Add gateway authentication

golem-api-grpc/proto/golem/apidefinition/api_definition.proto

@@ -31,6 +31,11 @@ message HttpApiDefinition {
   repeated HttpRoute routes = 1;
 }
 
+// Used in api definition repo and needs to be backward compatible
+message SecuritySchemeReference {
+  string security_scheme_identifier = 1;
+}
+
 // Used in api definition repo and needs to be backward compatible
 message CompiledHttpApiDefinition {
   repeated CompiledHttpRoute routes = 1;
@@ -46,13 +51,15 @@ message HttpRoute {
   HttpMethod method = 1;
   string path = 2;
   GatewayBinding binding = 3;
+  Middleware middleware = 4;
 }
 
 // Used in api definition repo and needs to be backward compatible
 message CompiledHttpRoute {
    HttpMethod method = 1;
    string path = 2;
    CompiledGatewayBinding binding = 3;
+   Middleware middleware = 4;
 }
 
 // Used in api definition repo and needs to be backward compatible
@@ -79,7 +86,6 @@ message GatewayBinding {
   // type discriminator to keep backward compatibility
   optional GatewayBindingType binding_type = 5;
   optional StaticBinding static_binding = 6;
-  optional Middleware middleware = 7;
 }
 
 // Used in api definition repo and needs to be backward compatible
@@ -99,8 +105,10 @@ message CompiledGatewayBinding {
     // type discriminator to keep backward compatibility
     optional GatewayBindingType binding_type = 12;
     optional StaticBinding static_binding = 13;
-    // middleware
-    optional Middleware middleware = 14;
+}
+
+message SecuritySchemaReference {
+    string security_scheme_identifier = 1;
 }
 
 // Used in api definition repo and needs to be backward compatible
@@ -113,15 +121,19 @@ enum GatewayBindingType {
 // Used in api definition repo and needs to be backward compatible
 message Middleware {
   optional CorsPreflight cors = 1;
+  optional SecurityWithProviderMetadata http_authentication = 2;
 }
 
 // Used in api definition repo and needs to be backward compatible
 message StaticBinding {
   oneof static_binding {
     CorsPreflight http_cors_preflight = 1;
+    AuthCallBack auth_callback = 2;
   }
 }
 
+message AuthCallBack {}
+
 // Used in api definition repo and needs to be backward compatible
 message CorsPreflight {
   optional string allow_origin = 1;
@@ -130,4 +142,36 @@ message CorsPreflight {
   optional string expose_headers = 4;
   optional uint64 max_age = 5;
   optional bool allow_credentials = 6;
-}
+}
+
+message SecurityWithProviderMetadata {
+  SecurityScheme security_scheme = 1;
+  IdentityProviderMetadata identity_provider_metadata = 2;
+}
+
+message SecurityScheme {
+  Provider provider = 1;
+  string scheme_identifier = 2;
+  string client_id = 3;
+  string client_secret = 4;
+  string redirect_url = 5;
+  repeated string scopes = 6;
+}
+
+message Provider {
+  oneof provider {
+    Google google = 1;
+    Facebook facebook = 2;
+    Microsoft microsoft = 3;
+    Gitlab gitlab = 4;
+  }
+}
+
+message Google{}
+message Facebook{}
+message Microsoft{}
+message Gitlab{}
+
+message IdentityProviderMetadata {
+  string metadata = 1;
+}

golem-api-grpc/proto/golem/apidefinition/v1/api_definition_error.proto

@@ -19,7 +19,7 @@ message ApiDefinitionError {
 }
 
 message RouteValidationErrorsBody {
-    repeated RouteValidationError errors = 1;
+    repeated string errors = 1;
 }
 
 message RouteValidationError {

golem-cli/src/clients.rs

@@ -14,6 +14,7 @@
 
 pub mod api_definition;
 pub mod api_deployment;
+pub mod api_security;
 pub mod component;
 pub mod file_download;
 pub mod health_check;

golem-cli/src/clients/api_definition.rs

@@ -16,7 +16,7 @@ use crate::model::{
     ApiDefinitionFileFormat, ApiDefinitionId, ApiDefinitionVersion, GolemError, PathBufOrStdin,
 };
 use async_trait::async_trait;
-use golem_client::model::HttpApiDefinitionWithTypeInfo;
+use golem_client::model::HttpApiDefinitionResponseData;
 
