Added api key auth module to be used between API's (#1)

geiralund · web-flow · commit 9c87faf52e8d · 2019-05-16T15:00:03.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -5,6 +5,9 @@
 # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
 # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
 
+# kotlinttest
+.kotlintest
+
 # User-specific stuff
 .idea/**/workspace.xml
 .idea/**/tasks.xml
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -8,6 +8,7 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 plugins {
     kotlin("jvm") version "1.3.21"
     id("org.jetbrains.dokka") version "0.9.17" apply false
+    id("com.diffplug.gradle.spotless") version "3.13.0"
     `java-library`
     `maven-publish`
 }
@@ -30,6 +31,7 @@ subprojects {
     val scmUrl = "scm:git:https://github.com/navikt/dp-biblioteker.git"
 
     apply(plugin = "org.jetbrains.kotlin.jvm")
+    apply(plugin = "com.diffplug.gradle.spotless")
     apply(plugin = "java-library")
     apply(plugin = "org.jetbrains.dokka")
     apply(plugin = "maven-publish")
@@ -42,6 +44,9 @@ subprojects {
         testCompile("org.junit.jupiter:junit-jupiter-params:$junitJupiterVersion")
         testRuntime("org.junit.jupiter:junit-jupiter-engine:$junitJupiterVersion")
         testRuntimeOnly("org.junit.vintage:junit-vintage-engine:$junitJupiterVersion")
+        testImplementation("io.kotlintest:kotlintest-runner-junit5:3.3.0")
+        testImplementation(kotlin("test"))
+        testImplementation(kotlin("test-junit"))
     }
 
