Path: blob/main/components/public-api-server/pkg/auth/middleware.go
2500 views
// Copyright (c) 2022 Gitpod GmbH. All rights reserved.1// Licensed under the GNU Affero General Public License (AGPL).2// See License.AGPL.txt in the project root for license information.34package auth56import (7"context"8"fmt"9"net/http"1011"github.com/bufbuild/connect-go"12"github.com/gitpod-io/gitpod/components/public-api/go/config"13"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"14)1516type Interceptor struct {17accessToken string1819sessionCfg config.SessionConfig20verifier jws.Verifier21}2223func (i *Interceptor) WrapUnary(next connect.UnaryFunc) connect.UnaryFunc {24return connect.UnaryFunc(func(ctx context.Context, req connect.AnyRequest) (connect.AnyResponse, error) {25if req.Spec().IsClient {26ctx = TokenToContext(ctx, NewAccessToken(i.accessToken))2728req.Header().Add(authorizationHeaderKey, bearerPrefix+i.accessToken)29return next(ctx, req)30}3132token, err := i.tokenFromHeaders(ctx, req.Header())33if err != nil {34return nil, err35}3637return next(TokenToContext(ctx, token), req)38})39}4041func (i *Interceptor) WrapStreamingClient(next connect.StreamingClientFunc) connect.StreamingClientFunc {42return func(ctx context.Context, s connect.Spec) connect.StreamingClientConn {43ctx = TokenToContext(ctx, NewAccessToken(i.accessToken))44conn := next(ctx, s)45conn.RequestHeader().Add(authorizationHeaderKey, bearerPrefix+i.accessToken)46return conn47}48}4950func (i *Interceptor) WrapStreamingHandler(next connect.StreamingHandlerFunc) connect.StreamingHandlerFunc {51return func(ctx context.Context, conn connect.StreamingHandlerConn) error {52token, err := i.tokenFromHeaders(ctx, conn.RequestHeader())53if err != nil {54return err55}56return next(TokenToContext(ctx, token), conn)57}58}5960// NewServerInterceptor creates a server-side interceptor which validates that an incoming request contains a valid Authorization header61func NewServerInterceptor(sessionCfg config.SessionConfig, verifier jws.Verifier) connect.Interceptor {62return &Interceptor{63sessionCfg: sessionCfg,64verifier: verifier,65}66}6768func (i *Interceptor) tokenFromHeaders(ctx context.Context, headers http.Header) (Token, error) {69bearerToken, err := BearerTokenFromHeaders(headers)70if err == nil {71return NewAccessToken(bearerToken), nil72}7374rawCookie := headers.Get("Cookie")75if rawCookie == "" {76return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No access token or cookie credentials available on request."))77}7879// Extract the JWT token from Cookies80cookies := cookiesFromString(rawCookie, i.sessionCfg.Cookie.Name)81if len(cookies) == 0 {82return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("No cookie credentials present on request."))83}8485var cookie *http.Cookie86for _, c := range cookies {87_, err := VerifySessionJWT(c.Value, i.verifier, i.sessionCfg.Issuer)88if err == nil {89cookie = c90break91}92}93if cookie == nil {94return Token{}, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("JWT session could not be verified."))95}9697return NewCookieToken(cookie.String()), nil98}99100// NewClientInterceptor creates a client-side interceptor which injects token as a Bearer Authorization header101func NewClientInterceptor(accessToken string) connect.Interceptor {102return &Interceptor{103accessToken: accessToken,104}105}106107func cookiesFromString(rawCookieHeader, name string) []*http.Cookie {108// To access the cookie as an http.Cookie, we sadly have to construct a request with the appropriate header such109// that we can then extract the cookie.110header := http.Header{}111header.Add("Cookie", rawCookieHeader)112req := http.Request{Header: header}113114var cookies []*http.Cookie115for _, c := range req.Cookies() {116if c.Name == name {117cookies = append(cookies, c)118}119}120return cookies121}122123124