Merge pull request #12 from ndrufin-crto/authentication-custom-jwt

feat: add custom jwt

Author: mazurov

README.md

@@ -212,7 +212,7 @@ Flags:
                            Default: info
   --log-format string      Log format (json|text)
                            Default: json
-  --auth-type string       Authentication type (none|basic|ldap)
+  --auth-type string       Authentication type (none|basic|ldap|custom_jwt)
                            Default: none
   --auth-ldap-server string      LDAP server URL (e.g., ldap://ldap.example.com)
   --auth-ldap-bind-dn string     LDAP bind DN for service account
@@ -236,6 +236,38 @@ export COLA_REGISTRY_AUTH_TYPE=basic
 export COLA_REGISTRY_AUTH_USERS_FILE=./users.yaml  # Environment-only (no CLI flag)
 ```
 
+### Custom JWT Authentication
+
+Custom JWT authentication delegates token validation to an external script. This allows integration with any JWT provider.
+
+**Configuration:**
+```bash
+export COLA_REGISTRY_AUTH_TYPE=custom_jwt
+export COLA_REGISTRY_AUTH_CUSTOM_JWT_SCRIPT=/path/to/jwt-validator.sh
+export COLA_REGISTRY_AUTH_CUSTOM_JWT_REQUIRED_GROUP=my-admin-group  # Optional
+```
+
+**Custom JWT configuration options:**
+
+| Setting | Environment Variable | CLI Flag | Default | Description |
+|---------|---------------------|----------|---------|-------------|
+| Script | `COLA_REGISTRY_AUTH_CUSTOM_JWT_SCRIPT` | `--auth-custom-jwt-script` | (required) | Path to JWT validator script |
+| Required Group | `COLA_REGISTRY_AUTH_CUSTOM_JWT_REQUIRED_GROUP` | `--auth-custom-jwt-required-group` | - | Group required to access registry |
+
+**Script requirements:**
+- Must be executable and in PATH or specified as absolute path
+- Receives JWT token as first argument
+- Exit code 0 = valid token, non-zero = invalid token
+- Output format: one group per line (optionally `username:value` on first line)
+
+**Example script output:**
+```
+username:john.doe
+admin-group
+developers
+readonly-users
+```
+
 Priority order: **CLI flags > Environment variables > Defaults**
 
 ### LDAP Authentication

internal/auth/auth.go

@@ -8,6 +8,7 @@ import (
 var (
 	ErrUnauthorized = errors.New("unauthorized")
 	ErrForbidden    = errors.New("forbidden")
+	ErrInternal     = errors.New("internal error")
 )
 
 // User represents an authenticated user

internal/auth/custom_jwt.go

@@ -0,0 +1,169 @@
+package auth
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"os/exec"
+	"strings"
+
+	"github.com/criteo/command-launcher-registry/internal/config"
+)
+
+// CustomJWTAuth implements custom JWT authentication via external script
+type CustomJWTAuth struct {
+	config config.CustomJWTConfig
+	logger *slog.Logger
+}
+
+// NewCustomJWTAuth creates a new CustomJWT authenticator
+func NewCustomJWTAuth(cfg config.CustomJWTConfig, logger *slog.Logger) (*CustomJWTAuth, error) {
+	if cfg.Script == "" {
+		return nil, fmt.Errorf("custom_jwt script is required")
+	}
+	if _, err := exec.LookPath(cfg.Script); err != nil {
+		return nil, fmt.Errorf("custom_jwt script not found or not executable: %v", err)
+	}
+
+	logger.Info("CustomJWT auth initialized",
+		"script", cfg.Script,
+		"required_group", cfg.RequiredGroup)
+
+	return &CustomJWTAuth{
+		config: cfg,
+		logger: logger,
+	}, nil
+}
+
+// Authenticate validates Bearer token using external script
+func (a *CustomJWTAuth) Authenticate(r *http.Request) (*User, error) {
+	token, err := a.extractBearerToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	groups, username, err := a.executeScript(token)
