Feature/horusec auth

.github/workflows/auth-pipeline.yml

@@ -0,0 +1,48 @@
+name: HorusecAuthPipeline
+
+on:
+  push:
+    branches: [ "master", "develop" ]
+  pull_request:
+    branches: [ "**" ]
+
+jobs:
+  install-build-test-fmt-lint:
+    name: install-build-test-fmt-lint
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[skip ci]')"
+    steps:
+      - name: Set up Go 1.14
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.14
+        id: go
+      - name: Check out code
+        uses: actions/checkout@v2
+      - name: Setup External Dependences
+        run: COMPOSE_FILE_NAME="docker-compose.test.yaml" make compose
+      - name: fmt
+        run: |
+          echo "==> Checking that code complies with gofmt requirements..."
+          gofmt_files=$(gofmt -l `find ./horusec-auth -name '*.go' | grep -v vendor`)
+          echo $gofmt_files
+          if [ ! -z $gofmt_files ]; then
+              echo 'gofmt needs running on the following files:'
+              echo "$gofmt_files"
+              echo "You can use the command: \`gofmt -w \$(gofmt -l \'find ./horusec-auth -name \'*.go\' | grep -v vendor)\` to reformat code."
+              exit 1
+          fi
+          echo "=) The project horusec-auth it's OK!"
+      - name: lint
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s v1.25.0
+          ./bin/golangci-lint run -v --timeout=2m -c .golangci.yml ./horusec-auth/...
+      - name: test
+        run: |
+          go clean -testcache
+          go test -v ./horusec-auth/... -timeout=2m -parallel=1 -failfast -short
+      - name: coverage
+        run: make coverage-horusec-auth
+      - name: build
+        run: go build -o "./tmp/bin/horusec-auth" ./horusec-auth/cmd/app/main.go
+

.github/workflows/security-pipeline.yml

@@ -18,7 +18,7 @@ jobs:
         shell: bash
         run: |
           curl -fsSL https://horusec-cli.s3.amazonaws.com/install.sh | bash
-          horusec start -p="./"
+          horusec start -p="./" -e="true"
       - name: Running Horusec Security Running current version
         shell: bash
         run: |

Makefile

@@ -8,7 +8,7 @@ fmt:
 	$(GOFMT) -w $(GOFMT_FILES)
 
 # Run converage with threshold
-coverage: coverage-development-kit coverage-horusec-api coverage-horusec-cli coverage-horusec-messages coverage-horusec-account coverage-horusec-analytic
+coverage: coverage-development-kit coverage-horusec-api coverage-horusec-cli coverage-horusec-messages coverage-horusec-account coverage-horusec-analytic coverage-horusec-auth
 
 coverage-development-kit:
 	chmod +x deployments/scripts/coverage.sh
@@ -28,6 +28,9 @@ coverage-horusec-account:
 coverage-horusec-analytic:
 	chmod +x deployments/scripts/coverage.sh
 	deployments/scripts/coverage.sh 98 "./horusec-analytic"
+coverage-horusec-auth:
+	chmod +x deployments/scripts/coverage.sh
+	deployments/scripts/coverage.sh 99 "./horusec-auth"
 
 # Check lint of project setup on file .golangci.yml
 lint:

deployments/docker-compose.dev.yaml

@@ -60,6 +60,22 @@ services:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
       HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
+  horusec-auth:
+    build:
+      context: ../
+      dockerfile: ./horusec-auth/deployments/Dockerfile.dev
+    depends_on:
+      - postgresql
+    restart: always
+    container_name: horusec-auth
+    ports:
+      - "8006:8006"
+    environment:
+      HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
+      HORUSEC_DATABASE_SQL_DIALECT: "postgres"
+      HORUSEC_AUTH_TYPE: "horusec"
+      HORUSEC_JWT_SECRET_KEY: "horusec-secret"
   horusec-analytic:
     build:
       context: ../
@@ -73,6 +89,7 @@ services:
     environment:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-api:
     build:
       context: ../
@@ -92,6 +109,7 @@ services:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
       HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-manager:
     build:
       context: ../

