-
Notifications
You must be signed in to change notification settings - Fork 1
/
jwt.go
106 lines (90 loc) · 2.62 KB
/
jwt.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package keycloakmiddleware
import (
"encoding/json"
"github.com/cristalhq/jwt/v3"
"github.com/gin-gonic/gin"
"net/http"
"strings"
"time"
)
type middleware struct {
wrapperCode int // 0: default, 1:standard, 2:traceable
}
func Construct(wrapperCode int) middleware {
return middleware{wrapperCode: wrapperCode}
}
func (middleware *middleware) Validate(scopes []string) gin.HandlerFunc {
return func(context *gin.Context) {
var isEnabled = getEnvOrDefault("KEYCLOAK_JWT_ENABLED", "false").(string)
if strings.ToLower(isEnabled) == "false" || isEnabled == "0" {
context.Next()
return
}
s := strings.SplitN(context.Request.Header.Get("Authorization"), " ", 2)
if len(s) != 2 {
msg := "Authorization token is not found"
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
var headerToken = s[1]
unverifiedToken, err := jwt.Parse([]byte(headerToken))
if err != nil {
msg := err.Error()
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
kid := unverifiedToken.Header().KeyID
key, err := getPublicKey(kid)
if err != nil {
msg := err.Error()
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
verifier, err := jwt.NewVerifierRS(jwt.RS256, key)
if err != nil {
msg := err.Error()
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
token, err := jwt.ParseAndVerifyString(headerToken, verifier)
if err != nil {
msg := err.Error()
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
var claims claims
errClaims := json.Unmarshal(token.RawClaims(), &claims)
if errClaims != nil {
msg := errClaims.Error()
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
var iss = getEnv("KEYCLOAK_JWT_ISS")
if claims.Issuer != iss {
msg := "Token issuer is not valid"
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
if claims.ExpiresAt.Unix() < time.Now().Unix() {
msg := "Token expired"
middleware.abort(http.StatusUnauthorized, context, msg)
return
}
if !isScopesValid(claims, scopes) {
msg := "Access to this endpoint is not allowed"
middleware.abort(http.StatusForbidden, context, msg)
return
}
context.Set("keycloak_username", claims.Username)
context.Set("keycloak_name", claims.Name)
context.Set("keycloak_email", claims.Email)
context.Next()
}
}
func (middleware *middleware) abort(status int, context *gin.Context, message interface{}) {
httpStatus := http.StatusOK
if middleware.wrapperCode != 0 {
httpStatus = status
}
context.AbortWithStatusJSON(httpStatus, middleware.wrapper(status, context, message, nil))
}