Compare commits
11 Commits
v0.1.1
...
9c5865df00
| Author | SHA1 | Date | |
|---|---|---|---|
| 9c5865df00 | |||
| 9c05d2f38a | |||
| 67716a883d | |||
| 4afa9a01b6 | |||
| 2888905ab1 | |||
| d4ecf80f94 | |||
| 746fb73d2f | |||
| 1510a746ec | |||
| 037d347ef3 | |||
| 2d908e913d | |||
| 8286336c32 |
@@ -1,7 +1,9 @@
|
||||
FROM golang:alpine as build
|
||||
RUN apk add --no-cache git
|
||||
WORKDIR /app
|
||||
COPY go.sum /app/go.sum
|
||||
COPY go.mod /app/go.mod
|
||||
ENV GOPRIVATE=git.t-juice.club
|
||||
RUN go mod download
|
||||
COPY . /app
|
||||
RUN go build -o mf-auth cmd/main.go
|
||||
|
||||
118
authmw/token.go
118
authmw/token.go
@@ -8,39 +8,26 @@ import (
|
||||
"net/http"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"git.t-juice.club/microfilm/auth"
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
|
||||
"go.opentelemetry.io/otel"
|
||||
)
|
||||
|
||||
type ctxType string
|
||||
|
||||
var ctxKeyClaims ctxType = "claims"
|
||||
|
||||
var ErrNoClaimsInRequest = fmt.Errorf("no claims in request")
|
||||
|
||||
func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) http.Handler {
|
||||
// Fetch current pubkey
|
||||
url := fmt.Sprintf("%s/key", authURL)
|
||||
req, err := http.NewRequest(http.MethodGet, url, nil)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
var authResponse auth.PubkeyResponse
|
||||
decoder := json.NewDecoder(resp.Body)
|
||||
if err := decoder.Decode(&authResponse); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
// Parse pubkey
|
||||
pub, err := x509.ParsePKIXPublicKey(authResponse.PubKey)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
|
||||
fn := func(next http.Handler) http.Handler {
|
||||
fn := func(w http.ResponseWriter, r *http.Request) {
|
||||
ctx, span := otel.GetTracerProvider().Tracer("").Start(r.Context(), "verify-token")
|
||||
defer span.End()
|
||||
|
||||
authHeader := r.Header.Get("Authorization")
|
||||
if !strings.Contains(authHeader, "Bearer ") {
|
||||
// No token, pass if unathorized in permitted
|
||||
@@ -61,6 +48,74 @@ func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) htt
|
||||
return
|
||||
}
|
||||
|
||||
// Fetch current pubkey
|
||||
url := fmt.Sprintf("%s/key", authURL)
|
||||
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
|
||||
defer cancel()
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
||||
if err != nil {
|
||||
// TODO: Should log
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
errResp := &auth.ErrorResponse{
|
||||
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
|
||||
Status: http.StatusUnauthorized,
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
_ = encoder.Encode(&errResp)
|
||||
return
|
||||
}
|
||||
|
||||
client := &http.Client{
|
||||
Transport: otelhttp.NewTransport(http.DefaultTransport),
|
||||
}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
// TODO: Should log
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
errResp := &auth.ErrorResponse{
|
||||
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
|
||||
Status: http.StatusUnauthorized,
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
_ = encoder.Encode(&errResp)
|
||||
return
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
var authResponse auth.PubkeyResponse
|
||||
decoder := json.NewDecoder(resp.Body)
|
||||
if err := decoder.Decode(&authResponse); err != nil {
|
||||
// TODO: Should log
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
errResp := &auth.ErrorResponse{
|
||||
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
|
||||
Status: http.StatusUnauthorized,
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
_ = encoder.Encode(&errResp)
|
||||
return
|
||||
}
|
||||
|
||||
// Parse pubkey
|
||||
pub, err := x509.ParsePKIXPublicKey(authResponse.PubKey)
|
||||
if err != nil {
|
||||
// TODO: Should log
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
errResp := &auth.ErrorResponse{
