#144 Deliver prometheus auth token via env

botalka/src/main/kotlin/ru/vityaman/lms/botalka/app/spring/security/SpringAuthenticationManager.kt

@@ -0,0 +1,48 @@
+package ru.vityaman.lms.botalka.app.spring.security
+
+import kotlinx.coroutines.reactor.mono
+import org.springframework.security.authentication.ReactiveAuthenticationManager
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
+import org.springframework.security.core.GrantedAuthority
+import org.springframework.stereotype.Component
+import reactor.core.publisher.Mono
+import ru.vityaman.lms.botalka.core.exception.AuthenticationException
+import ru.vityaman.lms.botalka.core.security.auth.AccessToken
+import ru.vityaman.lms.botalka.core.security.auth.Authentication
+import ru.vityaman.lms.botalka.core.security.auth.TokenGuard
+import org.springframework.security.core.Authentication as SpringAuthentication
+
+@Component
+class SpringAuthenticationManager(private val guard: TokenGuard) :
+    ReactiveAuthenticationManager {
+    override fun authenticate(
+        authentication: SpringAuthentication,
+    ): Mono<SpringAuthentication> = mono { doAuthenticate(authentication) }
+
+    private suspend fun doAuthenticate(
+        authentication: SpringAuthentication,
+    ): SpringAuthentication {
+        val credentials = authentication.credentials.toString()
+        val token = AccessToken(credentials)
+        val auth = guard.authenticate(token)
+            ?: throw AuthenticationException("unknown auth token")
+        return converted(auth)
+    }
+
+    private fun converted(auth: Authentication): SpringAuthentication {
+        val roles = emptyList<GrantedAuthority>()
+        return when (auth) {
+            is Authentication.Client -> {
+                UsernamePasswordAuthenticationToken(auth.user, null, roles)
+            }
+
+            is Authentication.Fuzzer -> {
+                UsernamePasswordAuthenticationToken(auth.user, null, roles)
+            }
+
+            Authentication.Monitoring -> {
+                UsernamePasswordAuthenticationToken(null, null, null)
+            }
+        }
+    }
+}

botalka/src/main/kotlin/ru/vityaman/lms/botalka/app/spring/security/SpringJwtContextRepository.kt

@@ -17,7 +17,7 @@ import ru.vityaman.lms.botalka.core.exception.DomainException
 @Component
 class SpringJwtContextRepository(
     private val marshalling: DomainExceptionMarshalling,
-    private val authManager: SpringJwtAuthManager,
+    private val authManager: SpringAuthenticationManager,
 ) : ServerSecurityContextRepository {
     private val headerName = HttpHeaders.AUTHORIZATION
     private val bearerPrefix = "Bearer "

botalka/src/main/kotlin/ru/vityaman/lms/botalka/app/spring/security/SpringSecurityConfig.kt

@@ -18,7 +18,7 @@ private typealias And = AndServerWebExchangeMatcher
 @Configuration
 @EnableWebFluxSecurity
 class SpringSecurityConfig(
-    private val authManager: SpringJwtAuthManager,
+    private val authManager: SpringAuthenticationManager,
     private val contextRepository: SpringJwtContextRepository,
 ) {
     @Bean

botalka/src/main/kotlin/ru/vityaman/lms/botalka/app/spring/security/SpringTokenGuard.kt

@@ -0,0 +1,22 @@
+package ru.vityaman.lms.botalka.app.spring.security
+
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.stereotype.Component
+import ru.vityaman.lms.botalka.core.logic.UserService
+import ru.vityaman.lms.botalka.core.security.auth.CombinedTokenGuard
+import ru.vityaman.lms.botalka.core.security.auth.JwtClientTokenGuard
+import ru.vityaman.lms.botalka.core.security.auth.MonitoringTokenGuard
+import ru.vityaman.lms.botalka.core.security.auth.TokenGuard
+import ru.vityaman.lms.botalka.core.security.auth.TokenService
+
+@Component
+class SpringTokenGuard(
+    tokens: TokenService,
+    users: UserService,
+
+    @Value("\${security.token.special.monitoring}")
+    monitoringToken: String,
+) : TokenGuard by CombinedTokenGuard(
+    MonitoringTokenGuard(monitoringToken),
+    JwtClientTokenGuard(tokens, users),
+)

