auth: support "authorization" token for grpc-gateway

[hexfusion]

The allows native use of grpc-gateway authorization header, providing direct access to metadata context while using intuitive naming.

Fixes #6643

[heyitsanthony]

avoid looping over all the metadata?

token := ""
if token, ok = md["token"]; !ok {
    token = md["authorization"]
}
if token == "" {
    return nil, nil
}
authInfo, uok := as.authInfoFromToken(ctx, token)
...

[hexfusion]

@heyitsanthony 👍

[heyitsanthony]

will this be clobbered after running scripts/genproto.sh?

[hexfusion]

@heyitsanthony yes, please excuse my ignorance I am just learning how all of this tooling works together. I will research proper solution further.

[xiang90]

if we do want the debugging logging here, it needs to contain more context. checking value in a loop is too vague.

[hexfusion]

@xiang90 yes sir. I will clean this up on my next run, I appreciate the notes.

[mitake]

The already existing key "token" is used because I defined it in here: https://github.com/coreos/etcd/blob/master/clientv3/client.go#L168
If "authorization" cannot be changed because of swagger, I think changing the existing "token" would be good in the future. It breaks compatibility so it cannot be done immediately. Possibly putting a comment of todo would be fine?

[hexfusion]

@mitake grpc-gateway for now only allows direct access to authorization header. This may change if you follow issue. Otherwise I think that token could be used if you passed header Grpc-Metadata-Token but this is not very intuitive. grpc-ecosystem/grpc-gateway#311

So perhaps time will resolve this question. In the meantime I will add your comment

[mitake]

Yes, I don't think unifying the key names immediately. Just putting a comment or opening an issue for a remainder is ok.

[mitake]

@hexfusion thanks a lot for your PR. I think your change can support jwt tokens so the commit title shouldn't say about simple token explicitly.

[hexfusion]

@mitake well I can see that adding these security definitions to the root of swagger is a complicated matter to automate, Currently proto files do not support the definition directly. So using the methods offered by grpc-gateway will not facilitate.

I have found ways of merging swagger json or defining a json/yml stub using go-swagger but this is not ideal either. I would like this to be seamless and not a hack of genproto.sh but that maybe the only option until you decide to move to OpenApi 3 and perhaps protobuf adds support for security definitions compatibe with swagger. My final solution involved using https://goswagger.io/generate/spec/meta.html. This seems interesting concept for automation but again not optimal.

But this is only my discovery if you have other ways please let me know. I will keep digging for now :)

[heyitsanthony]

@hexfusion a hack in genproto.sh that inserts the swagger snippet into the generated json should be OK, the script is already doing some gross stuff to get around inadequate/impossible tooling so the seamless ship has sailed on that one.

Could this also have a curl e2e test like the ones in https://github.com/coreos/etcd/blob/master/e2e/v3_curl_test.go? It'd help as an example for how to use auth with grpc/json in addition to checking it all works via CI.

[hexfusion]

@mitake I created a Go script to append swagger security stubs using https://github.com/go-openapi tools in a programmatic way. Although I could not find a clean way to do this directly using proto files, I feel this is a fair compromise. The downside is the spec tools use a different order then method used by grpc-gateway so the diff is quite large. But this order should stay consistent on future iterations. If this seems reasonable I will finish the curl tests. Finally to deal with missing descriptions as a result of the process I resulted to appending (empty) vs "".

[heyitsanthony]

@hexfusion please rebase this patchset? It's difficult to see how the code differs from master and review.

The approach looks OK but the schwag package should probably checkout to a fixed commit SHA like the other go get packages in the script.

[mitake]

@hexfusion I see, now the script/genproto.sh is updated so I think your way would be acceptable. Do you have any opinions about the change? @xiang90 @heyitsanthony

[heyitsanthony]

@hexfusion OK, this is shaping up. Two last nits:

1. This would be good as just two separate patches:

• auth: support "authorization" token for grpc-gateway (with the auth/store.go changes)
• scripts: generate swagger with authorization support (with the scripts/* and swagger json files)

2. Need a test case in e2e/v3_curl_test.go that tries to access etcd using auth through curl.

Thanks!

