netbird/management/server/jwtclaims/extractor.go

package jwtclaims

import (
	"github.com/golang-jwt/jwt"
	"net/http"
)

const (
	TokenUserProperty    = "user"
	AccountIDSuffix      = "wt_account_id"
	DomainIDSuffix       = "wt_account_domain"
	DomainCategorySuffix = "wt_account_domain_category"
	UserIDClaim          = "sub"
)

// Extract function type
type ExtractClaims func(r *http.Request, authAudiance string) AuthorizationClaims

// ClaimsExtractor struct that holds the extract function
type ClaimsExtractor struct {
	ExtractClaimsFromRequestContext ExtractClaims
}

// NewClaimsExtractor returns an extractor, and if provided with a function with ExtractClaims signature,
// then it will use that logic. Uses ExtractClaimsFromRequestContext by default
func NewClaimsExtractor(e ExtractClaims) *ClaimsExtractor {
	var extractFunc ExtractClaims
	if extractFunc = e; extractFunc == nil {
		extractFunc = ExtractClaimsFromRequestContext
	}

	return &ClaimsExtractor{
		ExtractClaimsFromRequestContext: extractFunc,
	}
}

// ExtractClaimsFromRequestContext extracts claims from the request context previously filled by the JWT token (after auth)
func ExtractClaimsFromRequestContext(r *http.Request, authAudience string) AuthorizationClaims {
	if r.Context().Value(TokenUserProperty) == nil {
		return AuthorizationClaims{}
	}
	token := r.Context().Value(TokenUserProperty).(*jwt.Token)
	return ExtractClaimsWithToken(token, authAudience)
}

// ExtractClaimsWithToken extracts claims from the token (after auth)
func ExtractClaimsWithToken(token *jwt.Token, authAudience string) AuthorizationClaims {
	claims := token.Claims.(jwt.MapClaims)
	jwtClaims := AuthorizationClaims{}
	jwtClaims.UserId = claims[UserIDClaim].(string)
	accountIdClaim, ok := claims[authAudience+AccountIDSuffix]
	if ok {
		jwtClaims.AccountId = accountIdClaim.(string)
	}
	domainClaim, ok := claims[authAudience+DomainIDSuffix]
	if ok {
		jwtClaims.Domain = domainClaim.(string)
	}
	domainCategoryClaim, ok := claims[authAudience+DomainCategorySuffix]
	if ok {
		jwtClaims.DomainCategory = domainCategoryClaim.(string)
	}
	return jwtClaims
}
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`package jwtclaims`

			`import (`
			`"github.com/golang-jwt/jwt"`
			`"net/http"`
			`)`

			`const (`
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com> 2022-03-01 15:22:18 +01:00			`TokenUserProperty = "user"`
			`AccountIDSuffix = "wt_account_id"`
			`DomainIDSuffix = "wt_account_domain"`
			`DomainCategorySuffix = "wt_account_domain_category"`
			`UserIDClaim = "sub"`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`)`

			`// Extract function type`
			`type ExtractClaims func(r *http.Request, authAudiance string) AuthorizationClaims`

			`// ClaimsExtractor struct that holds the extract function`
			`type ClaimsExtractor struct {`
			`ExtractClaimsFromRequestContext ExtractClaims`
			`}`

			`// NewClaimsExtractor returns an extractor, and if provided with a function with ExtractClaims signature,`
			`// then it will use that logic. Uses ExtractClaimsFromRequestContext by default`
			`func NewClaimsExtractor(e ExtractClaims) *ClaimsExtractor {`
			`var extractFunc ExtractClaims`
			`if extractFunc = e; extractFunc == nil {`
			`extractFunc = ExtractClaimsFromRequestContext`
			`}`

			`return &ClaimsExtractor{`
			`ExtractClaimsFromRequestContext: extractFunc,`
			`}`
			`}`

			`// ExtractClaimsFromRequestContext extracts claims from the request context previously filled by the JWT token (after auth)`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`func ExtractClaimsFromRequestContext(r *http.Request, authAudience string) AuthorizationClaims {`
OpenAPI specification and API Adjusts (#356) Introduced an OpenAPI specification. Updated API handlers to use the specification types. Added patch operation for rules and groups and methods to the account manager. HTTP PUT operations require id, fail if not provided. Use snake_case for HTTP request and response body 2022-06-14 10:32:54 +02:00			`if r.Context().Value(TokenUserProperty) == nil {`
			`return AuthorizationClaims{}`
			`}`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`token := r.Context().Value(TokenUserProperty).(*jwt.Token)`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`return ExtractClaimsWithToken(token, authAudience)`
			`}`

			`// ExtractClaimsWithToken extracts claims from the token (after auth)`
			`func ExtractClaimsWithToken(token *jwt.Token, authAudience string) AuthorizationClaims {`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`claims := token.Claims.(jwt.MapClaims)`
			`jwtClaims := AuthorizationClaims{}`
			`jwtClaims.UserId = claims[UserIDClaim].(string)`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`accountIdClaim, ok := claims[authAudience+AccountIDSuffix]`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`if ok {`
			`jwtClaims.AccountId = accountIdClaim.(string)`
			`}`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`domainClaim, ok := claims[authAudience+DomainIDSuffix]`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`if ok {`
			`jwtClaims.Domain = domainClaim.(string)`
			`}`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`domainCategoryClaim, ok := claims[authAudience+DomainCategorySuffix]`
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com> 2022-03-01 15:22:18 +01:00			`if ok {`
			`jwtClaims.DomainCategory = domainCategoryClaim.(string)`
			`}`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`return jwtClaims`
			`}`