Add UncheckedValidator and use it temporarily

equinor · Oct 9, 2024 · 341f76d · 341f76d
1 parent 494432d
commit 341f76d
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 2 deletions.
diff --git a/api/utils/token/unchecked_principal.go b/api/utils/token/unchecked_principal.go
@@ -0,0 +1,52 @@
+package token
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/go-jose/go-jose/v4/jwt"
+)
+
+func (c *unchechedClaimsPrincipal) Validate(_ context.Context) error {
+	return nil
+}
+
+type unchechedClaimsPrincipal struct {
+	token       string
+	claims      *jwt.Claims
+	azureClaims *azureClaims
+}
+
+func (p *unchechedClaimsPrincipal) Token() string {
+	return p.token
+}
+func (p *unchechedClaimsPrincipal) IsAuthenticated() bool {
+	return true
+}
+func (p *unchechedClaimsPrincipal) Id() string {
+	if p.azureClaims.ObjectId != "" {
+		return fmt.Sprintf("unverified: %s", p.azureClaims.ObjectId)
+	}
+
+	return fmt.Sprintf("unverified: %s (sub!)", p.claims.Subject)
+}
+
+func (p *unchechedClaimsPrincipal) Name() string {
+	if p.azureClaims.Upn != "" {
+		return fmt.Sprintf("unverified: %s", p.azureClaims.Upn)
+	}
+
+	if p.azureClaims.AppDisplayName != "" {
+		return fmt.Sprintf("unverified: %s", p.azureClaims.AppDisplayName)
+	}
+
+	if p.azureClaims.AppId != "" {
+		return fmt.Sprintf("unverified: %s", p.azureClaims.AppId)
+	}
+
+	if p.azureClaims.ObjectId != "" {
+		return fmt.Sprintf("unverified: %s", p.azureClaims.ObjectId)
+	}
+
+	return fmt.Sprintf("unverified: %s", p.claims.Subject)
+}
diff --git a/api/utils/token/unchecked_validator.go b/api/utils/token/unchecked_validator.go
@@ -0,0 +1,36 @@
+package token
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"github.com/equinor/radix-common/net/http"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
+)
+
+type UncheckedValidator struct{}
+
+var _ ValidatorInterface = &UncheckedValidator{}
+
+func NewUncheckedValidator(_ *url.URL, _ string) (*UncheckedValidator, error) {
+	return &UncheckedValidator{}, nil
+}
+
+func (v *UncheckedValidator) ValidateToken(_ context.Context, token string) (TokenPrincipal, error) {
+	var registeredClaims jwt.Claims
+	var azureClaims azureClaims
+
+	jwt, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.HS256, jose.RS256})
+	if err != nil {
+		return nil, http.ForbiddenError("invalid token")
+	}
+	err = jwt.UnsafeClaimsWithoutVerification(&registeredClaims, &azureClaims)
+	if err != nil {
+		return nil, http.ForbiddenError(fmt.Sprintf("failed to extract JWT unsafeClaims: %w", err))
+	}
+
+	principal := &unchechedClaimsPrincipal{token: token, claims: &registeredClaims, azureClaims: &azureClaims}
+	return principal, nil
+}
diff --git a/main.go b/main.go
@@ -76,14 +76,15 @@ func initializeServer(c config.Config) *http.Server {
 	return srv
 }
 
-func initializeTokenValidator(c config.Config) *token.Validator {
+func initializeTokenValidator(c config.Config) token.ValidatorInterface {
 	issuerUrl, err := url.Parse(c.OidcIssuer)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Error parsing issuer url")
 	}
 
 	// Set up the validator.
-	jwtValidator, err := token.NewValidator(issuerUrl, c.OidcAudience)
+	// jwtValidator, err := token.NewValidator(issuerUrl, c.OidcAudience)
+	jwtValidator, err := token.NewUncheckedValidator(issuerUrl, c.OidcAudience)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Error creating JWT validator")
 	}