botalka/src/main/kotlin/ru/vityaman/lms/botalka/core/security/auth/TokenGuard.kt

@@ -0,0 +1,55 @@
+package ru.vityaman.lms.botalka.core.security.auth
+
+import ru.vityaman.lms.botalka.core.exception.AuthenticationException
+import ru.vityaman.lms.botalka.core.exception.orNotFound
+import ru.vityaman.lms.botalka.core.logic.UserService
+import ru.vityaman.lms.botalka.core.model.User
+
+sealed class Authentication {
+    data object Monitoring : Authentication()
+    data class Fuzzer(val user: User) : Authentication()
+    data class Client(val user: User) : Authentication()
+}
+
+interface TokenGuard {
+    suspend fun authenticate(token: AccessToken): Authentication?
+}
+
+class MonitoringTokenGuard(private val reference: String) : TokenGuard {
+    override suspend fun authenticate(
+        token: AccessToken,
+    ): Authentication.Monitoring? =
+        if (token.text == reference) {
+            Authentication.Monitoring
+        } else {
+            null
+        }
+}
+
+class JwtClientTokenGuard(
+    private val tokens: TokenService,
+    private val users: UserService,
+) : TokenGuard {
+    override suspend fun authenticate(
+        token: AccessToken,
+    ): Authentication.Client {
+        val payload = tokens.decode(token)
+        val user = users.getById(payload.userId)
+            .orNotFound("user with id ${payload.userId}")
+        return Authentication.Client(user)
+    }
+}
+
+class CombinedTokenGuard(vararg guards: TokenGuard) : TokenGuard {
+    private val guards = guards.toList()
+
+    override suspend fun authenticate(token: AccessToken): Authentication {
+        for (guard in guards) {
+            val auth = guard.authenticate(token)
+            if (auth != null) {
+                return auth
+            }
+        }
+        throw AuthenticationException("Unknown authentication token kind")
+    }
+}

botalka/src/main/resources/application-test.yml

@@ -2,6 +2,8 @@ security:
   token:
     signing:
       secret: lms0security0token0signing0key0secret0very0very0very0long
+    special:
+      monitoring: prometheus-top-top-top-secret-token
 external:
   service:
     yandex:

botalka/src/main/resources/application.yml

@@ -62,6 +62,8 @@ security:
     signing:
       secret: ${LMS_SECURITY_TOKEN_SIGNING_SECRET}
     duration: PT2H
+    special:
+      monitoring: ${LMS_PROMETHEUS_ACCESS_TOKEN}
 external:
   service:
     yandex:

compose.yml

@@ -27,6 +27,7 @@ services:
       LMS_SECURITY_TOKEN_SIGNING_SECRET: ${LMS_SECURITY_TOKEN_SIGNING_SECRET?:err}
       LMS_TEST_TELEGRAM_BOT_API_TOKEN: ${LMS_TEST_TELEGRAM_BOT_API_TOKEN?:err}
       LMS_TEST_TELEGRAM_ADMIN_CHAT_ID: ${LMS_TEST_TELEGRAM_ADMIN_CHAT_ID?:err}
+      LMS_PROMETHEUS_ACCESS_TOKEN: ${LMS_PROMETHEUS_ACCESS_TOKEN?:err}
     networks:
       - lms-network
     depends_on:

infra/env/setup.sh

@@ -0,0 +1,7 @@
+cd "$(dirname "$0")"/../.. || exit
+
+. ./infra/env/local.sh
+. ./infra/env/secret.sh
+
+LMS_PROMETHEUS_ACCESS_TOKEN="$(bash ./infra/prometheus/extract_token.bash)"
+export LMS_PROMETHEUS_ACCESS_TOKEN

infra/prometheus/extract_token.bash

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -e
+
+cd "$(dirname "$0")"/../..  || exit
+
+TOKEN="$(awk '$1=="credentials:"{print $2}' infra/prometheus/prometheus.yml)"
+TOKEN="${TOKEN:1:${#TOKEN} - 2}"
+echo "$TOKEN"