prysm-pulse/validator/rpc/intercepter.go
Raul Jordan f3a7f399c0
Engine API Client Authentication for the Merge via HTTP (#10236)
* round tripper with claims

* auth

* edit auth

* test out jwt

* passing

* jwt flag

* comment

* passing

* commentary

* fix up jwt parsing

* gaz

* update jwt libs

* tidy

* gaz

* lint

* tidy up

* comment too long

Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com>
2022-02-25 19:08:43 +00:00


package rpc
import (
"context"
"fmt"
"strings"
"github.com/golang-jwt/jwt/v4"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
)
// JWTInterceptor returns a gRPC unary server interceptor that rejects any
// request whose incoming context does not carry a valid bearer JWT (see
// authorize) before the handler runs, then logs the method name and the
// handler's error once the handler returns.
func (s *Server) JWTInterceptor() grpc.UnaryServerInterceptor {
	return func(
		ctx context.Context,
		req interface{},
		info *grpc.UnaryServerInfo,
		handler grpc.UnaryHandler,
	) (interface{}, error) {
		// An authentication failure short-circuits: the handler never executes
		// and the status error from authorize is returned to the client as-is.
		authErr := s.authorize(ctx)
		if authErr != nil {
			return nil, authErr
		}
		resp, handlerErr := handler(ctx, req)
		log.Debugf("Request - Method: %s, Error: %v\n", info.FullMethod, handlerErr)
		return resp, handlerErr
	}
}
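// authorize checks that the incoming gRPC metadata carries an
// "authorization" entry of the form "Bearer {token}" and that the token is a
// JWT whose signature verifies against s.jwtSecret (see validateJWT).
//
// It returns a gRPC status error: InvalidArgument when the context carries no
// incoming metadata at all, Unauthenticated for a missing/malformed header or
// a token that fails to parse or verify; nil means the request may proceed.
func (s *Server) authorize(ctx context.Context) error {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return status.Errorf(codes.InvalidArgument, "Retrieving metadata failed")
	}
	// gRPC lowercases metadata keys, so the HTTP "Authorization" header
	// arrives under "authorization".
	authHeader, ok := md["authorization"]
	if !ok {
		return status.Errorf(codes.Unauthenticated, "Authorization token could not be found")
	}
	// The scheme must be a prefix of the header value. The previous
	// strings.Contains + strings.Split(...)[1] pairing accepted values such
	// as "xBearer a Bearer b" and then picked an arbitrary segment ("a ") as
	// the token, so the token extracted was not necessarily what the client
	// meant to present.
	const bearerPrefix = "Bearer "
	if len(authHeader) < 1 || !strings.HasPrefix(authHeader[0], bearerPrefix) {
		return status.Error(codes.Unauthenticated, "Invalid auth header, needs Bearer {token}")
	}
	token := strings.TrimSpace(strings.TrimPrefix(authHeader[0], bearerPrefix))
	if token == "" {
		// "Bearer " with nothing after it is a malformed header, not a parse
		// failure; report it the same way as any other bad header.
		return status.Error(codes.Unauthenticated, "Invalid auth header, needs Bearer {token}")
	}
	// jwt.Parse verifies the signature through validateJWT (HMAC only) and the
	// registered time claims (exp/nbf/iat) when they are present. A token
	// without an "exp" claim is accepted indefinitely by this check — the
	// issuer is expected to set one.
	if _, err := jwt.Parse(token, s.validateJWT); err != nil {
		return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err)
	}
	return nil
}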
// validateJWT is the jwt.Keyfunc used by authorize. It hands back
// s.jwtSecret as the verification key only when the token's signing method is
// an HMAC method; every other "alg" (asymmetric methods, "none", or an
// unknown value) is rejected so that a client cannot choose the algorithm its
// token is verified with.
func (s *Server) validateJWT(token *jwt.Token) (interface{}, error) {
	switch token.Method.(type) {
	case *jwt.SigningMethodHMAC:
		return s.jwtSecret, nil
	default:
		return nil, fmt.Errorf("unexpected JWT signing method: %v", token.Header["alg"])
	}
}