|
||||
Message: fmt.Sprintf("Error getting pubkey for token verification: %s", err),
|
||||
Status: http.StatusUnauthorized,
|
||||
}
|
||||
|
||||
encoder := json.NewEncoder(w)
|
||||
_ = encoder.Encode(&errResp)
|
||||
return
|
||||
}
|
||||
|
||||
// Validate token
|
||||
tokenString := strings.Split(authHeader, " ")[1]
|
||||
token, err := jwt.ParseWithClaims(tokenString, &auth.MicrofilmClaims{}, func(t *jwt.Token) (interface{}, error) { return pub, nil })
|
||||
@@ -75,10 +130,11 @@ func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) htt
|
||||
_ = encoder.Encode(&errResp)
|
||||
return
|
||||
}
|
||||
// TODO: Check that it is in permitted
|
||||
|
||||
// Add claims to request context
|
||||
if claims, ok := token.Claims.(*auth.MicrofilmClaims); ok && token.Valid {
|
||||
ctx := context.WithValue(r.Context(), "claims", claims)
|
||||
ctx := context.WithValue(r.Context(), ctxKeyClaims, claims)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
return
|
||||
}
|
||||
@@ -90,3 +146,13 @@ func VerifyToken(authURL string, permittedRoles []string) func(http.Handler) htt
|
||||
|
||||
return fn
|
||||
}
|
||||
|
||||
func ClaimsFromCtx(ctx context.Context) (*auth.MicrofilmClaims, error) {
|
||||
rawValue := ctx.Value(ctxKeyClaims)
|
||||
value, ok := rawValue.(*auth.MicrofilmClaims)
|
||||
if ok {
|
||||
return value, nil
|
||||
}
|
||||
|
||||
return nil, ErrNoClaimsInRequest
|
||||
}
|
||||
|
||||
31
authmw/token_test.go
Normal file
31
authmw/token_test.go
Normal file
@@ -0,0 +1,31 @@
|
||||
package authmw
|
||||
|
||||
import (
|
||||
"context"
|
||||
"testing"
|
||||
|
||||
"git.t-juice.club/microfilm/auth"
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/google/go-cmp/cmp"
|
||||
)
|
||||
|
||||
func TestClaimsFromContext(t *testing.T) {
|
||||
claims := &auth.MicrofilmClaims{
|
||||
Role: "admin",
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
Issuer: "test",
|
||||
Subject: "subject",
|
||||
},
|
||||
}
|
||||
ctx := context.WithValue(context.Background(), ctxKeyClaims, claims)
|
||||
|
||||
retrieved, err := ClaimsFromCtx(ctx)
|
||||
if err != nil {
|
||||
t.Fatalf("Unable to retrieve claims")
|
||||
}
|
||||
|
||||
if diff := cmp.Diff(claims, retrieved); diff != "" {
|
||||
t.Fatalf("Claims diff: %s", diff)
|
||||
}
|
||||
return
|
||||
}
|
||||
28
go.mod
28
go.mod
@@ -3,21 +3,43 @@ module git.t-juice.club/microfilm/auth
|
||||
go 1.21.3
|
||||
|
||||
require (
|
||||
git.t-juice.club/microfilm/users v0.1.2
|
||||
github.com/go-chi/chi/v5 v5.0.10
|
||||
github.com/golang-jwt/jwt/v5 v5.0.0
|
||||
github.com/google/go-cmp v0.6.0
|
||||
github.com/google/uuid v1.3.1
|
||||
github.com/nats-io/nats.go v1.31.0
|
||||
github.com/nats-io/nkeys v0.4.5
|
||||
github.com/pelletier/go-toml/v2 v2.1.0
|
||||
github.com/urfave/cli/v2 v2.25.7
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0
|
||||
go.opentelemetry.io/otel v1.19.0
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0
|
||||
go.opentelemetry.io/otel/sdk v1.19.0
|
||||
go.opentelemetry.io/otel/trace v1.19.0
|
||||
)
|
||||
|
||||
require (
|
||||
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
|
||||
github.com/felixge/httpsnoop v1.0.3 // indirect
|
||||
github.com/go-logr/logr v1.2.4 // indirect
|
||||
github.com/go-logr/stdr v1.2.2 // indirect
|
||||
github.com/golang/protobuf v1.5.3 // indirect
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
|
||||
github.com/klauspost/compress v1.17.0 // indirect
|
||||
github.com/nats-io/nkeys v0.4.5 // indirect
|
||||
github.com/nats-io/nuid v1.0.1 // indirect
|
||||
github.com/russross/blackfriday/v2 v2.1.0 // indirect
|
||||
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
|
||||
golang.org/x/crypto v0.6.0 // indirect
|
||||
golang.org/x/sys v0.5.0 // indirect
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.19.0 // indirect
|
||||
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
|
