fixes for cli auth

pkg/auth/v3/interceptor.go

@@ -63,6 +63,8 @@ func (ac authContext) NewAuthUnaryInterceptor(opt Option) grpc.UnaryServerInterc
 			url    string
 			method string
 			token  string
+			apiKey string
+			apiTkn string
 			cookie string
 			host   string
 			ua     string
@@ -77,6 +79,12 @@ func (ac authContext) NewAuthUnaryInterceptor(opt Option) grpc.UnaryServerInterc
 		if len(md.Get(gateway.GatewayAPIKey)) != 0 {
 			token = md.Get(gateway.GatewayAPIKey)[0]
 		}
+		if len(md.Get("X-API-KEYID")) != 0 {
+			apiKey = md.Get("X-API-KEYID")[0]
+		}
+		if len(md.Get("X-API-TOKEN")) != 0 {
+			apiTkn = md.Get("X-API-TOKEN")[0]
+		}
 		if len(md.Get("grpcgateway-cookie")) != 0 {
 			cookie = md.Get("grpcgateway-cookie")[0]
 		}
@@ -94,11 +102,14 @@ func (ac authContext) NewAuthUnaryInterceptor(opt Option) grpc.UnaryServerInterc
 			Url:           url,
 			Method:        method,
 			XSessionToken: token,
+			XApiKey:       apiKey,
+			XApiToken:     apiTkn,
 			Cookie:        cookie,
 			Org:           org,
 			Project:       project,
 			NoAuthz:       noAuthz, // FIXME: any better way to do this?
 		}
+
 		res, err := ac.IsRequestAllowed(ctx, nil, acReq)
 		if err != nil {
 			_log.Errorf("Failed to authenticate a request: %s", err)

pkg/auth/v3/middleware.go

@@ -77,7 +77,8 @@ func (am *authMiddleware) ServeHTTP(rw http.ResponseWriter, r *http.Request, nex
 		Url:           r.URL.String(),
 		Method:        r.Method,
 		XSessionToken: r.Header.Get("X-Session-Token"),
-		XApiKey:       r.Header.Get("X-RAFAY-API-KEYID"),
+		XApiKey:       r.Header.Get("X-API-KEYID"),
+		XApiToken:     r.Header.Get("X-API-TOKEN"),
 		Cookie:        r.Header.Get("Cookie"),
 		Project:       poResp.Project,
 		Org:           poResp.Organization,

pkg/auth/v3/service.go

@@ -2,6 +2,8 @@ package authv3
 
 import (
 	"context"
+	"crypto/md5"
+	"encoding/base64"
 	"errors"
 	"net/http"
 	"strings"
@@ -9,7 +11,6 @@ import (
 	rpcv3 "github.com/RafayLabs/rcloud-base/proto/rpc/user"
 	authzv1 "github.com/RafayLabs/rcloud-base/proto/types/authz"
 	commonv3 "github.com/RafayLabs/rcloud-base/proto/types/commonpb/v3"
-	"github.com/spacemonkeygo/httpsig"
 )
 
 var (
@@ -48,6 +49,12 @@ func (ac *authContext) IsRequestAllowed(ctx context.Context, httpreq *http.Reque
 	return res, nil
 }
 
+func getTokenCheckSum(body []byte) string {
+	hash := md5.New()
+	hash.Write(body)
+	return base64.StdEncoding.EncodeToString(hash.Sum(nil))
+}
+
 // authenticate validate whether the request is from a legitimate user
 // and populate relevant information in res.
 func (ac *authContext) authenticate(ctx context.Context, httpreq *http.Request, req *commonv3.IsRequestAllowedRequest, res *commonv3.IsRequestAllowedResponse) (bool, error) {
@@ -59,16 +66,10 @@ func (ac *authContext) authenticate(ctx context.Context, httpreq *http.Request,
 			_log.Infow("unable to get api key", "key", req.XApiKey, "error", err)
 			return false, ErrInvalidAPIKey
 		}
-		var kg httpsig.KeyGetterFunc = func(id string) interface{} {
-			return []byte(resp.Secret)
-		}
-
-		verifier := httpsig.NewVerifier(kg)
-		verifier.SetRequiredHeaders([]string{"content-md5", "date", "host", "nonce"})
-		err = verifier.Verify(httpreq)
-		if err != nil {
+		if !(req.XApiToken == getTokenCheckSum([]byte(resp.Secret))) {
 			return false, ErrInvalidSignature
 		}
+		_log.Info("successfully validated api key ", req.XApiKey)
 		res.Status = commonv3.RequestStatus_RequestAllowed
 		res.SessionData.Username = resp.Name
 		res.SessionData.Account = resp.AccountID.String()

pkg/gateway/annotator.go

@@ -13,6 +13,8 @@ const (
 	GatewayURL           = "x-gateway-url"
 	GatewaySessionCookie = "ory_kratos_session"
 	GatewayAPIKey        = "X-Session-Token"
+	APIKey               = "X-API-KEYID"
+	APIKeyToken          = "X-API-TOKEN"
 	GatewayMethod        = "x-gateway-method"
 	UserAgent            = "x-gateway-user-agent"
 	Host                 = "x-gateway-host"
@@ -24,17 +26,12 @@ var rafayGatewayAnnotator = func(ctx context.Context, r *http.Request) metadata.
 	return metadata.New(map[string]string{
 		GatewayRequest: "true",
 		GatewayURL:     r.URL.EscapedPath(),
-		// GatewaySessionCookie: func() string {
-		// 	sid, err := r.Cookie(GatewaySessionCookie)
-		// 	if err != nil {
-		// 		return ""
-		// 	}
-		// 	return sid.Value
-		// }(),
-		GatewayAPIKey: r.Header.Get(GatewayAPIKey),
-		GatewayMethod: r.Method,
-		UserAgent:     r.UserAgent(),
-		Host:          r.Host,
-		RemoteAddr:    r.RemoteAddr,
+		GatewayAPIKey:  r.Header.Get(GatewayAPIKey),
+		APIKey:         r.Header.Get(APIKey),
+		APIKeyToken:    r.Header.Get(APIKeyToken),
+		GatewayMethod:  r.Method,
+		UserAgent:      r.UserAgent(),
+		Host:           r.Host,
+		RemoteAddr:     r.RemoteAddr,
 	})
 }