-
Notifications
You must be signed in to change notification settings - Fork 134
/
oidc.go
116 lines (98 loc) · 3 KB
/
oidc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
package authorization
import (
"context"
"encoding/json"
"strings"
"github.com/coreos/go-oidc"
grpc_auth "github.com/grpc-ecosystem/go-grpc-middleware/auth"
"github.com/armadaproject/armada/internal/common/armadaerrors"
"github.com/armadaproject/armada/internal/common/auth/configuration"
"github.com/armadaproject/armada/internal/common/auth/permission"
)
type PermissionClaimQueries map[permission.Permission]string
type OpenIdAuthService struct {
verifier *oidc.IDTokenVerifier
groupsClaim string
}
func NewOpenIdAuthServiceForProvider(ctx context.Context, config *configuration.OpenIdAuthenticationConfig) (*OpenIdAuthService, error) {
provider, err := oidc.NewProvider(ctx, config.ProviderUrl)
if err != nil {
return nil, err
}
verifier := provider.Verifier(&oidc.Config{
SkipClientIDCheck: config.SkipClientIDCheck,
ClientID: config.ClientId,
})
return NewOpenIdAuthService(verifier, config.GroupsClaim), nil
}
func NewOpenIdAuthService(verifier *oidc.IDTokenVerifier, groupsClaim string) *OpenIdAuthService {
return &OpenIdAuthService{verifier, groupsClaim}
}
func (authService *OpenIdAuthService) Name() string {
return "OIDC"
}
func (authService *OpenIdAuthService) Authenticate(ctx context.Context) (Principal, error) {
token, err := grpc_auth.AuthFromMD(ctx, "bearer")
if err != nil {
return nil, &armadaerrors.ErrMissingCredentials{
AuthService: authService.Name(),
Message: err.Error(),
}
}
verifiedToken, err := authService.verifier.Verify(ctx, token)
if err != nil {
return nil, &armadaerrors.ErrInvalidCredentials{
AuthService: authService.Name(),
Message: err.Error(),
}
}
rawClaims, err := extractRawClaims(verifiedToken)
if err != nil {
return nil, &armadaerrors.ErrInvalidCredentials{
AuthService: authService.Name(),
Message: err.Error(),
}
}
return NewStaticPrincipalWithScopesAndClaims(
verifiedToken.Subject,
authService.extractGroups(rawClaims),
authService.extractScopes(verifiedToken),
authService.extractClaims(rawClaims)), nil
}
func (authService *OpenIdAuthService) extractGroups(rawClaims map[string]*json.RawMessage) []string {
rawGroups, ok := rawClaims[authService.groupsClaim]
if !ok {
return []string{}
}
groups := []string{}
err := json.Unmarshal(*rawGroups, &groups)
if err != nil {
return []string{}
}
return groups
}
func (authService *OpenIdAuthService) extractScopes(token *oidc.IDToken) []string {
scopeClaim := struct {
Scope string `json:"scope"`
}{}
err := token.Claims(&scopeClaim)
if err != nil {
return []string{}
}
return strings.Split(scopeClaim.Scope, " ")
}
func (authService *OpenIdAuthService) extractClaims(rawClaims map[string]*json.RawMessage) []string {
claims := []string{}
for key := range rawClaims {
claims = append(claims, key)
}
return claims
}
func extractRawClaims(token *oidc.IDToken) (map[string]*json.RawMessage, error) {
rawClaims := map[string]*json.RawMessage{}
err := token.Claims(&rawClaims)
if err != nil {
return nil, err
}
return rawClaims, nil
}