-rw-r--r--app/init.go22
-rw-r--r--app/middleware/from_cookie.go15
-rw-r--r--app/middleware/from_custom_header.go9
-rw-r--r--app/middleware/init.go2
-rw-r--r--app/middleware/raw_token.go7
-rw-r--r--app/middleware/token_parser.go3
-rw-r--r--app/middleware/user.go23
-rw-r--r--app/middleware/user_parser.go16
-rw-r--r--app/middleware/user_parser_test.go36
-rw-r--r--app/middleware/user_test.go2
-rwxr-xr-xbin/envoy.sh2
-rw-r--r--pkg/web/cookie.go35
-rw-r--r--pkg/web/cookie_test.go33
-rw-r--r--pkg/web/oidc.go27
14 files changed, 19 insertions, 213 deletions
diff --git a/app/init.go b/app/init.go
index 935c962..5057fe4 100644
--- a/app/init.go
+++ b/app/init.go
@@ -1,24 +1,20 @@
package app
import (
- "context"
"net/http"
"os"
- "github.com/coreos/go-oidc/v3/oidc"
"github.com/rs/zerolog"
"github.com/xlgmokha/x/pkg/env"
"github.com/xlgmokha/x/pkg/ioc"
"github.com/xlgmokha/x/pkg/log"
"github.com/xlgmokha/x/pkg/mapper"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/dashboard"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/controllers/sparkles"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/db"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
- "golang.org/x/oauth2"
)
func init() {
@@ -28,9 +24,6 @@ func init() {
ioc.RegisterSingleton[domain.Repository[*domain.Sparkle]](ioc.Default, func() domain.Repository[*domain.Sparkle] {
return db.NewRepository[*domain.Sparkle]()
})
- ioc.RegisterSingleton[domain.Repository[*domain.User]](ioc.Default, func() domain.Repository[*domain.User] {
- return db.NewRepository[*domain.User]()
- })
ioc.RegisterSingleton[*http.ServeMux](ioc.Default, func() *http.ServeMux {
return http.NewServeMux()
})
@@ -47,21 +40,6 @@ func init() {
},
}
})
- ioc.RegisterSingleton[*oidc.Provider](ioc.Default, func() *oidc.Provider {
- ctx := context.WithValue(
- context.Background(),
- oauth2.HTTPClient,
- ioc.MustResolve[*http.Client](ioc.Default),
- )
- return web.NewOIDCProvider(ctx, cfg.OIDCIssuer, func(err error) {
- ioc.MustResolve[*zerolog.Logger](ioc.Default).Err(err).Send()
- })
- })
- ioc.Register[*oidc.Config](ioc.Default, func() *oidc.Config {
- return &oidc.Config{
- ClientID: cfg.OAuthClientID,
- }
- })
ioc.Register[rpc.Ability](ioc.Default, func() rpc.Ability {
return rpc.NewAbilityProtobufClient(
env.Fetch("AUTHZD_HOST", ""),
diff --git a/app/middleware/from_cookie.go b/app/middleware/from_cookie.go
deleted file mode 100644
index 316d6e4..0000000
--- a/app/middleware/from_cookie.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package middleware
-
-import "net/http"
-
-func FromCookie(name string) TokenParser {
- return func(r *http.Request) RawToken {
- cookies := r.CookiesNamed(name)
-
- if len(cookies) != 1 {
- return ""
- }
-
- return RawToken(cookies[0].Value)
- }
-}
diff --git a/app/middleware/from_custom_header.go b/app/middleware/from_custom_header.go
deleted file mode 100644
index f385911..0000000
--- a/app/middleware/from_custom_header.go
+++ /dev/null
@@ -1,9 +0,0 @@
-package middleware
-
-import "net/http"
-
-func FromCustomHeader(name string) TokenParser {
- return func(r *http.Request) RawToken {
- return RawToken(r.Header.Get(name))
- }
-}
diff --git a/app/middleware/init.go b/app/middleware/init.go
index 5bf84f6..23c524d 100644
--- a/app/middleware/init.go
+++ b/app/middleware/init.go
@@ -13,7 +13,7 @@ func init() {
subject := h.Get("x-jwt-claim-sub")
if x.IsPresent(subject) {
return &domain.User{
- ID: domain.ID(subject),
+ ID: domain.ID(h.Get("x-jwt-claim-sub")),
Username: h.Get("x-jwt-claim-username"),
ProfileURL: h.Get("x-jwt-claim-profile-url"),
Picture: h.Get("x-jwt-claim-picture-url"),
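Review bot: The changed `ID:` line swaps `subject` for a second `h.Get("x-jwt-claim-sub")`, although `subject` two lines above already holds exactly that value and has just passed the `x.IsPresent` check; the re-read is redundant and loosens the visible link between the presence check and the value that ends up in `domain.User.ID`. I'd keep the original `ID: domain.ID(subject),`. The enclosing mapper registration in this `init()` starts and ends outside the hunk, so I cannot see what is returned when the subject header is absent.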
diff --git a/app/middleware/raw_token.go b/app/middleware/raw_token.go
deleted file mode 100644
index f7aa264..0000000
--- a/app/middleware/raw_token.go
+++ /dev/null
@@ -1,7 +0,0 @@
-package middleware
-
-type RawToken string
-
-func (r RawToken) String() string {
- return string(r)
-}
diff --git a/app/middleware/token_parser.go b/app/middleware/token_parser.go
deleted file mode 100644
index 1a92760..0000000
--- a/app/middleware/token_parser.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package middleware
-
-type TokenParser RequestParser[RawToken]
diff --git a/app/middleware/user.go b/app/middleware/user.go
index 90bf6aa..2b2dd17 100644
--- a/app/middleware/user.go
+++ b/app/middleware/user.go
@@ -3,20 +3,27 @@ package middleware
import (
"net/http"
- "github.com/xlgmokha/x/pkg/x"
+ "github.com/xlgmokha/x/pkg/log"
+ "github.com/xlgmokha/x/pkg/mapper"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
)
func User() func(http.Handler) http.Handler {
- parser := UserParser()
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- user := parser(r)
- if x.IsPresent(user) {
- next.ServeHTTP(w, r.WithContext(cfg.CurrentUser.With(r.Context(), user)))
- } else {
- next.ServeHTTP(w, r)
- }
+ log.WithFields(r.Context(), log.Fields{
+ "payload": r.Header.Get("x-jwt-payload"),
+ "photo": r.Header.Get("x-jwt-claim-picture-url"),
+ "profile": r.Header.Get("x-jwt-claim-profile-url"),
+ "sub": r.Header.Get("x-jwt-claim-sub"),
+ "username": r.Header.Get("x-jwt-claim-username"),
+ })
+
+ next.ServeHTTP(w, r.WithContext(cfg.CurrentUser.With(
+ r.Context(),
+ mapper.MapFrom[http.Header, *domain.User](r.Header),
+ )))
})
}
}
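Review bot: The rewritten `User()` middleware puts the raw `x-jwt-payload` header into the structured log fields on every request (the `"payload"` entry), which writes the full set of JWT claims into the logs; if the payload carries email or other PII that is a data-exposure concern, and `sub` alone is enough to correlate requests. I'd drop the `"payload"` field (or log only `len(...)`), keeping `sub`. The old `x.IsPresent(user)` guard is also gone, so `cfg.CurrentUser.With` now stores whatever `mapper.MapFrom` returns for a request with no claim headers — presumably a nil `*domain.User`; worth confirming that `CurrentUser.From` and `IsLoggedIn` treat a stored nil the same as an absent value, and that the "headers not provided" test still covers it. Since these headers are now the only source of identity, a comment stating the trust boundary would help the next reader: `// x-jwt-* headers are injected by the Envoy JWT filter; the app must not be reachable except through it, or a client could set them directly.`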
diff --git a/app/middleware/user_parser.go b/app/middleware/user_parser.go
deleted file mode 100644
index dfa0cce..0000000
--- a/app/middleware/user_parser.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package middleware
-
-import (
- "net/http"
-
- "github.com/xlgmokha/x/pkg/log"
- "github.com/xlgmokha/x/pkg/mapper"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
-)
-
-func UserParser() RequestParser[*domain.User] {
- return func(r *http.Request) *domain.User {
- log.WithFields(r.Context(), log.Fields{"header": r.Header})
- return mapper.MapFrom[http.Header, *domain.User](r.Header)
- }
-}
diff --git a/app/middleware/user_parser_test.go b/app/middleware/user_parser_test.go
deleted file mode 100644
index 2127a10..0000000
--- a/app/middleware/user_parser_test.go
+++ /dev/null
@@ -1,36 +0,0 @@
-package middleware
-
-import (
- "testing"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "github.com/xlgmokha/x/pkg/test"
- "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
-)
-
-func TestUserParser(t *testing.T) {
- parser := UserParser()
-
- t.Run("when x-jwt-claim-* headers are not provided", func(t *testing.T) {
- t.Run("forwards the request without a current user attached to the request", func(t *testing.T) {
- assert.Nil(t, parser(test.Request("GET", "/")))
- })
- })
-
- t.Run("when x-jwt-claim-* headers are provided", func(t *testing.T) {
- r := test.Request("GET", "/",
- test.WithRequestHeader("x-jwt-claim-sub", "1"),
- test.WithRequestHeader("x-jwt-claim-username", "root"),
- test.WithRequestHeader("x-jwt-claim-profile-url", "https://gitlab.com/tanuki"),
- test.WithRequestHeader("x-jwt-claim-picture-url", "https://example.com/profile.png"),
- )
-
- result := parser(r)
- require.NotNil(t, result)
- assert.Equal(t, domain.ID("1"), result.ID)
- assert.Equal(t, "root", result.Username)
- assert.Equal(t, "https://gitlab.com/tanuki", result.ProfileURL)
- assert.Equal(t, "https://example.com/profile.png", result.Picture)
- })
-}
diff --git a/app/middleware/user_test.go b/app/middleware/user_test.go
index c5fa7ed..66ca121 100644
--- a/app/middleware/user_test.go
+++ b/app/middleware/user_test.go
@@ -29,6 +29,8 @@ func TestUser(t *testing.T) {
t.Run("when x-jwt-claim-* headers are provided", func(t *testing.T) {
server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ require.True(t, IsLoggedIn(r))
+
user := cfg.CurrentUser.From(r.Context())
require.NotNil(t, user)
diff --git a/bin/envoy.sh b/bin/envoy.sh
index 692167c..219228f 100755
--- a/bin/envoy.sh
+++ b/bin/envoy.sh
@@ -33,4 +33,4 @@ fi
envoy \
--config-yaml "$yaml" \
--log-level warn \
- --component-log-level admin:warn,connection:warn,ext_authz:info,grpc:info,health_checker:warn,http:warn,http2:warn,jwt:warn,oauth2:warn,router:warn,secret:warn,upstream:warn
+ --component-log-level admin:warn,connection:warn,ext_authz:info,grpc:info,health_checker:warn,http:warn,http2:warn,jwt:trace,oauth2:warn,router:warn,secret:warn,upstream:warn
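Review bot: `jwt:trace` on the envoy command line enables the most verbose logging for the JWT authn component, which at that level can write the tokens and claims it processes into Envoy's log output; in a launcher script that is a credential-exposure risk anywhere other than a throwaway dev box, and it reads like debugging left in. I'd revert to `jwt:warn`, or make it overridable so the default stays quiet: `jwt:${ENVOY_JWT_LOG_LEVEL:-warn}`.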
diff --git a/pkg/web/cookie.go b/pkg/web/cookie.go
deleted file mode 100644
index 11cc807..0000000
--- a/pkg/web/cookie.go
+++ /dev/null
@@ -1,35 +0,0 @@
-package web
-
-import (
- "net/http"
-
- "github.com/xlgmokha/x/pkg/cookie"
- "github.com/xlgmokha/x/pkg/x"
-)
-
-func NewCookie(name, value string, options ...x.Option[*http.Cookie]) *http.Cookie {
- return x.New[*http.Cookie](x.Prepend[x.Option[*http.Cookie]](
- options,
- cookie.WithName(name),
- cookie.WithValue(value),
- cookie.WithPath("/"),
- cookie.WithHttpOnly(true),
- cookie.WithSecure(true),
- )...)
-}
-
-func ExpireCookie(w http.ResponseWriter, name string) error {
- return WriteCookie(w, cookie.Reset(name,
- cookie.WithPath("/"),
- cookie.WithHttpOnly(true),
- cookie.WithSecure(true),
- ))
-}
-
-func WriteCookie(w http.ResponseWriter, c *http.Cookie) error {
- if err := c.Valid(); err != nil {
- return err
- }
- cookie.Write(w, c)
- return nil
-}
diff --git a/pkg/web/cookie_test.go b/pkg/web/cookie_test.go
deleted file mode 100644
index 1a3bfb0..0000000
--- a/pkg/web/cookie_test.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package web
-
-import (
- "net/http"
- "net/http/httptest"
- "testing"
- "time"
-
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
-)
-
-func TestNewCookie(t *testing.T) {
- cookie := NewCookie("name", "value")
- assert.True(t, cookie.HttpOnly)
- assert.True(t, cookie.Secure)
-}
-
-func TestExpireCookie(t *testing.T) {
- w := httptest.NewRecorder()
-
- ExpireCookie(w, "example")
-
- result, err := http.ParseSetCookie(w.Header().Get("Set-Cookie"))
- require.NoError(t, err)
-
- assert.Empty(t, result.Value)
- assert.Equal(t, -1, result.MaxAge)
- assert.Equal(t, time.Unix(0, 0).Unix(), result.Expires.Unix())
- assert.True(t, result.HttpOnly)
- assert.True(t, result.Secure)
- assert.Zero(t, result.SameSite)
-}
diff --git a/pkg/web/oidc.go b/pkg/web/oidc.go
deleted file mode 100644
index 707a1b5..0000000
--- a/pkg/web/oidc.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package web
-
-import (
- "context"
-
- "github.com/coreos/go-oidc/v3/oidc"
-)
-
-func NewOIDCProvider(ctx context.Context, issuer string, report func(error)) *oidc.Provider {
- provider, err := oidc.NewProvider(ctx, issuer)
- if err == nil {
- return provider
- }
-
- report(err)
-
- config := &oidc.ProviderConfig{
- IssuerURL: issuer,
- AuthURL: issuer + "/oauth/authorize",
- TokenURL: issuer + "/oauth/token",
- DeviceAuthURL: "",
- UserInfoURL: issuer + "/oauth/userinfo",
- JWKSURL: issuer + "/oauth/disovery/keys",
- Algorithms: []string{"RS256"},
- }
- return config.NewProvider(ctx)
-}