deployments/docker-compose.test.yaml

@@ -63,6 +63,26 @@ services:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
       HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
+  horusec-auth:
+    build:
+      context: ../
+      dockerfile: ./horusec-auth/deployments/Dockerfile
+    depends_on:
+      - postgresql
+    restart: always
+    container_name: horusec-auth
+    ports:
+      - "8006:8006"
+    environment:
+      HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
+      HORUSEC_DATABASE_SQL_DIALECT: "postgres"
+      HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_TYPE: "horusec"
+      HORUSEC_KEYCLOAK_BASE_PATH: ${HORUSEC_KEYCLOAK_BASE_PATH}
+      HORUSEC_KEYCLOAK_CLIENT_ID: ${HORUSEC_KEYCLOAK_CLIENT_ID}
+      HORUSEC_KEYCLOAK_CLIENT_SECRET: ${HORUSEC_KEYCLOAK_CLIENT_SECRET}
+      HORUSEC_KEYCLOAK_REALM: ${HORUSEC_KEYCLOAK_REALM}
   horusec-analytic:
     build:
       context: ../
@@ -76,6 +96,7 @@ services:
     environment:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-api:
     build:
       context: ../
@@ -91,6 +112,7 @@ services:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
       HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-manager:
     build:
       context: ../

deployments/docker-compose.yaml

@@ -39,6 +39,19 @@ services:
       HORUSEC_SMTP_HOST: "smtp.mailtrap.io"
       HORUSEC_SMTP_PORT: "2525"
       HORUSEC_EMAIL_FROM: "horusec@zup.com.br"
+  horusec-auth:
+    image: horuszup/horusec-auth:latest
+    depends_on:
+      - postgresql
+    restart: always
+    container_name: horusec-auth
+    ports:
+      - "8006:8006"
+    environment:
+      HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
+      HORUSEC_DATABASE_SQL_DIALECT: "postgres"
+      HORUSEC_AUTH_TYPE: "horusec"
+      HORUSEC_JWT_SECRET_KEY: "horusec-secret"
   horusec-account:
     image: horuszup/horusec-account:latest
     depends_on:
@@ -57,6 +70,7 @@ services:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
       HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-analytic:
     image: horuszup/horusec-analytic:latest
     depends_on:
@@ -68,6 +82,7 @@ services:
     environment:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-api:
     image: horuszup/horusec-api:latest
     depends_on:
@@ -81,6 +96,7 @@ services:
       HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@postgresql:5432/horusec_db?sslmode=disable"
       HORUSEC_DATABASE_SQL_DIALECT: "postgres"
       HORUSEC_JWT_SECRET_KEY: "horusec-secret"
+      HORUSEC_AUTH_URL: "http://horusec-auth:8006"
   horusec-manager:
     image: horuszup/horusec-manager:latest
     restart: always

vendor/github.com/prometheus/procfs/internal/util/sysreadfile_compat.go → development-kit/pkg/entities/account/keycloak_token.go

@@ -1,26 +1,36 @@
-// Copyright 2019 The Prometheus Authors
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-// http://www.apache.org/licenses/LICENSE-2.0
+//     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-// +build linux,appengine !linux
-
-package util
+package account
 
 import (
-	"fmt"
+	"encoding/json"
+
+	validation "github.com/go-ozzo/ozzo-validation/v4"
 )
 
-// SysReadFile is here implemented as a noop for builds that do not support
-// the read syscall. For example Windows, or Linux on Google App Engine.
-func SysReadFile(file string) (string, error) {
-	return "", fmt.Errorf("not supported on this platform")
+type KeycloakToken struct {
+	AccessToken string `json:"accessToken"`
+}
+
+func (l *KeycloakToken) Validate() error {
+	return validation.ValidateStruct(l,
+		validation.Field(&l.AccessToken, validation.Required),
+	)
+}
+
+func (l *KeycloakToken) ToBytes() []byte {
+	bytes, _ := json.Marshal(l)
+	return bytes
 }

