associate tls.ConnectionState with a token Request

xmidt-org · Nov 15, 2024 · 7571bea · 7571bea
1 parent cfd9272
commit 7571bea
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/token/factory.go b/token/factory.go
@@ -4,6 +4,7 @@ package token
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"sync/atomic"
 
@@ -26,6 +27,10 @@ type Request struct {
 	// Metadata holds non-claim information about the request, usually garnered from the original HTTP request.  This
 	// metadata is available to lower levels of infrastructure used by the Factory.
 	Metadata map[string]interface{}
+
+	// ConnectionState represents the state of any underlying TLS connection.
+	// For non-tls connections, this field is unset.
+	ConnectionState tls.ConnectionState
 }
 
 // NewRequest returns an empty, fully initialized token Request

diff --git a/token/transport.go b/token/transport.go
@@ -19,6 +19,12 @@ import (
 	"go.uber.org/multierr"
 )
 
+const (
+	// ClaimTrust is the name of the trust value within JWT claims issued
+	// by themis.
+	ClaimTrust = "trust"
+)
+
 var (
 	ErrVariableNotAllowed = errors.New("Either header/parameter or variable can specified, but not all three")
 )
@@ -208,6 +214,15 @@ func (prb partnerIDRequestBuilder) Build(original *http.Request, tr *Request) er
 	return nil
 }
 
+// setConnectionState sets the tls.ConnectionState for the given request.
+func setConnectionState(original *http.Request, tr *Request) error {
+	if cs, ok := xhttpserver.ConnectionState(original.Context()); ok {
+		tr.ConnectionState = cs
+	}
+
+	return nil
+}
+
 // NewRequestBuilders creates a RequestBuilders sequence given an Options configuration.  Only claims
 // and metadata that are HTTP-based are included in the results.  Claims and metadata that are statically
 // assigned values are handled by ClaimBuilder objects and are part of the Factory configuration.
@@ -238,6 +253,7 @@ func NewRequestBuilders(o Options) (RequestBuilders, error) {
 			)
 		}
 	}
+
 	for _, value := range o.Metadata {
 		switch {
 		case len(value.Key) == 0:
@@ -264,13 +280,20 @@ func NewRequestBuilders(o Options) (RequestBuilders, error) {
 			)
 		}
 	}
+
 	if o.PartnerID != nil && (len(o.PartnerID.Claim) > 0 || len(o.PartnerID.Metadata) > 0) {
 		rb = append(rb,
 			partnerIDRequestBuilder{
 				PartnerID: *o.PartnerID,
 			},
 		)
 	}
+
+	rb = append(
+		rb,
+		RequestBuilderFunc(setConnectionState),
+	)
+
 	return rb, nil
 }