This repository has been archived by the owner on Feb 29, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 4
/
asap.go
152 lines (135 loc) · 4.53 KB
/
asap.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
package components
import (
"context"
"fmt"
"net/http"
"strings"
"time"
asap "bitbucket.org/atlassian/go-asap"
"github.com/SermoDigital/jose/crypto"
"github.com/vincent-petithory/dataurl"
)
type asapValidateTransport struct {
Wrapped http.RoundTripper
Validator asap.Validator
}
func (c *asapValidateTransport) RoundTrip(r *http.Request) (*http.Response, error) {
var bearer = r.Header.Get("Authorization")
if len(bearer) < len("Bearer ") {
return newError(http.StatusUnauthorized, "missing bearer token"), nil
}
var rawToken = bearer[len("Bearer "):]
var token, e = asap.ParseToken(rawToken)
if e != nil {
return newError(http.StatusUnauthorized, e.Error()), nil
}
e = c.Validator.Validate(token)
if e != nil {
return newError(http.StatusUnauthorized, e.Error()), nil
}
return c.Wrapped.RoundTrip(r)
}
// ASAPValidateConfig is used to configure ASAP validation.
type ASAPValidateConfig struct {
AllowedIssuers []string `description:"Acceptable issuer strings."`
AllowedAudience string `description:"Acceptable audience string."`
KeyURLs []string `description:"Public key download URLs."`
}
// Name of the config root.
func (m *ASAPValidateConfig) Name() string {
return "asapvalidate"
}
// ASAPValidateComponent is an ASAP validation plugin.
type ASAPValidateComponent struct{}
// ASAPValidate satisfies the NewComponent signature.
func ASAPValidate(_ context.Context, _ string, _ string, _ string) (interface{}, error) {
return &ASAPValidateComponent{}, nil
}
// Settings generates a config populated with defaults.
func (m *ASAPValidateComponent) Settings() *ASAPValidateConfig {
return &ASAPValidateConfig{}
}
// New generates the middleware.
func (m *ASAPValidateComponent) New(ctx context.Context, conf *ASAPValidateConfig) (func(http.RoundTripper) http.RoundTripper, error) {
if len(conf.AllowedIssuers) < 1 {
return nil, fmt.Errorf("allowed issuers list is empty")
}
if conf.AllowedAudience == "" {
return nil, fmt.Errorf("allowed audience value is empty")
}
if len(conf.KeyURLs) < 1 {
return nil, fmt.Errorf("public key url list is empty")
}
fetchers := make(asap.MultiKeyFetcher, 0, len(conf.KeyURLs))
for _, keyURL := range conf.KeyURLs {
fetchers = append(fetchers, asap.NewHTTPKeyFetcher(keyURL, &http.Client{}))
}
var validator = asap.NewValidatorChain(
asap.DefaultValidator,
asap.NewAllowedStringsValidator(asap.ClaimIssuer, conf.AllowedIssuers...),
asap.NewAllowedAudienceValidator(conf.AllowedAudience),
asap.NewSignatureValidator(
asap.NewCachingFetcher(
fetchers,
),
),
)
return func(next http.RoundTripper) http.RoundTripper {
return &asapValidateTransport{
Wrapped: next,
Validator: validator,
}
}, nil
}
// ASAPTokenConfig is used to configure ASAP token generation.
type ASAPTokenConfig struct {
PrivateKey string `description:"RSA private key to use when signing tokens."`
KID string `description:"JWT kid value to include in tokens."`
TTL time.Duration `description:"Lifetime of a token."`
Issuer string `description:"JWT issuer value to include in tokens."`
Audiences []string `description:"JWT audience values to include in tokens."`
}
// Name of the config root.
func (c *ASAPTokenConfig) Name() string {
return "asaptoken"
}
// ASAPTokenComponent is an ASAP decorator plugin.
type ASAPTokenComponent struct{}
// ASAPToken satisfies the NewComponent signature.
func ASAPToken(_ context.Context, _ string, _ string, _ string) (interface{}, error) {
return &ASAPTokenComponent{}, nil
}
// Settings generates a config populated with defaults.
func (m *ASAPTokenComponent) Settings() *ASAPTokenConfig {
return &ASAPTokenConfig{}
}
// New generates the middleware.
func (*ASAPTokenComponent) New(ctx context.Context, conf *ASAPTokenConfig) (func(http.RoundTripper) http.RoundTripper, error) {
if len(conf.PrivateKey) < 1 {
return nil, fmt.Errorf("private key value is empty")
}
if len(conf.Issuer) < 1 {
return nil, fmt.Errorf("issuer value is empty")
}
if len(conf.Audiences) < 1 {
return nil, fmt.Errorf("audience list is empty")
}
if len(conf.KID) < 1 {
return nil, fmt.Errorf("kid value is empty")
}
rawKey := conf.PrivateKey
if strings.HasPrefix(rawKey, "data:") {
url, _ := dataurl.DecodeString(rawKey)
rawKey = string(url.Data)
}
privateKey, err := asap.NewPrivateKey([]byte(rawKey))
if err != nil {
return nil, err
}
return asap.NewTransportDecorator(
asap.NewCachingProvisioner(
asap.NewProvisioner(conf.KID, conf.TTL, conf.Issuer, conf.Audiences, crypto.SigningMethodRS256),
),
privateKey,
), nil
}