7a4bb863dd
ioutil has been deprecated since go 1.16, this fixes all of the deprecated functions we are using: ioutil.ReadFile -> os.ReadFile ioutil.ReadAll -> io.ReadAll ioutil.WriteFile -> os.WriteFile ioutil.TempFile -> os.CreateTemp ioutil.TempDir -> os.MkdirTemp All of the above are a simple name change, the function arguments and results are exactly the same as before. ioutil.ReadDir -> os.ReadDir now returns a os.DirEntry but the IsDir and Name functions work the same. The difference is that the FileInfo must be retrieved with the Info() function which can also return an error. These were identified by running: golangci-lint run --build-tags=integration ./...
70 lines
1.6 KiB
Go
70 lines
1.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"net/http"
|
|
"os"
|
|
|
|
"github.com/openshift-online/ocm-sdk-go/authentication"
|
|
"github.com/openshift-online/ocm-sdk-go/logging"
|
|
|
|
"github.com/osbuild/osbuild-composer/internal/common"
|
|
)
|
|
|
|
// When using this handler for auth, it should be run as high up as possible.
|
|
// Exceptions can be registered in the `exclude` slice
|
|
func BuildJWTAuthHandler(keysURLs []string, caFile, aclFile string, exclude []string, next http.Handler) (handler http.Handler, err error) {
|
|
logBuilder := logging.NewGoLoggerBuilder()
|
|
if caFile != "" {
|
|
logBuilder = logBuilder.Debug(true)
|
|
}
|
|
|
|
logger, err := logBuilder.Build()
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
logger.Info(context.Background(), aclFile)
|
|
|
|
builder := authentication.NewHandler().
|
|
Logger(logger)
|
|
|
|
for _, keysURL := range keysURLs {
|
|
builder = builder.KeysURL(keysURL)
|
|
}
|
|
|
|
// Used during testing
|
|
if caFile != "" {
|
|
logger.Warn(context.Background(),
|
|
"A custom CA is specified to verify jwt tokens, this shouldn't be enabled in a production setting.")
|
|
caPEM, err := os.ReadFile(caFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pool := x509.NewCertPool()
|
|
ok := pool.AppendCertsFromPEM(caPEM)
|
|
if !ok {
|
|
return nil, fmt.Errorf("Unable to load jwt ca cert %s.", caFile)
|
|
}
|
|
builder = builder.KeysCAs(pool)
|
|
}
|
|
|
|
if aclFile != "" {
|
|
builder = builder.ACLFile(aclFile)
|
|
}
|
|
|
|
for _, e := range exclude {
|
|
builder = builder.Public(e)
|
|
}
|
|
|
|
// In case authentication fails, attach an OperationID
|
|
builder = builder.OperationID(func(r *http.Request) string {
|
|
return common.GenerateOperationID()
|
|
})
|
|
|
|
handler, err = builder.Next(next).Build()
|
|
return
|
|
}
|