 
@@ -95,6 +100,17 @@ subprojects {
         add("archives", javadocJar)
     }
 
+
+    spotless {
+        kotlin {
+            ktlint()
+        }
+        kotlinGradle {
+            target("*.gradle.kts", "additionalScripts/*.gradle.kts")
+            ktlint("0.31.0")
+        }
+    }
+
     publishing {
         publications {
             create<MavenPublication>("maven") {
diff --git a/ktor-utils/build.gradle.kts b/ktor-utils/build.gradle.kts
@@ -0,0 +1,7 @@
+val ktorVersion = "1.2.0"
+
+dependencies {
+    implementation("io.ktor:ktor-server:$ktorVersion")
+    implementation("io.ktor:ktor-auth:$ktorVersion")
+    testImplementation("io.ktor:ktor-server-test-host:$ktorVersion")
+}
diff --git a/ktor-utils/src/main/kotlin/no/nav/dagpenger/ktor/auth/ApiKeyAuth.kt b/ktor-utils/src/main/kotlin/no/nav/dagpenger/ktor/auth/ApiKeyAuth.kt
@@ -0,0 +1,104 @@
+package no.nav.dagpenger.ktor.auth
+
+import io.ktor.application.ApplicationCall
+import io.ktor.application.call
+import io.ktor.auth.Authentication
+import io.ktor.auth.AuthenticationFailedCause
+import io.ktor.auth.AuthenticationPipeline
+import io.ktor.auth.AuthenticationProvider
+import io.ktor.auth.Credential
+import io.ktor.auth.Principal
+import io.ktor.auth.UnauthorizedResponse
+import io.ktor.http.auth.HeaderValueEncoding
+import io.ktor.http.auth.HttpAuthHeader
+import io.ktor.request.ApplicationRequest
+import io.ktor.response.respond
+
+enum class ApiKeyLocation(val location: String) {
+    QUERY("query"),
+    HEADER("header")
+}
+
+data class ApiKeyCredential(val value: String) : Credential
+data class ApiPrincipal(val apiKeyCredential: ApiKeyCredential?) : Principal
+
+/**
+ * Represents a Api Key authentication provider
+ * @param name is the name of the provider, or `null` for a default provider
+ */
+
+class ApiKeyAuthenticationProvider internal constructor(config: Configuration) : AuthenticationProvider(config) {
+
+    internal var apiKeyName: String = config.apiKeyName
+    internal var apiKeyLocation: ApiKeyLocation = config.apiKeyLocation
+    internal val authenticationFunction = config.authenticationFunction
+
+    class Configuration(name: String?) : AuthenticationProvider.Configuration(name) {
+        internal var authenticationFunction: suspend ApplicationCall.(ApiKeyCredential) -> Principal? = { null }
+
+        var apiKeyName: String = ""
+
+        var apiKeyLocation: ApiKeyLocation = ApiKeyLocation.HEADER
+
+        fun validate(body: suspend ApplicationCall.(ApiKeyCredential) -> Principal?) {
+            authenticationFunction = body
+        }
+
+        internal fun build() = ApiKeyAuthenticationProvider(this)
+    }
+}
+
+fun Authentication.Configuration.apiKeyAuth(
+    name: String? = null,
+    configure: ApiKeyAuthenticationProvider.Configuration.() -> Unit
+) {
+    val provider = ApiKeyAuthenticationProvider.Configuration(name).apply(configure).build()
+    val apiKeyName = provider.apiKeyName
+    val apiKeyLocation = provider.apiKeyLocation
+    val authenticate = provider.authenticationFunction
+
+    provider.pipeline.intercept(AuthenticationPipeline.RequestAuthentication) { context ->
+        val credentials = call.request.apiKeyAuthenticationCredentials(apiKeyName, apiKeyLocation)
+        val principal = credentials?.let { authenticate(call, it) }
+
+        val cause = when {
+            credentials == null -> AuthenticationFailedCause.NoCredentials
+            principal == null -> AuthenticationFailedCause.InvalidCredentials
+            else -> null
+        }
+
+        if (cause != null) {
+            context.challenge(apiKeyName, cause) {
+                call.respond(
+                    UnauthorizedResponse(
+                        HttpAuthHeader.Parameterized(
+                            "API_KEY",
+                            mapOf("key" to apiKeyName),
+                            HeaderValueEncoding.QUOTED_ALWAYS
+                        )
+                    )
+                )
+                it.complete()
+            }
+        }
+
+        if (principal != null) {
+            context.principal(principal)
+        }
+    }
+
+    register(provider)
+}
+
+fun ApplicationRequest.apiKeyAuthenticationCredentials(
+    apiKeyName: String,
+    apiKeyLocation: ApiKeyLocation
+): ApiKeyCredential? {
+    return when (val value: String? = when (apiKeyLocation) {
+        ApiKeyLocation.QUERY -> this.queryParameters[apiKeyName]
+        ApiKeyLocation.HEADER -> this.headers[apiKeyName]
+    }) {
+        null -> null
+        else -> ApiKeyCredential(value)
+    }
+}
diff --git a/ktor-utils/src/test/kotlin/no/nav/dagpenger/ktor/auth/ApiKeyAuthTest.kt b/ktor-utils/src/test/kotlin/no/nav/dagpenger/ktor/auth/ApiKeyAuthTest.kt
@@ -0,0 +1,118 @@
+package no.nav.dagpenger.ktor.auth
+
+import io.kotlintest.shouldBe
+import io.ktor.application.Application
+import io.ktor.application.call
+import io.ktor.application.install
+import io.ktor.auth.Authentication
+import io.ktor.auth.authenticate
+import io.ktor.http.HttpMethod
+import io.ktor.http.HttpStatusCode
+import io.ktor.response.respondText
+import io.ktor.routing.get
+import io.ktor.routing.route
+import io.ktor.routing.routing
+import io.ktor.server.testing.handleRequest
+import io.ktor.server.testing.withTestApplication
+import org.junit.jupiter.api.Test
+
+class ApiKeyAuthTest {
+
+    @Test
+    fun `Request with api key in header ok`() {
+        withTestApplication({
+            apiKeyHeader()
+        }) {
+            handleRequest(HttpMethod.Get, "/foo") {
+                addHeader("X-API-KEY", "test")
+            }.apply {
+                response.status() shouldBe HttpStatusCode.OK
+            }
+        }
+    }
+
+    @Test
+    fun `Request with no api key in header is unauthorized`() {
+        withTestApplication({
+            apiKeyHeader()
+        }) {
+            handleRequest(HttpMethod.Get, "/foo") {
+            }.apply {
+                response.status() shouldBe HttpStatusCode.Unauthorized
+            }
+        }
+    }
+
+    @Test
+    fun `Request with api key in query ok`() {
+        withTestApplication({
+            apiKeyQuery()
+        }) {
+            handleRequest(HttpMethod.Get, "/foo?apiKey=test") {
+            }.apply {
+                response.status() shouldBe HttpStatusCode.OK
+            }
+        }
+    }
+
+    @Test
+    fun `Request with no api key in query is unauthorized`() {
+        withTestApplication({
+            apiKeyQuery()
+        }) {
+            handleRequest(HttpMethod.Get, "/foo") {
+            }.apply {
+                response.status() shouldBe HttpStatusCode.Unauthorized
+            }
+        }
+    }
+}
+
+fun Application.apiKeyHeader() {
+    install(Authentication) {
+        apiKeyAuth {
+            apiKeyName = "X-API-KEY"
+            validate { apikeyCredential: ApiKeyCredential ->
+                when {
+                    apikeyCredential.value == "test" -> ApiPrincipal(apikeyCredential)
+                    else -> null
+                }
+            }
+        }
+    }
+
+    routing {
+        authenticate {
+            route("/foo") {
+                get {
+                    call.respondText { "bar" }
+                }
+            }
+        }
+    }
+}
+
+fun Application.apiKeyQuery() {
+    install(Authentication) {
+        apiKeyAuth {
+            apiKeyName = "apiKey"
+            apiKeyLocation = ApiKeyLocation.QUERY
+            validate { apikeyCredential: ApiKeyCredential ->
+                when {
+                    apikeyCredential.value == "test" -> ApiPrincipal(apikeyCredential)
+                    else -> null
+                }
+            }
+        }
+    }
+
+    routing {
+        authenticate {
+            route("/foo") {
+                get {
+                    call.respondText { "bar" }
+                }
+            }
+        }
+    }
+}
diff --git a/settings.gradle.kts b/settings.gradle.kts
@@ -1,3 +1,4 @@
 rootProject.name = "dp-biblioteker"
 
