199 lines
7.1 KiB
Go
199 lines
7.1 KiB
Go
// Copyright (c) All respective contributors to the Peridot Project. All rights reserved.
|
|
// Copyright (c) 2021-2022 Rocky Enterprise Software Foundation, Inc. All rights reserved.
|
|
// Copyright (c) 2021-2022 Ctrl IQ, Inc. All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice,
|
|
// this list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// 3. Neither the name of the copyright holder nor the names of its contributors
|
|
// may be used to endorse or promote products derived from this software without
|
|
// specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
// POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
package utils
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"github.com/ory/hydra-client-go/v2"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
"google.golang.org/grpc"
|
|
"google.golang.org/grpc/codes"
|
|
"google.golang.org/grpc/metadata"
|
|
"google.golang.org/grpc/status"
|
|
"strings"
|
|
)
|
|
|
|
type InterceptorFunc func(ctx context.Context, req interface{}, usi *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)
|
|
type ServerInterceptorFunc func(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error
|
|
|
|
type ContextUser struct {
|
|
ID string `json:"id"`
|
|
AuthToken string `json:"authToken"`
|
|
Name string `json:"name"`
|
|
Email string `json:"email"`
|
|
}
|
|
|
|
// Finish chains all interceptors
|
|
func (a InterceptorFunc) Finish(ctx context.Context, req interface{}, usi *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
|
return a(ctx, req, usi, handler)
|
|
}
|
|
func (a ServerInterceptorFunc) Finish(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
|
return a(srv, ss, info, handler)
|
|
}
|
|
|
|
// EndInterceptor should be used in the end of an interceptor chain
|
|
func EndInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
|
return handler(ctx, req)
|
|
}
|
|
func ServerEndInterceptor(srv interface{}, ss grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
|
return handler(srv, ss)
|
|
}
|
|
|
|
func checkAuth(ctx context.Context, hydraSDK *client.APIClient, hydraAdmin *client.APIClient) (context.Context, error) {
|
|
// fetch metadata from grpc
|
|
meta, ok := metadata.FromIncomingContext(ctx)
|
|
if !ok {
|
|
return ctx, status.Error(codes.InvalidArgument, "invalid request sent")
|
|
}
|
|
|
|
// get authorization header
|
|
authHeader := meta["authorization"]
|
|
if len(authHeader) == 0 {
|
|
return ctx, status.Error(codes.InvalidArgument, "empty authorization header")
|
|
}
|
|
|
|
// verify that the authorization header contains a Bearer token
|
|
authToken := strings.SplitN(authHeader[0], " ", 2)
|
|
if len(authToken) != 2 || authToken[0] != "Bearer" {
|
|
return ctx, status.Error(codes.InvalidArgument, "invalid authorization token")
|
|
}
|
|
|
|
userInfo, _, err := hydraSDK.OidcAPI.GetOidcUserInfo(context.WithValue(ctx, client.ContextAccessToken, authToken[1])).Execute()
|
|
if err != nil {
|
|
return ctx, err
|
|
}
|
|
if *userInfo.Sub == "" && hydraAdmin != nil {
|
|
introspect, _, err := hydraAdmin.OAuth2API.IntrospectOAuth2Token(ctx).Token(authToken[1]).Execute()
|
|
if err != nil {
|
|
logrus.Errorf("error introspecting token: %s", err)
|
|
return ctx, status.Errorf(codes.Unauthenticated, "invalid authorization token")
|
|
}
|
|
|
|
userInfo.Sub = introspect.ClientId
|
|
userInfo.Name = introspect.Sub
|
|
newEmail := fmt.Sprintf("%s@%s", *introspect.Sub, "serviceaccount.resf.org")
|
|
userInfo.Email = &newEmail
|
|
}
|
|
if *userInfo.Sub == "" {
|
|
return ctx, status.Errorf(codes.Unauthenticated, "invalid authorization token")
|
|
}
|
|
|
|
// supply subject and token to further requests
|
|
pairs := metadata.Pairs("x-user-id", *userInfo.Sub, "x-user-name", *userInfo.Name, "x-user-email", *userInfo.Email, "x-auth-token", authToken[1])
|
|
ctx = metadata.NewIncomingContext(ctx, metadata.Join(meta, pairs))
|
|
|
|
return ctx, nil
|
|
}
|
|
|
|
// AuthInterceptor requires OAuth2 authentication for all routes except listed
|
|
func AuthInterceptor(hydraSDK *client.APIClient, hydraAdminSDK *client.APIClient, excludedMethods []string, enforce bool, next InterceptorFunc) InterceptorFunc {
|
|
return func(ctx context.Context, req interface{}, usi *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
|
// skip authentication for excluded methods
|
|
if !StrContains(usi.FullMethod, excludedMethods) {
|
|
var err error
|
|
if ctx, err = checkAuth(ctx, hydraSDK, hydraAdminSDK); err != nil {
|
|
if enforce {
|
|
return nil, err
|
|
}
|
|
}
|
|
}
|
|
|
|
return next(ctx, req, usi, handler)
|
|
}
|
|
}
|
|
|
|
type serverStream struct {
|
|
grpc.ServerStream
|
|
ctx context.Context
|
|
}
|
|
|
|
func (ss *serverStream) Context() context.Context {
|
|
return ss.ctx
|
|
}
|
|
func ServerAuthInterceptor(hydraSDK *client.APIClient, hydraAdminSDK *client.APIClient, excludedMethods []string, enforce bool, next ServerInterceptorFunc) ServerInterceptorFunc {
|
|
return func(srv interface{}, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
|
|
newStream := serverStream{
|
|
ServerStream: ss,
|
|
ctx: ss.Context(),
|
|
}
|
|
// skip authentication for excluded methods
|
|
if !StrContains(info.FullMethod, excludedMethods) {
|
|
var ctx context.Context
|
|
var err error
|
|
if ctx, err = checkAuth(ss.Context(), hydraSDK, hydraAdminSDK); err != nil {
|
|
if enforce {
|
|
return err
|
|
}
|
|
}
|
|
if ctx != nil {
|
|
newStream.ctx = ctx
|
|
}
|
|
}
|
|
|
|
return next(srv, &newStream, info, handler)
|
|
}
|
|
}
|
|
|
|
func UserFromContext(ctx context.Context) (*ContextUser, error) {
|
|
meta, ok := metadata.FromIncomingContext(ctx)
|
|
if !ok {
|
|
return nil, status.Error(codes.InvalidArgument, "invalid request sent")
|
|
}
|
|
|
|
uid := meta["x-user-id"]
|
|
if len(uid) == 0 {
|
|
return nil, status.Error(codes.Unauthenticated, "no user id")
|
|
}
|
|
|
|
authTokens := meta["x-auth-token"]
|
|
if len(authTokens) == 0 {
|
|
return nil, status.Error(codes.Unauthenticated, "no auth token")
|
|
}
|
|
|
|
var name string
|
|
if names := meta["x-user-name"]; len(names) > 0 {
|
|
name = names[0]
|
|
}
|
|
var email string
|
|
if emails := meta["x-user-email"]; len(emails) > 0 {
|
|
email = emails[0]
|
|
}
|
|
|
|
return &ContextUser{
|
|
ID: uid[0],
|
|
AuthToken: authTokens[0],
|
|
Name: name,
|
|
Email: email,
|
|
}, nil
|
|
}
|