7 files changed, 358 insertions, 0 deletions

diff --git a/app/middleware/id_token.go b/app/middleware/id_token.go
new file mode 100644
index 0000000..a32c77b
--- /dev/null
+++ b/app/middleware/id_token.go
@@ -0,0 +1,56 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+)
+
+type TokenParser func(*http.Request) oidc.RawToken
+
+func IDTokenFromSessionCookie(r *http.Request) oidc.RawToken {
+	cookies := r.CookiesNamed("session")
+
+	if len(cookies) != 1 {
+		return ""
+	}
+
+	tokens, err := oidc.TokensFromBase64String(cookies[0].Value)
+	if err != nil {
+		log.WithFields(r.Context(), log.Fields{"error": err})
+		return ""
+	}
+
+	return tokens.IDToken
+}
+
+func IDToken(cfg *oidc.OpenID) func(http.Handler) http.Handler {
+	parsers := []TokenParser{IDTokenFromSessionCookie}
+
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			for _, parser := range parsers {
+				rawIDToken := parser(r)
+				if !x.IsZero(rawIDToken) {
+					verifier := cfg.Provider.VerifierContext(r.Context(), cfg.OIDCConfig)
+					idToken, err := verifier.Verify(r.Context(), rawIDToken.String())
+					if err != nil {
+						log.WithFields(r.Context(), log.Fields{"error": err})
+					} else {
+						log.WithFields(r.Context(), log.Fields{"id_token": idToken})
+						next.ServeHTTP(
+							w,
+							r.WithContext(key.IDToken.With(r.Context(), idToken)),
+						)
+						return
+					}
+				}
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/app/middleware/id_token_test.go b/app/middleware/id_token_test.go
new file mode 100644
index 0000000..4f26cdf
--- /dev/null
+++ b/app/middleware/id_token_test.go
@@ -0,0 +1,101 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/oauth2-proxy/mockoidc"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
+	"golang.org/x/oauth2"
+)
+
+func TestIDToken(t *testing.T) {
+	srv := test.NewOIDCServer(t)
+	defer srv.Close()
+
+	client := &http.Client{Transport: &web.Transport{Logger: log.New(os.Stdout, log.Fields{})}}
+	cfg := srv.MockOIDC.Config()
+	ctx := context.WithValue(t.Context(), oauth2.HTTPClient, client)
+	openID, err := oidc.New(
+		ctx,
+		srv.Issuer(),
+		cfg.ClientID,
+		cfg.ClientSecret,
+		"https://example.com/oauth/callback",
+	)
+	require.NoError(t, err)
+
+	middleware := IDToken(openID)
+
+	t.Run("when an active session cookie is provided", func(t *testing.T) {
+		t.Run("attaches the token to the request context", func(t *testing.T) {
+			user := mockoidc.DefaultUser()
+
+			token, rawIDToken := srv.CreateTokensFor(user)
+			tokens := &oidc.Tokens{Token: token, IDToken: oidc.RawToken(rawIDToken)}
+			encoded := x.Must(tokens.ToBase64String())
+
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				token := key.IDToken.From(r.Context())
+				require.NotNil(t, token)
+				assert.Equal(t, user.Subject, token.Subject)
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
+
+			r, w := test.RequestResponse(
+				"GET",
+				"/example",
+				test.WithCookie(cookie.New("session", encoded, time.Now().Add(1*time.Hour))),
+			)
+			server.ServeHTTP(w, r)
+
+			assert.Equal(t, http.StatusTeapot, w.Code)
+		})
+	})
+
+	t.Run("when an invalid session cookie is provided", func(t *testing.T) {
+		t.Run("forwards the request", func(t *testing.T) {
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				require.Nil(t, key.IDToken.From(r.Context()))
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
+
+			r, w := test.RequestResponse(
+				"GET",
+				"/example",
+				test.WithCookie(cookie.New("session", "invalid", time.Now().Add(1*time.Hour))),
+			)
+			server.ServeHTTP(w, r)
+
+			assert.Equal(t, http.StatusTeapot, w.Code)
+		})
+	})
+
+	t.Run("when no cookies are provided", func(t *testing.T) {
+		t.Run("forwards the request", func(t *testing.T) {
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				require.Nil(t, key.IDToken.From(r.Context()))
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
+
+			r, w := test.RequestResponse("GET", "/example")
+			server.ServeHTTP(w, r)
+
+			assert.Equal(t, http.StatusTeapot, w.Code)
+		})
+	})
+}
diff --git a/app/middleware/init.go b/app/middleware/init.go
new file mode 100644
index 0000000..f1a693d
--- /dev/null
+++ b/app/middleware/init.go
@@ -0,0 +1,24 @@
+package middleware
+
+import (
+	"github.com/xlgmokha/x/pkg/mapper"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+)
+
+func init() {
+	mapper.Register(func(idToken *oidc.IDToken) *domain.User {
+		customClaims := &oidc.CustomClaims{}
+		if err := idToken.Claims(customClaims); err != nil {
+			return &domain.User{ID: domain.ID(idToken.Subject)}
+		}
+
+		return &domain.User{
+			ID:         domain.ID(idToken.Subject),
+			Username:   customClaims.Nickname,
+			Email:      customClaims.Email,
+			ProfileURL: customClaims.ProfileURL,
+			Picture:    customClaims.Picture,
+		}
+	})
+}
