Feat: API Keys CRUD and use it for authentication and authorisation (#1782)

* wip

* wip2

* wip

* wire_gen

* bug fixes

* api token integration

* lastUsedAt and lastUsedByIp updated in user for api-user case

* bug fix

* deleted

* renamed

* fix : Name should be reusable if API-token is deleted

* code comments incorporate :
1) added validation : name can not have whitespace and comma while creating api-token
2) api-token email prefix capital
3) moved RBAC before validations in rest handler of api-token
4) user audit table

* code comment incorporate :
1) using attributes table/service/repo to store secret

* wiring fix

* fix

* sql file number changed

* some fields added in crud apis

Author: manish-agrawal-ai

Wire.go

@@ -21,6 +21,7 @@
 package main
 
 import (
+	"github.com/devtron-labs/devtron/api/apiToken"
 	appStoreRestHandler "github.com/devtron-labs/devtron/api/appStore"
 	appStoreDeployment "github.com/devtron-labs/devtron/api/appStore/deployment"
 	appStoreDiscover "github.com/devtron-labs/devtron/api/appStore/discover"
@@ -123,6 +124,7 @@ func InitializeApp() (*App, error) {
 		appStoreDeployment.AppStoreDeploymentWireSet,
 		server.ServerWireSet,
 		module.ModuleWireSet,
+		apiToken.ApiTokenWireSet,
 		// -------wireset end ----------
 		gitSensor.GetGitSensorConfig,
 		gitSensor.NewGitSensorSession,
@@ -600,6 +602,7 @@ func InitializeApp() (*App, error) {
 		wire.Bind(new(router.CommonRouter), new(*router.CommonRouterImpl)),
 		restHandler.NewCommonRestHanlderImpl,
 		wire.Bind(new(restHandler.CommonRestHanlder), new(*restHandler.CommonRestHanlderImpl)),
+		
 		util.NewGitCliUtil,
 
