Merge tag 'v0.4.29' into k8s-lib-update-v0.4.20

devtron-labs · Jun 8, 2022 · dcd017c · dcd017c
2 parents 61a0522 + 9a4123d
commit dcd017c
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 7 deletions.
diff --git a/apiToken/ApiTokenSecretStore.go b/apiToken/ApiTokenSecretStore.go
@@ -0,0 +1,9 @@
+package apiTokenAuth
+
+type ApiTokenSecretStore struct {
+	Secret string
+}
+
+func InitApiTokenSecretStore() *ApiTokenSecretStore {
+	return &ApiTokenSecretStore{}
+}
diff --git a/middleware/sessionmanager.go b/middleware/sessionmanager.go
@@ -16,16 +16,17 @@
  * Some of the code has been taken from argocd, for them argocd licensing terms apply
  */
 
-
 package middleware
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	apiTokenAuth "github.com/devtron-labs/authenticator/apiToken"
 	"github.com/devtron-labs/authenticator/client"
 	jwt2 "github.com/devtron-labs/authenticator/jwt"
 	"github.com/devtron-labs/authenticator/oidc"
-	jwt "github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v4"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"net"
@@ -35,15 +36,19 @@ import (
 
 // SessionManager generates and validates JWT tokens for login sessions.
 type SessionManager struct {
-	settings *oidc.Settings
-	client   *http.Client
-	prov     oidc.Provider
+	settings            *oidc.Settings
+	client              *http.Client
+	prov                oidc.Provider
+	apiTokenSecretStore *apiTokenAuth.ApiTokenSecretStore
 }
 
 const (
 	// SessionManagerClaimsIssuer fills the "iss" field of the token.
 	SessionManagerClaimsIssuer = "argocd"
 
+	// ApiTokenClaimIssuer is the issuer who generated api-token for APIs
+	ApiTokenClaimIssuer = "apiTokenIssuer"
+
 	// invalidLoginError, for security purposes, doesn't say whether the username or password was invalid.  This does not mitigate the potential for timing attacks to determine which is which.
 	invalidLoginError         = "Invalid username or password"
 	blankPasswordError        = "Blank passwords are not allowed"
@@ -59,9 +64,10 @@ var (
 )
 
 // NewSessionManager creates a new session manager from Argo CD settings
-func NewSessionManager(settings *oidc.Settings, config *client.DexConfig) *SessionManager {
+func NewSessionManager(settings *oidc.Settings, config *client.DexConfig, apiTokenSecretStore *apiTokenAuth.ApiTokenSecretStore) *SessionManager {
 	s := SessionManager{
-		settings: settings,
+		settings:            settings,
+		apiTokenSecretStore: apiTokenSecretStore,
 	}
 	s.client = &http.Client{
 		Transport: &http.Transport{
@@ -165,6 +171,23 @@ func (mgr *SessionManager) Parse(tokenString string) (jwt.Claims, error) {
 	return token.Claims, nil
 }
 
+// ParseApiToken tries to parse the provided string and returns the token claims for api-token user.
+func (mgr *SessionManager) ParseApiToken(tokenString string) (jwt.Claims, error) {
+	var claims jwt.MapClaims
+
+	token, err := jwt.ParseWithClaims(tokenString, &claims, func(token *jwt.Token) (interface{}, error) {
+		return []byte(mgr.apiTokenSecretStore.Secret), nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+	if !token.Valid {
+		return nil, errors.New("token is invalid")
+	}
+	return token.Claims, nil
+}
+
 // VerifyToken verifies if a token is correct. Tokens can be issued either from us or by an IDP.
 // We choose how to verify based on the issuer.
 func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
@@ -180,6 +203,9 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 	case SessionManagerClaimsIssuer:
 		// Argo CD signed token
 		return mgr.Parse(tokenString)
+	case ApiTokenClaimIssuer:
+		// api-key token
+		return mgr.ParseApiToken(tokenString)
 	default:
 		// IDP signed token
 		prov, err := mgr.provider()