libauth/libauth.go

package libauth

import (
	"fmt"
	"net/http"
	"os"
	"strings"

	"git.rootprojects.org/root/keypairs"
	"git.rootprojects.org/root/keypairs/keyfetch"
)

const oidcIssuersEnv = "OIDC_ISSUERS"
const oidcIssuersInternalEnv = "OIDC_ISSUERS_INTERNAL"

// JWS is keypairs.JWS with added debugging information
type JWS struct {
	keypairs.JWS

	Trusted bool    `json:"trusted"`
	Errors  []error `json:"errors,omitempty"`
}

// IssuerList is the trusted list of token issuers
type IssuerList = keyfetch.Whitelist

// ParseIssuerEnvs will parse ENVs (both comma- and space-delimited) to
// create a trusted IssuerList of public and/or internal issuer URLs.
//
// Example:
//  OIDC_ISSUERS='https://example.com/ https://therootcompany.github.io/libauth/'
//  OIDC_ISSUERS_INTERNAL='http://localhost:3000/ http://my-service-name:8080/'
func ParseIssuerEnvs(issuersEnvName, internalEnvName string) (IssuerList, error) {
	if len(issuersEnvName) > 0 {
		issuersEnvName = oidcIssuersEnv
	}
	pubs := os.Getenv(issuersEnvName)
	pubURLs := ParseIssuerListString(pubs)

	if len(internalEnvName) > 0 {
		internalEnvName = oidcIssuersInternalEnv
	}
	internals := os.Getenv(internalEnvName)
	internalURLs := ParseIssuerListString(internals)

	return keyfetch.NewWhitelist(pubURLs, internalURLs)
}

// ParseIssuerListString will Split comma- and/or space-delimited list into a slice
//
// Example:
//  "https://example.com/, https://therootcompany.github.io/libauth/"
func ParseIssuerListString(issuerList string) []string {
	issuers := []string{}

	issuerList = strings.TrimSpace(issuerList)
	if len(issuerList) > 0 {
		issuerList = strings.ReplaceAll(issuerList, ",", " ")
		issuers = strings.Fields(issuerList)
	}

	return issuers
}

// VerifyJWT will return a verified InspectableToken if possible, or otherwise as much detail as possible, possibly including an InspectableToken with failed verification.
func VerifyJWT(jwt string, issuers IssuerList, r *http.Request) (*JWS, error) {
	jws := keypairs.JWTToJWS(jwt)
	if nil == jws {
		return nil, fmt.Errorf("Bad Request: malformed Authorization header")
	}

	myJws := &JWS{
		*jws,
		false,
		[]error{},
	}
	if err := myJws.DecodeComponents(); nil != err {
		myJws.Errors = append(myJws.Errors, err)
		return myJws, err
	}

	return VerifyJWS(myJws, issuers, r)
}

// VerifyJWS takes a fully decoded JWS and will return a verified InspectableToken if possible, or otherwise as much detail as possible, possibly including an InspectableToken with failed verification.
func VerifyJWS(jws *JWS, issuers IssuerList, r *http.Request) (*JWS, error) {
	var pub keypairs.PublicKey
	kid, kidOK := jws.Header["kid"].(string)
	iss, issOK := jws.Claims["iss"].(string)

	_, jwkOK := jws.Header["jwk"]
	if !jwkOK {
		if !kidOK || 0 == len(kid) {
			//errs = append(errs, "must have either header.kid or header.jwk")
			return nil, fmt.Errorf("Bad Request: missing 'kid' identifier")
		} else if !issOK || 0 == len(iss) {
			//errs = append(errs, "payload.iss must exist to complement header.kid")
			return nil, fmt.Errorf("Bad Request: payload.iss must exist to complement header.kid")
		} else {
			// TODO beware domain fronting, we should set domain statically
			// See https://pkg.go.dev/git.rootprojects.org/root/keypairs@v0.6.2/keyfetch
			// (Caddy does protect against Domain-Fronting by default:
			//     https://github.com/caddyserver/caddy/issues/2500)
			if !issuers.IsTrustedIssuer(iss, r) {
				return nil, fmt.Errorf("Bad Request: 'iss' is not a trusted issuer")
			}
		}
		var err error
		pub, err = keyfetch.OIDCJWK(kid, iss)
		if nil != err {
			return nil, fmt.Errorf("Bad Request: 'kid' could not be matched to a known public key: %w", err)
		}
	} else {
		return nil, fmt.Errorf("Bad Request: self-signed tokens with 'jwk' are not supported")
	}

	errs := keypairs.VerifyClaims(pub, &jws.JWS)
	if 0 != len(errs) {
		strs := []string{}
		for _, err := range errs {
			jws.Errors = append(jws.Errors, err)
			strs = append(strs, err.Error())
		}
		return jws, fmt.Errorf("invalid jwt:\n%s", strings.Join(strs, "\n\t"))
	}

	jws.Trusted = true
	return jws, nil
}
initial commit 2022-05-06 00:11:08 +00:00			`package libauth`

			`import (`
			`"fmt"`
			`"net/http"`
feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`"os"`
initial commit 2022-05-06 00:11:08 +00:00			`"strings"`

			`"git.rootprojects.org/root/keypairs"`
			`"git.rootprojects.org/root/keypairs/keyfetch"`
			`)`

feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`const oidcIssuersEnv = "OIDC_ISSUERS"`
			`const oidcIssuersInternalEnv = "OIDC_ISSUERS_INTERNAL"`

initial commit 2022-05-06 00:11:08 +00:00			`// JWS is keypairs.JWS with added debugging information`
			`type JWS struct {`
			`keypairs.JWS`

