This repository has been archived by the owner on Oct 28, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathauthzadaptor.go
166 lines (141 loc) · 4.21 KB
/
authzadaptor.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
package authzadaptor
import (
"crypto/ecdsa"
"crypto/tls"
fmt "fmt"
"io/ioutil"
"net/http"
"reflect"
"strconv"
strings "strings"
"time"
"github.com/gogo/googleapis/google/rpc"
"golang.org/x/net/context"
"github.com/dgrijalva/jwt-go"
log "github.com/sirupsen/logrus"
"istio.io/api/mixer/adapter/model/v1beta1"
"istio.io/istio/userkey/config"
)
type AuthZAdaptor struct {
URLToPublicKeyDict map[string]*ecdsa.PublicKey
}
func (authZAdaptor AuthZAdaptor) HandleAuthzadaptor(_ context.Context, req *HandleAuthzadaptorRequest) (*HandleAuthzadaptorResponse, error) {
config := &config.Params{}
if err := config.Unmarshal(req.AdapterConfig.Value); err != nil {
return nil, err
}
if req.Instance.Key == "unknown" {
log.Warnf("skip unknown header: %v", req.Instance.Key)
return &HandleAuthzadaptorResponse{
Result: &v1beta1.CheckResult{
ValidDuration: config.ValidDuration,
// Status: rpc.Status{Code: int32(rpc.PERMISSION_DENIED)},
},
}, nil
}
claims := jwt.MapClaims{}
_, err := jwt.ParseWithClaims(req.Instance.Key, claims, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodECDSA); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
url := constructURLFromTokenHeader(token.Header)
if val, ok := authZAdaptor.URLToPublicKeyDict[url]; ok {
return val, nil
}
publicKey, err := fetchPublicKeyFromURL(url)
if err != nil {
log.Warnf("Can not fetch public key from %s, error: %s", url, err)
return nil, err
}
pKey, err := convertKey(publicKey)
if err != nil {
log.Warnf("Can not convert pem key to *ecdsa.PublicKey %s, error: %s", publicKey, err)
return nil, err
}
authZAdaptor.URLToPublicKeyDict[url] = pKey
return pKey, nil
})
if err != nil {
log.Warnf("Can not verify header: %v, err: %v", req.Instance.Key, err)
return &HandleAuthzadaptorResponse{
Result: &v1beta1.CheckResult{
Status: rpc.Status{Code: int32(rpc.PERMISSION_DENIED)},
},
}, nil
}
email, ok := claims["email"]
if !ok {
log.Errorf("Email doesn't exist in user's claim %v. This is not supported", claims)
return &HandleAuthzadaptorResponse{
Result: &v1beta1.CheckResult{
Status: rpc.Status{Code: int32(rpc.PERMISSION_DENIED)},
},
}, nil
}
// Only verify this field if it exists.
if val, ok := claims["email_verified"]; ok {
isEmailVerified := false
switch v := val.(type) {
case bool:
isEmailVerified = v
case string:
b, err := strconv.ParseBool(v)
if err != nil {
log.Warnf("Can not parse email_verified %v to bool", val)
} else {
isEmailVerified = b
}
default:
log.Warnf("Unknown email_verified type %v, value %v", reflect.TypeOf(v), v)
}
if !isEmailVerified {
log.Errorf("Email is not verified %v", isEmailVerified)
return &HandleAuthzadaptorResponse{
Result: &v1beta1.CheckResult{
Status: rpc.Status{Code: int32(rpc.PERMISSION_DENIED)},
},
}, nil
}
}
log.Infof("Return email %v", email)
return &HandleAuthzadaptorResponse{
Result: &v1beta1.CheckResult{ValidDuration: config.ValidDuration},
Output: &OutputMsg{Email: email.(string)},
}, nil
}
// constructURLFromTokenHeader retrieve region and kid from headers and construct url to fetch public key
func constructURLFromTokenHeader(header map[string]interface{}) string {
kid := header["kid"]
signer := header["signer"].(string)
region := strings.SplitN(signer, ":", -1)[3]
return fmt.Sprintf("https://public-keys.auth.elb.%s.amazonaws.com/%s", region, kid)
}
// https client to get public key pem from a give url
func fetchPublicKeyFromURL(url string) ([]byte, error) {
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{
Timeout: 15 * time.Second,
Transport: tr,
}
req, err := http.NewRequest("GET", url, nil)
if err != nil {
return nil, err
}
resp, err := client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
return body, err
}
// convertKey transform pem public key to *ecdsa.PublicKey
func convertKey(publicKey []byte) (*ecdsa.PublicKey, error) {
key, err := jwt.ParseECPublicKeyFromPEM(publicKey)
if err != nil {
return nil, err
}
return key, nil
}