-
Notifications
You must be signed in to change notification settings - Fork 153
/
jwt.go
168 lines (137 loc) · 4.75 KB
/
jwt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
package auth
import (
"context"
"errors"
"fmt"
"net/http"
"reflect"
"strings"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/go-logr/logr"
"github.com/weaveworks/weave-gitops/core/logger"
)
// PrincipalGetter implementations are responsible for extracting a named
// principal from an HTTP request.
type PrincipalGetter interface {
// Principal extracts a principal from the http.Request.
// It's not an error for there to be no principal in the request.
Principal(r *http.Request) (*UserPrincipal, error)
}
type tokenVerifier interface {
Verify(ctx context.Context, rawIDToken string) (*oidc.IDToken, error)
}
// JWTCookiePrincipalGetter inspects a cookie for a JWT token
// and returns a principal object.
type JWTCookiePrincipalGetter struct {
log logr.Logger
verifier tokenVerifier
cookieName string
claimsConfig *ClaimsConfig
}
// NewJWTCookiePrincipalGetter looks for a cookie in the provided name and
// treats that as a JWT token that can be decoded to a Principal.
func NewJWTCookiePrincipalGetter(log logr.Logger, verifier tokenVerifier, cookieName string, config *ClaimsConfig) PrincipalGetter {
return &JWTCookiePrincipalGetter{
log: log,
verifier: verifier,
cookieName: cookieName,
claimsConfig: config,
}
}
func (pg *JWTCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error) {
cookie, err := r.Cookie(pg.cookieName)
if err == http.ErrNoCookie {
return nil, nil
}
pg.log.V(logger.LogLevelDebug).Info("parsing cookie JWT token", "claimsConfig", pg.claimsConfig)
return parseJWTToken(r.Context(), pg.verifier, cookie.Value, pg.claimsConfig)
}
// JWTAuthorizationHeaderPrincipalGetter inspects the Authorization
// header (bearer token) for a JWT token and returns a principal
// object.
type JWTAuthorizationHeaderPrincipalGetter struct {
log logr.Logger
verifier tokenVerifier
claimsConfig *ClaimsConfig
}
func NewJWTAuthorizationHeaderPrincipalGetter(log logr.Logger, verifier tokenVerifier, config *ClaimsConfig) PrincipalGetter {
return &JWTAuthorizationHeaderPrincipalGetter{
log: log,
verifier: verifier,
claimsConfig: config,
}
}
func (pg *JWTAuthorizationHeaderPrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error) {
pg.log.V(logger.LogLevelDebug).Info("attempt to read token from auth header")
header := r.Header.Get("Authorization")
if header == "" {
return nil, nil
}
pg.log.V(logger.LogLevelDebug).Info("parsing authorization header JWT token", "claimsConfig", pg.claimsConfig)
return parseJWTToken(r.Context(), pg.verifier, extractToken(header), pg.claimsConfig)
}
func extractToken(s string) string {
parts := strings.Split(s, " ")
if len(parts) != 2 {
return ""
}
if strings.TrimSpace(parts[0]) != "Bearer" {
return ""
}
return strings.TrimSpace(parts[1])
}
func parseJWTToken(ctx context.Context, verifier tokenVerifier, rawIDToken string, cc *ClaimsConfig) (*UserPrincipal, error) {
token, err := verifier.Verify(ctx, rawIDToken)
if err != nil {
return nil, fmt.Errorf("failed to verify JWT token: %w", err)
}
return cc.PrincipalFromClaims(token)
}
type JWTAdminCookiePrincipalGetter struct {
log logr.Logger
verifier TokenSignerVerifier
cookieName string
}
func NewJWTAdminCookiePrincipalGetter(log logr.Logger, verifier TokenSignerVerifier, cookieName string) PrincipalGetter {
return &JWTAdminCookiePrincipalGetter{
log: log,
verifier: verifier,
cookieName: cookieName,
}
}
func (pg *JWTAdminCookiePrincipalGetter) Principal(r *http.Request) (*UserPrincipal, error) {
cookie, err := r.Cookie(pg.cookieName)
if err == http.ErrNoCookie {
return nil, nil
}
return parseJWTAdminToken(pg.verifier, cookie.Value)
}
func parseJWTAdminToken(verifier TokenSignerVerifier, rawIDToken string) (*UserPrincipal, error) {
claims, err := verifier.Verify(rawIDToken)
if err != nil {
// FIXME: do some better handling here
// return nil, fmt.Errorf("failed to verify JWT token: %w", err)
// ANYWAY:, its probably not our token? e.g. an OIDC one
return nil, nil
}
return &UserPrincipal{ID: claims.Subject, Groups: []string{}}, nil
}
// MultiAuthPrincipal looks for a principal in an array of principal getters and
// if it finds an error or a principal it returns, otherwise it returns (nil,nil).
type MultiAuthPrincipal struct {
Log logr.Logger
Getters []PrincipalGetter
}
func (m MultiAuthPrincipal) Principal(r *http.Request) (*UserPrincipal, error) {
for _, v := range m.Getters {
p, err := v.Principal(r)
if err != nil {
return nil, err
}
if p != nil {
m.Log.V(logger.LogLevelDebug).Info("Found principal", "user", p.ID, "groups", p.Groups, "tokenLength", len(p.Token()), "method", reflect.TypeOf(v))
return p, nil
}
}
return nil, errors.New("could not find valid principal")
}