move to keyvalue

This commit is contained in:
branchmispredictor 2021-05-18 18:50:47 -04:00
parent 717c3bcc0b
commit c9ab22cec7
1 changed files with 17 additions and 25 deletions


@ -18,12 +18,12 @@ package identityawareproxy
import ( import (
"fmt" "fmt"
"sync"
"time" "time"
"code.vikunja.io/api/pkg/config" "code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/log" "code.vikunja.io/api/pkg/log"
"code.vikunja.io/api/pkg/modules/auth" "code.vikunja.io/api/pkg/modules/auth"
"code.vikunja.io/api/pkg/modules/keyvalue"
"code.vikunja.io/web/handler" "code.vikunja.io/web/handler"
"github.com/dgrijalva/jwt-go" "github.com/dgrijalva/jwt-go"
"github.com/labstack/echo/v4" "github.com/labstack/echo/v4"
@ -35,40 +35,32 @@ import (
var TimeFunc = time.Now var TimeFunc = time.Now
// Caches the public keys of the identity-aware proxy used to validate the auth data it sends // Caches the public keys of the identity-aware proxy used to validate the auth data it sends
type iapCache struct { const iapCacheKey = "iapcache_keyset"
keyset *jwk.Set
mutex sync.Mutex
}
// GetKeyset returns the cached public keys from the identity-aware proxy // GetKeyset returns the cached public keys from the identity-aware proxy
// or fetches them for the first time. // or fetches them for the first time.
func (cache *iapCache) GetKeyset() (*jwk.Set, error) { func GetKeyset() (keyset *jwk.Set, err error) {
if cache.keyset != nil { k, exists, err := keyvalue.Get(iapCacheKey)
return cache.keyset, nil if !exists {
// Fetch the public key(s) from the identity-aware proxy
keyset, err = jwk.FetchHTTP(config.AuthIdentityAwareProxyJwksURI.GetString())
if err != nil {
log.Error("Failed to retrieve the identity-aware proxy's signing public key at URL %s: %v", config.AuthIdentityAwareProxyJwksURI.GetString(), err)
return nil, ErrIAPPublicKeysetMissing{URL: config.AuthIdentityAwareProxyJwksURI.GetString()}
}
keyvalue.Put(iapCacheKey, keyset)
} }
cache.mutex.Lock() if k != nil {
defer cache.mutex.Unlock() return k.(*jwk.Set), nil
// Check that another thread has not fetched the keyset
if cache.keyset != nil {
return cache.keyset, nil
} }
// Fetch the public key(s) from the identity-aware proxy return
keyset, err := jwk.FetchHTTP(config.AuthIdentityAwareProxyJwksURI.GetString())
if err != nil {
log.Error("Failed to retrieve the identity-aware proxy's signing public key at URL %s: %v", config.AuthIdentityAwareProxyJwksURI.GetString(), err)
return nil, ErrIAPPublicKeysetMissing{URL: config.AuthIdentityAwareProxyJwksURI.GetString()}
}
cache.keyset = keyset
return cache.keyset, nil
} }
// The identity-aware proxy authentication middleware parses and validates the // The identity-aware proxy authentication middleware parses and validates the
// JWT provided by the IAP // JWT provided by the IAP
func Middleware() echo.MiddlewareFunc { func Middleware() echo.MiddlewareFunc {
cache := &iapCache{}
return func(next echo.HandlerFunc) echo.HandlerFunc { return func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error { return func(c echo.Context) error {
// Skip if IAP is not enabled // Skip if IAP is not enabled
@ -83,7 +75,7 @@ func Middleware() echo.MiddlewareFunc {
return handler.HandleHTTPError(err, c) return handler.HandleHTTPError(err, c)
} }
keyset, err := cache.GetKeyset() keyset, err := GetKeyset()
if err != nil { if err != nil {
return handler.HandleHTTPError(err, c) return handler.HandleHTTPError(err, c)
} }
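Review bot: In the new GetKeyset (second hunk) the cached value comes back through an unchecked assertion `k.(*jwk.Set)` and the error from `keyvalue.Get` is never inspected, so a store that returns a differently typed or nil value — plausible if the keyvalue backend serializes entries instead of keeping them in memory — either panics inside the auth middleware or falls through to the final bare `return`, which yields `(nil, nil)` and gives the caller a nil keyset to verify tokens against. Because this is the token-validation path, a cache problem should degrade to a refetch and never to "no keyset, no error". The mutex double-check the old code had is also gone, so concurrent first requests may each fetch the JWKS; that is harmless but deserves a comment such as `// Duplicate fetches on a cold cache are tolerated; the last Put wins`. The result of `keyvalue.Put` is dropped as well; if it reports errors, they should at least be logged.
```go
func GetKeyset() (keyset *jwk.Set, err error) {
	k, exists, err := keyvalue.Get(iapCacheKey)
	if err != nil {
		// A broken cache must not block authentication; treat it as a miss.
		log.Error("Failed to read the identity-aware proxy keyset from the cache: %v", err)
	}
	if exists {
		cached, ok := k.(*jwk.Set)
		if ok && cached != nil {
			return cached, nil
		}
		// Anything else in the slot is treated as a miss and refetched.
	}
	// … unchanged: jwk.FetchHTTP call, log.Error and ErrIAPPublicKeysetMissing return …
	keyvalue.Put(iapCacheKey, keyset)
	return keyset, nil
}
```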