Merge branch 'envoy-jwt-authn' into 'main'

Add External Authorization Service with Envoy Integration

See merge request gitlab-org/software-supply-chain-security/authorization/sparkled!9

5 files changed, 55 insertions, 24 deletions

diff --git a/app/app.go b/app/app.go
index 5bcc69a..c6f1c11 100644
--- a/app/app.go
+++ b/app/app.go
@@ -8,6 +8,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/xlgmokha/x/pkg/ioc"
 	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/x"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/dashboard"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/sparkles"
@@ -35,10 +36,15 @@ func New(rootDir string) http.Handler {
 
 	logger := ioc.MustResolve[*zerolog.Logger](ioc.Default)
 	users := ioc.MustResolve[domain.Repository[*domain.User]](ioc.Default)
-	chain := middleware.IDToken(
-		ioc.MustResolve[*oidc.Provider](ioc.Default),
-		ioc.MustResolve[*oidc.Config](ioc.Default),
-		middleware.FromCookie(cfg.IDTokenCookie),
-	)(middleware.User(users)(mux))
-	return log.HTTP(logger)(chain)
+
+	return x.Middleware[http.Handler](
+		mux,
+		log.HTTP(logger),
+		middleware.IDToken(
+			ioc.MustResolve[*oidc.Provider](ioc.Default),
+			ioc.MustResolve[*oidc.Config](ioc.Default),
+			middleware.FromCookie(cfg.IDTokenCookie),
+		),
+		middleware.User(users),
+	)
 }
diff --git a/app/init.go b/app/init.go
index 868c2f7..d9ca3de 100644
--- a/app/init.go
+++ b/app/init.go
@@ -20,7 +20,7 @@ import (
 
 func init() {
 	ioc.RegisterSingleton[*zerolog.Logger](ioc.Default, func() *zerolog.Logger {
-		return log.New(os.Stdout, log.Fields{})
+		return log.New(os.Stdout, log.Fields{"app": "sparkled"})
 	})
 	ioc.RegisterSingleton[domain.Repository[*domain.Sparkle]](ioc.Default, func() domain.Repository[*domain.Sparkle] {
 		return db.NewRepository[*domain.Sparkle]()
diff --git a/app/middleware/id_token.go b/app/middleware/id_token.go
index 8084af0..bc6a05e 100644
--- a/app/middleware/id_token.go
+++ b/app/middleware/id_token.go
@@ -14,6 +14,8 @@ import (
 func IDToken(provider *oidc.Provider, config *oidc.Config, parsers ...TokenParser) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			log.WithFields(r.Context(), log.Fields{"jwt": r.Header.Get("x-jwt-payload")})
+
 			for _, parser := range parsers {
 				rawIDToken := parser(r)
 				if x.IsPresent(rawIDToken) {
diff --git a/app/middleware/user.go b/app/middleware/user.go
index 9a88f8e..6c018f4 100644
--- a/app/middleware/user.go
+++ b/app/middleware/user.go
@@ -14,20 +14,26 @@ import (
 func User(db domain.Repository[*domain.User]) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			idToken := cfg.IDToken.From(r.Context())
-			if x.IsZero(idToken) {
-				next.ServeHTTP(w, r)
-				return
-			}
+			subject := r.Header.Get("x-jwt-claim-sub")
+			user := db.Find(r.Context(), domain.ID(subject))
 
-			user := db.Find(r.Context(), domain.ID(idToken.Subject))
 			if !x.IsPresent(user) {
-				user = mapper.MapFrom[*oidc.IDToken, *domain.User](idToken)
-				if err := db.Save(r.Context(), user); err != nil {
-					pls.LogError(r.Context(), err)
+				idToken := cfg.IDToken.From(r.Context())
+
+				if x.IsZero(idToken) {
 					next.ServeHTTP(w, r)
 					return
 				}
+
+				user = db.Find(r.Context(), domain.ID(idToken.Subject))
+				if !x.IsPresent(user) {
+					user = mapper.MapFrom[*oidc.IDToken, *domain.User](idToken)
+					if err := db.Save(r.Context(), user); err != nil {
+						pls.LogError(r.Context(), err)
+						next.ServeHTTP(w, r)
+						return
+					}
+				}
 			}
 
 			next.ServeHTTP(w, r.WithContext(cfg.CurrentUser.With(r.Context(), user)))
diff --git a/app/middleware/user_test.go b/app/middleware/user_test.go
index aed3582..7653684 100644
--- a/app/middleware/user_test.go
+++ b/app/middleware/user_test.go
@@ -61,16 +61,33 @@ func TestUser(t *testing.T) {
 	})
 
 	t.Run("when ID Token is not provided", func(t *testing.T) {
-		server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			user := cfg.CurrentUser.From(r.Context())
-			require.Nil(t, user)
+		t.Run("without custom headers", func(t *testing.T) {
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				user := cfg.CurrentUser.From(r.Context())
+				require.Nil(t, user)
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
 
-			w.WriteHeader(http.StatusTeapot)
-		}))
+			r, w := test.RequestResponse("GET", "/example")
+			server.ServeHTTP(w, r)
 
-		r, w := test.RequestResponse("GET", "/example")
-		server.ServeHTTP(w, r)
+			assert.Equal(t, http.StatusTeapot, w.Code)
+		})
 
-		assert.Equal(t, http.StatusTeapot, w.Code)
+		t.Run("with x-jwt-claim-sub header", func(t *testing.T) {
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				user := cfg.CurrentUser.From(r.Context())
+				require.NotNil(t, user)
+				require.Equal(t, knownUser.ID, user.ID)
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
+
+			r, w := test.RequestResponse("GET", "/example", test.WithRequestHeader("x-jwt-claim-sub", knownUser.ID.String()))
+			server.ServeHTTP(w, r)
+
+			assert.Equal(t, http.StatusTeapot, w.Code)
+		})
 	})
 }