feat: resources segregation by tenant

2024-02-26 18:20:40 +01:00
parent 79f53010a0
commit ca4211daef
45 changed files with 704 additions and 429 deletions
--- a/internal/auth/agent/authenticator.go
+++ b/internal/auth/agent/authenticator.go
@ -11,6 +11,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jws"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
 )

 const DefaultAcceptableSkew = 5 * time.Minute
@ -34,17 +35,19 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth

 	token, err := jwt.Parse([]byte(rawToken), jwt.WithVerify(false))
 	if err != nil {
-		return nil, errors.WithStack(err)
+		logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	rawThumbprint, exists := token.Get(keyThumbprint)
 	if !exists {
-		return nil, errors.Errorf("could not find '%s' claim", keyThumbprint)
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	thumbrint, ok := rawThumbprint.(string)
 	if !ok {
-		return nil, errors.Errorf("unexpected '%s' claim value: '%v'", keyThumbprint, rawThumbprint)
+		logger.Debug(ctx, "unexpected claim value", logger.F("claim", rawThumbprint), logger.F("value", rawThumbprint))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	agents, _, err := a.repo.Query(
@ -57,7 +60,8 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 	}

 	if len(agents) != 1 {
-		return nil, errors.Errorf("unexpected number of found agents: '%d'", len(agents))
+		logger.Debug(ctx, "unexpected number of found agents", logger.F("total", len(agents)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	agent, err := a.repo.Get(
@ -75,14 +79,15 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
 		jwt.WithAcceptableSkew(a.acceptableSkew),
 	)
 	if err != nil {
-		return nil, errors.WithStack(err)
+		logger.Error(ctx, "could not parse jwt", logger.CapturedE(errors.WithStack(err)))
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	contactedAt := time.Now()

 	agent, err = a.repo.Update(ctx, agent.ID, datastore.WithAgentUpdateContactedAt(contactedAt))
 	if err != nil {
-		return nil, errors.WithStack(err)
+		return nil, errors.WithStack(auth.ErrUnauthenticated)
 	}

 	user := &User{
--- a/internal/auth/agent/user.go
+++ b/internal/auth/agent/user.go
@ -16,6 +16,15 @@ func (u *User) Subject() string {
 	return fmt.Sprintf("agent-%d", u.agent.ID)
 }

+// Subject implements auth.User
+func (u *User) Tenant() datastore.TenantID {
+	if u.agent.TenantID == nil {
+		return ""
+	}
+
+	return *u.agent.TenantID
+}
+
 func (u *User) Agent() *datastore.Agent {
 	return u.agent
 }