Merge branch 'main' into 3271-update-circleci-image

bacalhau-project · Jan 27, 2024 · ea2a9ff · ea2a9ff
2 parents 4b038af + 7414c04
commit ea2a9ff
Show file tree

Hide file tree

Showing 39 changed files with 2,072 additions and 54 deletions.
diff --git a/apps/job-info-consumer/consumer/go.mod b/apps/job-info-consumer/consumer/go.mod
@@ -323,7 +323,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/net v0.19.0 // indirect

diff --git a/apps/job-info-consumer/consumer/go.sum b/apps/job-info-consumer/consumer/go.sum
@@ -1183,7 +1183,7 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

diff --git a/cmd/util/auth/ask.go b/cmd/util/auth/ask.go
@@ -0,0 +1,77 @@
+package auth
+
+import (
+	"bufio"
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/santhosh-tekuri/jsonschema/v5"
+	"github.com/spf13/cobra"
+	"golang.org/x/term"
+)
+
+// Returns a responder that responds to authentication requirements of type
+// `authn.MethodTypeAsk`. Reads the JSON Schema returned by the `ask` endpoint
+// and uses it to ask appropriate questions to the user on their terminal, and
+// then returns their response as serialized JSON.
+func askResponder(cmd *cobra.Command) responder {
+	return func(request *json.RawMessage) ([]byte, error) {
+		compiler := jsonschema.NewCompiler()
+		compiler.ExtractAnnotations = true
+
+		if err := compiler.AddResource("", bytes.NewReader(*request)); err != nil {
+			return nil, err
+		}
+
+		schema, err := compiler.Compile("")
+		if err != nil {
+			return nil, err
+		}
+
+		response := make(map[string]any, len(schema.Properties))
+		for _, name := range schema.Required {
+			subschema := schema.Properties[name]
+
+			if len(subschema.Types) < 1 {
+				return nil, fmt.Errorf("invalid schema: property %q has no type", name)
+			}
+
+			typ := subschema.Types[0]
+			if typ == "object" {
+				return nil, fmt.Errorf("invalid schema: property %q has non-scalar type", name)
+			}
+
+			fmt.Fprintf(cmd.ErrOrStderr(), "%s: ", name)
+
+			var input []byte
+			var err error
+
+			// If the property is marked as write only, assume it is a sensitive
+			// value and make sure we don't display it in the terminal
+			if subschema.WriteOnly {
+				input, err = term.ReadPassword(int(os.Stdin.Fd()))
+				fmt.Fprintln(cmd.ErrOrStderr())
+			} else {
+				reader := bufio.NewScanner(cmd.InOrStdin())
+				if reader.Scan() {
+					input = reader.Bytes()
+				}
+				err = reader.Err()
+			}
+
+			if err != nil {
+				return nil, err
+			}
+			response[name] = string(input)
+		}
+
+		respBytes, err := json.Marshal(response)
+		if err != nil {
+			return nil, err
+		}
+
+		return respBytes, schema.Validate(response)
+	}
+}
diff --git a/cmd/util/auth/auth.go b/cmd/util/auth/auth.go
@@ -19,11 +19,12 @@ import (
 
 type responder = func(request *json.RawMessage) (response []byte, err error)
 
-var supportedMethods map[authn.MethodType]responder = map[authn.MethodType]responder{
-	authn.MethodTypeChallenge: challenge.Respond,
-}
-
 func RunAuthenticationFlow(cmd *cobra.Command) (string, error) {
+	supportedMethods := map[authn.MethodType]responder{
+		authn.MethodTypeChallenge: challenge.Respond,
+		authn.MethodTypeAsk:       askResponder(cmd),
+	}
+
 	client := util.GetAPIClientV2(cmd.Context())
 	methods, err := client.Auth().Methods(&apimodels.ListAuthnMethodsRequest{})
 	if err != nil {

diff --git a/docs/docs/dev/auth_flow.md b/docs/docs/dev/auth_flow.md
@@ -83,6 +83,25 @@ return to the endpoint.
 }
 ```
 
+### `ask` authentication
+
+This method requires the user to manually input some information. This method
+can be used to implement username and password authentication, shared secret
+authentication, and even 2FA or security question auth.
+
+The required information is represented by a JSON Schema in the object itself.
+The implementation should parse the JSON Schema and ask the user questions to
+populate an object that is valid by it.
+
+```json
+{
+    "$schema": "https://json-schema.org/draft/2020-12/schema",
+    "$id": "https://bacalhau.org/auth/ask",
+    "type": "object",
+    "$ref": "https://json-schema.org/draft/2020-12/schema",
+}
+```
+
 ## 2. Run the authn flow and submit the result for an access token
 
 The user agent decides which authentication method to use (e.g. by asking the

diff --git a/docs/docs/running-node/auth.md b/docs/docs/running-node/auth.md
@@ -47,3 +47,22 @@ include acceptable client IDs, found by running `bacalhau id`.
 
 Once the node is restarted, only keys in the allowed list will be able to access
 any API.
+
+## Username and password access
+
+Users can authenticate using a username and password instead of specifying a
+private key for access. Again, this requires installation of an appropriate
+policy on the server.
+
+    curl -sL https://raw.githubusercontent.com/bacalhau-project/bacalhau/main/pkg/authn/ask/ask_ns_password.rego -o ~/.bacalhau/ask_ns_password.rego
+    bacalhau config set Node.Auth.Methods.Password.Type ask
+    bacalhau config set Node.Auth.Methods.Password.PolicyPath ~/.bacalhau/ask_ns_password.rego
+
+Passwords are not stored in plaintext and are salted. The downloaded policy
+expects password hashes and salts generated by `scrypt`. To generate a salted
+password, the helper script in `pkg/authn/ask/gen_password` can be used:
+
+    cd pkg/authn/ask/gen_password && go run .
+
+This will ask for a password and generate a salt and hash to authenticate with
+it. Add the encoded username, salt and hash into the `ask_ns_password.rego`.
diff --git a/go.mod b/go.mod
@@ -56,6 +56,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/ricochet2200/go-disk-usage/du v0.0.0-20210707232629-ac9918953285
 	github.com/rs/zerolog v1.31.0
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1
 	github.com/spf13/cobra v1.8.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.16.0
@@ -82,7 +83,7 @@ require (
 	go.uber.org/mock v0.4.0
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.26.0
-	golang.org/x/crypto v0.17.0
+	golang.org/x/crypto v0.18.0
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
 	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61
 	k8s.io/apimachinery v0.29.0
@@ -373,7 +374,7 @@ require (
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.6.0
 	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
+	golang.org/x/term v0.16.0
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0
 	golang.org/x/tools v0.16.1 // indirect

diff --git a/go.sum b/go.sum
@@ -1069,6 +1069,8 @@ github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQD
 github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
@@ -1341,8 +1343,9 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
 golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=

diff --git a/ops/aws/canary/lambda/go.mod b/ops/aws/canary/lambda/go.mod
@@ -304,14 +304,13 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	go4.org v0.0.0-20230225012048-214862532bf5 // indirect
-	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/crypto v0.18.0 // indirect
 	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/oauth2 v0.13.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/term v0.16.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.16.1 // indirect

diff --git a/ops/aws/canary/lambda/go.sum b/ops/aws/canary/lambda/go.sum
@@ -1176,7 +1176,7 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=