package jwtauthn
import (
"fmt"
jwtauthnv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
"mosn.io/api"
)
// Verifier supports verification of JWTs with configured requirements.
//
// Verify inspects the request headers (requestArg is passed through to the
// token extractor) and returns nil when the configured requirement is
// satisfied; a non-nil error means the request did not pass verification.
type Verifier interface {
	Verify(headers api.HeaderMap, requestArg string) error
}
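// NewVerifier creates a new Verifier for a single JwtRequirement.
//
// The requirement kind selects the implementation: provider_name yields a
// providerVerifier bound to that provider, requires_any yields an
// anyVerifier over its sub-requirements, and allow_missing yields an
// allowMissingVerifier. providers is the full map of configured providers by
// name. parentProviderNames lists the providers already referenced by sibling
// requirements of an enclosing requires_any; an allow_missing verifier is
// restricted to exactly those providers and every listed name must exist in
// providers. fetcher is handed to the created verifier for JWKS retrieval.
//
// It returns an error when a referenced provider is not configured, or when
// require uses a requirement kind this file does not implement yet (see the
// TODO for provider_and_audiences; requires_all and allow_missing_or_failed
// have no case here either).
func NewVerifier(require *jwtauthnv3.JwtRequirement, providers map[string]*jwtauthnv3.JwtProvider, parentProviderNames []string, fetcher JwksFetcher) (Verifier, error) {
	// Resolve the parent providers first so a misconfiguration is reported
	// before any verifier is constructed.
	parentProviders := make(map[string]*jwtauthnv3.JwtProvider, len(parentProviderNames))
	for _, name := range parentProviderNames {
		provider, exists := providers[name]
		if !exists {
			return nil, fmt.Errorf("required provider ['%s'] is not configured", name)
		}
		parentProviders[name] = provider
	}

	var providerName string
	switch {
	case require.GetProviderName() != "":
		providerName = require.GetProviderName()
	case require.GetRequiresAny() != nil:
		return newAnyVerifier(require.GetRequiresAny().GetRequirements(), providers, fetcher)
	case require.GetAllowMissing() != nil:
		return newAllowMissingVerifier(require, parentProviders, fetcher), nil
	default:
		// Without this case an unsupported (or nil) requirement fell through
		// to a lookup of the empty provider name and reported a misleading
		// "provider [''] is not configured" error.
		// TODO(huangrh): ProviderAndAudienceVerifier
		return nil, fmt.Errorf("unsupported jwt requirement: %v", require)
	}

	provider, exists := providers[providerName]
	if !exists {
		return nil, fmt.Errorf("required provider ['%s'] is not configured", providerName)
	}
	return newProviderVerifier(require, provider, fetcher), nil
}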
// providerVerifier verifies a request against one named JWT provider (the
// provider_name form of JwtRequirement).
type providerVerifier struct {
	providerName string      // name from the requirement; handed to the authenticator
	extractor    Extractor   // built for this single provider
	jwksCache    JwksCache   // seeded with only this provider
	fetcher      JwksFetcher // JWKS retrieval, passed through to the authenticator
}
// newProviderVerifier builds a providerVerifier for require's provider_name,
// wiring a single-provider JWKS cache and a single-provider extractor around
// provider. The JWKS are retrieved through fetcher.
func newProviderVerifier(require *jwtauthnv3.JwtRequirement, provider *jwtauthnv3.JwtProvider, fetcher JwksFetcher) *providerVerifier {
	name := require.GetProviderName()
	// Cache is created before the extractor to keep the original construction order.
	cache := NewJwksCache(map[string]*jwtauthnv3.JwtProvider{name: provider})
	ext := NewExtractor([]*jwtauthnv3.JwtProvider{provider})
	return &providerVerifier{providerName: name, extractor: ext, jwksCache: cache, fetcher: fetcher}
}
// Verify extracts the tokens addressed to p's provider from headers and
// requestArg and checks them with a fresh authenticator; the error from the
// authenticator is returned unchanged.
func (p *providerVerifier) Verify(headers api.HeaderMap, requestArg string) error {
	// Both trailing flags are off here. allowMissingVerifier sets the last
	// one, so it presumably means "tolerate a missing token"; the meaning of
	// the fourth argument is not visible in this file — confirm against
	// newAuthenticator.
	return newAuthenticator(p.providerName, p.jwksCache, p.fetcher, false, false).
		Verify(headers, p.extractor.Extract(headers, requestArg))
}
// baseGroupVerifier holds the sub-verifiers of a grouped requirement. Its
// Verify implements "any" semantics (the first sub-verifier that returns nil
// wins); it is embedded by anyVerifier. Despite the earlier "requires all or
// any" wording, no all-semantics is implemented in this file.
type baseGroupVerifier struct {
	verifiers []Verifier // tried in order; an empty list makes Verify return nil
}
// Verify tries each sub-verifier in order and returns nil as soon as one
// accepts the request. If none does, the error of the last sub-verifier is
// returned. With no sub-verifiers configured the loop never runs and nil is
// returned, i.e. the request is accepted.
func (b *baseGroupVerifier) Verify(headers api.HeaderMap, requestArg string) error {
	var lastErr error
	for i := range b.verifiers {
		if lastErr = b.verifiers[i].Verify(headers, requestArg); lastErr == nil {
			return nil
		}
	}
	return lastErr
}
// anyVerifier implements a requires_any requirement: the request passes when
// any embedded sub-verifier passes (see baseGroupVerifier.Verify).
type anyVerifier struct {
	baseGroupVerifier
}
// newAnyVerifier builds the verifier for a requires_any requirement whose
// sub-requirements are requires. Each regular sub-requirement becomes its
// own Verifier via NewVerifier (providers and fetcher are passed through).
// At most one allow_missing sub-requirement is kept; it is built last and is
// scoped to the providers named by its provider_name siblings, so a missing
// token is only tolerated for those providers. An empty requires list yields
// a verifier with no members, whose Verify accepts every request.
func newAnyVerifier(requires []*jwtauthnv3.JwtRequirement, providers map[string]*jwtauthnv3.JwtProvider, fetcher JwksFetcher) (*anyVerifier, error) {
	var (
		members        []Verifier
		bypassReq      *jwtauthnv3.JwtRequirement
		namedProviders []string
	)
	for _, req := range requires {
		// TODO(huangrh): ProviderAndAudiences
		switch {
		case req.GetProviderName() != "":
			namedProviders = append(namedProviders, req.GetProviderName())
		case req.GetAllowMissing() != nil:
			// TODO(huangrh): AllowMissingOrFailed
			// Keep only one by_pass_type_requirement. If both kAllowMissing
			// and kAllowMissingOrFailed are set, use kAllowMissingOrFailed.
			if bypassReq == nil || bypassReq.GetAllowMissing() != nil {
				bypassReq = req
			}
			// A by-pass requirement is not a regular member; it is built
			// after the loop with the collected provider names.
			continue
		}
		member, err := NewVerifier(req, providers, nil, fetcher)
		if err != nil {
			return nil, err
		}
		members = append(members, member)
	}
	if bypassReq != nil {
		member, err := NewVerifier(bypassReq, providers, namedProviders, fetcher)
		if err != nil {
			return nil, err
		}
		members = append(members, member)
	}
	return &anyVerifier{baseGroupVerifier{verifiers: members}}, nil
}
// allowMissingVerifier implements an allow_missing requirement: the
// authenticator it creates is configured to tolerate a missing token for
// the providers it was built with.
type allowMissingVerifier struct {
	providerName string      // taken from the requirement; presumably empty for allow_missing — confirm
	extractor    Extractor   // built over all providers passed to newAllowMissingVerifier
	jwksCache    JwksCache   // built over the same provider set
	fetcher      JwksFetcher // JWKS retrieval, passed through to the authenticator
}
// newAllowMissingVerifier builds an allowMissingVerifier whose JWKS cache and
// extractor cover every provider in providers (for a nested allow_missing,
// NewVerifier passes the parent providers here). fetcher is stored for the
// authenticator.
func newAllowMissingVerifier(require *jwtauthnv3.JwtRequirement, providers map[string]*jwtauthnv3.JwtProvider, fetcher JwksFetcher) *allowMissingVerifier {
	// TODO(huangrh): use jwksCache from context
	cache := NewJwksCache(providers)
	// NOTE(review): map iteration order is random, so the extractor sees the
	// providers in a nondeterministic order — confirm NewExtractor is
	// order-insensitive.
	var providerList []*jwtauthnv3.JwtProvider
	for _, p := range providers {
		providerList = append(providerList, p)
	}
	return &allowMissingVerifier{
		providerName: require.GetProviderName(),
		extractor:    NewExtractor(providerList),
		jwksCache:    cache,
		fetcher:      fetcher,
	}
}
// Verify extracts tokens for all of a's providers and checks them with an
// authenticator whose last flag is set, which distinguishes it from
// providerVerifier.Verify; the authenticator's error is returned unchanged.
func (a *allowMissingVerifier) Verify(headers api.HeaderMap, requestArg string) error {
	// The last flag presumably enables "allow missing"; the fourth is left
	// off as in providerVerifier — confirm against newAuthenticator.
	return newAuthenticator(a.providerName, a.jwksCache, a.fetcher, false, true).
		Verify(headers, a.extractor.Extract(headers, requestArg))
}