feat: resources segregation by tenant

2024-02-26 18:20:40 +01:00
parent 79f53010a0
commit ca4211daef
45 changed files with 704 additions and 429 deletions
--- a/internal/auth/agent/authenticator.go
+++ b/internal/auth/agent/authenticator.go
@ -11,6 +11,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )

 const DefaultAcceptableSkew = 5 * time.Minute
@ -34,17 +35,19 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth

 	token, err := jwt.Parse([]byte(rawToken), jwt.WithVerify(false))
 	if err != nil {
-		return nil, errors.WithStack(err)
+		logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	rawThumbprint, exists := token.Get(keyThumbprint)
 	if !exists {
-		return nil, errors.Errorf("could not find '%s' claim", keyThumbprint)
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	thumbrint, ok := rawThumbprint.(string)
 	if !ok {
-		return nil, errors.Errorf("unexpected '%s' claim value: '%v'", keyThumbprint, rawThumbprint)
+		logger.Debug(ctx, "unexpected claim value", logger.F("claim", rawThumbprint), logger.F("value", rawThumbprint))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	agents, _, err := a.repo.Query(
@ -57,7 +60,8 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 	}

 	if len(agents) != 1 {
-		return nil, errors.Errorf("unexpected number of found agents: '%d'", len(agents))
+		logger.Debug(ctx, "unexpected number of found agents", logger.F("total", len(agents)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	agent, err := a.repo.Get(
@ -75,14 +79,15 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 		jwt.WithAcceptableSkew(a.acceptableSkew),
 	)
 	if err != nil {
-		return nil, errors.WithStack(err)
+		logger.Error(ctx, "could not parse jwt", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	contactedAt := time.Now()

 	agent, err = a.repo.Update(ctx, agent.ID, datastore.WithAgentUpdateContactedAt(contactedAt))
 	if err != nil {
-		return nil, errors.WithStack(err)
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	user := &User{
--- a/internal/auth/agent/user.go
+++ b/internal/auth/agent/user.go
@ -16,6 +16,15 @@ func (u *User) Subject() string {
 	return fmt.Sprintf("agent-%d", u.agent.ID)
 }

+// Subject implements auth.User
+func (u *User) Tenant() datastore.TenantID {
+	if u.agent.TenantID == nil {
+		return ""
+	}
+
+	return *u.agent.TenantID
+}
+
 func (u *User) Agent() *datastore.Agent {
 	return u.agent
 }
--- a/internal/auth/error.go
+++ b/internal/auth/error.go
@ -0,0 +1,8 @@
+package auth
+
+import "github.com/pkg/errors"
+
+var (
+	ErrUnauthenticated = errors.New("unauthenticated")
+	ErrUnauthorized    = errors.New(("unauthorized"))
+)
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"

+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/api"
 	"gitlab.com/wpetit/goweb/logger"
@ -29,10 +30,9 @@ func CtxUser(ctx context.Context) (User, error) {
 	return user, nil
 }

-var ErrUnauthenticated = errors.New("unauthenticated")
-
 type User interface {
 	Subject() string
+	Tenant() datastore.TenantID
 }

 type Authenticator interface {
@ -49,11 +49,12 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 				err  error
 			)

+			var errs []error
+
 			for _, auth := range authenticators {
 				user, err = auth.Authenticate(ctx, r)
 				if err != nil {
-					logger.Debug(ctx, "could not authenticate request", logger.E(errors.WithStack(err)))
-
+					errs = append(errs, errors.WithStack(err))
 					continue
 				}

@ -63,9 +64,22 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 			}

 			if user == nil {
-				api.ErrorResponse(w, http.StatusUnauthorized, ErrCodeUnauthorized, nil)
+				isUnauthorized, isUnauthenticated, isUnknown := checkErrors(errs)

-				return
+				switch {
+				case isUnauthorized && !isUnknown:
+					api.ErrorResponse(w, http.StatusForbidden, api.ErrCodeForbidden, nil)
+					return
+				case isUnauthenticated && !isUnknown:
+					api.ErrorResponse(w, http.StatusForbidden, api.ErrCodeForbidden, nil)
+					return
+				case isUnknown:
+					api.ErrorResponse(w, http.StatusInternalServerError, api.ErrCodeUnknownError, nil)
+					return
+				default:
+					api.ErrorResponse(w, http.StatusUnauthorized, ErrCodeUnauthorized, nil)
+					return
+				}
 			}

 			ctx = logger.With(ctx, logger.F("user", user.Subject()))
@ -77,3 +91,24 @@ func Middleware(authenticators ...Authenticator) func(http.Handler) http.Handler
 		return http.HandlerFunc(fn)
 	}
 }
+
+func checkErrors(errs []error) (isUnauthorized bool, isUnauthenticated bool, isUnknown bool) {
+	isUnauthenticated = false
+	isUnauthorized = false
+	isUnknown = false
+
+	for _, e := range errs {
+		switch {
+		case errors.Is(e, ErrUnauthorized):
+			isUnauthorized = true
+			continue
+		case errors.Is(e, ErrUnauthenticated):
+			isUnauthenticated = true
+			continue
+		default:
+			isUnknown = true
+		}
+	}
+
+	return
+}
--- a/internal/auth/thirdparty/authenticator.go
+++ b/internal/auth/thirdparty/authenticator.go
@ -7,21 +7,25 @@ import (
 	"time"

