forked from netlify/git-gateway
-
Notifications
You must be signed in to change notification settings - Fork 0
/
middleware.go
91 lines (76 loc) · 2.61 KB
/
middleware.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
package api
import (
"context"
"net/http"
"github.com/dgrijalva/jwt-go"
"github.com/netlify/git-gateway/models"
)
const (
jwsSignatureHeaderName = "x-nf-sign"
)
type NetlifyMicroserviceClaims struct {
SiteURL string `json:"site_url"`
InstanceID string `json:"id"`
NetlifyID string `json:"netlify_id"`
jwt.StandardClaims
}
func (a *API) loadJWSSignatureHeader(w http.ResponseWriter, r *http.Request) (context.Context, error) {
ctx := r.Context()
signature := r.Header.Get(jwsSignatureHeaderName)
if signature == "" {
return nil, badRequestError("Operator microservice headers missing")
}
return withSignature(ctx, signature), nil
}
func (a *API) loadInstanceConfig(w http.ResponseWriter, r *http.Request) (context.Context, error) {
ctx := r.Context()
signature := getSignature(ctx)
if signature == "" {
return nil, badRequestError("Operator signature missing")
}
claims := NetlifyMicroserviceClaims{}
p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
_, err := p.ParseWithClaims(signature, &claims, func(token *jwt.Token) (interface{}, error) {
return []byte(a.config.OperatorToken), nil
})
if err != nil {
return nil, badRequestError("Operator microservice signature is invalid: %v", err)
}
instanceID := claims.InstanceID
if instanceID == "" {
return nil, badRequestError("Instance ID is missing")
}
logEntrySetField(r, "instance_id", instanceID)
logEntrySetField(r, "netlify_id", claims.NetlifyID)
instance, err := a.db.GetInstance(instanceID)
if err != nil {
if models.IsNotFoundError(err) {
return nil, notFoundError("Unable to locate site configuration")
}
return nil, internalServerError("Database error loading instance").WithInternalError(err)
}
config, err := instance.Config()
if err != nil {
return nil, internalServerError("Error loading environment config").WithInternalError(err)
}
ctx = withNetlifyID(ctx, claims.NetlifyID)
ctx, err = WithInstanceConfig(ctx, config, instanceID)
if err != nil {
return nil, internalServerError("Error loading instance config").WithInternalError(err)
}
return ctx, nil
}
func (a *API) verifyOperatorRequest(w http.ResponseWriter, req *http.Request) (context.Context, error) {
c, _, err := a.extractOperatorRequest(w, req)
return c, err
}
func (a *API) extractOperatorRequest(w http.ResponseWriter, req *http.Request) (context.Context, string, error) {
token, err := a.extractBearerToken(w, req)
if err != nil {
return nil, token, err
}
if token == "" || token != a.config.OperatorToken {
return nil, token, unauthorizedError("Request does not include an Operator token")
}
return req.Context(), token, nil
}