package tenantmapping
import (
"context"
"crypto/sha256"
"strings"
"github.com/kyma-incubator/compass/components/director/pkg/graphql"
"github.com/kyma-incubator/compass/components/hydrator/pkg/tenantmapping"
directorErrors "github.com/kyma-incubator/compass/components/hydrator/internal/director"
"github.com/kyma-incubator/compass/components/director/pkg/str"
"github.com/sirupsen/logrus"
"github.com/kyma-incubator/compass/components/director/pkg/apperrors"
"github.com/kyma-incubator/compass/components/director/pkg/consumer"
"github.com/kyma-incubator/compass/components/director/pkg/log"
"github.com/kyma-incubator/compass/components/hydrator/pkg/oathkeeper"
"github.com/pkg/errors"
)
// NewUserContextProvider builds the object-context provider used for requests
// authenticated as a human user (the oathkeeper JWT flow). clientProvider is
// used to resolve the request's external tenant ID through the Director;
// staticGroupRepo maps the user's groups to the scopes granted to them. The
// tenant keys written into the resulting object context are the consumer and
// external tenant keys of the hydrator tenantmapping package.
func NewUserContextProvider(clientProvider DirectorClient, staticGroupRepo StaticGroupRepository) *userContextProvider {
	keys := KeysExtra{
		TenantKey:         tenantmapping.ConsumerTenantKey,
		ExternalTenantKey: tenantmapping.ExternalTenantKey,
	}
	provider := userContextProvider{
		directorClient:  clientProvider,
		staticGroupRepo: staticGroupRepo,
		tenantKeys:      keys,
	}
	return &provider
}
// userContextProvider resolves the object context for requests made by a human
// user. Match selects it when the oathkeeper session extra carries a username,
// and the scopes it grants are derived from the user's groups through the
// static group repository, not from the resolved tenant.
type userContextProvider struct {
	// directorClient resolves the request's external tenant ID to its tenant
	// mapping and region (see GetObjectContext).
	directorClient DirectorClient
	// staticGroupRepo maps the request's user groups to the scopes granted to
	// them; no matching group yields an empty scope string.
	staticGroupRepo StaticGroupRepository
	// tenantKeys names the tenant-related keys written into the object
	// context (consumer tenant key and external tenant key).
	tenantKeys KeysExtra
}
// GetObjectContext resolves the tenant and scopes for a request made by a user.
//
// Scopes come exclusively from the user's groups (getScopesForUserGroups); the
// tenant comes from the request's external tenant ID, resolved through the
// Director. Tenant resolution degrades instead of failing:
//   - when the request carries no external tenant ID, an object context with
//     an empty tenant is returned, still carrying the group-derived scopes and
//     the region from authDetails;
//   - when the Director reports the tenant as not found, the returned object
//     context holds a tenant whose ID field is the external ID and nothing
//     else (no internal ID, empty region), again with the group-derived scopes.
//
// Only a malformed external tenant ID or a Director error other than "not
// found" is returned as an error. Downstream authorization therefore has to
// cope with an object context that carries scopes but no resolved tenant. The
// error for a malformed external ID carries the AuthID only as a SHA-256 digest.
func (m *userContextProvider) GetObjectContext(ctx context.Context, reqData oathkeeper.ReqData, authDetails oathkeeper.AuthDetails) (ObjectContext, error) {
	ctx = log.ContextWithLogger(ctx, log.C(ctx).WithFields(logrus.Fields{
		"consumer_type": consumer.User,
	}))

	log.C(ctx).Info("Getting scopes from groups")
	scopes := m.getScopesForUserGroups(ctx, reqData)

