feat: supporting namespaced auth tokens

build/testing/integration/api/authenticated.go

@@ -34,15 +34,30 @@ func Authenticated(t *testing.T, client sdk.SDK) {
 		t.Run("Static Token", func(t *testing.T) {
 			t.Log(`Create token.`)
 
-			resp, err := client.Auth().AuthenticationMethodTokenService().CreateToken(ctx, &auth.CreateTokenRequest{
-				Name:        "Access Token",
-				Description: "Some kind of access token.",
+			t.Run("With name and description", func(t *testing.T) {
+				resp, err := client.Auth().AuthenticationMethodTokenService().CreateToken(ctx, &auth.CreateTokenRequest{
+					Name:        "Access Token",
+					Description: "Some kind of access token.",
+				})
+				require.NoError(t, err)
+
+				assert.NotEmpty(t, resp.ClientToken)
+				assert.Equal(t, "Access Token", resp.Authentication.Metadata["io.flipt.auth.token.name"])
+				assert.Equal(t, "Some kind of access token.", resp.Authentication.Metadata["io.flipt.auth.token.description"])
 			})
-			require.NoError(t, err)
 
-			assert.NotEmpty(t, resp.ClientToken)
-			assert.Equal(t, "Access Token", resp.Authentication.Metadata["io.flipt.auth.token.name"])
-			assert.Equal(t, "Some kind of access token.", resp.Authentication.Metadata["io.flipt.auth.token.description"])
+			t.Run("With name and namespaceKey", func(t *testing.T) {
+				resp, err := client.Auth().AuthenticationMethodTokenService().CreateToken(ctx, &auth.CreateTokenRequest{
+					Name:         "Scoped Access Token",
+					NamespaceKey: "some-namespace",
+				})
+				require.NoError(t, err)
+
+				assert.NotEmpty(t, resp.ClientToken)
+				assert.Equal(t, "Scoped Access Token", resp.Authentication.Metadata["io.flipt.auth.token.name"])
+				assert.Empty(t, resp.Authentication.Metadata["io.flipt.auth.token.description"])
+				assert.Equal(t, "some-namespace", resp.Authentication.Metadata["io.flipt.auth.token.namespace"])
+			})
 		})
 
 		t.Run("Expire Self", func(t *testing.T) {

config/local.yml

@@ -10,6 +10,21 @@ log:
 # ui:
 #   enabled: true
 
+# authentication:
+#   required: false
+#   session:
+#     domain: "localhost:8080"
+#     secure: false
+#   methods:
+#     token:
+#       enabled: true
+#       bootstrap:
+#         token: "secret"
+#         expiration: 24h
+#       cleanup:
+#         interval: 2h
+#         grace_period: 48h
+
 cors:
   enabled: true
   allowed_origins: ["*"]

internal/cmd/auth.go

@@ -167,6 +167,10 @@ func authenticationGRPC(
 			interceptors = append(interceptors, auth.EmailMatchingInterceptor(logger, rgxs))
 		}
 
+		if authCfg.Methods.Token.Enabled {
+			interceptors = append(interceptors, auth.NamespaceMatchingInterceptor(logger))
+		}
+
 		logger.Info("authentication middleware enabled")
 	}
 

internal/server/auth/method/token/server.go

@@ -13,6 +13,7 @@ import (
 const (
 	storageMetadataNameKey        = "io.flipt.auth.token.name"
 	storageMetadataDescriptionKey = "io.flipt.auth.token.description"
+	storageMetadataNamespaceKey   = "io.flipt.auth.token.namespace"
 )
 
 // Server is an implementation of auth.AuthenticationMethodTokenServiceServer
@@ -40,17 +41,25 @@ func (s *Server) RegisterGRPC(server *grpc.Server) {
 // CreateToken adapts and delegates the token request to the backing AuthenticationStore.
 //
 // Implicitly, the Authentication created will be of type auth.Method_TOKEN.
-// Name and Description are both stored in Authentication.Metadata.
+// Name, Description, and NamespaceKey are both stored in Authentication.Metadata.
 // Given the token is created successfully, the generate clientToken string is returned.
 // Along with the created Authentication, which includes it's identifier and associated timestamps.
 func (s *Server) CreateToken(ctx context.Context, req *auth.CreateTokenRequest) (*auth.CreateTokenResponse, error) {
+	metadata := map[string]string{
+		storageMetadataNameKey: req.GetName(),
+	}
+
+	if req.GetDescription() != "" {
+		metadata[storageMetadataDescriptionKey] = req.GetDescription()
+	}
+	if req.GetNamespaceKey() != "" {
+		metadata[storageMetadataNamespaceKey] = req.GetNamespaceKey()
+	}
+
 	clientToken, authentication, err := s.store.CreateAuthentication(ctx, &storageauth.CreateAuthenticationRequest{
 		Method:    auth.Method_METHOD_TOKEN,
 		ExpiresAt: req.ExpiresAt,
-		Metadata: map[string]string{
-			storageMetadataNameKey:        req.GetName(),
-			storageMetadataDescriptionKey: req.GetDescription(),
-		},
+		Metadata:  metadata,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("attempting to create token: %w", err)

