Removing oauth2 proxy in favor of jwt middleware (#4)

* Removing oauth2-proxy

* Renaming username field

* Cleaning unused config

* Fixing tests

deployment/kubernetes/client-registration-api.yaml

@@ -48,70 +48,6 @@ spec:
                 secretKeyRef:
                   name: auth-secrets
                   key: user_auth_realm
-      initContainers:
-        - name: client-registration-auth
-          image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
-          restartPolicy: Always
-          imagePullPolicy: IfNotPresent
-          ports:
-            - containerPort: 4181
-          env:
-            - name: OAUTH2_PROXY_PROVIDER
-              value: "keycloak-oidc"
-            - name: OAUTH2_PROXY_CLIENT_ID
-              valueFrom:
-                secretKeyRef:
-                  name: auth-secrets
-                  key: user_client_id
-            - name: OAUTH2_PROXY_CLIENT_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: auth-secrets
-                  key: user_client_secret
-            - name: OAUTH2_PROXY_COOKIE_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: auth-secrets
-                  key: user_cookie_secret
-            - name: OAUTH2_PROXY_REDIRECT_URL
-              value: /client-registration/oauth2/callback
-            - name: OAUTH2_PROXY_OIDC_ISSUER_URL
-              valueFrom:
-                secretKeyRef:
-                  name: auth-secrets
-                  key: user_auth_url
-            - name: OAUTH2_PROXY_COOKIE_SECURE
-              value: "true"
-            - name: OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL
-              value: "true"
-            - name: OAUTH2_PROXY_HTTP_ADDRESS
-              value: "0.0.0.0:4181"
-            - name: OAUTH2_PROXY_UPSTREAMS
-              value: "static://200"
-            - name: OAUTH2_PROXY_SKIP_PROVIDER_BUTTON
-              value: "true"
-            - name: OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY
-              value: "true"
-            - name: OAUTH2_PROXY_SCOPE
-              value: "openid email profile"
-            - name: OAUTH2_PROXY_SET_XAUTHREQUEST
-              value: "true"
-            - name: OAUTH2_PROXY_REVERSE_PROXY
-              value: "true"
-            - name: OAUTH2_PROXY_COOKIE_DOMAINS
-              value: ".openepi.io"
-            - name: OAUTH2_PROXY_EMAIL_DOMAINS
-              value: "*"
-            - name: OAUTH2_PROXY_SESSION_COOKIE_MINIMAL
-              value: "true"
-            - name: OAUTH2_PROXY_PROXY_PREFIX
-              value: "/client-registration/oauth2"
-            - name: OAUTH2_PROXY_ALLOW_RELATIVE_REDIRECT_URL
-              value: "true"
-            - name: OAUTH2_PROXY_FORCE_JSON_ERRORS
-              value: "true"
-            - name: OAUTH2_PROXY_COOKIE_NAME
-              value: "__Secure-openepi_user"
 ---
 apiVersion: v1
 kind: Service
@@ -139,36 +75,6 @@ spec:
     forceSlash: true
 ---
 apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: client-registration-auth
-spec:
-  forwardAuth:
-    address: http://client-registration-api.apps.svc.cluster.local:4181
-    trustForwardHeader: true
-    authResponseHeaders:
-        - X-Forwarded-User
-        - X-Auth-Request-Access-Token
-        - X-Auth-Request-Email
-        - X-Auth-Request-User
-        - X-Auth-Request-Username
-        - X-Auth-Request-Preferred-Username
-        - Authorization
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: cors-client-registration
-spec:
-  headers:
-    accessControlAllowMethods:
-      - "GET"
-    accessControlAllowHeaders:
-      - "*"
-    accessControlAllowOriginList:
-      - "*"
----
-apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: client-registration-api
@@ -177,18 +83,12 @@ spec:
     - websecure
   routes:
   - kind: Rule
-    match: PathPrefix(`/client-registration`) && !PathPrefix(`/client-registration/metrics`) && !PathPrefix(`/client-registration/oauth2`)
+    match: PathPrefix(`/client-registration`) && !PathPrefix(`/client-registration/metrics`)
     services:
     - kind: Service
       name: client-registration-api
       port: 80
     middlewares:
     - name: traefikmiddleware-cors-for-internal-apps@kubernetescrd
-    - name: client-registration-auth
+    - name: traefikmiddleware-jwt@kubernetescrd
     - name: stripprefix-client-registration
-  - kind: Rule
-    match: PathPrefix(`/client-registration/oauth2`) && !PathPrefix(`/client-registration/oauth2/metrics`)
-    services:
-    - kind: Service
-      name: client-registration-api
-      port: 4181

middleware/user.go

@@ -1,13 +1,14 @@
 package middleware
 
 import (
-	"github.com/gin-gonic/gin"
 	"net/http"
+
+	"github.com/gin-gonic/gin"
 )
 
 func UserRequired() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		username := c.Request.Header.Get("X-Auth-Request-Preferred-Username")
+		username := c.Request.Header.Get("X-Preferred-Username")
 		if username == "" {
 			c.JSON(http.StatusForbidden, gin.H{
 				"error": "Not supported without user",

tests/unit/middleware/user_test.go

@@ -1,12 +1,13 @@
 package middleware
 
 import (
-	"github.com/gin-gonic/gin"
-	"github.com/openearthplatforminitiative/client-registration-api/middleware"
-	"github.com/stretchr/testify/assert"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/openearthplatforminitiative/client-registration-api/middleware"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestUserRequired(t *testing.T) {
@@ -51,7 +52,7 @@ func TestUserRequired(t *testing.T) {
 
 			req, _ := http.NewRequest("GET", "/test", nil)
 			if tc.usernameHeader != "" {
-				req.Header.Set("X-Auth-Request-Preferred-Username", tc.usernameHeader)
+				req.Header.Set("X-Preferred-Username", tc.usernameHeader)
 			}
 
 			router.ServeHTTP(w, req)