Generic auth improvements (#257)

* Add capability to use user-provided ExtractAuthenticationToken on generic auth scheme
* adding support for returning 5XX status code for generic auth flow

security.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 
 	"aahframe.work/ahttp"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 	"aahframe.work/internal/util"
 	"aahframe.work/security"
 	"aahframe.work/security/anticsrf"
@@ -198,7 +198,9 @@ func doAuthScheme(authScheme scheme.Schemer, ctx *Context) flowResult {
 	ctx.e.publishOnPreAuthEvent(ctx)
 
 	if doAuthentication(authScheme, ctx) == flowAbort {
-		ctx.Reply().Unauthorized().Error(newError(ErrAuthenticationFailed, http.StatusUnauthorized))
+		if ctx.Reply().err == nil {
+			ctx.Reply().Unauthorized().Error(newError(ErrAuthenticationFailed, http.StatusUnauthorized))
+		}
 		return flowAbort
 	}
 
@@ -241,6 +243,18 @@ func doAuthentication(authScheme scheme.Schemer, ctx *Context) flowResult {
 				ctx.Log().Infof("%s: Authentication is failed", authScheme.Key())
 				ctx.Reply().Header(ahttp.HeaderWWWAuthenticate, `Basic realm="`+sa.RealmName+`"`)
 				ctx.Reply().Unauthorized().Error(newError(ErrAuthenticationFailed, http.StatusUnauthorized))
+			case *scheme.GenericAuth:
+				switch err {
+				case authc.ErrAuthenticationFailed, authc.ErrAuthenticatorIsNil, authc.ErrPrincipalIsNil, authc.ErrSubjectNotExists:
+					ctx.Log().Infof("%s: Authentication is failed", authScheme.Key())
+					ctx.Reply().Unauthorized().Error(newError(ErrAuthenticationFailed, http.StatusUnauthorized))
+				case authc.ErrInternalServerError:
+					ctx.Log().Errorf("%s: Internal Server Error", authScheme.Key())
+					ctx.Reply().InternalServerError().Error(newError(err, http.StatusInternalServerError))
+				case authc.ErrServiceUnavailable:
+					ctx.Log().Errorf("%s: Service Unavailable", authScheme.Key())
+					ctx.Reply().ServiceUnavailable().Error(newError(err, http.StatusServiceUnavailable))
+				}
 			}
 
 			return flowAbort

security/authc/authc.go

@@ -8,7 +8,7 @@ import (
 	"errors"
 
 	"aahframe.work/config"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 )
 
 var (
@@ -25,6 +25,12 @@ var (
 	// ErrSubjectNotExists error is returned when Subject is not exists in the application
 	// datasource.
 	ErrSubjectNotExists = errors.New("security/authc: subject not exists")
+
+	// ErrInternalServerError error is returned when we specifically want to return a 500 response code
+	ErrInternalServerError = errors.New("security/authc: internal server error")
+
+	// ErrServiceUnavailable error is returned when we specifically want to return a 503 response code
+	ErrServiceUnavailable = errors.New("security/authc: service unavailable")
 )
 
 // Authenticator interface is used to provide authentication information of application

security/authc/authentication_info.go

@@ -42,6 +42,7 @@ type AuthenticationInfo struct {
 	IsLocked   bool
 	IsExpired  bool
 	Principals []*Principal
+	AuthenticationToken *AuthenticationToken
 }
 
 // PrimaryPrincipal method returns the primary Principal instance if principal

security/authc/authentication_token.go

@@ -25,9 +25,12 @@ type AuthenticationToken struct {
 
 	// Credential is an account or subject secret.
 	Credential string
+
+	// Values contains additional information needed for authc and or authz phase
+	Values map[string]interface{}
 }
 
 // String method is stringer interface implementation.
 func (a AuthenticationToken) String() string {
-	return fmt.Sprintf("authenticationtoken(scheme:%s identity:%s credential:*******)", a.Scheme, a.Identity)
+	return fmt.Sprintf("authenticationtoken(scheme:%s identity:%s credential:*******, values:%v)", a.Scheme, a.Identity, a.Values)
 }

security/authc/authentication_token_test.go

@@ -15,7 +15,11 @@ func TestAuthcAuthenticationToken(t *testing.T) {
 		Scheme:     "form",
 		Identity:   "jeeva",
 		Credential: "welcome123",
+		Values: map[string]interface{}{
+			"key1": "value 1",
+			"key2": "value 2",
+		},
 	}
 
-	assert.Equal(t, "authenticationtoken(scheme:form identity:jeeva credential:*******)", authToken.String())
+	assert.Equal(t, "authenticationtoken(scheme:form identity:jeeva credential:*******, values:map[key1:value 1 key2:value 2])", authToken.String())
 }

security/scheme/base.go

@@ -9,7 +9,7 @@ import (
 
 	"aahframe.work/ahttp"
 	"aahframe.work/config"
-	"aahframe.work/essentials"
+	ess "aahframe.work/essentials"
 	"aahframe.work/log"
 	"aahframe.work/security/acrypto"
 	"aahframe.work/security/authc"
@@ -109,9 +109,11 @@ func (b *BaseAuth) DoAuthenticate(authcToken *authc.AuthenticationToken) (*authc
 		if err != nil {
 			log.Error(err)
 		}
-		return nil, authc.ErrAuthenticationFailed
+		return nil, err
 	}
 
+	// Propagate the authentication token
+	authcInfo.AuthenticationToken = authcToken
 	return authcInfo, nil
 }
 

security/scheme/base_test.go

@@ -40,7 +40,7 @@ func TestSchemeBaseAuth(t *testing.T) {
 	authcToken := &authc.AuthenticationToken{}
 	authcInfo, err := baseAuth.DoAuthenticate(authcToken)
 	assert.NotNil(t, err)
-	assert.True(t, err == authc.ErrAuthenticationFailed)
+	assert.True(t, err == authc.ErrSubjectNotExists)
 	assert.Nil(t, authcInfo)
 
 	authcInfo, err = baseAuth.DoAuthenticate(nil)

security/scheme/generic_auth.go

@@ -32,9 +32,18 @@ func (g *GenericAuth) Init(cfg *config.Config, keyName string) error {
 	return nil
 }
 
-// ExtractAuthenticationToken method extracts the authentication token information
+type acauthenticator interface {
+	ExtractAuthenticationToken(r *ahttp.Request) *authc.AuthenticationToken
+}
+
+// ExtractAuthenticationToken method extracts an authentication token information
 // from the HTTP request.
 func (g *GenericAuth) ExtractAuthenticationToken(r *ahttp.Request) *authc.AuthenticationToken {
+	// Invoke the user provided method if exists for extracting authentication token
+	if ac, found := g.authenticator.(acauthenticator); found {
+		return ac.ExtractAuthenticationToken(r)
+	}
+
 	return &authc.AuthenticationToken{
 		Scheme:     g.Scheme(),
 		Identity:   r.Header.Get(g.IdentityHeader),