||||
golang.org/x/crypto v0.14.0 // indirect
|
||||
golang.org/x/net v0.12.0 // indirect
|
||||
golang.org/x/sys v0.13.0 // indirect
|
||||
golang.org/x/text v0.13.0 // indirect
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 // indirect
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 // indirect
|
||||
google.golang.org/grpc v1.58.2 // indirect
|
||||
google.golang.org/protobuf v1.31.0 // indirect
|
||||
)
|
||||
|
||||
62
go.sum
62
go.sum
@@ -1,14 +1,35 @@
|
||||
git.t-juice.club/microfilm/users v0.1.2 h1:wudwa4C5ecUGmbe+Y6A77lVHx8dFSy/ib47HBOrQ7AU=
|
||||
git.t-juice.club/microfilm/users v0.1.2/go.mod h1:CWb2XYyifeaiLMdEqPyLB4EEj2MKcGogt+wt+PGdcSw=
|
||||
github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
|
||||
github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.3 h1:qMCsGGgs+MAzDFyp9LpAe1Lqy/fY/qCovCm0qnXZOBM=
|
||||
github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
|
||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
|
||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||
github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
|
||||
github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
|
||||
github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
|
||||
github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
|
||||
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
||||
github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
|
||||
github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
|
||||
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
|
||||
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
|
||||
github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
|
||||
github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
|
||||
github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
|
||||
github.com/golang/glog v1.1.0/go.mod h1:pfYeQZ3JWZoXTV5sFc986z3HTpwQs9At6P4ImfuP3NQ=
|
||||
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
|
||||
github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
|
||||
github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
|
||||
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
|
||||
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
|
||||
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
|
||||
github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
|
||||
github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
|
||||
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
|
||||
github.com/klauspost/compress v1.17.0 h1:Rnbp4K9EjcDuVuHtd0dgA4qNuv9yKDYKK1ulpJwgrqM=
|
||||
github.com/klauspost/compress v1.17.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
|
||||
github.com/nats-io/nats.go v1.31.0 h1:/WFBHEc/dOKBF6qf1TZhrdEfTmOZ5JzdJ+Y3m6Y/p7E=
|
||||
@@ -34,10 +55,43 @@ github.com/urfave/cli/v2 v2.25.7 h1:VAzn5oq403l5pHjc4OhD54+XGO9cdKVL/7lDjF+iKUs=
|
||||
github.com/urfave/cli/v2 v2.25.7/go.mod h1:8qnjx1vcq5s2/wpsqoZFndg2CE5tNFyrTvS6SinrnYQ=
|
||||
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
|
||||
github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
|
||||
golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
|
||||
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
|
||||
golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
|
||||
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg=
|
||||
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q=
|
||||
go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs=
|
||||
go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
|
||||
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
|
||||
go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE=
|
||||
go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8=
|
||||
go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o=
|
||||
go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A=
|
||||
go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg=
