This repository has been archived by the owner on Oct 9, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 63
/
claims_verifier.go
68 lines (55 loc) · 2 KB
/
claims_verifier.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
package authzserver
import (
"encoding/json"
"fmt"
"github.com/ory/x/jwtx"
"k8s.io/apimachinery/pkg/util/sets"
"github.com/flyteorg/flyteadmin/auth"
"github.com/flyteorg/flyteadmin/auth/interfaces"
"github.com/flyteorg/flyteidl/gen/pb-go/flyteidl/service"
)
func verifyClaims(expectedAudience sets.String, claimsRaw map[string]interface{}) (interfaces.IdentityContext, error) {
claims := jwtx.ParseMapStringInterfaceClaims(claimsRaw)
foundAudIndex := -1
for audIndex, aud := range claims.Audience {
if expectedAudience.Has(aud) {
foundAudIndex = audIndex
break
}
}
if foundAudIndex < 0 {
return nil, fmt.Errorf("invalid audience [%v]", claims)
}
userInfo := &service.UserInfoResponse{}
if userInfoClaim, found := claimsRaw[UserIDClaim]; found && userInfoClaim != nil {
userInfoRaw := userInfoClaim.(map[string]interface{})
raw, err := json.Marshal(userInfoRaw)
if err != nil {
return nil, err
}
if err = json.Unmarshal(raw, userInfo); err != nil {
return nil, fmt.Errorf("failed to unmarshal user info claim into UserInfo type. Error: %w", err)
}
}
clientID := ""
if clientIDClaim, found := claimsRaw[ClientIDClaim]; found {
clientID = clientIDClaim.(string)
}
scopes := sets.NewString()
if scopesClaim, found := claimsRaw[ScopeClaim]; found {
switch sct := scopesClaim.(type) {
case []interface{}:
scopes = sets.NewString(interfaceSliceToStringSlice(sct)...)
case string:
sets.NewString(fmt.Sprintf("%v", scopesClaim))
default:
return nil, fmt.Errorf("failed getting scope claims due to unknown type %T with value %v", sct, sct)
}
}
// If this is a user-only access token with no scopes defined then add `all` scope by default because it's equivalent
// to having a user's login cookie or an ID Token as means of accessing the service.
if len(clientID) == 0 && scopes.Len() == 0 {
scopes.Insert(auth.ScopeAll)
}
return auth.NewIdentityContext(claims.Audience[foundAudIndex], claims.Subject, clientID, claims.IssuedAt, scopes, userInfo, claimsRaw), nil
}