmQXeqe4bRo=",
+			"path": "cloud.google.com/go/storage",
+			"revision": "2b74e2e25316cfd9e46b74e444cdeceb78786dc5",
+			"revisionTime": "2017-08-20T12:51:33Z"
+		},
 		{
 			"checksumSHA1": "CujWu7+PWlZSX5+zAPJH91O5AVQ=",
 			"origin": "github.com/docker/distribution/vendor/github.com/Sirupsen/logrus",
@@ -397,11 +403,17 @@
 			"revisionTime": "2017-03-21T17:14:25Z"
 		},
 		{
-			"checksumSHA1": "AK65RmsGNBl0/e11OVrf2mW78gU=",
+			"checksumSHA1": "1WoWjPiwUEFahi5xz29FRMtd8sA=",
 			"path": "golang.org/x/sys/unix",
 			"revision": "493114f68206f85e7e333beccfabc11e98cba8dd",
 			"revisionTime": "2017-03-31T21:25:38Z"
 		},
+		{
+			"checksumSHA1": "RpAaByicZuXzN7bReX8YXKf8gP0=",
+			"path": "google.golang.org/api/option",
+			"revision": "955a3ae66b420f3adc0d77da3d8ed767a74e2b4f",
+			"revisionTime": "2017-09-01T00:04:07Z"
+		},
 		{
 			"checksumSHA1": "fRERF7JFq7KYgM9I48onMlEgFm4=",
 			"path": "gopkg.in/asn1-ber.v1",

examples/reference.yml

@@ -101,8 +101,12 @@ github_auth:
   # want to have sensitive information checked in.
   # client_secret: "verysecret"
   client_secret_file: "/path/to/client_secret.txt"
-  # Where to store server tokens. Required.
+  # Either token_db file for storing of server tokens. 
   token_db: "/somewhere/to/put/github_tokens.ldb"
+  # or google cloud storage for storing of the sensitive information. 
+  gcs_token_db: 
+    bucket: "tokenBucket"
+    client_secret_file: "/path/to/client_secret.json"
   # How long to wait when talking to GitHub servers. Optional.
   http_timeout: "10s"
   # How long to wait before revalidating the GitHub token. Optional.