Add basic auth support for interface

docs/flagr_env.md

@@ -65,3 +65,20 @@ The best way to configure service account for Flagr to use pubsub only use:
 FLAGR_RECORDER_PUBSUB_PROJECT_ID=google-project-id
 FLAGR_RECORDER_PUBSUB_KEYFILE=/path/to/service/account.json
 ```
+
+Basic Authentication for web interface
+
+```
+FLAGR_BASIC_AUTH_ENABLED=true
+FLAGR_BASIC_AUTH_USERNAME=admin
+FLAGR_BASIC_AUTH_PASSWORD=password
+```
+
+By default, UI access will prompt for a username/password login. Similar to JWT Auth, prefix and exact paths can be whitelisted to skip the username/password login. The default whitelist will allow api access to `/api/v1/flags` and `/api/v1/evaluation*`
+
+NOTE: this doesn't prevent people from directly curling /api/v1/flags to update flags.
+
+```
+FLAGR_BASIC_AUTH_WHITELIST_PATHS="/api/v1/flags,/api/v1/evaluation"
+FLAGR_BASIC_AUTH_EXACT_WHITELIST_PATHS=""
+```

pkg/config/env.go

@@ -189,6 +189,13 @@ var Config = struct {
 	HeaderAuthEnabled   bool   `env:"FLAGR_HEADER_AUTH_ENABLED" envDefault:"false"`
 	HeaderAuthUserField string `env:"FLAGR_HEADER_AUTH_USER_FIELD" envDefault:"X-Email"`
 
+	// Authenticate with basic auth
+	BasicAuthEnabled              bool     `env:"FLAGR_BASIC_AUTH_ENABLED" envDefault:"false"`
+	BasicAuthUsername             string   `env:"FLAGR_BASIC_AUTH_USERNAME" envDefault:""`
+	BasicAuthPassword             string   `env:"FLAGR_BASIC_AUTH_PASSWORD" envDefault:""`
+	BasicAuthPrefixWhitelistPaths []string `env:"FLAGR_BASIC_AUTH_WHITELIST_PATHS" envDefault:"/api/v1/flags,/api/v1/evaluation" envSeparator:","`
+	BasicAuthExactWhitelistPaths  []string `env:"FLAGR_BASIC_AUTH_EXACT_WHITELIST_PATHS" envDefault:"" envSeparator:","`
+
 	// WebPrefix - base path for web and API
 	// e.g. FLAGR_WEB_PREFIX=/foo
 	// UI path  => localhost:18000/foo"

pkg/config/middleware.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"crypto/subtle"
 	"fmt"
 	"net/http"
 	"strconv"
@@ -78,6 +79,10 @@ func SetupGlobalMiddleware(handler http.Handler) http.Handler {
 		n.Use(setupJWTAuthMiddleware())
 	}
 
+	if Config.BasicAuthEnabled {
+		n.Use(setupBasicAuthMiddleware())
+	}
+
 	n.Use(&negroni.Static{
 		Dir:       http.Dir("./browser/flagr-ui/dist/"),
 		Prefix:    Config.WebPrefix,
@@ -118,7 +123,7 @@ func setupRecoveryMiddleware() *negroni.Recovery {
 /**
 setupJWTAuthMiddleware setup an JWTMiddleware from the ENV config
 */
-func setupJWTAuthMiddleware() *auth {
+func setupJWTAuthMiddleware() *jwtAuth {
 	var signingMethod jwt.SigningMethod
 	var validationKey interface{}
 	var errParsingKey error
@@ -138,7 +143,7 @@ func setupJWTAuthMiddleware() *auth {
 		validationKey = []byte("")
 	}
 
-	return &auth{
+	return &jwtAuth{
 		PrefixWhitelistPaths: Config.JWTAuthPrefixWhitelistPaths,
 		ExactWhitelistPaths:  Config.JWTAuthExactWhitelistPaths,
 		JWTMiddleware: jwtmiddleware.New(jwtmiddleware.Options{
@@ -175,13 +180,13 @@ func jwtErrorHandler(w http.ResponseWriter, r *http.Request, err string) {
 	}
 }
 
-type auth struct {
+type jwtAuth struct {
 	PrefixWhitelistPaths []string
 	ExactWhitelistPaths  []string
 	JWTMiddleware        *jwtmiddleware.JWTMiddleware
 }
 
-func (a *auth) whitelist(req *http.Request) bool {
+func (a *jwtAuth) whitelist(req *http.Request) bool {
 	path := req.URL.Path
 
 	// If we set to 401 unauthorized, let the client handles the 401 itself
@@ -201,14 +206,66 @@ func (a *auth) whitelist(req *http.Request) bool {
 	return false
 }
 
-func (a *auth) ServeHTTP(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
+func (a *jwtAuth) ServeHTTP(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
 	if a.whitelist(req) {
 		next(w, req)
 		return
 	}
 	a.JWTMiddleware.HandlerWithNext(w, req, next)
 }
 
+/**
+setupBasicAuthMiddleware setup an BasicMiddleware from the ENV config
+*/
+func setupBasicAuthMiddleware() *basicAuth {
+	return &basicAuth{
+		Username:             []byte(Config.BasicAuthUsername),
