feat: support gcp iap authentication for api calls (#552)
* feat: support gcp iap authentication for api calls

BREAKING CHANGE: casbin policy requires adjustment. The casbin policy needs to change the request to support an additional provider field in requests.

* test: add provider in api tests
* test: add api auth provider to integration test
1 parent
f8ce79a
commit 77324d7
Showing
8 changed files
with
80 additions
and
33 deletions.
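--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,53 @@
+// Copyright 2023 PayPal Inc.
+
+// This Source Code Form is subject to the terms of the MIT License.
+// If a copy of the MIT License was not distributed with this file,
+// you can obtain one at https://mit-license.org/.
+
+// Package auth-gcp-iap enables Honeydipper to authenticate/authorize incoming web requests through GCP IAP.
+package main
+
+import (
+"context"
+"flag"
+"fmt"
+"os"
+
+"github.com/honeydipper/honeydipper/pkg/dipper"
+"google.golang.org/api/idtoken"
+)
+
+func initFlags() {
+flag.Usage = func() {
+fmt.Printf("%s [ -h ] <service name>\n", os.Args[0])
+fmt.Printf(" This driver supports receiver and API service.")
+fmt.Printf(" This program provides honeydipper with the capability of authenticating the web request with gcloud IAP.")
+}
+}
+
+var driver *dipper.Driver
+
+func main() {
+initFlags()
+flag.Parse()
+
+driver = dipper.NewDriver(os.Args[1], "auth-gcp-iap")
+driver.RPCHandlers["auth_web_request"] = authWebRequest
+driver.Reload = func(*dipper.Message) {}
+driver.Run()
+}
+
+func authWebRequest(m *dipper.Message) {
+m = dipper.DeserializePayload(m)
+driver.GetLogger().Debugf("payloads are: %+v", m.Payload)
+token := dipper.InterpolateStr("$headers.X-Goog-Iap-Jwt-Assertion.0,headers.x-goog-iap-jwt-assertion.0", m.Payload)
+audience := dipper.MustGetMapDataStr(driver.Options, "data.audience")
+
+payload := dipper.Must(idtoken.Validate(context.Background(), token, audience)).(*idtoken.Payload)
+driver.GetLogger().Debugf("claims are: %+v", payload.Claims)
+subject := dipper.MustGetMapDataStr(payload.Claims, "email")
+
+m.Reply <- dipper.Message{
+Payload: subject,
+}
+}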
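Review bot: The first debug line in authWebRequest, `driver.GetLogger().Debugf("payloads are: %+v", m.Payload)`, writes the whole request payload, which includes the `X-Goog-Iap-Jwt-Assertion` header the next line extracts, so the raw IAP assertion lands in the log whenever debug logging is on and remains replayable until it expires; log the payload with that header redacted, or drop the line and keep only the claims log that follows validation. `idtoken.Validate` is given `context.Background()`, which puts no deadline on the key fetch the library performs; unless the driver framework already imposes one, wrap it, e.g. `ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second); defer cancel()` (adds a `time` import). A request without the header presumably leaves `token` empty and takes `dipper.Must`'s failure path instead of an explicit authentication-failed reply — worth confirming that the RPC loop recovers from that and that the caller sees it as a denial rather than a hung request. The package comment says what the driver does but not that `data.audience` is a required option; a comment on the `audience` line such as `// data.audience is required and must match the aud claim of the IAP assertion` would help operators configuring it.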