internal/auth: add TenantChannelMiddleware

Extracts the tenant from the JWT and sets it in the request context.
2023-06-17 17:39:27 +02:00 · 2023-06-17 17:39:27 +02:00 · 0f946e1c9e
commit 0f946e1c9e
parent bec17b6d47
4 changed files with 50 additions and 11 deletions
--- a/internal/cloudapi/v2/middleware.go
+++ b/internal/cloudapi/v2/middleware.go
@ -6,22 +6,23 @@ import (
 	"github.com/getkin/kin-openapi/openapi3filter"
 	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
+
 	"github.com/osbuild/osbuild-composer/internal/auth"
 )

+const TenantCtxKey string = "tenant"
+
 // getTenantChannel returns the tenant channel for the provided request context
 func (s *Server) getTenantChannel(ctx echo.Context) (string, error) {
-	// channel is empty if JWT is not enabled
-	var channel string
 	if s.config.JWTEnabled {
-		tenant, err := auth.GetFromClaims(ctx.Request().Context(), s.config.TenantProviderFields)
-		if err != nil {
-			return "", err
+		tenant, ok := ctx.Get(auth.TenantCtxKey).(string)
+		if !ok {
+			return "", HTTPError(ErrorTenantNotInContext)
 		}
-		// prefix the tenant to prevent collisions if support for specifying channels in a request is ever added
-		channel = "org-" + tenant
+		return tenant, nil
 	}
-	return channel, nil
+	// channel is empty if JWT is not enabled
+	return "", nil
 }

 type ComposeHandlerFunc func(ctx echo.Context, id string) error
@ -36,7 +37,7 @@ func (s *Server) EnsureJobChannel(next ComposeHandlerFunc) ComposeHandlerFunc {

 		ctxChannel, err := s.getTenantChannel(c)
 		if err != nil {
-			return HTTPErrorWithInternal(ErrorTenantNotFound, err)
+			return err
 		}

 		jobChannel, err := s.workers.JobChannel(jobId)