 		router.NewTelemetryRouterImpl,

api/apiToken/ApiTokenRestHandler.go

@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 2020 Devtron Labs
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package apiToken
+
+import (
+	"encoding/json"
+	openapi "github.com/devtron-labs/devtron/api/openapi/openapiClient"
+	"github.com/devtron-labs/devtron/api/restHandler/common"
+	"github.com/devtron-labs/devtron/pkg/apiToken"
+	"github.com/devtron-labs/devtron/pkg/user"
+	"github.com/devtron-labs/devtron/pkg/user/casbin"
+	"github.com/gorilla/mux"
+	"github.com/juju/errors"
+	"go.uber.org/zap"
+	"gopkg.in/go-playground/validator.v9"
+	"net/http"
+	"strconv"
+)
+
+type ApiTokenRestHandler interface {
+	GetAllApiTokens(w http.ResponseWriter, r *http.Request)
+	CreateApiToken(w http.ResponseWriter, r *http.Request)
+	UpdateApiToken(w http.ResponseWriter, r *http.Request)
+	DeleteApiToken(w http.ResponseWriter, r *http.Request)
+}
+
+type ApiTokenRestHandlerImpl struct {
+	logger          *zap.SugaredLogger
+	apiTokenService apiToken.ApiTokenService
+	userService     user.UserService
+	enforcer        casbin.Enforcer
+	validator       *validator.Validate
+}
+
+func NewApiTokenRestHandlerImpl(logger *zap.SugaredLogger, apiTokenService apiToken.ApiTokenService, userService user.UserService,
+	enforcer casbin.Enforcer, validator *validator.Validate) *ApiTokenRestHandlerImpl {
+	return &ApiTokenRestHandlerImpl{
+		logger:          logger,
+		apiTokenService: apiTokenService,
+		userService:     userService,
+		enforcer:        enforcer,
+		validator:       validator,
+	}
+}
+
+func (impl ApiTokenRestHandlerImpl) GetAllApiTokens(w http.ResponseWriter, r *http.Request) {
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	// service call
+	res, err := impl.apiTokenService.GetAllActiveApiTokens()
+	if err != nil {
+		impl.logger.Errorw("service err, GetAllActiveApiTokens", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
+func (impl ApiTokenRestHandlerImpl) CreateApiToken(w http.ResponseWriter, r *http.Request) {
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	// decode request
+	decoder := json.NewDecoder(r.Body)
+	var request *openapi.CreateApiTokenRequest
+	err = decoder.Decode(&request)
+	if err != nil {
+		impl.logger.Errorw("err in decoding request in CreateApiToken", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// validate request
+	err = impl.validator.Struct(request)
+	if err != nil {
+		impl.logger.Errorw("validation err in CreateApiToken", "err", err, "request", request)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	if len(*request.Name) == 0 {
+		common.WriteJsonResp(w, errors.New("name cannot be blank in the request"), nil, http.StatusBadRequest)
+		return
+	}
+	if len(*request.Description) == 0 {
+		common.WriteJsonResp(w, errors.New("description cannot be blank in the request"), nil, http.StatusBadRequest)
+		return
+	}
+
+	// service call
+	res, err := impl.apiTokenService.CreateApiToken(request, userId)
+	if err != nil {
+		impl.logger.Errorw("service err, CreateApiToken", "err", err, "payload", request)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
+func (impl ApiTokenRestHandlerImpl) UpdateApiToken(w http.ResponseWriter, r *http.Request) {
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	// get api-token Id
+	vars := mux.Vars(r)
+	apiTokenId, err := strconv.Atoi(vars["id"])
+	if err != nil {
+		impl.logger.Errorw("request err in getting apiTokenId in UpdateApiToken", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// decode request
+	decoder := json.NewDecoder(r.Body)
+	var request *openapi.UpdateApiTokenRequest
+	err = decoder.Decode(&request)
+	if err != nil {
+		impl.logger.Errorw("err in decoding request, UpdateApiToken", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	// validate request
+	err = impl.validator.Struct(request)
+	if err != nil {
+		impl.logger.Errorw("validation err in UpdateApiToken", "err", err, "request", request)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	if len(*request.Description) == 0 {
+		common.WriteJsonResp(w, errors.New("description cannot be blank in the request"), nil, http.StatusBadRequest)
+		return
+	}
+
+	res, err := impl.apiTokenService.UpdateApiToken(apiTokenId, request, userId)
+	if err != nil {
+		impl.logger.Errorw("service err, UpdateApiToken", "err", err, "apiTokenId", apiTokenId, "request", request)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}
+
+func (impl ApiTokenRestHandlerImpl) DeleteApiToken(w http.ResponseWriter, r *http.Request) {
+	userId, err := impl.userService.GetLoggedInUser(r)
+	if userId == 0 || err != nil {
+		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
+		return
+	}
+
+	// handle super-admin RBAC
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
+
+	// get api-token Id
+	vars := mux.Vars(r)
+	apiTokenId, err := strconv.Atoi(vars["id"])
+	if err != nil {
+		impl.logger.Errorw("request err in getting apiTokenId in DeleteApiToken", "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+
+	res, err := impl.apiTokenService.DeleteApiToken(apiTokenId, userId)
+	if err != nil {
+		impl.logger.Errorw("service err, DeleteApiToken", "err", err, "apiTokenId", apiTokenId)
+		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
+		return
+	}
+	common.WriteJsonResp(w, err, res, http.StatusOK)
+}

api/apiToken/ApiTokenRouter.go

@@ -0,0 +1,24 @@
+package apiToken
+
+import (
+	"github.com/gorilla/mux"
+)
+
+type ApiTokenRouter interface {
+	InitApiTokenRouter(configRouter *mux.Router)
+}
+
+type ApiTokenRouterImpl struct {
+	apiTokenRestHandler ApiTokenRestHandler
+}
+
+func NewApiTokenRouterImpl(apiTokenRestHandler ApiTokenRestHandler) *ApiTokenRouterImpl {
+	return &ApiTokenRouterImpl{apiTokenRestHandler: apiTokenRestHandler}
+}
+
+func (impl ApiTokenRouterImpl) InitApiTokenRouter(configRouter *mux.Router) {
+	configRouter.Path("").HandlerFunc(impl.apiTokenRestHandler.GetAllApiTokens).Methods("GET")
+	configRouter.Path("").HandlerFunc(impl.apiTokenRestHandler.CreateApiToken).Methods("POST")
+	configRouter.Path("/{id}").HandlerFunc(impl.apiTokenRestHandler.UpdateApiToken).Methods("PUT")
+	configRouter.Path("/{id}").HandlerFunc(impl.apiTokenRestHandler.DeleteApiToken).Methods("DELETE")
+}

