create custom forward request authenticator

[vladr11]

Adds a new authenticator which forwards the requests to an upstream service to perform the authentication. This adds the possibility to authenticate a request where the request body is needed.

Related issue(s)

Related to issue #841

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

[CLAassistant]

All committers have signed the CLA.

[codecov]

Codecov Report

Attention: Patch coverage is 60.82474% with 38 lines in your changes missing coverage. Please review.

Project coverage is 77.57%. Comparing base (6e3844e) to head (53ead8f).
Report is 156 commits behind head on master.

Files with missing lines	Patch %	Lines
pipeline/authn/authenticator_remote_json.go	60.41%	29 Missing and 9 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #949      +/-   ##
==========================================
- Coverage   78.05%   77.57%   -0.49%     
==========================================
  Files          83       84       +1     
  Lines        3992     4089      +97     
==========================================
+ Hits         3116     3172      +56     
- Misses        597      628      +31     
- Partials      279      289      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[aeneasr]

Not sure if you have done that already, but could you also please create a PR against ory/docs to document this new functionality? :)

[aeneasr]

I would prefer calling this remote_json similar to the authorizer, as we expect a JSON response from the upstream! :)

[vladr11]

Renamed the authenticator into remote_json

[vladr11]

Not sure if you have done that already, but could you also please create a PR against ory/docs to document this new functionality? :)

Created a new PR into ory/docs: ory/docs#827

[vladr11]

A polite reminder here, as the change requests have been addressed 😄

Fixed linting issues, as well.

[jendrikjoe]

A polite ping here again 😉

[aeneasr]

@hperl could you please help review this one? :)

[hperl]

Thanks for the PR. It looks very good already, I left just a few comments :)

[hperl]

Minor: Please break long lines into multiple lines, e.g., after the dots.

[vladr11]

Solved

[hperl]

I think by reassigning r.Body you will leak the original body, which will not be closed. Usually, the HTTP server takes care of closing the body after the handler is done, but in this case we are replacing the body with a NopCloser and are leaving the original r.Body unclosed. I think it should be fine to manually Close() the original body here, but I'd feel more comfortable having a test for this.

[vladr11]

Added a manual close to the original body stream. Not sure how to add a specific test for it.

[hperl]

Are these checks really necessary, given that you already set the default values in the JSON schema?

[vladr11]

Removed unnecessary checks

[hperl]

ioutil is deprecated. Please replace with calls from the io package. (Here and elsewhere). Thanks :)

[vladr11]

Replace ioutil with io

[hperl]

Suggested change

	json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s"}`, testServer.URL)),
	json.RawMessage(fmt.Sprintf(`{"service_url": "%s"}`, testServer.URL)),

;)

[vladr11]

Fixed :) Thanks

[jaspeen]

Hey guys, @hperl, @aeneasr. What else do we need there except all these checks to be pushed to main?