|
||||
go.opentelemetry.io/otel/trace v1.19.0/go.mod h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo=
|
||||
go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
|
||||
go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
|
||||
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
|
||||
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
|
||||
golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
|
||||
golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
|
||||
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
|
||||
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
|
||||
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
|
||||
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98 h1:Z0hjGZePRE0ZBWotvtrwxFNrNE9CUAGtplaDK5NNI/g=
|
||||
google.golang.org/genproto v0.0.0-20230711160842-782d3b101e98/go.mod h1:S7mY02OqCJTD0E1OiQy1F72PWFB4bZJ87cAtLPYgDR0=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98 h1:FmF5cCW94Ij59cfpoLiwTgodWmm60eEV0CjlsVg2fuw=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20230711160842-782d3b101e98/go.mod h1:rsr7RhLuwsDKL7RmgDDCUc6yaGr1iqceVb5Wv6f6YvQ=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98 h1:bVf09lpb+OJbByTj913DRJioFFAjf/ZGxEz7MajTp2U=
|
||||
google.golang.org/genproto/googleapis/rpc v0.0.0-20230711160842-782d3b101e98/go.mod h1:TUfxEVdsvPg18p6AslUXFoLdpED4oBnGwyqk3dV1XzM=
|
||||
google.golang.org/grpc v1.58.2 h1:SXUpjxeVF3FKrTYQI4f4KvbGD5u2xccdYdurwowix5I=
|
||||
google.golang.org/grpc v1.58.2/go.mod h1:tgX3ZQDlNJGU96V6yHh1T/JeoBQ2TXdr43YbYSsCJk0=
|
||||
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
|
||||
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
|
||||
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
|
||||
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
|
||||
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
ListenAddr = ":8082"
|
||||
NATSAddr = "nats:4222"
|
||||
BaseSubject = "microfilm.auth.v1"
|
||||
UserServiceBaseURL = "http://mf-users:8080"
|
||||
|
||||
UserServiceBaseURL = "http://mf-users:8080"
|
||||
[NATS]
|
||||
Enabled = true
|
||||
Addr = "nats://nats1:4222,nats://nats2:4222,nats://nats3:4222"
|
||||
NKeySeed = "SUAOUHJPINF4CK6TSNZMRR5G4DKGW5S76XRNIYURPEISNMWXJIXSVWIO7Y"
|
||||
Subject = "microfilm.auth.v1"
|
||||
@@ -7,13 +7,20 @@ import (
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
ListenAddr string `toml:"ListenAddr"`
|
||||
NATSAddr string `toml:"NATSAddr"`
|
||||
BaseSubject string `toml:"BaseSubject"`
|
||||
ListenAddr string `toml:"ListenAddr"`
|
||||
NATS *NATSConfig `toml:"NATS"`
|
||||
BaseSubject string `toml:"BaseSubject"`
|
||||
|
||||
UserServiceBaseURL string `toml:"UserServiceBaseURL"`
|
||||
}
|
||||
|
||||
type NATSConfig struct {
|
||||
Enabled bool `toml:"Enabled"`
|
||||
NKeySeed string `toml:"NKeySeed"`
|
||||
Addr string `toml:"Addr"`
|
||||
Subject string `toml:"Subject"`
|
||||
}
|
||||
|
||||
func ConfigFromReader(r io.Reader) (*Config, error) {
|
||||
decoder := toml.NewDecoder(r)
|
||||
var c Config
|
||||
|
||||
@@ -1,10 +1,13 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/go-chi/chi/v5/middleware"
|
||||
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
)
|
||||
|
||||
func (s *Server) MiddlewareLogging(next http.Handler) http.Handler {
|
||||
@@ -28,3 +31,14 @@ func (s *Server) MiddlewareLogging(next http.Handler) http.Handler {
|
||||
}
|
||||
return http.HandlerFunc(fn)
|
||||
}
|
||||
|
||||
func (s *Server) MiddlewareTracing(next http.Handler) http.Handler {
|
||||
fn := func(w http.ResponseWriter, r *http.Request) {
|
||||
span := trace.SpanFromContext(r.Context())
|
||||
span.AddEvent("event")
|
||||
|
||||
h := otelhttp.NewHandler(next, fmt.Sprintf("%s %s", r.Method, r.URL.Path))
|
||||
h.ServeHTTP(w, r)
|
||||
}
|
||||
return http.HandlerFunc(fn)
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/ecdsa"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
