Merge pull request #190 from mattrent/admin_check

Add Admin auth check on `/subjects` endpoints

Author: mattrent

Dockerfile.core

@@ -14,10 +14,10 @@
 
 # The version of Alpine to use for the final image
 # This should match the version of Alpine that the `elixir:1.14-alpine` image uses
-ARG ALPINE_VERSION=3.16
+ARG ALPINE_VERSION=3.17
 ARG SECRET_KEY_BASE
 
-FROM elixir:1.13-alpine AS builder
+FROM elixir:1.14-alpine AS builder
 
 ARG MIX_ENV=prod
 
@@ -34,11 +34,6 @@ RUN apk update && \
     mix local.rebar --force && \
     mix local.hex --force
 
-# Get Rust
-RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
-ENV PATH="/root/.cargo/bin:${PATH}"
-ENV RUSTFLAGS='--codegen target-feature=-crt-static'
-
 # This copies our app source code into the build container
 COPY . .
 

Dockerfile.worker

@@ -14,9 +14,9 @@
 
 # The version of Alpine to use for the final image
 # This should match the version of Alpine that the `elixir:1.13.4-alpine` image uses
-ARG ALPINE_VERSION=3.16
+ARG ALPINE_VERSION=3.17
 
-FROM elixir:1.13-alpine AS builder
+FROM elixir:1.14-alpine AS builder
 
 # The following are build arguments used to change variable parts of the image.
 # The name of your application/release (required)
@@ -35,11 +35,6 @@ RUN apk update && \
     mix local.rebar --force && \
     mix local.hex --force
 
-# Get Rust
-RUN curl https://sh.rustup.rs -sSf | bash -s -- -y
-ENV PATH="/root/.cargo/bin:${PATH}"
-ENV RUSTFLAGS='--codegen target-feature=-crt-static'
-
 # This copies our app source code into the build container
 COPY . .
 

apps/core/lib/core/domain/admins.ex

@@ -0,0 +1,135 @@
+# Copyright 2023 Giuseppe De Palma, Matteo Trentin
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule Core.Domain.Admins do
+  @moduledoc """
+  The Admins context.
+  """
+
+  import Ecto.Query, warn: false
+  alias Core.SubjectsRepo, as: Repo
+
+  alias Core.Schemas.Admin
+
+  @doc """
+  Returns the list of admins.
+
+  ## Examples
+
+      iex> list_admins()
+      [%Admin{}, ...]
+
+  """
+  def list_admins do
+    Repo.all(Admin)
+  end
+
+  @doc """
+  Gets a single admin.
+
+  Raises `Ecto.NoResultsError` if the Admin does not exist.
+
+  ## Examples
+
+      iex> get_admin!(123)
+      %Admin{}
+
+      iex> get_admin!(456)
+      ** (Ecto.NoResultsError)
+
+  """
+  def get_admin!(id), do: Repo.get!(Admin, id)
+
+  @doc """
+  Gets a single admin by name.
+
+  Returns `nil` if the Admin does not exist.
+
+  ## Examples
+
+      iex> get_admin_by_name("name")
+      %Admin{}
+
+      iex> get_admin_by_name("not_found")
+      nil
+  """
+  def get_admin_by_name(name) do
+    Repo.get_by(Admin, name: name)
+  end
+
+  @doc """
+  Creates a admin.
+
+  ## Examples
+
+      iex> create_admin(%{field: value})
+      {:ok, %Admin{}}
+
+      iex> create_admin(%{field: bad_value})
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def create_admin(attrs \\ %{}) do
+    %Admin{}
+    |> Admin.changeset(attrs)
+    |> Repo.insert()
+  end
+
+  @doc """
+  Updates a admin.
+
+  ## Examples
+
+      iex> update_admin(admin, %{field: new_value})
+      {:ok, %Admin{}}
+
+      iex> update_admin(admin, %{field: bad_value})
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def update_admin(%Admin{} = admin, attrs) do
+    admin
+    |> Admin.changeset(attrs)
+    |> Repo.update()
+  end
+
+  @doc """
+  Deletes a admin.
+
+  ## Examples
+
+      iex> delete_admin(admin)
+      {:ok, %Admin{}}
+
+      iex> delete_admin(admin)
+      {:error, %Ecto.Changeset{}}
+
+  """
+  def delete_admin(%Admin{} = admin) do
+    Repo.delete(admin)
+  end
+
+  @doc """
+  Returns an `%Ecto.Changeset{}` for tracking admin changes.
+
+  ## Examples
+
+      iex> change_admin(admin)
+      %Ecto.Changeset{data: %Admin{}}
+
+  """
+  def change_admin(%Admin{} = admin, attrs \\ %{}) do
+    Admin.changeset(admin, attrs)
+  end
+end