-include("sts-klient")
+include("sts-klient")
+include("ktor-utils")
diff --git a/sts-klient/build.gradle.kts b/sts-klient/build.gradle.kts
@@ -5,5 +5,3 @@ dependencies {
     implementation("com.github.kittinunf.fuel:fuel-gson:$fuelVersion")
     testImplementation("com.github.tomakehurst:wiremock-standalone:2.19.0")
 }
-
-
diff --git a/sts-klient/src/main/kotlin/no/nav/dagpenger/oidc/StsOidcClient.kt b/sts-klient/src/main/kotlin/no/nav/dagpenger/oidc/StsOidcClient.kt
@@ -1,6 +1,5 @@
 package no.nav.dagpenger.oidc
 
-
 import com.github.kittinunf.fuel.gson.responseObject
 import com.github.kittinunf.fuel.httpGet
 import com.github.kittinunf.result.Result
@@ -12,11 +11,14 @@ import java.time.LocalDateTime.now
  */
 class StsOidcClient(stsBaseUrl: String, private val username: String, private val password: String) : OidcClient {
     private val timeToRefresh: Long = 60
-    private val stsTokenUrl: String = if (stsBaseUrl.endsWith("/")) "${stsBaseUrl}rest/v1/sts/token/" else "$stsBaseUrl/rest/v1/sts/token/"
+    private val stsTokenUrl: String =
+        if (stsBaseUrl.endsWith("/")) "${stsBaseUrl}rest/v1/sts/token/" else "$stsBaseUrl/rest/v1/sts/token/"
 
-    @Volatile private var tokenExpiryTime = now().minus(Duration.ofSeconds(timeToRefresh))
+    @Volatile
+    private var tokenExpiryTime = now().minus(Duration.ofSeconds(timeToRefresh))
 
-    @Volatile private lateinit var oidcToken: OidcToken
+    @Volatile
+    private lateinit var oidcToken: OidcToken
 
     override fun oidcToken(): OidcToken {
         return if (now().isBefore(tokenExpiryTime)) {
@@ -44,7 +46,8 @@ class StsOidcClient(stsBaseUrl: String, private val username: String, private va
     }
 }
 
-class StsOidcClientException(override val message: String, override val cause: Throwable) : RuntimeException(message, cause)
+class StsOidcClientException(override val message: String, override val cause: Throwable) :
+    RuntimeException(message, cause)
 
 data class OidcToken(
     val access_token: String,
diff --git a/sts-klient/src/test/kotlin/no/nav/dagpenger/oidc/StsOidcClientTest.kt b/sts-klient/src/test/kotlin/no/nav/dagpenger/oidc/StsOidcClientTest.kt

Original file line number	Diff line number	Diff line change
`@@ -5,5 +5,3 @@ dependencies {`
`5`	`5`	`implementation("com.github.kittinunf.fuel:fuel-gson:$fuelVersion")`
`6`	`6`	`testImplementation("com.github.tomakehurst:wiremock-standalone:2.19.0")`
`7`	`7`	`}`
`8`		`-`
`9`		`-`