@@ -19,6 +20,14 @@ import (
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/google/uuid"
|
||||
"github.com/nats-io/nats.go"
|
||||
"github.com/nats-io/nkeys"
|
||||
"go.opentelemetry.io/otel"
|
||||
"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp"
|
||||
"go.opentelemetry.io/otel/propagation"
|
||||
"go.opentelemetry.io/otel/sdk/resource"
|
||||
sdktrace "go.opentelemetry.io/otel/sdk/trace"
|
||||
semconv "go.opentelemetry.io/otel/semconv/v1.21.0"
|
||||
"go.opentelemetry.io/otel/trace"
|
||||
)
|
||||
|
||||
const DefaultTokenDuration time.Duration = 24 * time.Hour
|
||||
@@ -38,10 +47,17 @@ type Server struct {
|
||||
func NewServer(config *Config) (*Server, error) {
|
||||
srv := &Server{}
|
||||
|
||||
tp, err := tracerProvider("jaeger:4318")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
otel.SetTracerProvider(tp)
|
||||
|
||||
r := chi.NewRouter()
|
||||
|
||||
r.Use(middleware.RequestID)
|
||||
r.Use(srv.MiddlewareLogging)
|
||||
r.Use(srv.MiddlewareTracing)
|
||||
|
||||
r.Get("/key", srv.PubkeyHandler)
|
||||
r.Post("/{id}/token", srv.TokenHandler)
|
||||
@@ -57,16 +73,34 @@ func NewServer(config *Config) (*Server, error) {
|
||||
|
||||
srv.store = store.NewMemoryAuthStore()
|
||||
|
||||
conn, err := nats.Connect(config.NATSAddr)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
encoded, err := nats.NewEncodedConn(conn, "json")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
if config.NATS.Enabled {
|
||||
var opts []nats.Option
|
||||
if config.NATS.NKeySeed != "" {
|
||||
keys, err := nkeys.FromSeed([]byte(config.NATS.NKeySeed))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pubkey, err := keys.PublicKey()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
srv.Logger.Debug("NATS enabled with NKeys", "pubkey", pubkey)
|
||||
creds := nats.Nkey(pubkey, keys.Sign)
|
||||
opts = append(opts, creds)
|
||||
}
|
||||
|
||||
conn, err := nats.Connect(config.NATS.Addr, opts...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
encoded, err := nats.NewEncodedConn(conn, "json")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
srv.nats = encoded
|
||||
}
|
||||
|
||||
srv.nats = encoded
|
||||
srv.userClient = NewUserClient(config.UserServiceBaseURL)
|
||||
|
||||
// Generate keys
|
||||
@@ -79,6 +113,26 @@ func NewServer(config *Config) (*Server, error) {
|
||||
return srv, nil
|
||||
}
|
||||
|
||||
func tracerProvider(url string) (*sdktrace.TracerProvider, error) {
|
||||
exp, err := otlptracehttp.New(context.Background(), otlptracehttp.WithEndpoint(url), otlptracehttp.WithInsecure())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
res := resource.NewWithAttributes(semconv.SchemaURL,
|
||||
semconv.ServiceName("mf-auth"),
|
||||
semconv.ServiceVersion(auth.Version),
|
||||
)
|
||||
tp := sdktrace.NewTracerProvider(
|
||||
sdktrace.WithBatcher(exp, sdktrace.WithBatchTimeout(time.Second)),
|
||||
sdktrace.WithResource(res),
|
||||
)
|
||||
otel.SetTracerProvider(tp)
|
||||
otel.SetTextMapPropagator(propagation.NewCompositeTextMapPropagator(propagation.TraceContext{}, propagation.Baggage{}))
|
||||
|
||||
return tp, nil
|
||||
}
|
||||
|
||||
func InfoHandler(w http.ResponseWriter, r *http.Request) {
|
||||
enc := json.NewEncoder(w)
|
||||
|
||||
@@ -96,6 +150,9 @@ func WriteError(w http.ResponseWriter, response auth.ErrorResponse) {
|
||||
}
|
||||
|
||||
func (s *Server) PubkeyHandler(w http.ResponseWriter, r *http.Request) {
|
||||
span := trace.SpanFromContext(r.Context())
|
||||
|
||||
span.AddEvent("Start marshalling public key.")
|
||||
enc := json.NewEncoder(w)
|
||||
key, err := x509.MarshalPKIXPublicKey(s.signingKey.Public())
|
||||
if err != nil {
|
||||
@@ -106,6 +163,7 @@ func (s *Server) PubkeyHandler(w http.ResponseWriter, r *http.Request) {
|
||||
})
|
||||
return
|
||||
}
|
||||
span.AddEvent("Finished marshalling public key.")
