Allow usersFile to be specified for basic or digest auth

[krancour]

Closes #1055

[krancour]

Possible someone can review this? I think it's a straightforward change.

[emilevauge]

LGTM!
Thanks @krancour :)
/cc @containous/traefik

[timoreimann]

By direct, you mean auth information embedded in the request?

Shouldn't the direct specifications have precedence, similar to CLI arguments usually taking precedence over file or environment variable configuration settings?

[krancour]

By direct, you mean auth information embedded in the request?

I'm not sure what request you are referring to. This is configuration. The users can be specified directly in the toml (as is done currently) or (after this PR) in a file, which you reference in the toml (i.e. indirectly).

[timoreimann]

Apologies, I got confused.

Maybe it makes sense to distinguish the two file types more clearly in the documentation by extending the sentence in line 554 like (emphasis by me)

Users can be specified directly in the toml file, or indirectly by referencing an external file;

WDYT?

[krancour]

Sure. That seems like a reasonable change. Will do.

[timoreimann]

Should we check basic for nil?

[krancour]

If you look at where this function is invoked, basic is known not to be nil before this function is called.

[timoreimann]

You're right.

[timoreimann]

Check for nil?

[krancour]

As with parserBasicUsers() function, there's no need to check because this function is already only invoked under circumstances where the argument known not to be nil.

[timoreimann]

👍

[timoreimann]

Why do we need this?

[krancour]

Because the strings (lines from a file) that we get back from getUserStringsFromFile() can legitimately contain blank lines. Those need to be discarded since there's no username / password information we can parse out of an empty string.

[timoreimann]

Makes sense. Do we possibly also need to skip whitespace-only lines?

Also, do we test this case somewhere?

[krancour]

Yes... I will amend this to trim the line before checking if it's an empty string. Nice catch. As for the tests, there is already trailing blank line... the tests actually failed before the lines above were added.

[timoreimann]

👌

[timoreimann]

The reading logic is identical to the part above, right? Could we move it straight into getUserStringsFromFile (maybe with adjusted function signature)?

[krancour]

I'm not sure I understand the question. getUserStringsFromFile() just returns the a slice of strings where each string is a single line from the file. What follows the invocation of that function is logic for decomposing each of those strings into user and password (for basic auth) or user, password, and realm (for digest auth). The logic for those two is, necessarily, different. I'm not sure I can spot here what you are perceiving to be a missed opportunity to factor out more common code.

[timoreimann]

At first sight, lines 69 to 81 and 92 to 104 seem to match up quite well. On a second look, the reason why we seemingly cannot extract these parts into a common function (possibly getUserStringsFromFile()) easily is because we use two different types (types.Basic and types.Digest) that are structurally equivalent. While I can't see why they have to be distinct, I admit it might be better to keep it this way for now (mostly because it's not clear to me what the struct field tags do exactly).

We could still extend getUserStringsFromFile() to filter out empty strings. I'll leave the decision up to you.

[krancour]

Ok. And I agree that maybe two types aren't needed for basic and digest. That design decision should be revisited separately from this PR maybe? But for now... ya... I agree that the function that reads lines should probably filter out the blanks so that bit of logic doesn't have to be repeated in two other places. Good call.

[timoreimann]

Agreed, let's leave the basic / digest type design decision to a different time and PR.

[timoreimann]

How about turning the two tests into a single one using test tables? They look pretty identical except for a few parts.

[krancour]

Wouldn't a table-driven test make sense when the all the inputs (in a given column) are are of the same? Or when the function under test is the same for each row?

In these two tests, the fixtures (inputs) are different types and the functions under test are distinct. i.e. I humbly suggest the similarity between these two tests is on a superficial level and trying to combine these will not be trivial... if accomplished, it's certain to obfuscate what is otherwise some very simple, straightforward test logic.

[timoreimann]

To me, the decision to use a table-driven test or not is determined by the trade-off to be made between the amount of variance that needs to go into the test and the level of duplication you can remove. The two tests do seem to have quite a bit of code in common.

