-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathmiddleware.go
296 lines (245 loc) · 7.29 KB
/
middleware.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
// Package keystone provides a go http middleware for authentication incoming
// http request against Openstack Keystone. It it modelled after the original
// keystone middleware:
// http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html
//
// The middleware authenticates incoming requests by validating the `X-Auth-Token` header
// and adding additional headers to the incoming request containing the validation result.
// The final authentication/authorization decision is delegated to subsequent http handlers.
package keystone
import (
"encoding/json"
"errors"
"fmt"
"log"
"net/http"
"strings"
"time"
)
var Log func(string, ...interface{}) = func(format string, a ...interface{}) {
log.Printf(format, a...)
}
// Cache provides the interface for cache implementations.
type Cache interface {
//Set stores a value with the given ttl
Set(key string, value interface{}, ttl time.Duration)
//Get retrieves a value previously stored in the cache.
//value has to be a pointer to a data structure that matches the type previously given to Set
//The return value indicates if a value was found
Get(key string, value interface{}) bool
}
//Auth is the entrypoint for creating the middlware
type Auth struct {
//Keystone v3 endpoint url for validating tokens ( e.g https://some.where:5000/v3)
Endpoint string
//User-Agent used for all http request by the middlware. Defaults to go-keystone-middlware/1.0
UserAgent string
//A cache implementation the middleware should use for caching tokens. By default no caching is performed.
TokenCache Cache
//How long to cache tokens. Defaults to 5 minutes.
CacheTime time.Duration
//http client to use for requests, default to &http.Client{ Timeout: 5 * time.Second }
Client *http.Client
}
// New returns a new Auth object initialized with default values
func New(endpoint string) *Auth {
auth := &Auth{Endpoint: endpoint}
auth.ensureDefaults()
return auth
}
//Handler returns a http handler for use in a middleware chain.
func (a *Auth) Handler(h http.Handler) http.Handler {
a.ensureDefaults()
return &handler{Auth: a, handler: h}
}
//Validate a token.
//This is useful if you don't want to use the http middleware
func (a *Auth) Validate(authToken string) (*Token, error) {
if a.TokenCache != nil {
var cachedToken Token
if ok := a.TokenCache.Get(authToken, &cachedToken); ok && cachedToken.Valid() {
Log("Found valid token in cache")
return &cachedToken, nil
}
}
req, err := http.NewRequest("GET", a.Endpoint+"/auth/tokens?nocatalog", nil)
if err != nil {
return nil, err
}
req.Header.Set("X-Auth-Token", authToken)
req.Header.Set("X-Subject-Token", authToken)
req.Header.Set("User-Agent", a.UserAgent)
r, err := a.Client.Do(req)
if err != nil {
return nil, err
}
defer r.Body.Close()
if r.StatusCode >= 400 {
return nil, errors.New(r.Status)
}
var resp authResponse
if err = json.NewDecoder(r.Body).Decode(&resp); err != nil {
return nil, err
}
if e := resp.Error; e != nil {
return nil, fmt.Errorf("%s : %s", r.Status, e.Message)
}
if r.StatusCode != http.StatusOK {
return nil, fmt.Errorf("%s", r.Status)
}
if resp.Token == nil {
return nil, errors.New("Response didn't contain token context")
}
if !resp.Token.Valid() {
return nil, errors.New("Returned token is not valid")
}
if a.TokenCache != nil {
ttl := a.CacheTime
//The expiry date of the token provides an upper bound on the cache time
if expiresIn := resp.Token.ExpiresAt.Sub(time.Now()); expiresIn < a.CacheTime {
ttl = expiresIn
}
a.TokenCache.Set(authToken, *resp.Token, ttl)