 #[async_trait]
 pub trait ApiDefinitionClient {
@@ -26,31 +26,31 @@ pub trait ApiDefinitionClient {
         &self,
         id: Option<&ApiDefinitionId>,
         project: &Self::ProjectContext,
-    ) -> Result<Vec<HttpApiDefinitionWithTypeInfo>, GolemError>;
+    ) -> Result<Vec<HttpApiDefinitionResponseData>, GolemError>;
     async fn get(
         &self,
         id: ApiDefinitionId,
         version: ApiDefinitionVersion,
         project: &Self::ProjectContext,
-    ) -> Result<HttpApiDefinitionWithTypeInfo, GolemError>;
+    ) -> Result<HttpApiDefinitionResponseData, GolemError>;
     async fn create(
         &self,
         path: PathBufOrStdin,
         project: &Self::ProjectContext,
         format: &ApiDefinitionFileFormat,
-    ) -> Result<HttpApiDefinitionWithTypeInfo, GolemError>;
+    ) -> Result<HttpApiDefinitionResponseData, GolemError>;
     async fn update(
         &self,
         path: PathBufOrStdin,
         project: &Self::ProjectContext,
         format: &ApiDefinitionFileFormat,
-    ) -> Result<HttpApiDefinitionWithTypeInfo, GolemError>;
+    ) -> Result<HttpApiDefinitionResponseData, GolemError>;
     async fn import(
         &self,
         path: PathBufOrStdin,
         project: &Self::ProjectContext,
         format: &ApiDefinitionFileFormat,
-    ) -> Result<HttpApiDefinitionWithTypeInfo, GolemError>;
+    ) -> Result<HttpApiDefinitionResponseData, GolemError>;
     async fn delete(
         &self,
         id: ApiDefinitionId,

golem-cli/src/clients/api_security.rs

@@ -0,0 +1,35 @@
+// Copyright 2024 Golem Cloud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::model::{ApiSecurityScheme, GolemError};
+use async_trait::async_trait;
+use golem_client::model::Provider;
+
+#[async_trait]
+pub trait ApiSecurityClient {
+    type ProjectContext;
+
+    async fn create(
+        &self,
+        id: String,
+        provider_type: Provider,
+        client_id: String,
+        client_secret: String,
+        scope: Vec<String>,
+        redirect_url: String,
+        project: &Self::ProjectContext,
+    ) -> Result<ApiSecurityScheme, GolemError>;
+
+    async fn get(&self, id: &str) -> Result<ApiSecurityScheme, GolemError>;
+}

golem-cli/src/command.rs

@@ -18,6 +18,7 @@ use golem_common::uri::oss::uri::ComponentUri;
 
 pub mod api_definition;
 pub mod api_deployment;
+pub mod api_security;
 pub mod component;
 pub mod plugin;
 pub mod profile;

