call [docker] with auth (#9803)

* allow user to set dockerhub credentials

* add withJwtAuth function to AuthHelper

* use withJwtAuth in DockerHub badges

* add unit tests for JWT auth

* use auth when calling docker cloud

* refactor and assert fetch helpers call withJwtAuth

* store token for a max duration (defaults to 1 hour)

* tangent: update test example

core/base-service/auth-helper.js

@@ -1,5 +1,13 @@
 import { URL } from 'url'
-import { InvalidParameter } from './errors.js'
+import dayjs from 'dayjs'
+import Joi from 'joi'
+import checkErrorResponse from './check-error-response.js'
+import { InvalidParameter, InvalidResponse } from './errors.js'
+import { fetch } from './got.js'
+import { parseJson } from './json.js'
+import validate from './validate.js'
+
+let jwtCache = Object.create(null)
 
 class AuthHelper {
   constructor(
@@ -87,7 +95,7 @@ class AuthHelper {
     }
   }
 
-  shouldAuthenticateRequest({ url, options = {} }) {
+  isAllowedOrigin(url) {
     let parsed
     try {
       parsed = new URL(url)
@@ -97,7 +105,11 @@ class AuthHelper {
 
     const { protocol, host } = parsed
     const origin = `${protocol}//${host}`
-    const originViolation = !this._authorizedOrigins.includes(origin)
+    return this._authorizedOrigins.includes(origin)
+  }
+
+  shouldAuthenticateRequest({ url, options = {} }) {
+    const originViolation = !this.isAllowedOrigin(url)
 
     const strictSslCheckViolation =
       this._requireStrictSslToAuthenticate &&
@@ -218,6 +230,103 @@ class AuthHelper {
       }),
     )
   }
+
+  static _getJwtExpiry(token, max = dayjs().add(1, 'hours').unix()) {
+    // get the expiry timestamp for this JWT (capped at a max length)
+    const parts = token.split('.')
+
+    if (parts.length < 2) {
+      throw new InvalidResponse({
+        prettyMessage: 'invalid response data from auth endpoint',
+      })
+    }
+
+    const json = validate(
+      {
+        ErrorClass: InvalidResponse,
+        prettyErrorMessage: 'invalid response data from auth endpoint',
+      },
+      parseJson(Buffer.from(parts[1], 'base64').toString()),
+      Joi.object({ exp: Joi.number().required() }).required(),
+    )
+
+    return Math.min(json.exp, max)
+  }
+
+  static _isJwtValid(expiry) {
+    // we consider the token valid if the expiry
+    // datetime is later than (now + 1 minute)
+    return dayjs.unix(expiry).isAfter(dayjs().add(1, 'minutes'))
+  }
+
+  async _getJwt(loginEndpoint) {
+    const { _user: username, _pass: password } = this
+
+    // attempt to get JWT from cache
+    if (
+      jwtCache?.[loginEndpoint]?.[username]?.token &&
+      jwtCache?.[loginEndpoint]?.[username]?.expiry &&
+      this.constructor._isJwtValid(jwtCache[loginEndpoint][username].expiry)
+    ) {
+      // cache hit
+      return jwtCache[loginEndpoint][username].token
+    }
+
+    // cache miss - request a new JWT
+    const originViolation = !this.isAllowedOrigin(loginEndpoint)
+    if (originViolation) {
+      throw new InvalidParameter({
+        prettyMessage: 'requested origin not authorized',
+      })
+    }
+
+    const { buffer } = await checkErrorResponse({})(
+      await fetch(loginEndpoint, {
+        method: 'POST',
+        form: { username, password },
+      }),
+    )
+
+    const json = validate(
+      {
+        ErrorClass: InvalidResponse,
+        prettyErrorMessage: 'invalid response data from auth endpoint',
+      },
+      parseJson(buffer),
+      Joi.object({ token: Joi.string().required() }).required(),
+    )
+
+    const token = json.token
+    const expiry = this.constructor._getJwtExpiry(token)
+
+    // store in the cache
+    if (!(loginEndpoint in jwtCache)) {
+      jwtCache[loginEndpoint] = {}
+    }
+    jwtCache[loginEndpoint][username] = { token, expiry }
+
+    return token
+  }
+
+  async _getJwtAuthHeader(loginEndpoint) {
+    if (!this.isConfigured) {
+      return undefined
+    }
+
+    const token = await this._getJwt(loginEndpoint)
+    return { Authorization: `Bearer ${token}` }
+  }
+
+  async withJwtAuth(requestParams, loginEndpoint) {
+    const authHeader = await this._getJwtAuthHeader(loginEndpoint)
+    return this._withAnyAuth(requestParams, requestParams =>
+      this.constructor._mergeHeaders(requestParams, authHeader),
+    )
+  }
 }
 
