emissary/internal/auth/thirdparty/jwt.go

package thirdparty

import (
	"context"
	"time"

	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
	"github.com/lestrrat-go/jwx/v2/jwa"
	"github.com/lestrrat-go/jwx/v2/jws"
	"github.com/lestrrat-go/jwx/v2/jwt"
	"github.com/pkg/errors"
)

func parseToken(ctx context.Context, keys jwk.Set, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
	token, err := jwt.Parse(
		[]byte(rawToken),
		jwt.WithKeySet(keys, jws.WithRequireKid(false)),
		jwt.WithValidate(true),
		jwt.WithAcceptableSkew(acceptableSkew),
		jwt.WithContext(ctx),
	)
	if err != nil {
		return nil, errors.WithStack(err)
	}

	return token, nil
}

const (
	DefaultRoleKey   string = "role"
	DefaultTenantKey string = "tenant"
)

func GenerateToken(ctx context.Context, key jwk.Key, tenant datastore.TenantID, subject string, role Role) (string, error) {
	token := jwt.New()

	if err := token.Set(jwt.SubjectKey, subject); err != nil {
		return "", errors.WithStack(err)
	}

	if err := token.Set(DefaultRoleKey, role); err != nil {
		return "", errors.WithStack(err)
	}

	if err := token.Set(DefaultTenantKey, tenant); err != nil {
		return "", errors.WithStack(err)
	}

	now := time.Now().UTC()

	if err := token.Set(jwt.NotBeforeKey, now); err != nil {
		return "", errors.WithStack(err)
	}

	if err := token.Set(jwt.IssuedAtKey, now); err != nil {
		return "", errors.WithStack(err)
	}

	rawToken, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, key))
	if err != nil {
		return "", errors.WithStack(err)
	}

	return string(rawToken), nil
}
feat: basic authorization model 2023-03-13 10:44:58 +01:00			`package thirdparty`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00
			`import (`
			`"context"`
			`"time"`

feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`"forge.cadoles.com/Cadoles/emissary/internal/datastore"`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`"forge.cadoles.com/Cadoles/emissary/internal/jwk"`
			`"github.com/lestrrat-go/jwx/v2/jwa"`
			`"github.com/lestrrat-go/jwx/v2/jws"`
			`"github.com/lestrrat-go/jwx/v2/jwt"`
			`"github.com/pkg/errors"`
			`)`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`func parseToken(ctx context.Context, keys jwk.Set, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`token, err := jwt.Parse(`
			`[]byte(rawToken),`
			`jwt.WithKeySet(keys, jws.WithRequireKid(false)),`
			`jwt.WithValidate(true),`
feat(auth): accept clock skew for token validation 2023-04-01 19:30:45 +02:00			`jwt.WithAcceptableSkew(acceptableSkew),`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`jwt.WithContext(ctx),`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`)`
			`if err != nil {`
			`return nil, errors.WithStack(err)`
			`}`

			`return token, nil`
			`}`

feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`const (`
			`DefaultRoleKey string = "role"`
			`DefaultTenantKey string = "tenant"`
			`)`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`func GenerateToken(ctx context.Context, key jwk.Key, tenant datastore.TenantID, subject string, role Role) (string, error) {`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`token := jwt.New()`

			`if err := token.Set(jwt.SubjectKey, subject); err != nil {`
			`return "", errors.WithStack(err)`
			`}`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`if err := token.Set(DefaultRoleKey, role); err != nil {`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`return "", errors.WithStack(err)`
			`}`

feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`if err := token.Set(DefaultTenantKey, tenant); err != nil {`
			`return "", errors.WithStack(err)`
			`}`

feat(auth): use utc time 2023-03-29 20:49:44 +02:00			`now := time.Now().UTC()`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00
			`if err := token.Set(jwt.NotBeforeKey, now); err != nil {`
			`return "", errors.WithStack(err)`
			`}`

			`if err := token.Set(jwt.IssuedAtKey, now); err != nil {`
			`return "", errors.WithStack(err)`
			`}`

			`rawToken, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, key))`
			`if err != nil {`
			`return "", errors.WithStack(err)`
			`}`

			`return string(rawToken), nil`
			`}`