package serviceaccount
import (
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"strings"
"github.com/go-jose/go-jose/v3/jwt"
"k8s.io/client-go/rest"
"github.com/argoproj/argo-workflows/v3/server/auth/types"
)
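// ClaimSetFor derives the identity claims the Argo server itself runs as
// from its Kubernetes REST config.
//
// Resolution order:
//   - a basic-auth Username, if set, becomes the JWT Subject;
//   - otherwise a bearer token (inline BearerToken, or the contents of
//     BearerTokenFile) is treated as a compact-serialized JWT and its
//     payload is decoded into *types.Claims;
//   - otherwise (nil, nil): no identity can be derived from the config.
//
// SECURITY NOTE: the JWT payload is decoded WITHOUT verifying the signature
// and without checking exp/nbf/aud. That is only tolerable because the token
// is expected to come from the server's own rest.Config (e.g. the mounted
// service account token); never pass a client-supplied token through this
// function to establish identity.
//
// Returns an error when the bearer token file cannot be read or the token
// is not a well-formed JWT.
func ClaimSetFor(restConfig *rest.Config) (*types.Claims, error) {
	if username := restConfig.Username; username != "" {
		return &types.Claims{Claims: jwt.Claims{Subject: username}}, nil
	}
	if restConfig.BearerToken == "" && restConfig.BearerTokenFile == "" {
		return nil, nil
	}
	bearerToken, err := bearerTokenFrom(restConfig)
	if err != nil {
		return nil, err
	}
	return claimsFromJWT(bearerToken)
}

// bearerTokenFrom returns the inline BearerToken or, when that is empty, the
// contents of BearerTokenFile with surrounding whitespace removed.
func bearerTokenFrom(restConfig *rest.Config) (string, error) {
	if restConfig.BearerToken != "" {
		return restConfig.BearerToken, nil
	}
	// should only ever be used for service accounts
	data, err := ioutil.ReadFile(restConfig.BearerTokenFile)
	if err != nil {
		return "", fmt.Errorf("failed to read bearer token file: %w", err)
	}
	// Mounted token files frequently end with a newline; it is not part of the token.
	return strings.TrimSpace(string(data)), nil
}

// claimsFromJWT decodes the payload (second dot-delimited segment) of a
// compact-serialized JWT into *types.Claims. The signature is NOT verified;
// callers must only use this on tokens they already trust.
func claimsFromJWT(bearerToken string) (*types.Claims, error) {
	parts := strings.SplitN(bearerToken, ".", 3)
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected bearer token to be a JWT and therefore have 3 dot-delimited parts")
	}
	// RFC 7515 §2: JWS/JWT segments are base64url ('-', '_') without padding.
	// Decoding with the standard alphabet ('+', '/') would reject any payload
	// whose encoding happens to contain '-' or '_', so RawURLEncoding is the
	// only correct choice here.
	data, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("failed to decode bearer token's JWT payload: %w", err)
	}
	claims := &types.Claims{}
	if err := json.Unmarshal(data, claims); err != nil {
		return nil, fmt.Errorf("failed to unmarshal bearer token's JWT payload: %w", err)
	}
	return claims, nil
}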