-export { AuthHelper }
+function clearJwtCache() {
+  jwtCache = Object.create(null)
+}
+
+export { AuthHelper, clearJwtCache }

core/base-service/auth-helper.spec.js

@@ -1,7 +1,32 @@
+import dayjs from 'dayjs'
+import nock from 'nock'
 import { expect } from 'chai'
 import { test, given, forCases } from 'sazerac'
-import { AuthHelper } from './auth-helper.js'
-import { InvalidParameter } from './errors.js'
+import { AuthHelper, clearJwtCache } from './auth-helper.js'
+import { InvalidParameter, InvalidResponse } from './errors.js'
+
+function base64UrlEncode(input) {
+  const base64 = btoa(JSON.stringify(input))
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
+}
+
+function getMockJwt(extras) {
+  // this function returns a mock JWT that contains enough
+  // for a unit test but ignores important aspects e.g: signing
+
+  const header = {
+    alg: 'HS256',
+    typ: 'JWT',
+  }
+  const payload = {
+    iat: Math.floor(Date.now() / 1000),
+    ...extras,
+  }
+
+  const encodedHeader = base64UrlEncode(header)
+  const encodedPayload = base64UrlEncode(payload)
+  return `${encodedHeader}.${encodedPayload}`
+}
 
 describe('AuthHelper', function () {
   describe('constructor checks', function () {
@@ -381,4 +406,153 @@ describe('AuthHelper', function () {
       ).to.throw(InvalidParameter)
     })
   })
+
+  context('JTW Auth', function () {
+    describe('_isJwtValid', function () {
+      test(AuthHelper._isJwtValid, () => {
+        given(dayjs().add(1, 'month').unix()).expect(true)
+        given(dayjs().add(2, 'minutes').unix()).expect(true)
+        given(dayjs().add(30, 'seconds').unix()).expect(false)
+        given(dayjs().unix()).expect(false)
+        given(dayjs().subtract(1, 'seconds').unix()).expect(false)
+      })
+    })
+
+    describe('_getJwtExpiry', function () {
+      it('extracts expiry from valid JWT', function () {
+        const nowPlus30Mins = dayjs().add(30, 'minutes').unix()
+        expect(
+          AuthHelper._getJwtExpiry(getMockJwt({ exp: nowPlus30Mins })),
+        ).to.equal(nowPlus30Mins)
+      })
+
+      it('caps expiry at max', function () {
+        const nowPlus1Hour = dayjs().add(1, 'hours').unix()
+        const nowPlus2Hours = dayjs().add(2, 'hours').unix()
+        expect(
+          AuthHelper._getJwtExpiry(getMockJwt({ exp: nowPlus2Hours })),
+        ).to.equal(nowPlus1Hour)
+      })
+
+      it('throws if JWT does not contain exp', function () {
+        expect(() => {
+          AuthHelper._getJwtExpiry(getMockJwt({}))
+        }).to.throw(InvalidResponse)
+      })
+
+      it('throws if JWT is invalid', function () {
+        expect(() => {
+          AuthHelper._getJwtExpiry('abc')
+        }).to.throw(InvalidResponse)
+      })
+    })
+
+    describe('withJwtAuth', function () {
+      const authHelper = new AuthHelper(
+        {
+          userKey: 'jwt_user',
+          passKey: 'jwt_pass',
+          authorizedOrigins: ['https://example.com'],
+          isRequired: false,
+        },
+        { private: { jwt_user: 'fred', jwt_pass: 'abc123' } },
+      )
+
+      beforeEach(function () {
+        clearJwtCache()
+      })
+
+      it('should use cached response if valid', async function () {
+        // the expiry is far enough in the future that the token
+        // will still be valid on the second hit