}
return resp.Token, nil
}
func (a *Auth) ensureDefaults() {
if a.UserAgent == "" {
a.UserAgent = "go-keystone-middleware/1.0"
}
if a.CacheTime == 0 {
a.CacheTime = 5 * time.Minute
}
if a.Client == nil {
a.Client = &http.Client{
Timeout: 5 * time.Second,
}
}
}
type handler struct {
*Auth
handler http.Handler
}
func (h *handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
filterIncomingHeaders(req)
req.Header.Set("X-Identity-Status", "Invalid")
defer h.handler.ServeHTTP(w, req)
authToken := req.Header.Get("X-Auth-Token")
if authToken == "" {
return
}
context, err := h.Auth.Validate(authToken)
if err != nil {
//ToDo: How to handle logging, printing to stdout isn't the best thing
Log("Failed to validate token: %v", err)
return
}
req.Header.Set("X-Identity-Status", "Confirmed")
for k, v := range context.headers() {
req.Header.Set(k, v)
}
}
//Domain holds information about the scope of a token
type Domain struct {
ID string
Name string
Enabled bool
}
//Project contains information about the scope of a token
type Project struct {
ID string
Name string
Enabled bool
Domain Domain
}
//Token describes the scope of a validated token
type Token struct {
ExpiresAt time.Time `json:"expires_at"`
IssuedAt time.Time `json:"issued_at"`
User struct {
ID string
Name string
Email string
Enabled bool
Domain struct {
ID string
Name string
}
}
Project *Project
Domain *Domain
Roles []struct {
ID string
Name string
}
}
// Valid returns if the token is valid based on the expiration and issue date
func (t Token) Valid() bool {
now := time.Now().Unix()
return t.IssuedAt.Unix() <= now && now < t.ExpiresAt.Unix()
}
type authResponse struct {
Error *struct {
Code int
Message string
Title string
}
Token *Token
}
func (t Token) headers() map[string]string {
headers := make(map[string]string)
headers["X-User-Id"] = t.User.ID
headers["X-User-Name"] = t.User.Name
headers["X-User-Domain-Id"] = t.User.Domain.ID
headers["X-User-Domain-Name"] = t.User.Domain.Name
if project := t.Project; project != nil {
headers["X-Project-Name"] = project.Name
headers["X-Project-Id"] = project.ID
headers["X-Project-Domain-Name"] = project.Domain.Name
headers["X-Project-Domain-Id"] = project.Domain.ID
}
if domain := t.Domain; domain != nil {
headers["X-Domain-Id"] = domain.ID
headers["X-Domain-Name"] = domain.Name
}
if roles := t.Roles; roles != nil {
roleNames := []string{}
for _, role := range t.Roles {
roleNames = append(roleNames, role.Name)
}
headers["X-Roles"] = strings.Join(roleNames, ",")
}
return headers
}
func filterIncomingHeaders(req *http.Request) {
req.Header.Del("X-Identity-Status")
req.Header.Del("X-Service-Identity-Status")
req.Header.Del("X-Domain-Id")
req.Header.Del("X-Service-Domain-Id")
req.Header.Del("X-Domain-Name")
req.Header.Del("X-Service-Domain-Name")
req.Header.Del("X-Project-Id")
req.Header.Del("X-Service-Project-Id")
req.Header.Del("X-Project-Name")
req.Header.Del("X-Service-Project-Name")
req.Header.Del("X-Project-Domain-Id")
req.Header.Del("X-Service-Project-Domain-Id")
req.Header.Del("X-Project-Domain-Name")
req.Header.Del("X-Service-Project-Domain-Name")
req.Header.Del("X-User-Id")
req.Header.Del("X-Service-User-Id")
req.Header.Del("X-User-Name")
req.Header.Del("X-Service-User-Name")
req.Header.Del("X-User-Domain-Id")
req.Header.Del("X-Service-User-Domain-Id")
req.Header.Del("X-User-Domain-Name")
req.Header.Del("X-Service-User-Domain-Name")
req.Header.Del("X-Roles")
req.Header.Del("X-Service-Roles")
req.Header.Del("X-Servie-Catalog")
//deprecated Headers
req.Header.Del("X-Tenant-Id")
req.Header.Del("X-Tenant")
req.Header.Del("X-User")
req.Header.Del("X-Role")
}