+	if err != nil {
+		return nil, err
+	}
+
+	if a.config.RequiredGroup != "" {
+		if !a.hasGroup(groups, a.config.RequiredGroup) {
+			a.logger.Warn("User is not a member of required group",
+				"required_group", a.config.RequiredGroup,
+				"source_ip", r.RemoteAddr)
+			return nil, ErrForbidden
+		}
+	}
+
+	a.logger.Debug("CustomJWT authentication successful",
+		"username", username,
+		"source_ip", r.RemoteAddr)
+
+	return &User{Username: username}, nil
+}
+
+// Middleware returns HTTP middleware for CustomJWT authentication
+func (a *CustomJWTAuth) Middleware() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, err := a.Authenticate(r)
+			if err != nil {
+				if errors.Is(err, ErrForbidden) {
+					http.Error(w, "Forbidden", http.StatusForbidden)
+					return
+				}
+				if errors.Is(err, ErrUnauthorized) {
+					http.Error(w, "Unauthorized", http.StatusUnauthorized)
+					return
+				}
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// extractBearerToken extracts the Bearer token from Authorization header
+func (a *CustomJWTAuth) extractBearerToken(r *http.Request) (string, error) {
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return "", ErrUnauthorized
+	}
+
+	parts := strings.SplitN(authHeader, " ", 2)
+	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
+		return "", ErrUnauthorized
+	}
+
+	token := strings.TrimSpace(parts[1])
+	if token == "" {
+		return "", ErrUnauthorized
+	}
+
+	return token, nil
+}
+
+// executeScript runs the JWT validation script and returns groups and username
+func (a *CustomJWTAuth) executeScript(token string) ([]string, string, error) {
+	cmd := exec.Command(a.config.Script, token)
+
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err := cmd.Run()
+	if err != nil {
+		if exitError, ok := err.(*exec.ExitError); ok {
+			a.logger.Warn("Script failed",
+				"exit_code", exitError.ExitCode(),
+				"stderr", strings.TrimSpace(stderr.String()))
+			return nil, "", ErrForbidden
+		}
+		a.logger.Error("Failed to execute script",
+			"error", err)
+		return nil, "", ErrInternal
+	}
+
+	groups, username := a.parseOutput(stdout.String())
+	return groups, username, nil
+}
+
+// parseOutput parses the script output to extract groups and optionally username
+// Expected format: one group per line, optionally with "username:value" on first line
+func (a *CustomJWTAuth) parseOutput(output string) ([]string, string) {
+	var groups []string
+	username := "jwt-user"
+
+	lines := strings.Split(output, "\n")
+	for i, line := range lines {
+		line = strings.TrimSpace(line)
+		if line == "" {
+			continue
+		}
+
+		// First non-empty line might be username
+		if i == 0 && strings.HasPrefix(line, "username:") {
+			username = strings.TrimSpace(strings.TrimPrefix(line, "username:"))
+			continue
+		}
+
+		groups = append(groups, line)
+	}
+
+	return groups, username
+}
+
+// hasGroup checks if the user has the required group
+func (a *CustomJWTAuth) hasGroup(groups []string, requiredGroup string) bool {
+	for _, group := range groups {
+		if group == requiredGroup {
+			return true
+		}
+	}
+	return false
+}

internal/cli/server.go

@@ -59,11 +59,13 @@ func init() {
 	ServerCmd.Flags().String("host", "", "Bind address")
 	ServerCmd.Flags().String("log-level", "", "Log level (debug|info|warn|error)")
 	ServerCmd.Flags().String("log-format", "", "Log format (json|text)")
-	ServerCmd.Flags().String("auth-type", "", "Authentication type (none|basic|ldap)")