 	"forge.cadoles.com/Cadoles/emissary/internal/auth"
+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )

 const DefaultAcceptableSkew = 5 * time.Minute

 type (
-	GetKeySet    func(context.Context) (jwk.Set, error)
-	GetTokenRole func(context.Context, jwt.Token) (string, error)
+	GetKeySet      func(context.Context) (jwk.Set, error)
+	GetTokenRole   func(context.Context, jwt.Token) (string, error)
+	GetTokenTenant func(context.Context, jwt.Token) (string, error)
 )

 type Authenticator struct {
 	getKeySet      GetKeySet
 	getTokenRole   GetTokenRole
+	getTokenTenant GetTokenTenant
 	acceptableSkew time.Duration
 }

@ -44,29 +48,45 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth

 	token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)
 	if err != nil {
-		return nil, errors.WithStack(err)
+		logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	rawRole, err := a.getTokenRole(ctx, token)
 	if err != nil {
-		return nil, errors.WithStack(err)
+		logger.Debug(ctx, "could not retrieve token role", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	if !isValidRole(rawRole) {
-		return nil, errors.Errorf("invalid role '%s'", rawRole)
+		return nil, errors.WithStack(auth.ErrUnauthorized)
+	}
+
+	rawTenantID, err := a.getTokenTenant(ctx, token)
+	if err != nil {
+		logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
+	}
+
+	tenantID, err := datastore.ParseTenantID(rawTenantID)
+	if err != nil {
+		logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	user := &User{
-		subject: token.Subject(),
-		role:    Role(rawRole),
+		subject:  token.Subject(),
+		role:     Role(rawRole),
+		tenantID: tenantID,
 	}

 	return user, nil
 }

-func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, acceptableSkew time.Duration) *Authenticator {
+func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, getTokenTenant GetTokenTenant, acceptableSkew time.Duration) *Authenticator {
 	return &Authenticator{
 		getTokenRole:   getTokenRole,
+		getTokenTenant: getTokenTenant,
 		getKeySet:      getKeySet,
 		acceptableSkew: acceptableSkew,
 	}
--- a/internal/auth/thirdparty/jwt.go
+++ b/internal/auth/thirdparty/jwt.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"time"

+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
 	"forge.cadoles.com/Cadoles/emissary/internal/jwk"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/lestrrat-go/jwx/v2/jws"
@ -26,9 +27,12 @@ func parseToken(ctx context.Context, keys jwk.Set, rawToken string, acceptableSk
 	return token, nil
 }

-const DefaultRoleKey string = "role"
+const (
+	DefaultRoleKey   string = "role"
+	DefaultTenantKey string = "tenant"
+)

-func GenerateToken(ctx context.Context, key jwk.Key, subject string, role Role) (string, error) {
+func GenerateToken(ctx context.Context, key jwk.Key, tenant datastore.TenantID, subject string, role Role) (string, error) {
 	token := jwt.New()

 	if err := token.Set(jwt.SubjectKey, subject); err != nil {
@ -39,6 +43,10 @@ func GenerateToken(ctx context.Context, key jwk.Key, subject string, role Role)
 		return "", errors.WithStack(err)
 	}

+	if err := token.Set(DefaultTenantKey, tenant); err != nil {
+		return "", errors.WithStack(err)
+	}
+
 	now := time.Now().UTC()

 	if err := token.Set(jwt.NotBeforeKey, now); err != nil {
--- a/internal/auth/thirdparty/user.go
+++ b/internal/auth/thirdparty/user.go
@ -1,6 +1,9 @@
 package thirdparty

-import "forge.cadoles.com/Cadoles/emissary/internal/auth"
+import (
+	"forge.cadoles.com/Cadoles/emissary/internal/auth"
+	"forge.cadoles.com/Cadoles/emissary/internal/datastore"
+)

 type Role string

@ -16,8 +19,9 @@ func isValidRole(r string) bool {
 }

 type User struct {
-	subject string
-	role    Role
+	subject  string
+	tenantID datastore.TenantID
+	role     Role
 }

 // Subject implements auth.User
@ -25,6 +29,11 @@ func (u *User) Subject() string {
 	return u.subject
 }

+// Tenant implements auth.User
+func (u *User) Tenant() datastore.TenantID {
+	return u.tenantID
+}
+
 func (u *User) Role() Role {
 	return u.role
 }