ccsecurity

README

CC-GO-SECURITY

Security solutions for Golang project, includes:

• Authentication (inspired from Spring Security): JWT, Basic Auth
• Authorization (inspired from Spring Security): RBAC
• Http Client Security:
  • Proxy
  • Authentication

Setup instruction

Base setup, see CCGO Instruction

Both go get and go mod are supported.

go get github.com/crosect/cc-go-security

Usage

Using fx.Option to include dependencies for injection.

package main

import (
	"github.com/crosect/cc-go-security"
	"github.com/crosect/cc-go-security/testutil"
	"github.com/crosect/cc-go/web/client"
	"go.uber.org/fx"
)

func main() {
	_ = []fx.Option{

		// When you want to enable http security for your application
		ccsecurity.HttpSecurityOpt(),

		// When you want to register JWT authentication filter
		ccsecurity.JwtAuthFilterOpt(),

		// When you want to register Basic authentication filter
		ccsecurity.BasicAuthOpt(),

		// When you want to wrap default http client by a secured layer
		ccsecurity.SecuredHttpClientOpt(),

		// Example using http client
		fx.Provide(NewExampleService),

		// ==================== TEST UTILS =================
		// A useful util to easy to generate jwt token for test.
		// This option needs to come with the following configuration:
		//
		// app.security.http.jwt:
		//     privateKey: | # Private key to generate JWT token
		//	      -----BEGIN RSA PRIVATE KEY-----
		//	      MIIEpAIBAAKCAQEAibfYgV1ACadMfuvl5VsRV0H/llbi+zB0f6kTSQ0VwzNR9eYb
		//	      LSb3U5FtkHjBaULxK9Wk2btXvbSZ4HK0cdCf/FHnKpuPoguWOsHrQcVqxzN5XaR1
		//	      zBSVNXIuxry3AXWq8DDJ/GGXdsxcr0xZ2NGn3GAj0op8cvENes88Wg==
		//	      -----END RSA PRIVATE KEY-----
		testUtil.JwtTestUtilOpt(),
	}
}

type ExampleService struct {
	httpClient client.ContextualHttpClient
}

func NewExampleService(httpClient client.ContextualHttpClient) *ExampleService {
	return &ExampleService{httpClient: httpClient}
}

Configuration

app:
    security:
        # Configuration for HttpSecurityOpt()
        http:
            publicUrls: # Define urls can be accessed without authentication
                - /actuator/health
                - /actuator/info
                - /swagger/*

            protectedUrls: # Define urls with required roles can be accessed with authentication
                - { urlPattern: "/v1/api-with-jwt-auth", method: POST, roles: [ "SECURITY_SERVICE" ], unauthorizedWwwAuthenticateHeaders: [ "Bearer" ] }
                - { urlPattern: "/v1/api-with-basic-auth", method: POST, roles: [ "INTERNAL_SERVICE" ], unauthorizedWwwAuthenticateHeaders: [ "Basic" ] }

            # Required when using JwtAuthFilterOpt()
            jwt:
                type: JWT_TOKEN # Currently, we support JWT_TOKEN
                publicKey: | # Public Key to verify JWT token
                    -----BEGIN PUBLIC KEY-----
                    MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgE...
                    -----END PUBLIC KEY-----

            # Required when using BasicAuthOpt()
            basicAuth:
                users: # List of users with roles for basic auth
                    - { username: "internal_service1", password: "secret", roles: [ "INTERNAL_SERVICE" ] }
                    # Or you can use placeholder with format ${ENV_NAME}, it will be replaced by environment var
                    - { username: "internal_service2", password: "${EXPOSED_INTERNAL_SERVICE_PWD}", roles: [ "INTERNAL_SERVICE" ] }

            # Required when using SecuredHttpClientOpt()
            client:
                basicAuth: # Define url with corresponding username password, these credentials will be auto attached to header before execute request.
                    - { urlMatch: "https://foo.com/api/.*", username: "foo_user", password: "${FOO_SERVICE_PWD}" }
                    - { urlMatch: "https://bar.com/api/.*", username: "bar_user", password: "${BAR_SERVICE_PWD}" }

Documentation

Index

• func BasicAuthOpt() fx.Option
• func HttpSecurityOpt() fx.Option
• func JwtAuthFilterOpt() fx.Option
• func NewBasicAuthFilter(in BasicAuthFilterIn) (filter.AuthenticationFilter, error)
• func NewJwtAuthFilter(in JwtAuthFilterIn) (filter.AuthenticationFilter, error)
• func NewSecuredHttpClient(props *secHttpClient.SecurityProperties) ccgo.ContextualHttpClientWrapper
• func RegisterHttpSecurity(in RegisterHttpSecurityIn) error
• func SecuredHttpClientOpt() fx.Option
• type BasicAuthFilterIn
• type HttpSecurityOut
  • func NewHttpSecurity() HttpSecurityOut
• type JwtAuthFilterIn
• type RegisterHttpSecurityIn

Functions

func BasicAuthOpt

func BasicAuthOpt() fx.Option

func HttpSecurityOpt

func HttpSecurityOpt() fx.Option

func JwtAuthFilterOpt

func JwtAuthFilterOpt() fx.Option

func NewBasicAuthFilter

func NewBasicAuthFilter(in BasicAuthFilterIn) (filter.AuthenticationFilter, error)

func NewJwtAuthFilter

func NewJwtAuthFilter(in JwtAuthFilterIn) (filter.AuthenticationFilter, error)

func NewSecuredHttpClient

func NewSecuredHttpClient(props *secHttpClient.SecurityProperties) ccgo.ContextualHttpClientWrapper

func RegisterHttpSecurity

func RegisterHttpSecurity(in RegisterHttpSecurityIn) error

func SecuredHttpClientOpt

func SecuredHttpClientOpt() fx.Option

Types

type BasicAuthFilterIn

type BasicAuthFilterIn struct {
	fx.In
	SecurityProperties  *config.HttpSecurityProperties
	AuthProviderManager *authen.ProviderManager
}

type HttpSecurityOut

type HttpSecurityOut struct {
	fx.Out
	AuthProviderManager   *authen.ProviderManager
	AccessDecisionManager authorization.AccessDecisionManager
}

func NewHttpSecurity

func NewHttpSecurity() HttpSecurityOut

type JwtAuthFilterIn

type JwtAuthFilterIn struct {
	fx.In
	SecurityProperties  *config.HttpSecurityProperties
	AuthProviderManager *authen.ProviderManager
}

type RegisterHttpSecurityIn

type RegisterHttpSecurityIn struct {
	fx.In
	App                   *ccgo.App
	SecurityProperties    *config.HttpSecurityProperties
	AuthProviderManager   *authen.ProviderManager
	AccessDecisionManager authorization.AccessDecisionManager
	AuthenticationFilters []filter.AuthenticationFilter `group:"authentication_filter"`
}