[hexfusion]

@heyitsanthony PTAL, thanks!

[heyitsanthony]

testutil.AssertNil(t, err)

[heyitsanthony]

testutil.AssertNil(t, json.Unmarshall([]byte(cURLRes), &authRes))

[hexfusion]

@heyitsanthony thanks for notes, will resolve.

[heyitsanthony]

testutil.AssertNil(t, err)

[heyitsanthony]

testutil.AssertNil(t, err)

[heyitsanthony]

testutil.AssertNil(t, err)

[heyitsanthony]

testutil.AssertNil(t, err)

[heyitsanthony]

testutil.AssertNil(t, err)

[heyitsanthony]

use etcdserverpb.AuthenticationResponse instead of redeclaring?

[heyitsanthony]

revert?

[heyitsanthony]

can replace with testutil.AssertNil

[hexfusion]

@heyitsanthony could you please help me better understand the root of this problem?

https://play.golang.org/p/o-s0_LI9Tr

[gyuho]

@hexfusion Try without double-quotes on numbers inside JSON?

e.g.

{"header":{"cluster_id":8146361247912014845,"member_id":14895263327052482431,...

[hexfusion]

@gyuho right but this is the JSON format returned by curl in the test. I don't believe I can control this format it returns this same quoting if I were to perform the curl command manually.

Appending json:",string" allows this usage, but this I believe would need to be a manual grooming as I don't believe it is supported by proto.

https://play.golang.org/p/W0KBfT_bM5

I guess the main issue is https://developers.google.com/protocol-buffers/docs/proto3#json

The uint64 and int64 types are json strings not numbers.

This is very frustrating :)

[heyitsanthony]

there was some discussion about json output w/r/t 64-bit values on #7396; the decision at the time was to stick to the defaults

[hexfusion]

@heyitsanthony I understand, so could I groom the JSON manually for the test or how to proceeded?

[hexfusion]

perhaps something like this?

    cURLRes, err := proc.ExpectFunc(lineFunc)
    testutil.AssertNil(t, err)

    authRes := make(map[string]interface{})
    testutil.AssertNil(t, json.Unmarshal([]byte(cURLRes), &authRes))

    token, ok := authRes["token"].(string)
    if !ok {
        t.Fatalf("failed invalid token in authenticate response with curl")
    }

[heyitsanthony]

@hexfusion yeah that looks OK

[hexfusion]

@heyitsanthony PTAL, let me know if you need anything else. Thanks!

[heyitsanthony]

lgtm thanks!

[heyitsanthony]

@hexfusion can that Merge branch 'master' into grpc-gateway-auth commit be removed? Then this should be good to merge.

Defer to @mitake

[hexfusion]

@heyitsanthony @mitake ok I rebased but it shows a basic conflict that I resolved causing the merge message last time. So maybe that can be resolved during merge? The change is very obvious. Anyways thanks to all for the assistance and input, very exciting!

[heyitsanthony]

@hexfusion can you rebase on the current master branch? You should be able to resolve the conflict from there (the git SHAs were updated for a newer protobuf version)

[codecov-io]

Codecov Report

❗ No coverage uploaded for pull request base (master@ee0c805). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff            @@
##             master   #7999   +/-   ##
========================================
  Coverage          ?   76.8%           
========================================
  Files             ?     342           
  Lines             ?   26701           
  Branches          ?       0           
========================================
  Hits              ?   20508           
  Misses            ?    4751           
  Partials          ?    1442

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ee0c805...b19e2fa. Read the comment docs.

[hexfusion]

@heyitsanthony you sir are correct, resolved.

[heyitsanthony]

GOGO_PROTO_SHA="100ba4e885062801d56799d78530b73b178a78f3"
GRPC_GATEWAY_SHA="18d159699f2e83fc5bb9ef2f79465ca3f3122676"

otherwise clobbers update from 4ebeba0

[hexfusion]

@heyitsanthony yes I updated, PTAL, thank you!

[xiang90]

@hexfusion thanks. merging.

[davissp14]

Hey guys, are you guys planning on rolling this into 3.2.7?

[heyitsanthony]

@davissp14 it's planned for 3.3; backports are tagged with kind/need-backport