From 20f0f6c047769ccb0dc51ca873a858ece0a8067a Mon Sep 17 00:00:00 2001
From: Erin Shepherd
Date: Wed, 8 Mar 2023 13:50:50 +0000
Subject: [PATCH] HTTP authz: Return groups

---
 internal/webui/authz.go | 24 ++++++++++++++++++++++++
 internal/webui/pg_auth.go | 26 +++++++++++++++++++-------
 2 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/internal/webui/authz.go b/internal/webui/authz.go
index 1b872df..41704b8 100644
--- a/internal/webui/authz.go
+++ b/internal/webui/authz.go
@@ -2,10 +2,34 @@ package webui
 import (
 "context"
+ "fmt"
 "github.com/google/uuid"
+ "github.com/lestrrat-go/jwx/v2/jwt/openid"
 )
+func getTokenGroupIDs(tok openid.Token) ([]string, error) {
+ groupsIfc, ok := tok.Get("authentricity.groups")
+ if !ok {
+ return nil, nil
+ }
+
+ groups, ok := groupsIfc.([]interface{})
+ if !ok {
+ return nil, fmt.Errorf("Groups element of token of invalid type: %+v", groups)
+ }
+
+ groupsStr := make([]string, len(groups))
+ for i := range groups {
+ groupsStr[i], ok = groups[i].(string)
+ if !ok {
+ return nil, fmt.Errorf("Group entry of incorrect type: %+v", groups[i])
+ }
+ }
+
+ return groupsStr, nil
+}
+
 func (s *Service) isInGroup(ctx context.Context, id uuid.UUID) bool {
 tok := getUserToken(ctx)
 groupsIfc, ok := tok.Get("authentricity.groups")
diff --git a/internal/webui/pg_auth.go b/internal/webui/pg_auth.go
index 724cae5..ebe8d1b 100644
--- a/internal/webui/pg_auth.go
+++ b/internal/webui/pg_auth.go
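Review bot: The first fmt.Errorf in getTokenGroupIDs formats `groups`, which after the failed type assertion is the nil zero value, so the error reports `[]` rather than the claim value that was actually rejected; format the original value and its dynamic type instead: `return nil, fmt.Errorf("groups claim of token has unexpected type %T: %+v", groupsIfc, groupsIfc)`. The per-entry error does print `groups[i]` itself, but adding `%T` there too would make the rejection reason obvious in the log. Both error strings are capitalised, whereas Go convention is lowercase without trailing punctuation. isInGroup just below starts the same `tok.Get("authentricity.groups")` parsing by hand; its body continues outside the hunk, but it looks like it could call the new helper so that both paths reject a malformed claim identically.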
@@ -1,17 +1,29 @@
 package webui
-import "net/http"
+import (
+ "net/http"
+
+ "go.uber.org/zap"
+)
 func (s *Service) authGet(w http.ResponseWriter, r *http.Request) {
 tok := getUserToken(r.Context())
 if tok == nil {
 w.WriteHeader(http.StatusUnauthorized)
- } else {
- headers := w.Header()
- headers.Add("X-Webauth-UserID", tok.Subject())
- headers.Add("X-Webauth-User", tok.PreferredUsername())
- headers.Add("X-Webauth-Email", tok.Email())
- w.WriteHeader(http.StatusNoContent)
+ return
 }
+ headers := w.Header()
+ headers.Add("X-Webauth-UserID", tok.Subject())
+ headers.Add("X-Webauth-User", tok.PreferredUsername())
+ headers.Add("X-Webauth-Email", tok.Email())
+
+ groups, err := getTokenGroupIDs(tok)
+ if err != nil {
+ zap.S().Errorf("Error getting groups from token: %v", err)
+ } else {
+ headers["X-Webauth-Groups"] = groups
+ }
+
+ w.WriteHeader(http.StatusNoContent)
 }
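Review bot: When getTokenGroupIDs returns an error, authGet still answers 204 with the identity headers set and X-Webauth-Groups absent, so whatever consumes these headers cannot distinguish a token with no groups claim from one whose claim was malformed; that is fail-closed for group-based decisions, but the intent should be stated in a comment on the `if err != nil` branch, e.g. `// A malformed groups claim is logged and treated as "no groups": the user stays authenticated, group-gated access is denied.` If that is not the intended contract, respond with an error status there instead of falling through to 204. The direct map write `headers["X-Webauth-Groups"] = groups` also differs from the `headers.Add` calls above it; `for _, g := range groups { headers.Add("X-Webauth-Groups", g) }` keeps the style uniform and goes through the same key canonicalisation as the other headers. getTokenGroupIDs itself lives in authz.go, outside this hunk.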