feat(client): tenant management commands

2024-02-27 14:14:30 +01:00
parent 15a0bf6ecc
commit c851a1f51b
61 changed files with 1376 additions and 272 deletions
--- a/internal/auth/user/authenticator.go
+++ b/internal/auth/user/authenticator.go
@ -0,0 +1,95 @@
+package user
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"time"
+
+	"forge.cadoles.com/Cadoles/emissary/internal/auth"
+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
+	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
+	"github.com/lestrrat-go/jwx/v2/jwt"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+const DefaultAcceptableSkew = 5 * time.Minute
+
+type (
+	GetKeySet      func(context.Context) (jwk.Set, error)
+	GetTokenRole   func(context.Context, jwt.Token) (string, error)
+	GetTokenTenant func(context.Context, jwt.Token) (string, error)
+)
+
+type Authenticator struct {
+	getKeySet      GetKeySet
+	getTokenRole   GetTokenRole
+	getTokenTenant GetTokenTenant
+	acceptableSkew time.Duration
+}
+
+// Authenticate implements auth.Authenticator.
+func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth.User, error) {
+	authorization := r.Header.Get("Authorization")
+	if authorization == "" {
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	rawToken := strings.TrimPrefix(authorization, "Bearer ")
+	if rawToken == "" {
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	keys, err := a.getKeySet(ctx)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)
+	if err != nil {
+		logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	rawRole, err := a.getTokenRole(ctx, token)
+	if err != nil {
+		logger.Debug(ctx, "could not retrieve token role", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	if !isValidRole(rawRole) {
+		return nil, errors.WithStack(auth.ErrUnauthorized)
+	}
+
+	rawTenantID, err := a.getTokenTenant(ctx, token)
+	if err != nil {
+		logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	tenantID, err := datastore.ParseTenantID(rawTenantID)
+	if err != nil {
+		logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	user := &User{
+		subject:  token.Subject(),
+		role:     Role(rawRole),
+		tenantID: tenantID,
+	}
+
+	return user, nil
+}
+
+func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, getTokenTenant GetTokenTenant, acceptableSkew time.Duration) *Authenticator {
+	return &Authenticator{
+		getTokenRole:   getTokenRole,
+		getTokenTenant: getTokenTenant,
+		getKeySet:      getKeySet,
+		acceptableSkew: acceptableSkew,
+	}
+}
+
+var _ auth.Authenticator = &Authenticator{}
--- a/internal/auth/user/jwt.go
+++ b/internal/auth/user/jwt.go
@ -0,0 +1,66 @@
+package user
+
+import (
+	"context"
+	"time"
+
+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
+	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jws"
+	"github.com/lestrrat-go/jwx/v2/jwt"
+	"github.com/pkg/errors"
+)
+
+func parseToken(ctx context.Context, keys jwk.Set, rawToken string, acceptableSkew time.Duration) (jwt.Token, error) {
+	token, err := jwt.Parse(
+		[]byte(rawToken),
+		jwt.WithKeySet(keys, jws.WithRequireKid(false)),
+		jwt.WithValidate(true),
+		jwt.WithAcceptableSkew(acceptableSkew),
+		jwt.WithContext(ctx),
+	)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return token, nil
+}
+
+const (
+	DefaultRoleKey   string = "role"
+	DefaultTenantKey string = "tenant"
+)
+
+func GenerateToken(ctx context.Context, key jwk.Key, tenant datastore.TenantID, subject string, role Role) (string, error) {
+	token := jwt.New()
+
+	if err := token.Set(jwt.SubjectKey, subject); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	if err := token.Set(DefaultRoleKey, role); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	if err := token.Set(DefaultTenantKey, tenant); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	now := time.Now().UTC()
+
+	if err := token.Set(jwt.NotBeforeKey, now); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	if err := token.Set(jwt.IssuedAtKey, now); err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	rawToken, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, key))
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	return string(rawToken), nil
+}
--- a/internal/auth/user/user.go
+++ b/internal/auth/user/user.go
@ -0,0 +1,42 @@
+package user
+
+import (
+	"forge.cadoles.com/Cadoles/emissary/internal/auth"
+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
+)
+
+type Role string
+
+const (
+	RoleWriter Role = "writer"
+	RoleReader Role = "reader"
+	RoleAdmin  Role = "admin"
+)
+
+func isValidRole(r string) bool {
+	rr := Role(r)
+
+	return rr == RoleWriter || rr == RoleReader || rr == RoleAdmin
+}
+
+type User struct {
+	subject  string
+	tenantID datastore.TenantID
+	role     Role
+}
+
+// Subject implements auth.User
+func (u *User) Subject() string {
+	return u.subject
+}
+
+// Tenant implements auth.User
+func (u *User) Tenant() datastore.TenantID {
+	return u.tenantID
+}
+
+func (u *User) Role() Role {
+	return u.role
+}
+
+var _ auth.User = &User{}