internal/server/auth/method/token/server_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	middleware "go.flipt.io/flipt/internal/server/middleware/grpc"
@@ -27,7 +26,7 @@ func TestServer(t *testing.T) {
 		store    = memory.NewStore()
 		listener = bufconn.Listen(1024 * 1024)
 		server   = grpc.NewServer(
-			grpc_middleware.WithUnaryServerChain(
+			grpc.ChainUnaryInterceptor(
 				middleware.ErrorUnaryInterceptor,
 			),
 		)
@@ -65,15 +64,17 @@ func TestServer(t *testing.T) {
 
 	// attempt to create token
 	resp, err := client.CreateToken(ctx, &auth.CreateTokenRequest{
-		Name:        "access_all_areas",
-		Description: "Super secret skeleton key",
+		Name:         "access_all_areas",
+		Description:  "Super secret skeleton key",
+		NamespaceKey: "my-namespace",
 	})
 	require.NoError(t, err)
 
 	// assert auth is as expected
 	metadata := resp.Authentication.Metadata
 	assert.Equal(t, "access_all_areas", metadata["io.flipt.auth.token.name"])
 	assert.Equal(t, "Super secret skeleton key", metadata["io.flipt.auth.token.description"])
+	assert.Equal(t, "my-namespace", metadata["io.flipt.auth.token.namespace"])
 
 	// ensure client token can be used on store to fetch authentication
 	// and that the authentication returned matches the one received
@@ -94,5 +95,6 @@ func TestServer(t *testing.T) {
 		// invalid expires at, nanos must be positive
 		ExpiresAt: &timestamppb.Timestamp{Nanos: -1},
 	})
+
 	require.ErrorIs(t, err, status.Error(codes.InvalidArgument, "attempting to create token: invalid expiry time: nanos:-1"))
 }

internal/server/auth/middleware.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"go.flipt.io/flipt/internal/containers"
+	"go.flipt.io/flipt/rpc/flipt"
 	authrpc "go.flipt.io/flipt/rpc/flipt/auth"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
@@ -176,6 +177,52 @@ func EmailMatchingInterceptor(logger *zap.Logger, rgxs []*regexp.Regexp) grpc.Un
 	}
 }
 
+func NamespaceMatchingInterceptor(logger *zap.Logger) grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		auth := GetAuthenticationFrom(ctx)
+
+		if auth == nil {
+			return handler(ctx, req)
+		}
+
+		// this mechanism only applies to static toke authentications
+		if auth.Method != authrpc.Method_METHOD_TOKEN {
+			return handler(ctx, req)
+		}
+
+		namespace, ok := auth.Metadata["io.flipt.auth.token.namespace"]
+		if !ok {
+			// if no namespace is provided then we should allow the request
+			return handler(ctx, req)
+		}
+
+		namespace = strings.TrimSpace(namespace)
+
+		if namespace == "" {
+			return handler(ctx, req)
+		}
+
+		nsReq, ok := req.(flipt.Namespaced)
+		if !ok {
+			// if the the token has a namespace but the request does not then we should reject the request
+			logger.Error("unauthenticated", zap.String("reason", "namespace is not allowed"))
+			return ctx, errUnauthenticated
+		}
+
+		reqNamespace := nsReq.GetNamespaceKey()
+		if reqNamespace == "" {
+			reqNamespace = "default"
+		}
+
+		if reqNamespace != namespace {
+			logger.Error("unauthenticated", zap.String("reason", "namespace is not allowed"))
+			return ctx, errUnauthenticated
+		}
+
+		return handler(ctx, req)
+	}
+}
+
 func clientTokenFromMetadata(md metadata.MD) (string, error) {
 	if authenticationHeader := md.Get(authenticationHeaderKey); len(authenticationHeader) > 0 {
 		return clientTokenFromAuthorization(authenticationHeader[0])