mirror of https://github.com/harness/drone.git
102 lines
2.7 KiB
Go
102 lines
2.7 KiB
Go
// Copyright 2021 Harness Inc. All rights reserved.
|
|
// Use of this source code is governed by the Polyform Free Trial License
|
|
// that can be found in the LICENSE.md file for this repository.
|
|
|
|
package token
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/harness/scm/internal/api/render"
|
|
"github.com/harness/scm/internal/api/request"
|
|
"github.com/harness/scm/internal/store"
|
|
"github.com/harness/scm/internal/token"
|
|
"github.com/harness/scm/types"
|
|
|
|
"github.com/dgrijalva/jwt-go"
|
|
"github.com/rs/zerolog"
|
|
"github.com/rs/zerolog/hlog"
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
// Must returns an http.HandlerFunc middleware that authenticates
|
|
// the http.Request and errors if the account cannot be authenticated.
|
|
func Must(users store.UserStore) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
str := extractToken(r)
|
|
|
|
if len(str) == 0 {
|
|
render.ErrorCode(w, errors.New("Requires authentication"), 401)
|
|
return
|
|
}
|
|
|
|
var user *types.User
|
|
parsed, err := jwt.ParseWithClaims(str, &token.Claims{}, func(token_ *jwt.Token) (interface{}, error) {
|
|
sub := token_.Claims.(*token.Claims).Subject
|
|
id, err := strconv.ParseInt(sub, 10, 64)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
user, err = users.Find(ctx, id)
|
|
if err != nil {
|
|
hlog.FromRequest(r).
|
|
Error().Err(err).
|
|
Int64("user", id).
|
|
Msg("cannot find user")
|
|
return nil, err
|
|
}
|
|
return []byte(user.Salt), nil
|
|
})
|
|
if err != nil {
|
|
render.ErrorCode(w, err, 401)
|
|
return
|
|
}
|
|
if parsed.Valid == false {
|
|
render.ErrorCode(w, errors.New("Invalid token"), 401)
|
|
return
|
|
}
|
|
if _, ok := parsed.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
render.ErrorCode(w, errors.New("Invalid token"), 401)
|
|
return
|
|
}
|
|
|
|
// this code should be deprecated, since the jwt.ParseWithClaims
|
|
// should fail if the token is expired. TODO remove once we have
|
|
// proper unit tests in place.
|
|
if claims, ok := parsed.Claims.(*token.Claims); ok {
|
|
if claims.ExpiresAt > 0 {
|
|
if time.Now().Unix() > claims.ExpiresAt {
|
|
render.ErrorCode(w, errors.New("Expired token"), 401)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
log.Ctx(ctx).UpdateContext(func(c zerolog.Context) zerolog.Context {
|
|
return c.Str("session_email", user.Email).Bool("session_admin", user.Admin)
|
|
})
|
|
|
|
next.ServeHTTP(w, r.WithContext(
|
|
request.WithUser(ctx, user),
|
|
))
|
|
})
|
|
}
|
|
}
|
|
|
|
func extractToken(r *http.Request) string {
|
|
bearer := r.Header.Get("Authorization")
|
|
if bearer == "" {
|
|
return r.FormValue("access_token")
|
|
}
|
|
bearer = strings.TrimPrefix(bearer, "Bearer ")
|
|
bearer = strings.TrimPrefix(bearer, "IdentityService ")
|
|
return bearer
|
|
}
|