From 7d18a2b56a1255eed16a8541dbdd5c754044f946 Mon Sep 17 00:00:00 2001
From: atefeh
Date: Wed, 10 May 2023 23:54:26 -0700
Subject: [PATCH] code 281 validation of JWT token for CI integration

---
 internal/api/middleware/authn/authn.go | 8 ++++----
 internal/auth/authn/authenticator.go | 12 +++++++++++-
 internal/auth/authn/token.go | 2 +-
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/internal/api/middleware/authn/authn.go b/internal/api/middleware/authn/authn.go
index ad645d88b..d3c7eae20 100644
--- a/internal/api/middleware/authn/authn.go
+++ b/internal/api/middleware/authn/authn.go
@@ -19,25 +19,25 @@ import (
 // Attempt returns an http.HandlerFunc middleware that authenticates
 // the http.Request if authentication payload is available.
 func Attempt(authenticator authn.Authenticator) func(http.Handler) http.Handler {
-	return performAuthentication(authenticator, false)
+	return performAuthentication(authenticator, false, authn.AuthGitCaller)
 }
 
 // Required returns an http.HandlerFunc middleware that authenticates
 // the http.Request and fails the request if no auth data was available.
 func Required(authenticator authn.Authenticator) func(http.Handler) http.Handler {
-	return performAuthentication(authenticator, true)
+	return performAuthentication(authenticator, true, authn.AuthAPICaller)
 }
 
 // performAuthentication returns an http.HandlerFunc middleware that authenticates
 // the http.Request if authentication payload is available.
 // Depending on whether it is required or not, the request will be failed.
-func performAuthentication(authenticator authn.Authenticator, required bool) func(http.Handler) http.Handler {
+func performAuthentication(authenticator authn.Authenticator, required bool, caller authn.APICaller) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
 			log := hlog.FromRequest(r)
 
-			session, err := authenticator.Authenticate(r)
+			session, err := authenticator.Authenticate(r, caller)
 			if errors.Is(err, authn.ErrNoAuthData) {
 				if required {
diff --git a/internal/auth/authn/authenticator.go b/internal/auth/authn/authenticator.go
index fd157da1f..a63e4c13d 100644
--- a/internal/auth/authn/authenticator.go
+++ b/internal/auth/authn/authenticator.go
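Review bot: The class of credentials a request may present is now derived from whether authentication is optional rather than from the route: `Attempt` hard-codes `authn.AuthGitCaller` and `Required` hard-codes `authn.AuthAPICaller`, so an API route wired with `Attempt` is authenticated under the git rules and a git route that needs `Required` is authenticated under the API rules. Since `caller` presumably selects which auth methods the authenticator accepts (the new `ErrNotAcceptedAuthMethod` is the rejection path), that choice belongs at route registration; make it explicit, `func Attempt(authenticator authn.Authenticator, caller authn.APICaller) func(http.Handler) http.Handler {` and likewise for `Required`, forwarding `caller` to `performAuthentication`. The doc comment on `performAuthentication` should also describe the new `caller` parameter, e.g. `// caller identifies the endpoint kind (API or git) and is passed to the authenticator to decide which auth methods are acceptable.` The body of `performAuthentication`, including where `ErrNotAcceptedAuthMethod` would have to be handled, continues outside the hunk.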
@@ -14,6 +14,16 @@ import (
 var (
 	// ErrNoAuthData that is returned if the authorizer doesn't find any data in the request that can be used for auth.
 	ErrNoAuthData = errors.New("the request doesn't contain any auth data that can be used by the Authorizer")
+	// ErrNotAcceptedAuthData that is returned if the request is using an auth data that is not accepted by the authorizer.
+	// e.g, don't accept jwt (without allowedURI field) for git clone/pull request.
+	ErrNotAcceptedAuthMethod = errors.New("the request contains auth method that is not accepted by the Authorizer")
+)
+
+type APICaller string
+
+const (
+	AuthAPICaller APICaller = "api"
+	AuthGitCaller APICaller = "git"
 )
 
 // Authenticator is an abstraction of an entity that's responsible for authenticating principals
@@ -26,5 +36,5 @@ type Authenticator interface {
  * (nil, ErrNoAuthData) - request doesn't contain any auth data
  * (nil, err) - request contains auth data but verification failed
  */
-	Authenticate(r *http.Request) (*auth.Session, error)
+	Authenticate(r *http.Request, caller APICaller) (*auth.Session, error)
 }
diff --git a/internal/auth/authn/token.go b/internal/auth/authn/token.go
index 75d9e87f1..b2dc748f3 100644
--- a/internal/auth/authn/token.go
+++ b/internal/auth/authn/token.go
@@ -38,7 +38,7 @@ func NewTokenAuthenticator(
 	}
 }
 
-func (a *TokenAuthenticator) Authenticate(r *http.Request) (*auth.Session, error) {
+func (a *TokenAuthenticator) Authenticate(r *http.Request, caller APICaller) (*auth.Session, error) {
 	ctx := r.Context()
 	str := extractToken(r)
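Review bot: The doc comment on the new sentinel names `ErrNotAcceptedAuthData` while the identifier is `ErrNotAcceptedAuthMethod`, so godoc and linters will not associate the two; change it to `// ErrNotAcceptedAuthMethod is returned if the request carries an auth method that the authenticator does not accept for the given caller.` The exported `APICaller` type and the `AuthAPICaller`/`AuthGitCaller` constants have no doc comments; a one-liner such as `// APICaller identifies the kind of endpoint a request is authenticated for (API or git); presumably it decides which auth methods are accepted.` would make the intent visible to implementers. The "jwt (without allowedURI field)" example describes enforcement that is not visible in this diff, so it should be worded as the intended policy or point to where it is checked.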
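Review bot: The contract comment above `Authenticate` lists the `(nil, ErrNoAuthData)` and `(nil, err)` outcomes but not the new rejection introduced with `caller`, nor what `caller` means for an implementation; add `* (nil, ErrNotAcceptedAuthMethod) - request contains auth data whose method is not accepted for the given caller` to the list and a sentence stating that `caller` tells the implementation which auth methods are acceptable for the endpoint. Callers that switch on the error (the middleware in this patch uses `errors.Is`) depend on that case being part of the interface contract rather than an implementation detail. The comment block starts outside the hunk.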