package auth
import (
"context"
"fmt"
"time"
"github.com/DelineaXPM/dsv-k8s-sidecar/pkg/pods"
"github.com/golang-jwt/jwt/v5"
"github.com/sirupsen/logrus"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
)
// authService is the concrete AuthService.
//
// registry answers "which pod has this name" for GetToken. secret is the
// HMAC key used both to sign issued tokens (GetToken) and to verify them
// (unaryInterceptor); it is the only thing standing between an attacker and
// a forged token, so it must never be logged or echoed in errors.
type authService struct {
registry pods.PodRegistry
secret string
}
// AuthService issues pod-scoped JWTs and supplies the gRPC interceptor that
// verifies them.
//
// GetToken returns nil (there is no error value) when the request is refused.
// GetUnaryInterceptor returns a grpc.ServerOption that rejects any unary RPC
// lacking a valid token in the "authorization" metadata key.
type AuthService interface {
GetToken(request *TokenRequest) *TokenResponse
GetUnaryInterceptor() grpc.ServerOption
}
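// NewAuthService builds the AuthService that issues and verifies pod JWTs.
//
// secret is the HS256 signing key shared by GetToken and the interceptor; for
// HS256 it should be at least 32 bytes of random material. registry is
// consulted to confirm that a token request names a known pod.
//
// An empty secret cannot be rejected here (the constructor has no error
// return), but it makes every signature trivially forgeable, so it is logged
// as an error rather than passing silently.
func NewAuthService(secret string, registry pods.PodRegistry) AuthService {
	if secret == "" {
		logrus.Error("auth: empty JWT signing secret; issued tokens will be forgeable")
	}
	// Keyed literal: the struct field order (registry, secret) is the reverse of
	// the parameter order (secret, registry); a positional literal depends on
	// that silently and would swap the two if the struct were ever reordered.
	return &authService{
		registry: registry,
		secret:   secret,
	}
}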
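// GetToken mints a long-lived HS256 JWT for the pod named in request.
//
// The caller is authenticated only by the (PodName, PodIp) pair it supplies:
// the pod must exist in the registry and the registry's recorded PodIP must
// equal request.PodIp. Both values are discoverable through the Kubernetes
// API, and the gRPC peer address is not consulted here.
// NOTE(review): confirm that reachability of this endpoint is restricted
// (network policy / peer-address check at the server) — it is not enforced
// in this method.
//
// Returns nil when the pod is unknown, the IP does not match, a required pod
// field is unset, or signing fails. The issued token carries sub (pod UID),
// name, type="pod" and exp.
func (s *authService) GetToken(request *TokenRequest) *TokenResponse {
	// Lifetime of an issued token: 100 days, the original "long term" setting.
	const tokenLifetime = 2400 * time.Hour

	if request == nil {
		logrus.Errorf("nil token request")
		return nil
	}
	logrus.Info("podname " + request.PodName)

	pod := s.registry.Get(request.PodName)
	if pod == nil {
		logrus.Errorf("pod is nil: %q not in registry", request.PodName)
		return nil
	}
	// PodIP, Uid and Name are pointer fields populated from the registry and may
	// be unset; dereferencing a nil one would panic inside the gRPC handler.
	// NOTE(review): pod.Status and pod.Metadata themselves are assumed non-nil,
	// as the original code did — confirm against the pods package.
	if pod.Status.PodIP == nil || pod.Metadata.Uid == nil || pod.Metadata.Name == nil {
		logrus.Errorf("pod %q is missing ip, uid or name", request.PodName)
		return nil
	}
	if *pod.Status.PodIP != request.PodIp {
		// Worth surfacing: a name/IP mismatch is either a stale registry entry
		// or an attempt to obtain a token for someone else's pod.
		logrus.Warnf("pod ip mismatch for %q: registry %q, request %q",
			request.PodName, *pod.Status.PodIP, request.PodIp)
		return nil
	}

	token := jwt.New(jwt.SigningMethodHS256)
	claims := token.Claims.(jwt.MapClaims)
	claims["sub"] = *pod.Metadata.Uid
	claims["name"] = *pod.Metadata.Name
	claims["type"] = "pod"
	claims["exp"] = time.Now().Add(tokenLifetime).Unix()

	tokenString, err := token.SignedString([]byte(s.secret))
	if err != nil {
		// Previously ignored: a signing error produced a response whose Token
		// field was the empty string.
		logrus.Errorf("signing token for %q: %v", request.PodName, err)
		return nil
	}
	return &TokenResponse{
		Token: tokenString,
	}
}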
// GetUnaryInterceptor exposes the JWT check as a grpc.ServerOption, so a
// server can be constructed with grpc.NewServer(svc.GetUnaryInterceptor())
// and every unary RPC on it will pass through unaryInterceptor first.
func (s *authService) GetUnaryInterceptor() grpc.ServerOption {
	var check grpc.UnaryServerInterceptor = s.unaryInterceptor
	return grpc.UnaryInterceptor(check)
}
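// extractHeader returns the single value stored under metadata key header in
// the incoming gRPC context.
//
// grpc normalises incoming metadata keys to lower case; the lookup goes
// through md.Get, which lower-cases the requested key too, so a caller passing
// "Authorization" is not silently missed. Every failure maps to
// codes.Unauthenticated: no metadata at all, the key absent or present with no
// values, or more than one value (two authorization values are ambiguous and
// are refused rather than picking one). The value is returned as-is; nothing
// here strips a "Bearer " prefix.
func extractHeader(ctx context.Context, header string) (string, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return "", status.Error(codes.Unauthenticated, "no headers in request")
	}
	values := md.Get(header)
	switch {
	case len(values) == 0:
		// Previously a key present with an empty value slice fell into the
		// "more than 1 header" branch; report it as missing instead.
		return "", status.Error(codes.Unauthenticated, "no header in request")
	case len(values) > 1:
		return "", status.Error(codes.Unauthenticated, "more than 1 header in request")
	}
	return values[0], nil
}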
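// purgeHeader returns a copy of ctx whose incoming metadata no longer carries
// header. It is used to drop the bearer token once it has been validated so
// downstream handlers, and anything that logs or forwards the metadata, never
// see the credential.
//
// The metadata is copied rather than mutated because metadata.MD is a map
// shared with the caller's context. The key is removed (case-insensitively,
// matching how grpc stores keys) rather than set to nil, so later lookups see
// it as absent instead of "present with no values". If ctx carries no
// incoming metadata the result simply carries an empty MD, as before.
func purgeHeader(ctx context.Context, header string) context.Context {
	md, _ := metadata.FromIncomingContext(ctx)
	scrubbed := md.Copy()
	scrubbed.Delete(header)
	return metadata.NewIncomingContext(ctx, scrubbed)
}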
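// unaryInterceptor authenticates every unary RPC with the JWT carried in the
// "authorization" metadata key (the raw compact token — extractHeader hands
// the value straight to jwt.Parse, so a "Bearer " prefix would be rejected).
//
// A token is accepted only if it is signed with an HMAC method using s.secret
// and carries an unexpired "exp" claim. The signing-method check in the key
// function defends against alg confusion ("none", or RS256 with the HMAC
// secret presented as a public key). On success the header is stripped from
// the context before the handler runs so the credential is not forwarded or
// logged downstream; on failure the RPC is rejected with
// codes.Unauthenticated and the reason (never the token) is logged.
//
// NOTE(review): the validated claims (sub/name/type) are discarded, so
// handlers behind this interceptor cannot make per-pod authorization
// decisions — confirm that is intended.
func (s *authService) unaryInterceptor(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
	raw, err := extractHeader(ctx, "authorization")
	if err != nil {
		return nil, err
	}

	keyFunc := func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(s.secret), nil
	}
	// jwt/v5 validates "exp" only when the claim is present. Require it so a
	// token minted without an expiry (anything else signed with the same
	// secret) can never be accepted indefinitely; GetToken always sets "exp".
	_, err = jwt.Parse(raw, keyFunc, jwt.WithExpirationRequired())
	if err != nil {
		logrus.Warnf("rejected token for %s: %v", info.FullMethod, err)
		// Return nil, not "", for the response on error.
		return nil, status.Error(codes.Unauthenticated, "invalid token")
	}

	ctx = purgeHeader(ctx, "authorization")
	return handler(ctx, req)
}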