initial commit

Signed-off-by: Mark Sagi-Kazar <[email protected]>

.editorconfig

@@ -0,0 +1,21 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.nix]
+indent_size = 2
+
+[*.go]
+indent_style = tab
+
+[{Makefile,*.mk}]
+indent_style = tab
+
+[{*.yml,*.yaml}]
+indent_size = 2

.envrc

@@ -0,0 +1,4 @@
+if ! has nix_direnv_version || ! nix_direnv_version 2.3.0; then
+  source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.3.0/direnvrc" "sha256-Dmd+j63L84wuzgyjITIfSxSD57Tx7v51DMxVZOsiUD8="
+fi
+use flake . --impure

.github/.editorconfig

@@ -0,0 +1,2 @@
+[{*.yaml,*.yml}]
+indent_size = 2

.github/dependabot.yaml

@@ -0,0 +1,12 @@
+version: 2
+
+updates:
+  - package-ecosystem: gomod
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/ci.yaml

@@ -0,0 +1,101 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        go: ['1.21']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Set up Nix
+        uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
+
+      - name: Shell name
+        id: shell
+        run: echo "value=ci_$(echo "${{ matrix.go }}" | sed 's/\./_/')" >> "$GITHUB_OUTPUT"
+
+      - name: Prepare Nix shell
+        run: nix develop --impure .#${{ steps.shell.outputs.value }}
+
+      - name: Launch Docker Compose
+        run: docker compose up -d
+
+      - name: Test
+        run: nix develop --impure .#${{ steps.shell.outputs.value }} -c go test -race -v ./...
+        env:
+          CERBOS_ADDRESS: 127.0.0.1:3593
+
+      - name: Cleanup Docker Compose
+        run: docker compose down -v
+        if: always()
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Set up Nix
+        uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
+
+      - name: Lint
+        run: nix develop --impure .#ci -c golangci-lint run --out-format github-actions
+
+  dev:
+    name: Developer environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Set up Nix
+        uses: cachix/install-nix-action@6a9a9e84a173d90b3ffb42c5ddaf9ea033fad011 # v23
+        with:
+          extra_nix_config: |
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up magic Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@8a218f9e264e9c3803c9a1ee1c30d8e4ab55be63 # v2
+
+      - name: Check
+        run: nix flake check --impure
+
+      - name: Dev shell
+        run: nix develop --impure
+
+  dependency-review:
+    name: Dependency review
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0

.gitignore

@@ -0,0 +1,4 @@
+/.devenv/
+/.direnv/
+/go.work
+/go.work.sum

.golangci.yaml

@@ -0,0 +1,27 @@
+run:
+  timeout: 10m
+
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/portward/unkey-authenticator)
+  goimports:
+    local-prefixes: github.com/portward/unkey-authenticator
+  misspell:
+    locale: US
+  nolintlint:
+    allow-leading-space: false # require machine-readable nolint directives (with no leading space)
+    allow-unused: false # report any unused nolint directives
+    require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+  revive:
+    confidence: 0
+
+linters:
+  enable:
+    - gci
+    - goimports
+    - misspell
+    - nolintlint
+    - revive

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Márk Sági-Kazár <[email protected]>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,51 @@
+# Unkey authenticator
+
+[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/portward/unkey-authenticator/ci.yaml?style=flat-square)](https://github.com/portward/unkey-authenticator/actions/workflows/ci.yaml)
+[![go.dev reference](https://img.shields.io/badge/go.dev-reference-007d9c?logo=go&logoColor=white&style=flat-square)](https://pkg.go.dev/mod/github.com/portward/unkey-authenticator)
+[![built with nix](https://img.shields.io/badge/builtwith-nix-7d81f7?style=flat-square)](https://builtwithnix.org)
+
+**Authenticate API keys using [Unkey](https://unkey.dev).**
+
+> [!WARNING]
+> **Project is under development. Backwards compatibility is not guaranteed.**
+
+## Development
+
+**For an optimal developer experience, it is recommended to install [Nix](https://nixos.org/download.html) and [direnv](https://direnv.net/docs/installation.html).**
+
+Run tests:
+
+```shell
+go test -race -v ./...
+```
+
+Run linter:
+
+```shell
+golangci-lint run
+```
+
+To test changes made in [registry-auth](https://github.com/portward/registry-auth) and [registry-auth-config](https://github.com/portward/registry-auth-config):
+
+Make sure [registry-auth](https://github.com/portward/registry-auth) and [registry-auth-config](https://github.com/portward/registry-auth-config) are checked out in the same directory:
+
+```shell
+cd ..
+git clone [email protected]:portward/registry-auth.git
+git clone [email protected]:portward/registry-auth-config.git
+cd unkey-authenticator
+```
+
+Set up a Go workspace:
+
+```shell
+go work init
+go work use .
+go work use ../registry-auth
+go work use ../registry-auth-config
+go work sync
+```
+
+## License
+
+The project is licensed under the [MIT License](LICENSE).