			Trusted bool `json:"trusted"`
			Errors []error `json:"errors,omitempty"`
			`}`

feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`// IssuerList is the trusted list of token issuers`
			`type IssuerList = keyfetch.Whitelist`

			`// ParseIssuerEnvs will parse ENVs (both comma- and space-delimited) to`
			`// create a trusted IssuerList of public and/or internal issuer URLs.`
			`//`
			`// Example:`
			`// OIDC_ISSUERS='https://example.com/ https://therootcompany.github.io/libauth/'`
			`// OIDC_ISSUERS_INTERNAL='http://localhost:3000/ http://my-service-name:8080/'`
			`func ParseIssuerEnvs(issuersEnvName, internalEnvName string) (IssuerList, error) {`
			`if len(issuersEnvName) > 0 {`
			`issuersEnvName = oidcIssuersEnv`
			`}`
			`pubs := os.Getenv(issuersEnvName)`
			`pubURLs := ParseIssuerListString(pubs)`

			`if len(internalEnvName) > 0 {`
			`internalEnvName = oidcIssuersInternalEnv`
			`}`
			`internals := os.Getenv(internalEnvName)`
			`internalURLs := ParseIssuerListString(internals)`

			`return keyfetch.NewWhitelist(pubURLs, internalURLs)`
			`}`

			`// ParseIssuerListString will Split comma- and/or space-delimited list into a slice`
			`//`
			`// Example:`
			`// "https://example.com/, https://therootcompany.github.io/libauth/"`
			`func ParseIssuerListString(issuerList string) []string {`
			`issuers := []string{}`

			`issuerList = strings.TrimSpace(issuerList)`
			`if len(issuerList) > 0 {`
			`issuerList = strings.ReplaceAll(issuerList, ",", " ")`
			`issuers = strings.Fields(issuerList)`
			`}`

			`return issuers`
			`}`

initial commit 2022-05-06 00:11:08 +00:00			`// VerifyJWT will return a verified InspectableToken if possible, or otherwise as much detail as possible, possibly including an InspectableToken with failed verification.`
feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`func VerifyJWT(jwt string, issuers IssuerList, r http.Request) (JWS, error) {`
initial commit 2022-05-06 00:11:08 +00:00			`jws := keypairs.JWTToJWS(jwt)`
			`if nil == jws {`
			`return nil, fmt.Errorf("Bad Request: malformed Authorization header")`
			`}`

feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`myJws := &JWS{`
			`*jws,`
			`false,`
			`[]error{},`
			`}`
			`if err := myJws.DecodeComponents(); nil != err {`
			`myJws.Errors = append(myJws.Errors, err)`
			`return myJws, err`
initial commit 2022-05-06 00:11:08 +00:00			`}`

feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`return VerifyJWS(myJws, issuers, r)`
initial commit 2022-05-06 00:11:08 +00:00			`}`

			`// VerifyJWS takes a fully decoded JWS and will return a verified InspectableToken if possible, or otherwise as much detail as possible, possibly including an InspectableToken with failed verification.`
feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`func VerifyJWS(jws JWS, issuers IssuerList, r http.Request) (*JWS, error) {`
initial commit 2022-05-06 00:11:08 +00:00			`var pub keypairs.PublicKey`
			`kid, kidOK := jws.Header["kid"].(string)`
			`iss, issOK := jws.Claims["iss"].(string)`

			`_, jwkOK := jws.Header["jwk"]`
bugfix(claims): invert jwk check condition 2022-05-09 19:34:08 +00:00			`if !jwkOK {`
initial commit 2022-05-06 00:11:08 +00:00			`if !kidOK \|\| 0 == len(kid) {`
			`//errs = append(errs, "must have either header.kid or header.jwk")`
			`return nil, fmt.Errorf("Bad Request: missing 'kid' identifier")`
			`} else if !issOK \|\| 0 == len(iss) {`
			`//errs = append(errs, "payload.iss must exist to complement header.kid")`
			`return nil, fmt.Errorf("Bad Request: payload.iss must exist to complement header.kid")`
			`} else {`
			`// TODO beware domain fronting, we should set domain statically`
			`// See https://pkg.go.dev/git.rootprojects.org/root/keypairs@v0.6.2/keyfetch`
			`// (Caddy does protect against Domain-Fronting by default:`
			`// https://github.com/caddyserver/caddy/issues/2500)`
			`if !issuers.IsTrustedIssuer(iss, r) {`
			`return nil, fmt.Errorf("Bad Request: 'iss' is not a trusted issuer")`
			`}`
			`}`
			`var err error`
			`pub, err = keyfetch.OIDCJWK(kid, iss)`
			`if nil != err {`
bugfix(claims): invert jwk check condition 2022-05-09 19:34:08 +00:00			`return nil, fmt.Errorf("Bad Request: 'kid' could not be matched to a known public key: %w", err)`
initial commit 2022-05-06 00:11:08 +00:00			`}`
			`} else {`
			`return nil, fmt.Errorf("Bad Request: self-signed tokens with 'jwk' are not supported")`
			`}`

feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`errs := keypairs.VerifyClaims(pub, &jws.JWS)`
initial commit 2022-05-06 00:11:08 +00:00			`if 0 != len(errs) {`
			`strs := []string{}`
			`for _, err := range errs {`
feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`jws.Errors = append(jws.Errors, err)`
initial commit 2022-05-06 00:11:08 +00:00			`strs = append(strs, err.Error())`
			`}`
feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`return jws, fmt.Errorf("invalid jwt:\n%s", strings.Join(strs, "\n\t"))`
initial commit 2022-05-06 00:11:08 +00:00			`}`

feat: add more convenience methods 2022-05-09 23:08:38 +00:00			`jws.Trusted = true`
			`return jws, nil`
initial commit 2022-05-06 00:11:08 +00:00			`}`