|
||||
response := auth.PubkeyResponse{
|
||||
PubKey: key,
|
||||
}
|
||||
@@ -114,6 +172,7 @@ func (s *Server) PubkeyHandler(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func (s *Server) TokenHandler(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
defer r.Body.Close()
|
||||
|
||||
@@ -135,7 +194,7 @@ func (s *Server) TokenHandler(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if err := s.userClient.VerifyUserPassword(userIdentifier, request.Password); err != nil {
|
||||
if err := s.userClient.VerifyUserPassword(ctx, userIdentifier, request.Password); err != nil {
|
||||
WriteError(w, auth.ErrorResponse{
|
||||
Status: http.StatusUnauthorized,
|
||||
Message: fmt.Sprintf("Unable to verify password: %s", err),
|
||||
@@ -143,9 +202,18 @@ func (s *Server) TokenHandler(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
u, err := s.userClient.GetUser(ctx, userIdentifier)
|
||||
if err != nil {
|
||||
WriteError(w, auth.ErrorResponse{
|
||||
Status: http.StatusUnauthorized,
|
||||
Message: fmt.Sprintf("Unable to get user details: %s", err),
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
exp := time.Now().Add(DefaultTokenDuration)
|
||||
claims := auth.MicrofilmClaims{
|
||||
Role: auth.RoleUser,
|
||||
Role: u.Role,
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
Issuer: "microfilm",
|
||||
Subject: userIdentifier,
|
||||
|
||||
@@ -7,20 +7,33 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"git.t-juice.club/microfilm/users"
|
||||
"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
|
||||
"go.opentelemetry.io/otel"
|
||||
)
|
||||
|
||||
type UserClient struct {
|
||||
BaseURL string
|
||||
client *http.Client
|
||||
}
|
||||
|
||||
const defaultTimeout time.Duration = 5 * time.Second
|
||||
|
||||
func NewUserClient(baseurl string) *UserClient {
|
||||
return &UserClient{BaseURL: baseurl}
|
||||
return &UserClient{
|
||||
BaseURL: baseurl,
|
||||
client: &http.Client{
|
||||
Transport: otelhttp.NewTransport(http.DefaultTransport),
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
func (c *UserClient) VerifyUserPassword(username, password string) error {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), defaultTimeout)
|
||||
func (c *UserClient) VerifyUserPassword(ctx context.Context, username, password string) error {
|
||||
ctx, span := otel.GetTracerProvider().Tracer("").Start(ctx, "verify-user-password")
|
||||
defer span.End()
|
||||
|
||||
ctx, cancel := context.WithTimeout(ctx, defaultTimeout)
|
||||
defer cancel()
|
||||
|
||||
url := fmt.Sprintf("%s/%s/verify", c.BaseURL, username)
|
||||
@@ -40,12 +53,11 @@ func (c *UserClient) VerifyUserPassword(username, password string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
client := http.Client{}
|
||||
|
||||
resp, err := client.Do(req)
|
||||
resp, err := c.client.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return fmt.Errorf("authentication failed")
|
||||
@@ -53,3 +65,37 @@ func (c *UserClient) VerifyUserPassword(username, password string) error {
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (c *UserClient) GetUser(ctx context.Context, identifier string) (users.User, error) {
|
||||
var u users.User
|
||||
|
||||
ctx, span := otel.GetTracerProvider().Tracer("").Start(ctx, "get-user")
|
||||
defer span.End()
|
||||
|
||||
ctx, cancel := context.WithTimeout(ctx, defaultTimeout)
|
||||
defer cancel()
|
||||
|
||||
url := fmt.Sprintf("%s/%s", c.BaseURL, identifier)
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
||||
if err != nil {
|
||||
return u, err
|
||||
}
|
||||
|
||||
resp, err := c.client.Do(req)
|
||||
if err != nil {
|
||||
return u, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return u, fmt.Errorf("authentication failed")
|
||||
}
|
||||
|
||||
decoder := json.NewDecoder(resp.Body)
|
||||
if err := decoder.Decode(&u); err != nil {
|
||||
return u, err
|
||||
}
|
||||
|
||||
return u, nil
|
||||
}
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
package auth
|
||||
|
||||
const Version = "v0.1.1"
|
||||
const Version = "v0.1.6"
|
||||
|
||||
Reference in New Issue
Block a user