apps/core/lib/core/schemas/admin.ex

@@ -0,0 +1,42 @@
+# Copyright 2023 Giuseppe De Palma, Matteo Trentin
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule Core.Schemas.Admin do
+  @moduledoc """
+  The Admin schema
+  """
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  schema "admins" do
+    field(:name, :string)
+    field(:token, :string, redact: true)
+
+    timestamps()
+  end
+
+  @doc false
+  def changeset(admin, attrs) do
+    # only allow valid letters, numbers and underscores in the middle
+    regex = ~r/^[_a-zA-Z0-9]+$/
+    msg = "must contain only alphanumeric characters and underscores"
+
+    admin
+    |> cast(attrs, [:name, :token])
+    |> validate_required([:name, :token])
+    |> validate_format(:name, regex, message: msg)
+    |> validate_length(:name, min: 1, max: 160)
+    |> unique_constraint(:name)
+  end
+end

apps/core/lib/core_web/auth_admin.ex

@@ -0,0 +1,57 @@
+# Copyright 2022 Giuseppe De Palma, Matteo Trentin
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule CoreWeb.Plug.AuthenticateAdmin do
+  @moduledoc """
+  Plug to authenticate an admin user by token.
+  """
+  import Plug.Conn
+  require Logger
+
+  alias Core.Domain.Admins
+  alias CoreWeb.Token
+
+  def init(opts) do
+    opts
+  end
+
+  @spec call(Plug.Conn.t(), any) :: Plug.Conn.t()
+  def call(conn, _opts) do
+    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
+         {:ok, %{user: name}} <- Token.verify(token),
+         {:ok, stored_token} <- retrieve_admin(name),
+         {:ok, %{user: stored_name}} <- Token.verify(stored_token),
+         true <- stored_token == token && name == stored_name do
+      assign(conn, :current_user, name)
+    else
+      _error ->
+        conn
+        |> put_status(:unauthorized)
+        |> Phoenix.Controller.put_view(CoreWeb.ErrorView)
+        |> Phoenix.Controller.render(:"401")
+        |> halt()
+    end
+  end
+
+  @spec retrieve_admin(String.t()) :: {:ok, any()} | {:error, any()}
+  defp retrieve_admin(name) do
+    case Admins.get_admin_by_name(name) do
+      nil ->
+        {:error, :admin_not_found}
+
+      user ->
+        {:ok, user.token}
+    end
+  end
+end

apps/core/lib/core_web/router.ex

@@ -23,12 +23,20 @@ defmodule CoreWeb.Router do
     plug(CoreWeb.Plug.Authenticate)
   end
 
+  pipeline :admin do
+    plug(CoreWeb.Plug.AuthenticateAdmin)
+  end
+
   # Endpoints without authentication
   scope "/v1", CoreWeb do
     pipe_through(:api)
 
     # A simple get "/" to health check
     get("/", DefaultController, :index)
+  end
+
+  scope "/v1", CoreWeb do
+    pipe_through([:api, :admin])
 
     get("/admin/subjects", SubjectController, :index)
     post("/admin/subjects", SubjectController, :create)

apps/core/lib/core_web/token.ex

@@ -26,6 +26,12 @@ defmodule CoreWeb.Token do
   @spec sign(map()) :: binary()
   def sign(data) do
     Phoenix.Token.sign(CoreWeb.Endpoint, @signing_salt, data)
+  rescue
+    # if the ETS table does not exist (i.e. the application is not running),
+    # we pass the secret key itself as an argument
+    _ in ArgumentError ->
+      key_base = System.fetch_env!("SECRET_KEY_BASE")
+      Phoenix.Token.sign(key_base, @signing_salt, data)
   end
 
   @doc """

apps/core/priv/subjects_repo/migrations/20230318184753_create_admins.exs

@@ -0,0 +1,28 @@
+# Copyright 2023 Giuseppe De Palma, Matteo Trentin
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+defmodule Core.SubjectsRepo.Migrations.CreateAdmins do
+  use Ecto.Migration
+
+  def change do
+    create table(:admins) do
+      add :name, :string
+      add :token, :string
+
+      timestamps()
+    end
+
+    create unique_index(:admins, [:name])
+  end
+end

apps/core/priv/subjects_repo/seeds/seeds.exs

@@ -26,6 +26,17 @@
 
 alias Core.SubjectsRepo
 alias Core.Schemas.Subject
+alias Core.Schemas.Admin
 
 signed_token = CoreWeb.Token.sign(%{user: "guest"})
 SubjectsRepo.insert!(%Subject{name: "guest", token: signed_token})
+
+admin_token = CoreWeb.Token.sign(%{user: "admin"})
+SubjectsRepo.insert!(%Admin{name: "admin", token: admin_token})
+
+
+file_path = :core |> Application.compile_env!(Core.Seeds) |> Keyword.fetch!(:path)
+
+with :ok <- File.mkdir_p(Path.dirname(file_path)) do
+  File.write(file_path, "Admin=#{admin_token}\nGuest=#{signed_token}")
+end