IAM Client
Replay server has a ready-to-use IAM client in the API router api/v1/api.go that allows for easy authentication and identity verification.
Setting up an IAM Application
An IAM dev application has been set up for replay server in iam-dev.quantummetric.com. Currently there is no production IAM application for replay server; one will need to be added.
Secret management
It is important to note that the clientSecret is a sensitive value and should not be stored in source. Keep the client secret out of source by using gcloud secrets locally to create and retrieve the secret value.
To use the client secret for local development:
export CONFIG_IAM_CLIENTSECRET=$(gcloud secrets versions access latest --secret replay-server-iam_client_secret)
Chart
Replay server's helm chart currently sets the IAM clientid and issuer in build/values/dev.yaml under the top-level iam key.
The client secret is managed by an external secret in build/chart/templates/externalsecret.yaml and is configured to be set to the latest version of replay-server-iam_client_secret.
IAM Auth Middleware
The SDK HTTP auth middleware allows applications to use IAM JWT tokens as a means of authorization to a backend Go service. A thin wrapper has been included for replay server to handle the configuration needed to set up the SDK auth middleware, as well as to handle cases where the environment does not have the necessary values set.
Usage
The JWT middleware is currently set up only for the /auth-check route in replay server, to test configuration. The route also serves as an example for adding other routes:
r.HandleFunc("/auth-check", auth.Restrict(healthFunc)).Methods("Get")
auth.Restrict, when wrapping any http.Handler function, will serve the wrapped function's results if the bearer token passed in is valid. All requests made with invalid tokens will receive a 401 status code.
If the middleware environment configuration is misconfigured, auth.Restrict will instead return the wrapped function without checking the bearer token, while logging a warning. This is to allow a more permissive local development experience. This behavior can be adjusted in the auth.Restrict function by removing the wrapped function call n(w, r) from the nil check on the authenticator.
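The fallback described above, as an added example rather than the replay server's own auth package: a minimal Restrict whose nil-authenticator branch can either fail open (the documented local-development behaviour) or fail closed, exercised with httptest. The Authenticator type, the token value and the StatusFor helper are assumptions for this illustration, not the SDK's API.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Authenticator stands in for the SDK token validator (hypothetical type);
// a nil value models the misconfigured-environment case from the text.
type Authenticator func(token string) bool

// bearerToken returns the token from "Authorization: Bearer <token>", if any.
func bearerToken(r *http.Request) (string, bool) {
	h := r.Header.Get("Authorization")
	tok := strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	return tok, strings.HasPrefix(h, "Bearer ") && tok != ""
}

// Restrict wraps n; failOpen=true reproduces the documented nil-authenticator
// fallback (warn and serve), failOpen=false is the fail-closed variant.
func Restrict(a Authenticator, n http.HandlerFunc, failOpen bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if a == nil {
			log.Println("WARN: IAM auth not configured")
			if failOpen {
				n(w, r) // the call the text says to remove to fail closed
				return
			}
			http.Error(w, "auth not configured", http.StatusServiceUnavailable)
			return
		}
		if tok, ok := bearerToken(r); !ok || !a(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		n(w, r)
	}
}

// StatusFor sends GET /auth-check through Restrict and returns the status code.
func StatusFor(a Authenticator, authz string, failOpen bool) int {
	ok := func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }
	req := httptest.NewRequest(http.MethodGet, "/auth-check", nil)
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	Restrict(a, ok, failOpen)(rec, req)
	return rec.Code
}
```

Deleting n(w, r) alone leaves the handler returning without writing anything, which net/http sends as an empty 200, so the fail-closed branch should write an explicit error status as above.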