emissary/internal/auth/user/authenticator.go

package user

import (
	"context"
	"net/http"
	"strings"
	"time"

	"forge.cadoles.com/Cadoles/emissary/internal/auth"
	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
	"github.com/lestrrat-go/jwx/v2/jwt"
	"github.com/pkg/errors"
	"gitlab.com/wpetit/goweb/logger"
)

const DefaultAcceptableSkew = 5 * time.Minute

type (
	GetKeySet      func(context.Context) (jwk.Set, error)
	GetTokenRole   func(context.Context, jwt.Token) (string, error)
	GetTokenTenant func(context.Context, jwt.Token) (string, error)
)

type Authenticator struct {
	getKeySet      GetKeySet
	getTokenRole   GetTokenRole
	getTokenTenant GetTokenTenant
	acceptableSkew time.Duration
}

// Authenticate implements auth.Authenticator.
func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
	authorization := r.Header.Get("Authorization")
	if authorization == "" {
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	rawToken := strings.TrimPrefix(authorization, "Bearer ")
	if rawToken == "" {
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	keys, err := a.getKeySet(ctx)
	if err != nil {
		return nil, errors.WithStack(err)
	}

	token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)
	if err != nil {
		logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	rawRole, err := a.getTokenRole(ctx, token)
	if err != nil {
		logger.Debug(ctx, "could not retrieve token role", logger.CapturedE(errors.WithStack(err)))
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	if !isValidRole(rawRole) {
		return nil, errors.WithStack(auth.ErrUnauthorized)
	}

	rawTenantID, err := a.getTokenTenant(ctx, token)
	if err != nil {
		logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	tenantID, err := datastore.ParseTenantID(rawTenantID)
	if err != nil {
		logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
		return nil, errors.WithStack(auth.ErrUnauthenticated)
	}

	user := &User{
		subject:  token.Subject(),
		role:     Role(rawRole),
		tenantID: tenantID,
	}

	return user, nil
}

func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, getTokenTenant GetTokenTenant, acceptableSkew time.Duration) *Authenticator {
	return &Authenticator{
		getTokenRole:   getTokenRole,
		getTokenTenant: getTokenTenant,
		getKeySet:      getKeySet,
		acceptableSkew: acceptableSkew,
	}
}

var _ auth.Authenticator = &Authenticator{}
feat(client): tenant management commands 2024-02-27 14:14:30 +01:00			`package user`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00
			`import (`
			`"context"`
			`"net/http"`
			`"strings"`
feat(auth): accept clock skew for token validation 2023-04-01 19:30:45 +02:00			`"time"`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00
			`"forge.cadoles.com/Cadoles/emissary/internal/auth"`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`"forge.cadoles.com/Cadoles/emissary/internal/datastore"`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`"forge.cadoles.com/Cadoles/emissary/internal/jwk"`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`"github.com/lestrrat-go/jwx/v2/jwt"`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`"github.com/pkg/errors"`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`"gitlab.com/wpetit/goweb/logger"`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`)`

feat(auth): accept clock skew for token validation 2023-04-01 19:30:45 +02:00			`const DefaultAcceptableSkew = 5 * time.Minute`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`type (`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`GetKeySet func(context.Context) (jwk.Set, error)`
			`GetTokenRole func(context.Context, jwt.Token) (string, error)`
			`GetTokenTenant func(context.Context, jwt.Token) (string, error)`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`)`

feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`type Authenticator struct {`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`getKeySet GetKeySet`
			`getTokenRole GetTokenRole`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`getTokenTenant GetTokenTenant`
feat(auth): accept clock skew for token validation 2023-04-01 19:30:45 +02:00			`acceptableSkew time.Duration`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`}`

			`// Authenticate implements auth.Authenticator.`
			`func (a Authenticator) Authenticate(ctx context.Context, r http.Request) (auth.User, error) {`
			`authorization := r.Header.Get("Authorization")`
			`if authorization == "" {`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
			`}`

			`rawToken := strings.TrimPrefix(authorization, "Bearer ")`
			`if rawToken == "" {`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
			`}`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`keys, err := a.getKeySet(ctx)`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`if err != nil {`
			`return nil, errors.WithStack(err)`
			`}`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)`
			`if err != nil {`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`}`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`rawRole, err := a.getTokenRole(ctx, token)`
			`if err != nil {`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`logger.Debug(ctx, "could not retrieve token role", logger.CapturedE(errors.WithStack(err)))`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`}`

feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`if !isValidRole(rawRole) {`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`return nil, errors.WithStack(auth.ErrUnauthorized)`
			`}`

			`rawTenantID, err := a.getTokenTenant(ctx, token)`
			`if err != nil {`
			`logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
			`}`

			`tenantID, err := datastore.ParseTenantID(rawTenantID)`
			`if err != nil {`
			`logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))`
			`return nil, errors.WithStack(auth.ErrUnauthenticated)`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`}`

			`user := &User{`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`subject: token.Subject(),`
			`role: Role(rawRole),`
			`tenantID: tenantID,`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`}`

			`return user, nil`
			`}`

feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, getTokenTenant GetTokenTenant, acceptableSkew time.Duration) *Authenticator {`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`return &Authenticator{`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`getTokenRole: getTokenRole,`
feat: resources segregation by tenant 2024-02-26 18:20:40 +01:00			`getTokenTenant: getTokenTenant,`
feat(auth): remote and local third-party authentication 2023-07-26 15:14:49 +02:00			`getKeySet: getKeySet,`
feat(auth): accept clock skew for token validation 2023-04-01 19:30:45 +02:00			`acceptableSkew: acceptableSkew,`
feat: authenticate users and agents requests 2023-03-07 23:10:42 +01:00			`}`
			`}`

			`var _ auth.Authenticator = &Authenticator{}`