+        const mockToken = getMockJwt({ exp: dayjs().add(1, 'hours').unix() })
+
+        // .times(1) ensures if we try to make a second call to this endpoint,
+        // we will throw `Nock: No match for request`
+        nock('https://example.com')
+          .post('/login')
+          .times(1)
+          .reply(200, { token: mockToken })
+        const params1 = await authHelper.withJwtAuth(
+          { url: 'https://example.com/some-endpoint' },
+          'https://example.com/login',
+        )
+        expect(nock.isDone()).to.equal(true)
+        expect(params1).to.deep.equal({
+          options: {
+            headers: {
+              Authorization: `Bearer ${mockToken}`,
+            },
+          },
+          url: 'https://example.com/some-endpoint',
+        })
+
+        // second time round, we'll get the same response again
+        // but this time served from cache
+        const params2 = await authHelper.withJwtAuth(
+          { url: 'https://example.com/some-endpoint' },
+          'https://example.com/login',
+        )
+        expect(params2).to.deep.equal({
+          options: {
+            headers: {
+              Authorization: `Bearer ${mockToken}`,
+            },
+          },
+          url: 'https://example.com/some-endpoint',
+        })
+
+        nock.cleanAll()
+      })
+
+      it('should not use cached response if expired', async function () {
+        // this time we define a token expiry is close enough
+        // that the token will not be valid on the second call
+        const mockToken1 = getMockJwt({
+          exp: dayjs().add(20, 'seconds').unix(),
+        })
+        nock('https://example.com')
+          .post('/login')
+          .times(1)
+          .reply(200, { token: mockToken1 })
+        const params1 = await authHelper.withJwtAuth(
+          { url: 'https://example.com/some-endpoint' },
+          'https://example.com/login',
+        )
+        expect(nock.isDone()).to.equal(true)
+        expect(params1).to.deep.equal({
+          options: {
+            headers: {
+              Authorization: `Bearer ${mockToken1}`,
+            },
+          },
+          url: 'https://example.com/some-endpoint',
+        })
+
+        // second time round we make another network request
+        const mockToken2 = getMockJwt({
+          exp: dayjs().add(20, 'seconds').unix(),
+        })
+        nock('https://example.com')
+          .post('/login')
+          .times(1)
+          .reply(200, { token: mockToken2 })
+        const params2 = await authHelper.withJwtAuth(
+          { url: 'https://example.com/some-endpoint' },
+          'https://example.com/login',
+        )
+        expect(nock.isDone()).to.equal(true)
+        expect(params2).to.deep.equal({
+          options: {
+            headers: {
+              Authorization: `Bearer ${mockToken2}`,
+            },
+          },
+          url: 'https://example.com/some-endpoint',
+        })
+
+        nock.cleanAll()
+      })
+    })
+  })
 })

core/server/server.js

@@ -165,6 +165,8 @@ const privateConfigSchema = Joi.object({
   azure_devops_token: Joi.string(),
   curseforge_api_key: Joi.string(),
   discord_bot_token: Joi.string(),
+  dockerhub_username: Joi.string(),
+  dockerhub_pat: Joi.string(),
   drone_token: Joi.string(),
   gh_client_id: Joi.string(),
   gh_client_secret: Joi.string(),