+	ServerCmd.Flags().String("auth-type", "", "Authentication type (none|basic|ldap|custom_jwt)")
 	ServerCmd.Flags().String("auth-ldap-server", "", "LDAP server URL (e.g., ldap://ldap.example.com)")
 	ServerCmd.Flags().Int("auth-ldap-timeout", 30, "LDAP connection timeout (e.g., 30s)")
 	ServerCmd.Flags().String("auth-ldap-bind-dn", "", "LDAP bind DN for service account")
 	ServerCmd.Flags().String("auth-ldap-user-base-dn", "", "LDAP base DN for user searches")
+	ServerCmd.Flags().String("auth-custom-jwt-script", "", "Path to JWT validator script")
+	ServerCmd.Flags().String("auth-custom-jwt-required-group", "", "Required group for authorization")
 
 	// Bind CLI flags to viper
 	v.BindPFlag("storage.uri", ServerCmd.Flags().Lookup("storage-uri"))
@@ -77,6 +79,8 @@ func init() {
 	v.BindPFlag("auth.ldap.timeout", ServerCmd.Flags().Lookup("auth-ldap-timeout"))
 	v.BindPFlag("auth.ldap.bind_dn", ServerCmd.Flags().Lookup("auth-ldap-bind-dn"))
 	v.BindPFlag("auth.ldap.user_base_dn", ServerCmd.Flags().Lookup("auth-ldap-user-base-dn"))
+	v.BindPFlag("auth.custom_jwt.script", ServerCmd.Flags().Lookup("auth-custom-jwt-script"))
+	v.BindPFlag("auth.custom_jwt.required_group", ServerCmd.Flags().Lookup("auth-custom-jwt-required-group"))
 }
 
 func runServer(cmd *cobra.Command, args []string) error {
@@ -143,6 +147,14 @@ func runServer(cmd *cobra.Command, args []string) error {
 		logger.Info("LDAP authentication enabled",
 			"server", cfg.Auth.LDAP.Server,
 			"user_base_dn", cfg.Auth.LDAP.UserBaseDN)
+	case "custom_jwt":
+		authenticator, err = auth.NewCustomJWTAuth(cfg.Auth.CustomJWT, logger)
+		if err != nil {
+			logger.Error("Failed to initialize custom JWT auth",
+				"error", err)
+			os.Exit(ExitCodeStorageInitFailed)
+		}
+		logger.Info("Custom JWT authentication enabled")
 	default:
 		logger.Error("Unsupported auth type", "auth_type", cfg.Auth.Type)
 		os.Exit(ExitCodeInvalidConfig)

internal/config/config.go

@@ -31,9 +31,16 @@ type StorageConfig struct {
 
 // AuthConfig holds authentication configuration
 type AuthConfig struct {
-	Type      string     `mapstructure:"type"`       // none | basic | ldap
-	UsersFile string     `mapstructure:"users_file"` // for basic auth
-	LDAP      LDAPConfig `mapstructure:"ldap"`       // for LDAP auth
+	Type      string          `mapstructure:"type"`       // none | basic | custom_jwt | ldap
+	UsersFile string          `mapstructure:"users_file"` // for basic auth
+	LDAP      LDAPConfig      `mapstructure:"ldap"`       // for LDAP auth
+	CustomJWT CustomJWTConfig `mapstructure:"custom_jwt"` // for custom_jwt auth
+}
+
+// CustomJWTConfig holds custom JWT authentication configuration
+type CustomJWTConfig struct {
+	Script        string `mapstructure:"script"`         // Path to script that validates JWT and returns groups
+	RequiredGroup string `mapstructure:"required_group"` // Required group for authorization
 }
 
 // LDAPConfig holds LDAP authentication configuration
@@ -149,8 +156,9 @@ func (c *Config) Validate() error {
 	}
 
 	// Validate auth type
-	if c.Auth.Type != "none" && c.Auth.Type != "basic" && c.Auth.Type != "ldap" {
-		return fmt.Errorf("auth.type must be 'none', 'basic', or 'ldap'")
+	validAuthTypes := map[string]bool{"none": true, "basic": true, "ldap": true, "custom_jwt": true}
+	if !validAuthTypes[c.Auth.Type] {
+		return fmt.Errorf("auth.type must be 'none', 'basic', 'ldap', or 'custom_jwt'")
 	}
 
 	// Validate logging level