development-kit/pkg/entities/account/keycloak_token_test.go

@@ -0,0 +1,39 @@
+// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package account
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestKeycloakTokenToBytes(t *testing.T) {
+	t.Run("should success parse to bytes", func(t *testing.T) {
+		keyCloakToken := &KeycloakToken{}
+		assert.NotEmpty(t, keyCloakToken.ToBytes())
+	})
+}
+
+func TestKeycloakTokenValidate(t *testing.T) {
+	t.Run("should return no error when not empty", func(t *testing.T) {
+		keyCloakToken := &KeycloakToken{AccessToken: "test"}
+		assert.NoError(t, keyCloakToken.Validate())
+	})
+
+	t.Run("should return error when empty access token", func(t *testing.T) {
+		keyCloakToken := &KeycloakToken{}
+		assert.Error(t, keyCloakToken.Validate())
+	})
+}

development-kit/pkg/entities/account/roles/account_company.go

@@ -61,3 +61,7 @@ func (a *AccountCompany) SetCompanyAndAccountID(companyID, accountID uuid.UUID)
 	a.AccountID = accountID
 	return a
 }
+
+func (a *AccountCompany) IsNotAdmin() bool {
+	return a.Role != accountEnums.Admin
+}

development-kit/pkg/entities/account/roles/account_company_test.go

@@ -71,3 +71,15 @@ func TestSetCompanyAndAccountID(t *testing.T) {
 		assert.NotEmpty(t, accountCompany.AccountID)
 	})
 }
+
+func TestIsNotAdmin(t *testing.T) {
+	t.Run("should return true when its not admin", func(t *testing.T) {
+		accountCompany := &AccountCompany{Role: "member"}
+		assert.True(t, accountCompany.IsNotAdmin())
+	})
+
+	t.Run("should return false when is admin", func(t *testing.T) {
+		accountCompany := &AccountCompany{Role: "admin"}
+		assert.False(t, accountCompany.IsNotAdmin())
+	})
+}

development-kit/pkg/entities/account/roles/account_repository.go

@@ -62,3 +62,11 @@ func (a *AccountRepository) SetRepositoryAndAccountID(repositoryID, accountID uu
 	a.AccountID = accountID
 	return a
 }
+
+func (a *AccountRepository) IsNotSupervisorOrAdmin() bool {
+	return a.Role != accountEnums.Supervisor && a.Role != accountEnums.Admin
+}
+
+func (a *AccountRepository) IsNotAdmin() bool {
+	return a.Role != accountEnums.Admin
+}

development-kit/pkg/entities/account/roles/account_repository_test.go

@@ -71,3 +71,30 @@ func TestSetRepositoryAndAccountID(t *testing.T) {
 		assert.NotEqual(t, uuid.UUID{}, accountRepository.AccountID)
 	})
 }
+
+func TestIsNotSupervisorOrAdmin(t *testing.T) {
+	t.Run("should return true when its not admin or supervisor", func(t *testing.T) {
+		accountRepository := &AccountRepository{Role: "member"}
+		assert.True(t, accountRepository.IsNotSupervisorOrAdmin())
+	})
+
+	t.Run("should return false when is admin or supervisor", func(t *testing.T) {
+		accountRepository := &AccountRepository{Role: "admin"}
+		assert.False(t, accountRepository.IsNotSupervisorOrAdmin())
+
+		accountRepository = &AccountRepository{Role: "supervisor"}
+		assert.False(t, accountRepository.IsNotSupervisorOrAdmin())
+	})
+}
+
+func TestIsNotAdminRepository(t *testing.T) {
+	t.Run("should return true when its not admin", func(t *testing.T) {
+		accountRepository := &AccountRepository{Role: "member"}
+		assert.True(t, accountRepository.IsNotAdmin())
+	})
+
+	t.Run("should return false when is admin ", func(t *testing.T) {
+		accountRepository := &AccountRepository{Role: "admin"}
+		assert.False(t, accountRepository.IsNotAdmin())
+	})
+}