2020-08-13 20:27:42 +00:00
|
|
|
package rpc
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2020-10-20 05:37:12 +00:00
|
|
|
"fmt"
|
2020-09-03 23:25:56 +00:00
|
|
|
"strings"
|
2020-08-13 20:27:42 +00:00
|
|
|
|
2022-02-25 19:08:43 +00:00
|
|
|
"github.com/golang-jwt/jwt/v4"
|
2022-08-05 10:52:02 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2020-08-13 20:27:42 +00:00
|
|
|
"google.golang.org/grpc"
|
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
"google.golang.org/grpc/status"
|
|
|
|
)
|
|
|
|
|
2021-10-20 16:37:05 +00:00
|
|
|
// JWTInterceptor is a gRPC unary interceptor to authorize incoming requests.
|
2020-08-13 20:27:42 +00:00
|
|
|
func (s *Server) JWTInterceptor() grpc.UnaryServerInterceptor {
|
|
|
|
return func(
|
|
|
|
ctx context.Context,
|
|
|
|
req interface{},
|
|
|
|
info *grpc.UnaryServerInfo,
|
|
|
|
handler grpc.UnaryHandler,
|
|
|
|
) (interface{}, error) {
|
2021-10-20 16:37:05 +00:00
|
|
|
if err := s.authorize(ctx); err != nil {
|
|
|
|
return nil, err
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
h, err := handler(ctx, req)
|
2022-08-05 10:52:02 +00:00
|
|
|
log.WithError(err).WithFields(logrus.Fields{
|
|
|
|
"FullMethod": info.FullMethod,
|
|
|
|
"Server": info.Server,
|
|
|
|
}).Debug("Request handled")
|
2020-08-13 20:27:42 +00:00
|
|
|
return h, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Authorize the token received is valid.
|
|
|
|
func (s *Server) authorize(ctx context.Context) error {
|
|
|
|
md, ok := metadata.FromIncomingContext(ctx)
|
|
|
|
if !ok {
|
2020-09-03 23:25:56 +00:00
|
|
|
return status.Errorf(codes.InvalidArgument, "Retrieving metadata failed")
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
authHeader, ok := md["authorization"]
|
|
|
|
if !ok {
|
2020-09-03 23:25:56 +00:00
|
|
|
return status.Errorf(codes.Unauthenticated, "Authorization token could not be found")
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
2020-09-03 23:25:56 +00:00
|
|
|
if len(authHeader) < 1 || !strings.Contains(authHeader[0], "Bearer ") {
|
|
|
|
return status.Error(codes.Unauthenticated, "Invalid auth header, needs Bearer {token}")
|
|
|
|
}
|
|
|
|
token := strings.Split(authHeader[0], "Bearer ")[1]
|
2020-10-20 05:37:12 +00:00
|
|
|
_, err := jwt.Parse(token, s.validateJWT)
|
2020-08-13 20:27:42 +00:00
|
|
|
if err != nil {
|
2020-10-10 02:07:28 +00:00
|
|
|
return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err)
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2020-10-20 05:37:12 +00:00
|
|
|
|
|
|
|
func (s *Server) validateJWT(token *jwt.Token) (interface{}, error) {
|
|
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
|
|
return nil, fmt.Errorf("unexpected JWT signing method: %v", token.Header["alg"])
|
|
|
|
}
|
2021-10-28 14:24:39 +00:00
|
|
|
return s.jwtSecret, nil
|
2020-10-20 05:37:12 +00:00
|
|
|
}
|