	externalTenantID, err := reqData.GetExternalTenantID()
	switch {
	case err == nil:
		// External ID present; resolve it below.
	case apperrors.IsKeyDoesNotExist(err):
		log.C(ctx).Warningf("Could not get tenant external id, error: %s", err.Error())
		log.C(ctx).Info("Could not create tenant context, returning empty context...")
		return NewObjectContext(&graphql.Tenant{}, m.tenantKeys, scopes, intersectWithOtherScopes, authDetails.Region, "", authDetails.AuthID, authDetails.AuthFlow, consumer.User, tenantmapping.UserObjectContextProvider, ""), nil
	default:
		// The user identifier is hashed so it does not end up in error traces in clear text.
		return ObjectContext{}, errors.Wrapf(err, "could not parse external ID for user: REDACTED_%x", sha256.Sum256([]byte(authDetails.AuthID)))
	}

	log.C(ctx).Infof("Getting the tenant with external ID: %s", externalTenantID)
	tenantMapping, region, err := getTenantWithRegion(ctx, m.directorClient, externalTenantID)
	if err != nil {
		if !directorErrors.IsGQLNotFoundError(err) {
			return ObjectContext{}, errors.Wrapf(err, "while getting external tenant mapping [ExternalTenantID=%s]", externalTenantID)
		}
		log.C(ctx).Warningf("Could not find tenant with external ID: %s, error: %s", externalTenantID, err.Error())
		log.C(ctx).Infof("Returning tenant context with empty internal tenant ID and external ID %s", externalTenantID)
		return NewObjectContext(&graphql.Tenant{ID: externalTenantID}, m.tenantKeys, scopes, intersectWithOtherScopes, "", "", authDetails.AuthID, authDetails.AuthFlow, consumer.User, tenantmapping.UserObjectContextProvider, ""), nil
	}

	// The region resolved from the Director is what goes into the context; authDetails is a
	// value parameter, so there is no point in writing it back there.
	objCtx := NewObjectContext(tenantMapping, m.tenantKeys, scopes, intersectWithOtherScopes, region, "", authDetails.AuthID, authDetails.AuthFlow, consumer.User, tenantmapping.UserObjectContextProvider, "")
	log.C(ctx).Infof("Successfully got object context: %+v", RedactConsumerIDForLogging(objCtx))
	return objCtx, nil
}
// Match reports whether the request belongs to a user consumer, which is the
// case exactly when the oathkeeper session extra has a value under
// oathkeeper.UsernameKey. On a match it returns auth details whose AuthID is
// that value cast to a string and whose AuthFlow is the JWT flow; a value that
// cannot be cast is reported as an error. The username is taken as asserted
// by the upstream authenticator, and nothing in this method rejects an empty
// one (whether str.Cast does is not visible here) — callers that need a
// non-empty AuthID should confirm that guarantee upstream.
func (m *userContextProvider) Match(_ context.Context, data oathkeeper.ReqData) (bool, *oathkeeper.AuthDetails, error) {
	raw, present := data.Body.Extra[oathkeeper.UsernameKey]
	if !present {
		return false, nil, nil
	}

	username, err := str.Cast(raw)
	if err != nil {
		return false, nil, errors.Wrapf(err, "while parsing the value for %s", oathkeeper.UsernameKey)
	}

	details := oathkeeper.AuthDetails{
		AuthID:   username,
		AuthFlow: oathkeeper.JWTAuthFlow,
	}
	return true, &details, nil
}
// getScopesForUserGroups turns the request's user groups into a scope string.
// It returns "" when the request carries no groups, or when none of them is
// known to the static group repository; otherwise it returns the scopes the
// repository attaches to the matched groups. Group names and the resulting
// scopes are only written to the log at debug level.
func (m *userContextProvider) getScopesForUserGroups(ctx context.Context, reqData oathkeeper.ReqData) string {
	groups := reqData.GetUserGroups()
	if len(groups) == 0 {
		return ""
	}
	log.C(ctx).Debugf("Found user groups: %s", strings.Join(groups, " "))

	matched := m.staticGroupRepo.Get(ctx, groups)
	if len(matched) == 0 {
		return ""
	}

	granted := matched.GetGroupScopes()
	log.C(ctx).Debugf("Found scopes: %s", granted)
	return granted
}