golem-cli/src/command/api_security.rs

@@ -0,0 +1,95 @@
+// Copyright 2024 Golem Cloud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use crate::model::{GolemError, GolemResult, IdentityProviderType};
+use crate::service::api_security::ApiSecuritySchemeService;
+use crate::service::project::ProjectResolver;
+use clap::Subcommand;
+
+#[derive(Subcommand, Debug)]
+#[command()]
+pub enum ApiSecuritySchemeSubcommand<ProjectRef: clap::Args> {
+    /// Create or update deployment
+    #[command()]
+    Create {
+        /// The newly created component's owner project
+        #[command(flatten)]
+        project_ref: ProjectRef,
+
+        /// Api definition id with version
+        #[arg(short = 'i', long = "scheme.id")]
+        id: String,
+
+        #[arg(short = 'p', long = "provider.type")]
+        provider_type: IdentityProviderType,
+
+        #[arg(long = "client.id")]
+        client_id: String,
+
+        #[arg(long = "client.secret")]
+        client_secret: String,
+
+        #[arg(short = 's', long = "scopes")]
+        scopes: Vec<String>,
+
+        #[arg(short = 'r', long = "redirect.url")]
+        redirect_url: String,
+    },
+
+    /// Get api security
+    #[command()]
+    Get {
+        /// The newly created component's owner project
+        #[command(flatten)]
+        project_ref: ProjectRef,
+
+        /// Security Scheme Id
+        #[arg(value_name = "scheme.id")]
+        id: String,
+    },
+}
+
+impl<ProjectRef: clap::Args + Send + Sync + 'static> ApiSecuritySchemeSubcommand<ProjectRef> {
+    pub async fn handle<ProjectContext>(
+        self,
+        service: &(dyn ApiSecuritySchemeService<ProjectContext = ProjectContext> + Send + Sync),
+        projects: &(dyn ProjectResolver<ProjectRef, ProjectContext> + Send + Sync),
+    ) -> Result<GolemResult, GolemError> {
+        match self {
+            ApiSecuritySchemeSubcommand::Create {
+                project_ref,
+                id,
+                provider_type,
+                client_id,
+                client_secret,
+                scopes,
+                redirect_url,
+            } => {
+                let project_id = projects.resolve_id_or_default(project_ref).await?;
+                service
+                    .create(
+                        id,
+                        provider_type.into(),
+                        client_id,
+                        client_secret,
+                        scopes,
+                        redirect_url,
+                        &project_id,
+                    )
+                    .await
+            }
+            ApiSecuritySchemeSubcommand::Get { id, .. } => service.get(id).await,
+        }
+    }
+}

golem-cli/src/factory.rs

@@ -20,6 +20,7 @@ use crate::clients::plugin::PluginClient;
 use crate::clients::worker::WorkerClient;
 use crate::service::api_definition::{ApiDefinitionService, ApiDefinitionServiceLive};
 use crate::service::api_deployment::{ApiDeploymentService, ApiDeploymentServiceLive};
+use crate::service::api_security::{ApiSecuritySchemeService, ApiSecuritySchemeServiceLive};
 use crate::service::component::{ComponentService, ComponentServiceLive};
 use crate::service::deploy::{DeployService, DeployServiceLive};
 use crate::service::project::ProjectResolver;
@@ -94,6 +95,23 @@ pub trait ServiceFactory {
         })
     }
 
+    fn api_security_scheme_client(
+        &self,
+    ) -> Box<
+        dyn crate::clients::api_security::ApiSecurityClient<ProjectContext = Self::ProjectContext>
+            + Send
+            + Sync,
+    >;
+
+    fn api_security_scheme_service(
+        &self,
+    ) -> Arc<dyn ApiSecuritySchemeService<ProjectContext = Self::ProjectContext> + Send + Sync>
+    {
+        Arc::new(ApiSecuritySchemeServiceLive {
+            client: self.api_security_scheme_client(),
+        })
+    }
+
     fn health_check_clients(&self) -> Vec<Arc<dyn HealthCheckClient + Send + Sync>>;
 
     fn version_service(&self) -> Arc<dyn VersionService + Send + Sync> {

golem-cli/src/init.rs

@@ -14,6 +14,7 @@
 
 use crate::command::api_definition::ApiDefinitionSubcommand;
 use crate::command::api_deployment::ApiDeploymentSubcommand;
+use crate::command::api_security::ApiSecuritySchemeSubcommand;
 use crate::command::component::ComponentSubCommand;
 use crate::command::plugin::PluginSubcommand;
 use crate::command::profile::{ProfileSubCommand, UniversalProfileAdd};
@@ -107,6 +108,13 @@ pub enum InitCommand<ProfileAdd: clap::Args> {
         subcommand: ApiDeploymentSubcommand<OssContext>,
     },
 
+    // Manage Api Security Schemes
+    #[command()]
+    ApiSecurityScheme {
+        #[command(subcommand)]
+        subcommand: ApiSecuritySchemeSubcommand<OssContext>,
+    },
+
     /// Manage plugins
     #[command()]
     Plugin {