authenticator.go

@@ -0,0 +1,133 @@
+package unkeyauthenticator
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"maps"
+	"net/http"
+	"net/url"
+
+	"github.com/portward/registry-auth/auth"
+)
+
+var _ auth.PasswordAuthenticator = Authenticator{}
+
+// Authenticator uses [Unkey] to authenticate API keys.
+//
+// [Unkey]: https://unkey.dev
+type Authenticator struct {
+	url *url.URL
+
+	// TODO: make client configurable
+	httpClient *http.Client
+}
+
+// NewAuthenticator returns a new [Authenticator].
+func NewAuthenticator(u *url.URL) Authenticator {
+	if u == nil {
+		u, _ = url.Parse("https://api.unkey.dev")
+	}
+
+	return Authenticator{
+		url:        u,
+		httpClient: http.DefaultClient,
+	}
+}
+
+// AuthenticatePassword implements the [auth.PasswordAuthenticator] interface.
+func (a Authenticator) AuthenticatePassword(ctx context.Context, username string, password string) (auth.Subject, error) {
+	if username != "token" { // TODO: support other usernames
+		// TODO: log reason or enrich returned error
+		return nil, auth.ErrAuthenticationFailed
+	}
+
+	data := map[string]string{
+		"key": password,
+	}
+
+	var buf bytes.Buffer
+
+	err := json.NewEncoder(&buf).Encode(data)
+	if err != nil {
+		return nil, err
+	}
+
+	u := *a.url
+	u.Path = "/v1/keys/verify"
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u.String(), &buf)
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+
+	resp, err := a.httpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var apiResponse verifyKeyResponse
+	err = json.NewDecoder(resp.Body).Decode(&apiResponse)
+	if err != nil {
+		return nil, err
+	}
+
+	if !apiResponse.Valid {
+		switch apiResponse.Code {
+		case "NOT_FOUND", "FORBIDDEN", "KEY_USAGE_EXCEEDED":
+			// TODO: add more context to the error
+			return nil, auth.ErrAuthenticationFailed
+
+		case "RATELIMITED":
+			return nil, errors.New("rate limit error while trying to verify key")
+
+		default:
+			return nil, fmt.Errorf("unknown error code: %s", apiResponse.Code)
+		}
+	}
+
+	if apiResponse.OwnerID == "" {
+		return nil, errors.New("owner ID is required")
+	}
+
+	return subject{
+		id:    auth.SubjectIDFromString(apiResponse.OwnerID),
+		attrs: apiResponse.Meta,
+	}, nil
+}
+
+type verifyKeyResponse struct {
+	Valid   bool           `json:"valid"`
+	Code    string         `json:"code"`
+	OwnerID string         `json:"ownerId"`
+	Meta    map[string]any `json:"meta"`
+
+	// TODO: add support for rate limit
+}
+
+type subject struct {
+	id    auth.SubjectID
+	attrs map[string]any
+}
+
+// ID implements auth.Subject.
+func (s subject) ID() auth.SubjectID {
+	return s.id
+}
+
+// Attribute implements auth.Subject.
+func (s subject) Attribute(key string) (any, bool) {
+	v, ok := s.attrs[key]
+
+	return v, ok
+}
+
+// Attributes implements auth.Subject.
+func (s subject) Attributes() map[string]any {
+	return maps.Clone(s.attrs)
+}