emissary/internal/auth/user/authenticator.go

96 lines
2.6 KiB
Go
Raw Permalink Normal View History

package user
import (
"context"
"net/http"
"strings"
"time"
"forge.cadoles.com/Cadoles/emissary/internal/auth"
2024-02-26 18:20:40 +01:00
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
"github.com/lestrrat-go/jwx/v2/jwt"
"github.com/pkg/errors"
2024-02-26 18:20:40 +01:00
"gitlab.com/wpetit/goweb/logger"
)
const DefaultAcceptableSkew = 5 * time.Minute
type (
2024-02-26 18:20:40 +01:00
GetKeySet func(context.Context) (jwk.Set, error)
GetTokenRole func(context.Context, jwt.Token) (string, error)
GetTokenTenant func(context.Context, jwt.Token) (string, error)
)
type Authenticator struct {
getKeySet GetKeySet
getTokenRole GetTokenRole
2024-02-26 18:20:40 +01:00
getTokenTenant GetTokenTenant
acceptableSkew time.Duration
}
// Authenticate implements auth.Authenticator.
func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
authorization := r.Header.Get("Authorization")
if authorization == "" {
return nil, errors.WithStack(auth.ErrUnauthenticated)
}
rawToken := strings.TrimPrefix(authorization, "Bearer ")
if rawToken == "" {
return nil, errors.WithStack(auth.ErrUnauthenticated)
}
keys, err := a.getKeySet(ctx)
if err != nil {
return nil, errors.WithStack(err)
}
token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)
if err != nil {
2024-02-26 18:20:40 +01:00
logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
return nil, errors.WithStack(auth.ErrUnauthenticated)
}
rawRole, err := a.getTokenRole(ctx, token)
if err != nil {
2024-02-26 18:20:40 +01:00
logger.Debug(ctx, "could not retrieve token role", logger.CapturedE(errors.WithStack(err)))
return nil, errors.WithStack(auth.ErrUnauthenticated)
}
if !isValidRole(rawRole) {
2024-02-26 18:20:40 +01:00
return nil, errors.WithStack(auth.ErrUnauthorized)
}
rawTenantID, err := a.getTokenTenant(ctx, token)
if err != nil {
logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
return nil, errors.WithStack(auth.ErrUnauthenticated)
}
tenantID, err := datastore.ParseTenantID(rawTenantID)
if err != nil {
logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
return nil, errors.WithStack(auth.ErrUnauthenticated)
}
user := &User{
2024-02-26 18:20:40 +01:00
subject: token.Subject(),
role: Role(rawRole),
tenantID: tenantID,
}
return user, nil
}
2024-02-26 18:20:40 +01:00
func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, getTokenTenant GetTokenTenant, acceptableSkew time.Duration) *Authenticator {
return &Authenticator{
getTokenRole: getTokenRole,
2024-02-26 18:20:40 +01:00
getTokenTenant: getTokenTenant,
getKeySet: getKeySet,
acceptableSkew: acceptableSkew,
}
}
var _ auth.Authenticator = &Authenticator{}