github.com/greenpau/go-authcrunch@v1.1.4/pkg/authn/idp_apikey_auth.go (about) 1 // Copyright 2022 Paul Greenberg greenpau@outlook.com 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package authn 16 17 import ( 18 "context" 19 "time" 20 21 "github.com/greenpau/go-authcrunch/pkg/authn/enums/operator" 22 "github.com/greenpau/go-authcrunch/pkg/authproxy" 23 "github.com/greenpau/go-authcrunch/pkg/errors" 24 "github.com/greenpau/go-authcrunch/pkg/requests" 25 "github.com/greenpau/go-authcrunch/pkg/user" 26 "go.uber.org/zap" 27 ) 28 29 // APIKeyAuth performs API key authentication. 30 func (p *Portal) APIKeyAuth(r *authproxy.Request) error { 31 if r.Realm == "" { 32 r.Realm = "local" 33 } 34 35 rr := requests.NewRequest() 36 rr.Logger = p.logger 37 rr.Response.Authenticated = false 38 rr.Key.Payload = r.Secret 39 rr.Upstream.Realm = r.Realm 40 41 backend := p.getIdentityStoreByRealm(r.Realm) 42 if backend == nil { 43 p.logger.Warn( 44 "realm backend not found", 45 zap.String("source_address", r.Address), 46 zap.String("custom_auth", "apikey"), 47 zap.String("realm", r.Realm), 48 ) 49 return errors.ErrAPIKeyAuthFailed 50 } 51 52 if err := backend.Request(operator.LookupAPIKey, rr); err != nil { 53 p.logger.Warn( 54 "api key lookup failed", 55 zap.String("source_address", r.Address), 56 zap.String("custom_auth", "apikey"), 57 zap.String("realm", r.Realm), 58 zap.Error(err), 59 ) 60 return errors.ErrAPIKeyAuthFailed 61 } 62 63 if err := backend.Request(operator.IdentifyUser, rr); err != nil { 64 p.logger.Warn( 65 "user lookup following api key lookup failed", 66 zap.String("source_address", r.Address), 67 zap.String("custom_auth", "apikey"), 68 zap.String("realm", r.Realm), 69 zap.Error(err), 70 ) 71 return errors.ErrAPIKeyAuthFailed 72 } 73 74 m := make(map[string]interface{}) 75 m["sub"] = rr.User.Username 76 m["email"] = rr.User.Email 77 if rr.User.FullName != "" { 78 m["name"] = rr.User.FullName 79 } 80 if len(rr.User.Roles) > 0 { 81 m["roles"] = rr.User.Roles 82 } 83 84 // m["jti"] = rr.Upstream.SessionID 85 m["exp"] = time.Now().Add(time.Duration(p.keystore.GetTokenLifetime(nil, nil)) * time.Second).UTC().Unix() 86 m["iat"] = time.Now().UTC().Unix() 87 m["nbf"] = time.Now().Add(time.Duration(60) * time.Second * -1).UTC().Unix() 88 if _, exists := m["origin"]; !exists { 89 m["origin"] = r.Realm 90 } 91 m["iss"] = "authp" 92 m["addr"] = r.Address 93 94 // Perform user claim transformation if necessary. 95 if err := p.transformUser(context.Background(), rr, m); err != nil { 96 return err 97 } 98 99 // Inject portal specific roles 100 injectPortalRoles(m, p.config) 101 102 // Create a new user and sign the token. 103 usr, err := user.NewUser(m) 104 if err != nil { 105 p.logger.Warn( 106 "user build following user lookup failed", 107 zap.String("source_address", r.Address), 108 zap.String("custom_auth", "apikey"), 109 zap.String("realm", r.Realm), 110 zap.Error(err), 111 ) 112 return errors.ErrAPIKeyAuthFailed 113 } 114 if err := p.keystore.SignToken(nil, nil, usr); err != nil { 115 p.logger.Warn( 116 "user token signing failed", 117 zap.String("source_address", r.Address), 118 zap.String("custom_auth", "apikey"), 119 zap.String("realm", r.Realm), 120 zap.Error(err), 121 ) 122 return errors.ErrAPIKeyAuthFailed 123 } 124 125 r.Response.Payload = usr.Token 126 r.Response.Name = usr.TokenName 127 return nil 128 }