For the sake of comparability, here are the new tests in a table-driven fashion:

func TestAuthUsersFromFile(t *testing.T) {
	tests := []struct {
		authType   string
		usersStr   string
		userKeys   []string
		parserFunc func(fileName string) (map[string]string, error)
	}{
		{
			authType: "basic",
			usersStr: "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/\ntest2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0\n",
			userKeys: []string{"test", "test2"},
			parserFunc: func(fileName string) (map[string]string, error) {
				basic := &types.Basic{
					UsersFile: fileName,
				}
				return parserBasicUsers(basic)
			},
		},
		{
			authType: "digest",
			usersStr: "test:traefik:a2688e031edb4be6a3797f3882655c05 \ntest2:traefik:518845800f9e2bfb1f1f740ec24f074e\n",
			userKeys: []string{"test:traefik", "test2:traefik"},
			parserFunc: func(fileName string) (map[string]string, error) {
				digest := &types.Digest{
					UsersFile: fileName,
				}
				return parserDigestUsers(digest)
			},
		},
	}

	for _, test := range tests {
		test := test
		t.Run(test.authType, func(t *testing.T) {
			t.Parallel()
			usersFile, err := ioutil.TempFile("", "auth-users")
			assert.NoError(t, err, "there should be no error")
			defer os.Remove(usersFile.Name())
			_, err = usersFile.Write([]byte(test.usersStr))
			assert.NoError(t, err, "there should be no error")
			users, err := test.parserFunc(usersFile.Name())
			assert.NoError(t, err, "there should be no error")
			assert.Equal(t, 2, len(users), "they should be equal")
			_, ok := users[test.userKeys[0]]
			assert.True(t, ok, "user test should be found")
			_, ok = users[test.userKeys[1]]
			assert.True(t, ok, "user test2 should be found")
		})
	}
}

For me, the only thing that tips this from a "pro" table-driven to a "maybe" is, again, the distinct authentication types. If those where the same, parserFunc could be directly assigned to the respective function under test.

Personally, I prefer the table-driven approach in this case. I'm fine with sticking with two tests as well though if you believe that's better.

[krancour]

I'll look into this further. Thanks for the example.

[timoreimann]

Basic and Digest seem type identical. Any particular reason we're not using a single type only?

[krancour]

Neither of those types are introduced by this PR. They existed previously. Your question may be valid, but this PR probably isn't the right venue for revisiting a design decision not made by this PR.

[timoreimann]

Agreed, this case might be too heavy to justify in terms of the boy scout rule.

[timoreimann]

Since this function is just generically loading a file into memory and splitting the content by newlines, should we rather call it something like getLinesFromFile?

[krancour]

That seems reasonable... but should it be moved into some util package then?

[timoreimann]

I'm not aware that we have any (yet). Did a real quick look but couldn't find anything.

I'd say let's keep it in this package for now. Once we see similar call needs surfacing, we can extract into a new library package.

[timoreimann]

Should the prefix be called "digest-users" for the sake of consistency?

[krancour]

Yep. Don't even know how I screwed that up. Good call. Will fix.

[timoreimann]

Found one small test bug in the second round. The rest is mostly debatable. :)

[timoreimann]

This should probably be test2:traefik.

[krancour]

Yep. Will fix. Thanks!

[krancour]

@timoreimann every actionable thing we discussed has been addressed now. Thank you for the help! Possible to re-review?

[emilevauge]

@krancour Could you also complete traefik.sample.toml?

[timoreimann]

This just creates an empty slice, correct? Any reason not to use a (IMHO) more clear var filteredLines []string instead?

[krancour]

I read somewhere that I could bypass an allocation this way. It's allegedly marginally faster. If you want to take that small hit for the sake of clarity, I am not opposed. Just let me know.

[krancour]

Has something to do with the array backing the first slice being reused for the second slice... I'll be honest, it sounds suspicious.

[timoreimann]

Ah, ok, I think I get the performance point. Nevertheless, I'd say let's go with the clearer approach unless there's true reason to be believe we need to micro-optimize.

[krancour]

@timoreimann, fixed.

[krancour]

@timoreimann back to a state of all actionable discussion points having been addressed.

[timoreimann]

Looking very good!

I think all that's left to do now is extend the sample file as mentioned by Emile.

[krancour]

Yep... just realized I overlooked that comment. Will do.

[krancour]

Could you also complete traefik.sample.toml?

@emilevauge @timoreimann this has now been addressed.

[timoreimann]

LGTM!