-
Notifications
You must be signed in to change notification settings - Fork 0
/
ory_auth.go
80 lines (66 loc) · 2.15 KB
/
ory_auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
package clconnect
import (
"context"
"connectrpc.com/connect"
"github.com/crewlinker/clgo/clory"
"github.com/crewlinker/clgo/clzap"
orysdk "github.com/ory/client-go"
"github.com/samber/lo"
"go.uber.org/fx"
"go.uber.org/zap"
)
// Ory interface provides our interface onto ory.
type Ory interface {
// Authenticate implements the authentication logic.
Authenticate(ctx context.Context, cookie string, allowAnonymous bool) (*orysdk.Session, error)
}
// OryAuth provides authn and authz as an injector.
type OryAuth struct {
cfg Config
logs *zap.Logger
ory Ory
connect.Interceptor
}
// NewOryAuth inits an interceptor that uses JWT for Authn and OPA for Authz.
func NewOryAuth(
cfg Config, logs *zap.Logger, ory Ory,
) (inj *OryAuth, err error) {
inj = &OryAuth{
cfg: cfg,
logs: logs.Named("ory_auth"),
ory: ory,
}
inj.Interceptor = connect.UnaryInterceptorFunc(inj.intercept)
logs.Info("ory auth initialized", zap.Strings("public_rpc_procedures", lo.Keys(cfg.PublicRPCProcedures)))
return inj, nil
}
// IsPublicRPCProcedure returns true if a request is done to public rpc method.
func (l OryAuth) IsPublicRPCMethod(spec connect.Spec) bool {
return l.cfg.PublicRPCProcedures[spec.Procedure]
}
// intercept implements the actual authorization.
func (l OryAuth) intercept(next connect.UnaryFunc) connect.UnaryFunc {
return connect.UnaryFunc(func(
ctx context.Context,
req connect.AnyRequest,
) (resp connect.AnyResponse, err error) {
clzap.Log(ctx, l.logs).Debug("auth interceptor started",
zap.Any("headers", req.Header()),
zap.String("http_method", req.HTTPMethod()),
zap.Stringer("spec_idempotency_level", req.Spec().IdempotencyLevel),
zap.String("spec_procedure", req.Spec().Procedure))
sess, err := l.ory.Authenticate(ctx, req.Header().Get("cookie"), l.IsPublicRPCMethod(req.Spec()))
if err != nil {
return nil, connect.NewError(connect.CodeUnauthenticated, err)
}
ctx = clory.WithSession(ctx, sess)
return next(ctx, req)
})
}
// ProvideOryAuth provides injector for ory-based auth.
func ProvideOryAuth() fx.Option {
return fx.Options(
fx.Provide(NewOryAuth),
fx.Provide(func(o *clory.Ory) Ory { return o }),
)
}