feat: resources segregation by tenant
This commit is contained in:
36
internal/auth/thirdparty/authenticator.go
vendored
36
internal/auth/thirdparty/authenticator.go
vendored
@@ -7,21 +7,25 @@ import (
|
||||
"time"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"github.com/lestrrat-go/jwx/v2/jwt"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/logger"
|
||||
)
|
||||
|
||||
const DefaultAcceptableSkew = 5 * time.Minute
|
||||
|
||||
type (
|
||||
GetKeySet func(context.Context) (jwk.Set, error)
|
||||
GetTokenRole func(context.Context, jwt.Token) (string, error)
|
||||
GetKeySet func(context.Context) (jwk.Set, error)
|
||||
GetTokenRole func(context.Context, jwt.Token) (string, error)
|
||||
GetTokenTenant func(context.Context, jwt.Token) (string, error)
|
||||
)
|
||||
|
||||
type Authenticator struct {
|
||||
getKeySet GetKeySet
|
||||
getTokenRole GetTokenRole
|
||||
getTokenTenant GetTokenTenant
|
||||
acceptableSkew time.Duration
|
||||
}
|
||||
|
||||
@@ -44,29 +48,45 @@ func (a *Authenticator) Authenticate(ctx context.Context, r *http.Request) (auth
|
||||
|
||||
token, err := parseToken(ctx, keys, rawToken, a.acceptableSkew)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
logger.Debug(ctx, "could not parse jwt token", logger.CapturedE(errors.WithStack(err)))
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
}
|
||||
|
||||
rawRole, err := a.getTokenRole(ctx, token)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
logger.Debug(ctx, "could not retrieve token role", logger.CapturedE(errors.WithStack(err)))
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
}
|
||||
|
||||
if !isValidRole(rawRole) {
|
||||
return nil, errors.Errorf("invalid role '%s'", rawRole)
|
||||
return nil, errors.WithStack(auth.ErrUnauthorized)
|
||||
}
|
||||
|
||||
rawTenantID, err := a.getTokenTenant(ctx, token)
|
||||
if err != nil {
|
||||
logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
}
|
||||
|
||||
tenantID, err := datastore.ParseTenantID(rawTenantID)
|
||||
if err != nil {
|
||||
logger.Debug(ctx, "could not retrieve token tenant", logger.CapturedE(errors.WithStack(err)))
|
||||
return nil, errors.WithStack(auth.ErrUnauthenticated)
|
||||
}
|
||||
|
||||
user := &User{
|
||||
subject: token.Subject(),
|
||||
role: Role(rawRole),
|
||||
subject: token.Subject(),
|
||||
role: Role(rawRole),
|
||||
tenantID: tenantID,
|
||||
}
|
||||
|
||||
return user, nil
|
||||
}
|
||||
|
||||
func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, acceptableSkew time.Duration) *Authenticator {
|
||||
func NewAuthenticator(getKeySet GetKeySet, getTokenRole GetTokenRole, getTokenTenant GetTokenTenant, acceptableSkew time.Duration) *Authenticator {
|
||||
return &Authenticator{
|
||||
getTokenRole: getTokenRole,
|
||||
getTokenTenant: getTokenTenant,
|
||||
getKeySet: getKeySet,
|
||||
acceptableSkew: acceptableSkew,
|
||||
}
|
||||
|
||||
12
internal/auth/thirdparty/jwt.go
vendored
12
internal/auth/thirdparty/jwt.go
vendored
@@ -4,6 +4,7 @@ import (
|
||||
"context"
|
||||
"time"
|
||||
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/jwk"
|
||||
"github.com/lestrrat-go/jwx/v2/jwa"
|
||||
"github.com/lestrrat-go/jwx/v2/jws"
|
||||
@@ -26,9 +27,12 @@ func parseToken(ctx context.Context, keys jwk.Set, rawToken string, acceptableSk
|
||||
return token, nil
|
||||
}
|
||||
|
||||
const DefaultRoleKey string = "role"
|
||||
const (
|
||||
DefaultRoleKey string = "role"
|
||||
DefaultTenantKey string = "tenant"
|
||||
)
|
||||
|
||||
func GenerateToken(ctx context.Context, key jwk.Key, subject string, role Role) (string, error) {
|
||||
func GenerateToken(ctx context.Context, key jwk.Key, tenant datastore.TenantID, subject string, role Role) (string, error) {
|
||||
token := jwt.New()
|
||||
|
||||
if err := token.Set(jwt.SubjectKey, subject); err != nil {
|
||||
@@ -39,6 +43,10 @@ func GenerateToken(ctx context.Context, key jwk.Key, subject string, role Role)
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
if err := token.Set(DefaultTenantKey, tenant); err != nil {
|
||||
return "", errors.WithStack(err)
|
||||
}
|
||||
|
||||
now := time.Now().UTC()
|
||||
|
||||
if err := token.Set(jwt.NotBeforeKey, now); err != nil {
|
||||
|
||||
15
internal/auth/thirdparty/user.go
vendored
15
internal/auth/thirdparty/user.go
vendored
@@ -1,6 +1,9 @@
|
||||
package thirdparty
|
||||
|
||||
import "forge.cadoles.com/Cadoles/emissary/internal/auth"
|
||||
import (
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/auth"
|
||||
"forge.cadoles.com/Cadoles/emissary/internal/datastore"
|
||||
)
|
||||
|
||||
type Role string
|
||||
|
||||
@@ -16,8 +19,9 @@ func isValidRole(r string) bool {
|
||||
}
|
||||
|
||||
type User struct {
|
||||
subject string
|
||||
role Role
|
||||
subject string
|
||||
tenantID datastore.TenantID
|
||||
role Role
|
||||
}
|
||||
|
||||
// Subject implements auth.User
|
||||
@@ -25,6 +29,11 @@ func (u *User) Subject() string {
|
||||
return u.subject
|
||||
}
|
||||
|
||||
// Tenant implements auth.User
|
||||
func (u *User) Tenant() datastore.TenantID {
|
||||
return u.tenantID
|
||||
}
|
||||
|
||||
func (u *User) Role() Role {
|
||||
return u.role
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user