chore: add internal Requester (#79)

Author: shaj13

auth/internal/requestor.go

@@ -0,0 +1,127 @@
+package internal
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/shaj13/go-guardian/v2/auth"
+)
+
+// Requester sends an HTTP request to query
+// an authorization server to determine the active state of an
+// access token and to determine meta-information about this token.
+type Requester struct {
+	Addr     string
+	Endpoint string
+	Client   *http.Client
+	// AdditionalData add more data to http request
+	AdditionalData func(r *http.Request)
+}
+
+// Do sends the HTTP request and parse the HTTP response.
+func (r *Requester) Do(ctx context.Context, data, review, status interface{}) error {
+	body, err := json.Marshal(data)
+	if err != nil {
+		return fmt.Errorf("Failed to marshal request body data, Type: %T, Err: %w", data, err)
+	}
+
+	url := r.Addr + r.Endpoint
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewBuffer(body))
+	if err != nil {
+		return fmt.Errorf("Failed to create new HTTP request, Method: POST, URL: %s, Err: %w", url, err)
+	}
+
+	if r.AdditionalData != nil {
+		r.AdditionalData(req)
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := r.Client.Do(req)
+	if err != nil {
+		return fmt.Errorf("Failed to send the HTTP request, Method: POST, URL: %s, Err: %w", url, err)
+	}
+
+	body, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("Failed to read the HTTP response, Method: POST, URL: %s, Err: %w", url, err)
+	}
+
+	defer resp.Body.Close()
+
+	if err := json.Unmarshal(body, status); err == nil {
+		return nil
+	}
+
+	if err := json.Unmarshal(body, review); err != nil {
+		return fmt.Errorf("Failed to unmarshal response body data, Type: %T Err: %w", review, err)
+	}
+
+	return nil
+}
+
+// SetRequesterBearerToken sets ruqester token.
+func SetRequesterBearerToken(token string) auth.Option {
+	return auth.OptionFunc(func(v interface{}) {
+		if r, ok := v.(*Requester); ok {
+			r.AdditionalData = func(r *http.Request) {
+				r.Header.Set("Authorization", "Bearer "+token)
+			}
+		}
+	})
+}
+
+// SetRequesterHTTPClient sets underlying requester http client.
+func SetRequesterHTTPClient(c *http.Client) auth.Option {
+	return auth.OptionFunc(func(v interface{}) {
+		if r, ok := v.(*Requester); ok {
+			r.Client = c
+		}
+	})
+}
+
+// SetRequesterTLSConfig sets underlying requester http client tls config.
+func SetRequesterTLSConfig(tls *tls.Config) auth.Option {
+	return auth.OptionFunc(func(v interface{}) {
+		if r, ok := v.(*Requester); ok {
+			r.Client.Transport.(*http.Transport).TLSClientConfig = tls
+		}
+	})
+}
+
+// SetRequesterClientTransport sets underlying requester http client transport.
+func SetRequesterClientTransport(rt http.RoundTripper) auth.Option {
+	return auth.OptionFunc(func(v interface{}) {
+		if r, ok := v.(*Requester); ok {
+			r.Client.Transport = rt
+		}
+	})
+}
+
+// SetRequesterAddress sets requester origin server address
+// e.g http://host:port or https://host:port.
+func SetRequesterAddress(addr string) auth.Option {
+	return auth.OptionFunc(func(v interface{}) {
+		if r, ok := v.(*Requester); ok {
+			r.Addr = strings.TrimSuffix(addr, "/")
+		}
+	})
+}
+
+// SetRequesterEndpoint sets requester origin server endpoint.
+// e.g /api/v1/token
+func SetRequesterEndpoint(endpoint string) auth.Option {
+	return auth.OptionFunc(func(v interface{}) {
+		if r, ok := v.(*Requester); ok {
+			r.Addr = "/" + strings.TrimSuffix(endpoint, "/")
+		}
+	})
+}

auth/strategies/kubernetes/kubernetes.go

@@ -5,103 +5,54 @@
 package kubernetes
 
 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/http"
-	"strings"
 	"time"
 
 	kubeauth "k8s.io/api/authentication/v1"
 	kubemeta "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/shaj13/go-guardian/v2/auth"
+	"github.com/shaj13/go-guardian/v2/auth/internal"
 	"github.com/shaj13/go-guardian/v2/auth/strategies/token"
 )
 
 type kubeReview struct {
-	addr string
-	// service account token
-	token      string
-	apiVersion string
-	audiences  []string
-	client     *http.Client
+	requester *internal.Requester
+	audiences []string
 }
 
 func (k *kubeReview) authenticate(ctx context.Context, r *http.Request, token string) (auth.Info, time.Time, error) {
-	var t time.Time
-
-	tr := &kubeauth.TokenReview{
+	t := time.Time{}
+	status := &kubemeta.Status{}
+	review := &kubeauth.TokenReview{}
+	data := &kubeauth.TokenReview{
 		Spec: kubeauth.TokenReviewSpec{
 			Token:     token,
 			Audiences: k.audiences,
 		},
 	}
 
-	body, err := json.Marshal(tr)
-	if err != nil {
-		return nil, t, fmt.Errorf(
-			"strategies/kubernetes: Failed to Marshal TokenReview Err: %s",
-			err,
-		)
-	}
-
-	url := k.addr + "/apis/" + k.apiVersion + "/tokenreviews"
-
-	req, err := http.NewRequest(http.MethodPost, url, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, t, err
-	}
-
-	req.Header.Set("Authorization", "Bearer "+k.token)
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Accept", "application/json")
-
-	resp, err := k.client.Do(req)
-	if err != nil {
-		return nil, t, err
-	}
-
-	body, err = ioutil.ReadAll(resp.Body)
-	if err != nil {
-		return nil, t, err
-	}
-
-	defer resp.Body.Close()
+	err := k.requester.Do(ctx, data, review, status)
 