diff --git a/app/middleware/require_user.go b/app/middleware/require_user.go
new file mode 100644
index 0000000..e81d5b5
--- /dev/null
+++ b/app/middleware/require_user.go
@@ -0,0 +1,22 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+)
+
+func RequireUser(code int, url string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := key.CurrentUser.From(r.Context())
+			if x.IsZero(user) {
+				http.Redirect(w, r, url, code)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/app/middleware/require_user_test.go b/app/middleware/require_user_test.go
new file mode 100644
index 0000000..68b9911
--- /dev/null
+++ b/app/middleware/require_user_test.go
@@ -0,0 +1,43 @@
+package middleware
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
+)
+
+func TestRequireUser(t *testing.T) {
+	middleware := RequireUser(http.StatusFound, "/login")
+
+	t.Run("when a user is not logged in", func(t *testing.T) {
+		t.Run("redirects to the homepage", func(t *testing.T) {
+			r, w := test.RequestResponse("GET", "/example")
+
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				require.Fail(t, "unexpected call to handler")
+			}))
+			server.ServeHTTP(w, r)
+
+			require.Equal(t, http.StatusFound, w.Code)
+			assert.Equal(t, "/login", w.Header().Get("Location"))
+		})
+	})
+
+	t.Run("when a user is logged in", func(t *testing.T) {
+		t.Run("forwards the request", func(t *testing.T) {
+			r, w := test.RequestResponse("GET", "/example", test.WithContextKeyValue(t.Context(), key.CurrentUser, &domain.User{}))
+
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusTeapot)
+			}))
+			server.ServeHTTP(w, r)
+
+			require.Equal(t, http.StatusTeapot, w.Code)
+		})
+	})
+}
diff --git a/app/middleware/user.go b/app/middleware/user.go
new file mode 100644
index 0000000..194ded6
--- /dev/null
+++ b/app/middleware/user.go
@@ -0,0 +1,36 @@
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/xlgmokha/x/pkg/log"
+	"github.com/xlgmokha/x/pkg/mapper"
+	"github.com/xlgmokha/x/pkg/x"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+)
+
+func User(db domain.Repository[*domain.User]) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			idToken := key.IDToken.From(r.Context())
+			if x.IsZero(idToken) {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			user := db.Find(domain.ID(idToken.Subject))
+			if x.IsZero(user) {
+				user = mapper.MapFrom[*oidc.IDToken, *domain.User](idToken)
+				if err := db.Save(user); err != nil {
+					log.WithFields(r.Context(), log.Fields{"error": err})
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			next.ServeHTTP(w, r.WithContext(key.CurrentUser.With(r.Context(), user)))
+		})
+	}
+}
diff --git a/app/middleware/user_test.go b/app/middleware/user_test.go
new file mode 100644
index 0000000..e6c74d8
--- /dev/null
+++ b/app/middleware/user_test.go
@@ -0,0 +1,76 @@
+package middleware
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/db"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/key"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/test"
+)
+
+func TestUser(t *testing.T) {
+	repository := db.NewRepository[*domain.User]()
+	middleware := User(repository)
+
+	knownUser := &domain.User{ID: domain.ID(pls.GenerateULID())}
+	require.NoError(t, repository.Save(knownUser))
+
+	t.Run("when ID Token is provided", func(t *testing.T) {
+		t.Run("when user is known", func(t *testing.T) {
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				user := key.CurrentUser.From(r.Context())
+				require.NotNil(t, user)
+				assert.Equal(t, knownUser.ID, user.ID)
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
+
+			ctx := key.IDToken.With(t.Context(), &oidc.IDToken{Subject: knownUser.ID.String()})
+
+			r, w := test.RequestResponse("GET", "/example", test.WithContext(ctx))
+			server.ServeHTTP(w, r)
+
+			assert.Equal(t, http.StatusTeapot, w.Code)
+		})
+
+		t.Run("when user is unknown", func(t *testing.T) {
+			unknownID := pls.GenerateULID()
+
+			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				user := key.CurrentUser.From(r.Context())
+				require.NotNil(t, user)
+				assert.Equal(t, domain.ID(unknownID), user.ID)
+
+				w.WriteHeader(http.StatusTeapot)
+			}))
+
+			ctx := key.IDToken.With(t.Context(), &oidc.IDToken{Subject: unknownID})
+
+			r, w := test.RequestResponse("GET", "/example", test.WithContext(ctx))
+			server.ServeHTTP(w, r)
+
+			assert.Equal(t, http.StatusTeapot, w.Code)
+			require.NotNil(t, repository.Find(domain.ID(unknownID)))
+		})
+	})
+
+	t.Run("when ID Token is not provided", func(t *testing.T) {
+		server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := key.CurrentUser.From(r.Context())
+			require.Nil(t, user)
+
+			w.WriteHeader(http.StatusTeapot)
+		}))
+
+		r, w := test.RequestResponse("GET", "/example")
+		server.ServeHTTP(w, r)
+
+		assert.Equal(t, http.StatusTeapot, w.Code)
+	})
+}