emissary/internal/auth/user/authenticator.go

package user

import (
	"context"
	"net/http"
	"strings"

	"forge.cadoles.com/Cadoles/emissary/internal/auth"
	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
	"github.com/pkg/errors"
	"gitlab.com/wpetit/goweb/logger"
)

type Authenticator struct {
	keys   jwk.Set
	issuer string
}

// Authenticate implements auth.Authenticator.
func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
	ctx = logger.With(r.Context(), logger.F("remoteAddr", r.RemoteAddr))

	authorization := r.Header.Get("Authorization")
	if authorization == "" {
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	rawToken := strings.TrimPrefix(authorization, "Bearer ")
	if rawToken == "" {
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	token, err := parseToken(ctx, a.keys, a.issuer, rawToken)
	if err != nil {
		return nil, errors.WithStack(err)
	}

	rawRole, exists := token.Get(keyRole)
	if !exists {
		return nil, errors.New("could not find 'thumbprint' claim")
	}

	role, ok := rawRole.(string)
	if !ok {
		return nil, errors.Errorf("unexpected '%s' claim value: '%v'", keyRole, rawRole)
	}

	if !isValidRole(role) {
		return nil, errors.Errorf("invalid role '%s'", role)
	}

	user := &User{
		subject: token.Subject(),
		role:    Role(role),
	}

	return user, nil
}

func NewAuthenticator(keys jwk.Set, issuer string) *Authenticator {
	return &Authenticator{
		keys:   keys,
		issuer: issuer,
	}
}

var _ auth.Authenticator = &Authenticator{}
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`package user`

			`import (`
			`"context"`
			`"net/http"`
			`"strings"`

			`"forge.cadoles.com/Cadoles/emissary/internal/auth"`
			`"forge.cadoles.com/Cadoles/emissary/internal/jwk"`
			`"github.com/pkg/errors"`
			`"gitlab.com/wpetit/goweb/logger"`
			`)`

			`type Authenticator struct {`
			`keys jwk.Set`
			`issuer string`
			`}`

			`// Authenticate implements auth.Authenticator.`
			`func (a Authenticator) Authenticate(ctx context.Context, r http.Request) (auth.User, error) {`
			`ctx = logger.With(r.Context(), logger.F("remoteAddr", r.RemoteAddr))`

			`authorization := r.Header.Get("Authorization")`
			`if authorization == "" {`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
			`}`

			`rawToken := strings.TrimPrefix(authorization, "Bearer ")`
			`if rawToken == "" {`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
			`}`

			`token, err := parseToken(ctx, a.keys, a.issuer, rawToken)`
			`if err != nil {`
			`return nil, errors.WithStack(err)`
			`}`

			`rawRole, exists := token.Get(keyRole)`
			`if !exists {`
			`return nil, errors.New("could not find 'thumbprint' claim")`
			`}`

			`role, ok := rawRole.(string)`
			`if !ok {`
			`return nil, errors.Errorf("unexpected '%s' claim value: '%v'", keyRole, rawRole)`
			`}`

			`if !isValidRole(role) {`
			`return nil, errors.Errorf("invalid role '%s'", role)`
			`}`

			`user := &User{`
			`subject: token.Subject(),`
			`role: Role(role),`
			`}`

			`return user, nil`
			`}`

			`func NewAuthenticator(keys jwk.Set, issuer string) *Authenticator {`
			`return &Authenticator{`
			`keys: keys,`
			`issuer: issuer,`
			`}`
			`}`

			`var _ auth.Authenticator = &Authenticator{}`