-	// verify the response is not an kubernetes status error.
-	status := &kubemeta.Status{}
-	err = json.Unmarshal(body, status)
-	if err == nil && status.Status != kubemeta.StatusSuccess {
+	switch {
+	case err != nil:
+		return nil, t, fmt.Errorf("strategies/kubernetes: %w", err)
+	case len(status.Status) > 0 && status.Status != kubemeta.StatusSuccess:
 		return nil, t, fmt.Errorf("strategies/kubernetes: %s", status.Message)
-	}
-
-	tr = &kubeauth.TokenReview{}
-	err = json.Unmarshal(body, tr)
-	if err != nil {
-		return nil, t, fmt.Errorf(
-			"strategies/kubernetes: Failed to Unmarshal Response body to TokenReview Err: %s",
-			err,
-		)
-	}
-
-	if len(tr.Status.Error) > 0 {
-		return nil, t, fmt.Errorf("strategies/kubernetes: %s", tr.Status.Error)
-	}
-
-	if !tr.Status.Authenticated {
+	case len(review.Status.Error) > 0:
+		return nil, t, fmt.Errorf("strategies/kubernetes: Failed to authenticate token")
+	case !review.Status.Authenticated:
 		return nil, t, fmt.Errorf("strategies/kubernetes: Token Unauthorized")
+	default:
+		user := review.Status.User
+		extensions := make(map[string][]string)
+		for k, v := range user.Extra {
+			extensions[k] = v
+		}
+		return auth.NewUserInfo(user.Username, user.UID, user.Groups, extensions), t, nil
 	}
-
-	user := tr.Status.User
-	extensions := make(map[string][]string)
-	for k, v := range user.Extra {
-		extensions[k] = v
-	}
-
-	return auth.NewUserInfo(user.Username, user.UID, user.Groups, extensions), t, nil
 }
 
 // GetAuthenticateFunc return function to authenticate request using kubernetes token review.
@@ -118,19 +69,21 @@ func New(c auth.Cache, opts ...auth.Option) auth.Strategy {
 }
 
 func newKubeReview(opts ...auth.Option) *kubeReview {
+
 	kr := &kubeReview{
-		addr:       "http://127.0.0.1:6443",
-		apiVersion: "authentication.k8s.io/v1",
-		client: &http.Client{
-			Transport: &http.Transport{},
+		requester: &internal.Requester{
+			Addr:     "http://127.0.0.1:6443",
+			Endpoint: "/apis/authentication.k8s.io/v1/tokenreviews",
+			Client: &http.Client{
+				Transport: &http.Transport{},
+			},
 		},
 	}
 
 	for _, opt := range opts {
 		opt.Apply(kr)
+		opt.Apply(kr.requester)
 	}
 
-	kr.addr = strings.TrimSuffix(kr.addr, "/")
-	kr.apiVersion = strings.TrimPrefix(strings.TrimSuffix(kr.apiVersion, "/"), "/")
 	return kr
 }

auth/strategies/kubernetes/kubernetes_test.go

@@ -16,17 +16,10 @@ import (
 func TestNewKubeReview(t *testing.T) {
 	// Round #1 -- check default
 	kr := newKubeReview()
-	assert.NotNil(t, kr.client)
-	assert.NotNil(t, kr.client.Transport)
-	assert.Equal(t, kr.apiVersion, "authentication.k8s.io/v1")
-	assert.Equal(t, kr.addr, "http://127.0.0.1:6443")
-
-	// Round #2 -- apply opt and trim "/"
-	ver := SetAPIVersion("/test/v1/")
-	addr := SetAddress("http://127.0.0.1:8080/")
-	kr = newKubeReview(ver, addr)
-	assert.Equal(t, kr.apiVersion, "test/v1")
-	assert.Equal(t, kr.addr, "http://127.0.0.1:8080")
+	assert.NotNil(t, kr.requester.Client)
+	assert.NotNil(t, kr.requester.Client.Transport)
+	assert.Equal(t, kr.requester.Endpoint, "/apis/authentication.k8s.io/v1/tokenreviews")
+	assert.Equal(t, kr.requester.Addr, "http://127.0.0.1:6443")
 }
 
 func TestKubeReview(t *testing.T) {
@@ -47,7 +40,7 @@ func TestKubeReview(t *testing.T) {
 			name: "it return error when server return invalid token review",
 			code: 200,
 			file: "invalid_token_review",
-			err:  fmt.Errorf(`strategies/kubernetes: Failed to Unmarshal Response body to TokenReview Err: invalid character 'i' looking for beginning of value`),
+			err:  fmt.Errorf(`strategies/kubernetes: Failed to unmarshal response body data, Type: *v1.TokenReview Err: invalid character 'i' looking for beginning of value`),
 		},
 		{
 			name: "it return error when server return Status.Error",
@@ -72,14 +65,15 @@ func TestKubeReview(t *testing.T) {
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {
 			srv := mockKubeAPIServer(t, tt.file, tt.code)
-			kr := &kubeReview{
-				addr:   srv.URL,
-				client: srv.Client(),
-			}
+			addr := SetAddress(srv.URL)
+			client := SetHTTPClient(srv.Client())
+			kr := newKubeReview(addr, client)
 			r, _ := http.NewRequest("", "", nil)
 			info, _, err := kr.authenticate(r.Context(), r, "")
 
-			assert.Equal(t, tt.err, err)
+			if tt.err != nil {
+				assert.EqualError(t, err, tt.err.Error())
+			}
 			assert.Equal(t, tt.info, info)
 		})
 	}