+		Password:             []byte(Config.BasicAuthPassword),
+		PrefixWhitelistPaths: Config.BasicAuthPrefixWhitelistPaths,
+		ExactWhitelistPaths:  Config.BasicAuthExactWhitelistPaths,
+	}
+}
+
+type basicAuth struct {
+	Username             []byte
+	Password             []byte
+	PrefixWhitelistPaths []string
+	ExactWhitelistPaths  []string
+}
+
+func (a *basicAuth) whitelist(req *http.Request) bool {
+	path := req.URL.Path
+
+	for _, p := range a.ExactWhitelistPaths {
+		if p == path {
+			return true
+		}
+	}
+
+	for _, p := range a.PrefixWhitelistPaths {
+		if p != "" && strings.HasPrefix(path, p) {
+			return true
+		}
+	}
+	return false
+}
+
+func (a *basicAuth) ServeHTTP(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
+	if a.whitelist(req) {
+		next(w, req)
+		return
+	}
+
+	username, password, ok := req.BasicAuth()
+	if !ok || subtle.ConstantTimeCompare(a.Username, []byte(username)) != 1 || subtle.ConstantTimeCompare(a.Password, []byte(password)) != 1 {
+		w.Header().Set("WWW-Authenticate", `Basic realm="you shall not pass"`)
+		http.Error(w, "Not authorized", http.StatusUnauthorized)
+		return
+	}
+
+	next(w, req)
+}
+
 type statsdMiddleware struct {
 	StatsdClient *statsd.Client
 }

pkg/config/middleware_test.go

@@ -58,7 +58,7 @@ func TestSetupGlobalMiddleware(t *testing.T) {
 	Config.PProfEnabled = true
 }
 
-func TestAuthMiddleware(t *testing.T) {
+func TestJWTAuthMiddleware(t *testing.T) {
 	h := &okHandler{}
 
 	t.Run("it will redirect if jwt enabled but no cookie passed", func(t *testing.T) {
@@ -255,7 +255,7 @@ o2kQ+X5xK9cipRgEKwIDAQAB
 	})
 }
 
-func TestAuthMiddlewareWithUnauthorized(t *testing.T) {
+func TestJWTAuthMiddlewareWithUnauthorized(t *testing.T) {
 	h := &okHandler{}
 
 	t.Run("it will return 401 if no cookie passed", func(t *testing.T) {
@@ -315,3 +315,62 @@ func TestAuthMiddlewareWithUnauthorized(t *testing.T) {
 		}
 	})
 }
+
+func TestBasicAuthMiddleware(t *testing.T) {
+	h := &okHandler{}
+
+	t.Run("it will return 200 for web paths when disabled", func(t *testing.T) {
+		testPaths := []string{"/", "", "/#", "/#/", "/static", "/static/"}
+		for _, path := range testPaths {
+			t.Run(fmt.Sprintf("path: %s", path), func(t *testing.T) {
+				hh := SetupGlobalMiddleware(h)
+				res := httptest.NewRecorder()
+				res.Body = new(bytes.Buffer)
+				req, _ := http.NewRequest("GET", fmt.Sprintf("http://localhost:18000%s", path), nil)
+				hh.ServeHTTP(res, req)
+				assert.Equal(t, http.StatusOK, res.Code)
+			})
+		}
+	})
+
+	t.Run("it will return 200 for whitelist path if basic auth is enabled", func(t *testing.T) {
+		Config.BasicAuthEnabled = true
+		Config.BasicAuthUsername = "admin"
+		Config.BasicAuthPassword = "password"
+		defer func() {
+			Config.BasicAuthEnabled = false
+			Config.BasicAuthUsername = ""
+			Config.BasicAuthPassword = ""
+		}()
+
+		hh := SetupGlobalMiddleware(h)
+		res := httptest.NewRecorder()
+		res.Body = new(bytes.Buffer)
+		req, _ := http.NewRequest("GET", "http://localhost:18000/api/v1/flags", nil)
+		hh.ServeHTTP(res, req)
+		assert.Equal(t, http.StatusOK, res.Code)
+	})
+
+	t.Run("it will return 401 for web paths when enabled", func(t *testing.T) {
+		Config.BasicAuthEnabled = true
+		Config.BasicAuthUsername = "admin"
+		Config.BasicAuthPassword = "password"
+		defer func() {
+			Config.BasicAuthEnabled = false
+			Config.BasicAuthUsername = ""
+			Config.BasicAuthPassword = ""
+		}()
+
+		testPaths := []string{"/", "", "/#", "/#/", "/static", "/static/"}
+		for _, path := range testPaths {
+			t.Run(fmt.Sprintf("path: %s", path), func(t *testing.T) {
+				hh := SetupGlobalMiddleware(h)
+				res := httptest.NewRecorder()
+				res.Body = new(bytes.Buffer)
+				req, _ := http.NewRequest("GET", fmt.Sprintf("http://localhost:18000%s", path), nil)
+				hh.ServeHTTP(res, req)
+				assert.Equal(t, http.StatusUnauthorized, res.Code)
+			})
+		}
+	})
+}