Skip to content

Commit

Permalink
auth:chore - When verify user permission, the function GetAccountIDBy…
Browse files Browse the repository at this point in the history 
…JWTToken (#538)

call the keycloak server on all requests for backend and this can be
considered a DDos attack for keycloak.

Signed-off-by: lucas.bruno <lucas.bruno@zup.com.br>
  • Loading branch information
@lucasbrunozup
lucasbrunozup authored Jan 13, 2022
1 parent 9bd868f commit 9c1615c
Show file tree
Hide file tree
Showing 9 changed files with 33 additions and 22 deletions.
3 changes: 2 additions & 1 deletion auth/config/providers/wire.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.

//+build wireinject
//go:build wireinject
// +build wireinject

package providers

Expand Down
3 changes: 2 additions & 1 deletion auth/config/providers/wire_gen.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions auth/go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,10 +65,12 @@ require (
github.com/swaggo/files v0.0.0-20210815190702-a29dd2bc99b2 // indirect
github.com/swaggo/http-swagger v1.1.2 // indirect
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 // indirect
golang.org/x/mod v0.5.1 // indirect
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2 // indirect
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e // indirect
golang.org/x/sys v0.0.0-20220111092808-5a964db01320 // indirect
golang.org/x/text v0.3.7 // indirect
golang.org/x/tools v0.1.7 // indirect
golang.org/x/tools v0.1.8 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
google.golang.org/genproto v0.0.0-20211007155348-82e027067bd4 // indirect
google.golang.org/protobuf v1.27.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
Expand Down
6 changes: 6 additions & 0 deletions auth/go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -587,6 +587,8 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.5.1 h1:OJxoQ/rynoF0dcCdI7cLPktw/hR2cueqYfjm43oqK38=
golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
Expand Down Expand Up @@ -696,6 +698,8 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e h1:WUoyKPm6nCo1BnNUvPGnFG3T5DUVem42yDJZZ4CNxMA=
golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220111092808-5a964db01320 h1:0jf+tOCoZ3LyutmCOWpVni1chK4VfFLhRsDK7MhqGRY=
golang.org/x/sys v0.0.0-20220111092808-5a964db01320/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
Expand Down Expand Up @@ -766,6 +770,8 @@ golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ=
golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
golang.org/x/tools v0.1.8 h1:P1HhGGuLW4aAclzjtmJdf0mJOjVUZUzOTqkAkWL+l6w=
golang.org/x/tools v0.1.8/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
Expand Down
3 changes: 2 additions & 1 deletion auth/internal/enums/authentication/keycloak/messages.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,5 @@ package keycloak

var MessageFailedToCheckIfTokenIsActive = "{KEYCLOAK AUTH} failed to check if token is active" //nolint:gosec, lll // false positive
var MessageFailedToGetUserInfo = "{KEYCLOAK AUTH} failed to get user info"
var MessageFailedToGetAccountIDFromKeycloakToken = "{KEYCLOAK AUTH} failed to fet account if from keycloak token" //nolint:gosec, lll // false positive
var MessageFailedToGetAccountIDFromKeycloakToken = "{KEYCLOAK AUTH} failed to get account id from keycloak token" //nolint:gosec, lll // false positive
var MessageFailedToParseKeycloakToken = "{KEYCLOAK AUTH} failed to parse keycloak token to get account id" //nolint:gosec, lll // false positive
14 changes: 11 additions & 3 deletions auth/internal/services/authentication/keycloak/client/keycloak.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import (
"strings"

"github.com/ZupIT/horusec-devkit/pkg/utils/logger"
"github.com/form3tech-oss/jwt-go"

"github.com/pkg/errors"

Expand Down Expand Up @@ -70,12 +71,19 @@ func (c *Client) IsActiveToken(token string) (bool, error) {
}

func (c *Client) GetAccountIDByJWTToken(token string) (uuid.UUID, error) {
userInfo, err := c.GetUserInfo(c.removeBearer(token))
accessToken, _, err := new(jwt.Parser).ParseUnverified(c.removeBearer(token), jwt.MapClaims{})

if err != nil {
return uuid.Nil, errors.Wrap(err, keycloakEnums.MessageFailedToGetAccountIDFromKeycloakToken)
return uuid.Nil, errors.Wrap(err, keycloakEnums.MessageFailedToParseKeycloakToken)
}

if claims, isValid := accessToken.Claims.(jwt.MapClaims); isValid {
if subString, ok := claims["sub"].(string); ok {
return uuid.Parse(subString)
}
}

return uuid.Parse(*userInfo.Sub)
return uuid.Nil, errors.Wrap(err, keycloakEnums.MessageFailedToGetAccountIDFromKeycloakToken)
}

func (c *Client) GetUserInfo(accessToken string) (*gocloak.UserInfo, error) {
Expand Down
14 changes: 2 additions & 12 deletions auth/internal/services/authentication/keycloak/client/keycloak_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -58,26 +58,16 @@ func TestAuthenticate(t *testing.T) {

func TestGetAccountIDByJWTToken(t *testing.T) {
t.Run("should success get account id without errors", func(t *testing.T) {
email := "test@horusec.com"
valid := true
sub := uuid.New().String()

userInfo := &gocloak.UserInfo{
Email: &email,
Sub: &sub,
}
token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI4NDc3ZDdmYy0wOTFlLTQwZWEtYjJkMC04ZTg0YWM0Y2Q5ZDQiLCJuYW1lIjoiVGVzdGUiLCJpYXQiOjE1MTYyMzkwMjJ9.HbLKk9hkWw_nGPNwststdFrEjqbQQpDdpQb42KKSVLM"

goCloakMock := &GoCloakMock{}
goCloakMock.On("RetrospectToken").Return(&gocloak.RetrospecTokenResult{Active: &valid}, nil)
goCloakMock.On("IsActiveToken").Return(true, nil)
goCloakMock.On("GetUserInfo").Return(userInfo, nil)

service := &Client{
ctx: context.Background(),
client: goCloakMock,
}

userID, err := service.GetAccountIDByJWTToken("")
userID, err := service.GetAccountIDByJWTToken(token)
assert.NoError(t, err)
assert.NotEqual(t, uuid.Nil, userID)
})
Expand Down
3 changes: 2 additions & 1 deletion core/config/providers/wire.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.

//+build wireinject
//go:build wireinject
// +build wireinject

package providers

Expand Down
3 changes: 2 additions & 1 deletion core/config/providers/wire_gen.go
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 9c1615c

Please sign in to comment.