api/apiToken/wire_apiToken.go

@@ -0,0 +1,17 @@
+package apiToken
+
+import (
+	"github.com/devtron-labs/devtron/pkg/apiToken"
+	"github.com/google/wire"
+)
+
+var ApiTokenWireSet = wire.NewSet(
+	apiToken.NewApiTokenRepositoryImpl,
+	wire.Bind(new(apiToken.ApiTokenRepository), new(*apiToken.ApiTokenRepositoryImpl)),
+	apiToken.NewApiTokenServiceImpl,
+	wire.Bind(new(apiToken.ApiTokenService), new(*apiToken.ApiTokenServiceImpl)),
+	NewApiTokenRestHandlerImpl,
+	wire.Bind(new(ApiTokenRestHandler), new(*ApiTokenRestHandlerImpl)),
+	NewApiTokenRouterImpl,
+	wire.Bind(new(ApiTokenRouter), new(*ApiTokenRouterImpl)),
+)

api/apiToken/wire_apiTokenSecret.go

@@ -0,0 +1,13 @@
+package apiToken
+
+import (
+	apiTokenAuth "github.com/devtron-labs/authenticator/apiToken"
+	"github.com/devtron-labs/devtron/pkg/apiToken"
+	"github.com/google/wire"
+)
+
+var ApiTokenSecretWireSet = wire.NewSet(
+	apiTokenAuth.InitApiTokenSecretStore,
+	apiToken.NewApiTokenSecretServiceImpl,
+	wire.Bind(new(apiToken.ApiTokenSecretService), new(*apiToken.ApiTokenSecretServiceImpl)),
+)

api/bean/UserRequest.go

@@ -17,7 +17,10 @@
 
 package bean
 
-import "encoding/json"
+import (
+	"encoding/json"
+	"time"
+)
 
 type UserRole struct {
 	Id      int32  `json:"id" validate:"number"`
@@ -26,16 +29,19 @@ type UserRole struct {
 }
 
 type UserInfo struct {
-	Id          int32        `json:"id" validate:"number"`
-	EmailId     string       `json:"email_id" validate:"required"`
-	Roles       []string     `json:"roles,omitempty"`
-	AccessToken string       `json:"access_token,omitempty"`
-	Exist       bool         `json:"-"`
-	UserId      int32        `json:"-"` // created or modified user id
-	RoleFilters []RoleFilter `json:"roleFilters"`
-	Status      string       `json:"status,omitempty"`
-	Groups      []string     `json:"groups"`
-	SuperAdmin  bool         `json:"superAdmin,notnull"`
+	Id           int32        `json:"id" validate:"number"`
+	EmailId      string       `json:"email_id" validate:"required"`
+	Roles        []string     `json:"roles,omitempty"`
+	AccessToken  string       `json:"access_token,omitempty"`
+	UserType     string       `json:"-"`
+	LastUsedAt   time.Time    `json:"-"`
+	LastUsedByIp string       `json:"-"`
+	Exist        bool         `json:"-"`
+	UserId       int32        `json:"-"` // created or modified user id
+	RoleFilters  []RoleFilter `json:"roleFilters"`
+	Status       string       `json:"status,omitempty"`
+	Groups       []string     `json:"groups"`
+	SuperAdmin   bool         `json:"superAdmin,notnull"`
 }
 
 type RoleGroup struct {
@@ -95,3 +101,5 @@ const (
 
 const SUPERADMIN = "role:super-admin___"
 const APP_ACCESS_TYPE_HELM = "helm-app"
+
+const USER_TYPE_API_TOKEN = "apiToken"