2023-03-07 23:10:42 +01:00
|
|
|
package agent
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
2023-04-01 14:33:19 +02:00
|
|
|
"time"
|
2023-03-07 23:10:42 +01:00
|
|
|
|
|
|
|
|
"forge.cadoles.com/Cadoles/emissary/internal/auth"
|
|
|
|
|
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
|
|
|
|
"github.com/lestrrat-go/jwx/v2/jws"
|
|
|
|
|
"github.com/lestrrat-go/jwx/v2/jwt"
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
"gitlab.com/wpetit/goweb/logger"
|
|
|
|
|
)
|
|
|
|
|
|
2023-04-01 19:30:45 +02:00
|
|
|
const DefaultAcceptableSkew = 5 * time.Minute
|
|
|
|
|
|
2023-03-07 23:10:42 +01:00
|
|
|
type Authenticator struct {
|
2023-04-01 19:30:45 +02:00
|
|
|
repo datastore.AgentRepository
|
|
|
|
|
acceptableSkew time.Duration
|
2023-03-07 23:10:42 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Authenticate implements auth.Authenticator.
|
|
|
|
|
func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
|
|
|
|
|
ctx = logger.With(r.Context(), logger.F("remoteAddr", r.RemoteAddr))
|
|
|
|
|
|
|
|
|
|
authorization := r.Header.Get("Authorization")
|
|
|
|
|
if authorization == "" {
|
|
|
|
|
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rawToken := strings.TrimPrefix(authorization, "Bearer ")
|
|
|
|
|
if rawToken == "" {
|
|
|
|
|
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := jwt.Parse([]byte(rawToken), jwt.WithVerify(false))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.WithStack(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rawThumbprint, exists := token.Get(keyThumbprint)
|
|
|
|
|
if !exists {
|
|
|
|
|
return nil, errors.Errorf("could not find '%s' claim", keyThumbprint)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
thumbrint, ok := rawThumbprint.(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errors.Errorf("unexpected '%s' claim value: '%v'", keyThumbprint, rawThumbprint)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
agents, _, err := a.repo.Query(
|
|
|
|
|
ctx,
|
|
|
|
|
datastore.WithAgentQueryThumbprints(thumbrint),
|
|
|
|
|
datastore.WithAgentQueryLimit(1),
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.WithStack(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(agents) != 1 {
|
|
|
|
|
return nil, errors.Errorf("unexpected number of found agents: '%d'", len(agents))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
agent, err := a.repo.Get(
|
|
|
|
|
ctx,
|
|
|
|
|
agents[0].ID,
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.WithStack(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = jwt.Parse(
|
|
|
|
|
[]byte(rawToken),
|
|
|
|
|
jwt.WithKeySet(agent.KeySet.Set, jws.WithRequireKid(false)),
|
|
|
|
|
jwt.WithValidate(true),
|
2023-04-01 19:30:45 +02:00
|
|
|
jwt.WithAcceptableSkew(a.acceptableSkew),
|
2023-03-07 23:10:42 +01:00
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.WithStack(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-01 14:33:19 +02:00
|
|
|
contactedAt := time.Now()
|
|
|
|
|
|
|
|
|
|
agent, err = a.repo.Update(ctx, agent.ID, datastore.WithAgentUpdateContactedAt(contactedAt))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.WithStack(err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-07 23:10:42 +01:00
|
|
|
user := &User{
|
|
|
|
|
agent: agent,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return user, nil
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-01 19:30:45 +02:00
|
|
|
func NewAuthenticator(repo datastore.AgentRepository, acceptableSkew time.Duration) *Authenticator {
|
2023-03-07 23:10:42 +01:00
|
|
|
return &Authenticator{
|
2023-04-01 19:30:45 +02:00
|
|
|
repo: repo,
|
|
|
|
|
acceptableSkew: acceptableSkew,
|
2023-03-07 23:10:42 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var _ auth.Authenticator = &Authenticator{}
|
