-
Notifications
You must be signed in to change notification settings - Fork 0
/
jwt_opa_auth.go
121 lines (100 loc) · 3.44 KB
/
jwt_opa_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
package clconnect
import (
"context"
"encoding/json"
"fmt"
"strings"
"connectrpc.com/connect"
"github.com/crewlinker/clgo/clauthn"
"github.com/crewlinker/clgo/clauthz"
"github.com/lestrrat-go/jwx/v2/jwt/openid"
"go.uber.org/zap"
)
// JWTOPAAuth provides authn and authz as an injector.
type JWTOPAAuth struct {
cfg Config
logs *zap.Logger
authn *clauthn.Authn
authz *clauthz.Authz
envInput map[string]any
connect.Interceptor
}
// NewJWTOPAAuth inits an interceptor that uses JWT for Authn and OPA for Authz.
func NewJWTOPAAuth(
cfg Config, logs *zap.Logger, authn *clauthn.Authn, authz *clauthz.Authz,
) (lgr *JWTOPAAuth, err error) {
lgr = &JWTOPAAuth{
cfg: cfg,
logs: logs.Named("jwt_opa_auth"),
authn: authn,
authz: authz,
envInput: map[string]any{},
}
if err = json.Unmarshal([]byte(cfg.AuthzPolicyEnvInput), &lgr.envInput); err != nil {
return nil, fmt.Errorf("failed to parse authz policy env input `%s`: %w", cfg.AuthzPolicyEnvInput, err)
}
lgr.Interceptor = connect.UnaryInterceptorFunc(lgr.intercept)
return lgr, nil
}
// WithIdentity returns a context with the openid token.
func WithIdentity(ctx context.Context, tok openid.Token) context.Context {
return context.WithValue(ctx, ctxKey("openid_token"), tok)
}
// IdentityFromContext returns the identity from context as an OpenID token. If there is no
// token in the context it returns an empty (anonymous) openid token.
func IdentityFromContext(ctx context.Context) openid.Token {
v, ok := ctx.Value(ctxKey("openid_token")).(openid.Token)
if !ok || v == nil {
v = openid.New() // anonymous token
}
return v
}
// AuthzInput encodes the full input into the authorization (AuthZ) policy system OPA.
// It should provide ALL data required to make authorization decisions. It should be fully
// serializable to JSON.
type AuthzInput struct {
// Input from the process environment
Env map[string]any `json:"env"`
// OpenID token as claims
Claims openid.Token `json:"claims"`
// Procedure encodes the full RPC procedure name. e.g: /acme.foo.v1.FooService/Bar
Procedure string `json:"procedure"`
}
// intercept implements the actual authorization.
func (l JWTOPAAuth) intercept(next connect.UnaryFunc) connect.UnaryFunc {
return connect.UnaryFunc(func(
ctx context.Context,
req connect.AnyRequest,
) (resp connect.AnyResponse, err error) {
bearer := strings.TrimSpace(strings.TrimPrefix(req.Header().Get("Authorization"), "Bearer"))
token := openid.New() // anonymous token
// authenticate non-anonymous token
if bearer != "" {
token, err = l.authn.AuthenticateJWT(ctx, []byte(bearer))
if err != nil {
l.logs.Info("failed to authenticate JWT",
zap.String("raw_header", req.Header().Get("Authorization")),
zap.String("bearer_token", bearer),
zap.NamedError("auth_err", err))
return nil, connect.NewError(connect.CodeUnauthenticated, err)
}
}
// authorization input
input := &AuthzInput{
Env: l.envInput,
Claims: token,
Procedure: req.Spec().Procedure,
}
// authorize
isAuthorized, err := l.authz.IsAuthorized(ctx, input)
if err != nil {
return nil, fmt.Errorf("error while authorizing: %w", err)
} else if !isAuthorized {
l.logs.Info("failed to authorize", zap.Any("token", token))
return nil, connect.NewError(connect.CodePermissionDenied,
fmt.Errorf("unauthorized, subject: '%s'", token.Subject())) //nolint:goerr113
}
ctx = WithIdentity(ctx, token)
return next(ctx, req)
})
}