netbird/management/server/jwtclaims/extractor.go

package jwtclaims

import (
	"net/http"
	"time"

	"github.com/golang-jwt/jwt"
)

const (
	// TokenUserProperty key for the user property in the request context
	TokenUserProperty = "user"
	// AccountIDSuffix suffix for the account id claim
	AccountIDSuffix = "wt_account_id"
	// DomainIDSuffix suffix for the domain id claim
	DomainIDSuffix = "wt_account_domain"
	// DomainCategorySuffix suffix for the domain category claim
	DomainCategorySuffix = "wt_account_domain_category"
	// UserIDClaim claim for the user id
	UserIDClaim = "sub"
	// LastLoginSuffix claim for the last login
	LastLoginSuffix = "nb_last_login"
	// Invited claim indicates that an incoming JWT is from a user that just accepted an invitation
	Invited = "nb_invited"
)

// ExtractClaims Extract function type
type ExtractClaims func(r *http.Request) AuthorizationClaims

// ClaimsExtractor struct that holds the extract function
type ClaimsExtractor struct {
	authAudience string
	userIDClaim  string

	FromRequestContext ExtractClaims
}

// ClaimsExtractorOption is a function that configures the ClaimsExtractor
type ClaimsExtractorOption func(*ClaimsExtractor)

// WithAudience sets the audience for the extractor
func WithAudience(audience string) ClaimsExtractorOption {
	return func(c *ClaimsExtractor) {
		c.authAudience = audience
	}
}

// WithUserIDClaim sets the user id claim for the extractor
func WithUserIDClaim(userIDClaim string) ClaimsExtractorOption {
	return func(c *ClaimsExtractor) {
		c.userIDClaim = userIDClaim
	}
}

// WithFromRequestContext sets the function that extracts claims from the request context
func WithFromRequestContext(ec ExtractClaims) ClaimsExtractorOption {
	return func(c *ClaimsExtractor) {
		c.FromRequestContext = ec
	}
}

// NewClaimsExtractor returns an extractor, and if provided with a function with ExtractClaims signature,
// then it will use that logic. Uses ExtractClaimsFromRequestContext by default
func NewClaimsExtractor(options ...ClaimsExtractorOption) *ClaimsExtractor {
	ce := &ClaimsExtractor{}
	for _, option := range options {
		option(ce)
	}
	if ce.FromRequestContext == nil {
		ce.FromRequestContext = ce.fromRequestContext
	}
	if ce.userIDClaim == "" {
		ce.userIDClaim = UserIDClaim
	}
	return ce
}

// FromToken extracts claims from the token (after auth)
func (c *ClaimsExtractor) FromToken(token *jwt.Token) AuthorizationClaims {
	claims := token.Claims.(jwt.MapClaims)
	jwtClaims := AuthorizationClaims{
		Raw: claims,
	}
	userID, ok := claims[c.userIDClaim].(string)
	if !ok {
		return jwtClaims
	}
	jwtClaims.UserId = userID
	accountIDClaim, ok := claims[c.authAudience+AccountIDSuffix]
	if ok {
		jwtClaims.AccountId = accountIDClaim.(string)
	}
	domainClaim, ok := claims[c.authAudience+DomainIDSuffix]
	if ok {
		jwtClaims.Domain = domainClaim.(string)
	}
	domainCategoryClaim, ok := claims[c.authAudience+DomainCategorySuffix]
	if ok {
		jwtClaims.DomainCategory = domainCategoryClaim.(string)
	}
	LastLoginClaimString, ok := claims[c.authAudience+LastLoginSuffix]
	if ok {
		jwtClaims.LastLogin = parseTime(LastLoginClaimString.(string))
	}
	invitedBool, ok := claims[c.authAudience+Invited]
	if ok {
		jwtClaims.Invited = invitedBool.(bool)
	}
	return jwtClaims
}

func parseTime(timeString string) time.Time {
	if timeString == "" {
		return time.Time{}
	}
	parsedTime, err := time.Parse(time.RFC3339, timeString)
	if err != nil {
		return time.Time{}
	}
	return parsedTime
}

// fromRequestContext extracts claims from the request context previously filled by the JWT token (after auth)
func (c *ClaimsExtractor) fromRequestContext(r *http.Request) AuthorizationClaims {
	if r.Context().Value(TokenUserProperty) == nil {
		return AuthorizationClaims{}
	}
	token := r.Context().Value(TokenUserProperty).(*jwt.Token)
	return c.FromToken(token)
}
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`package jwtclaims`

			`import (`
			`"net/http"`
Adding dashboard login activity (#1092) For better auditing this PR adds a dashboard login event to the management service. For that the user object was extended with a field for last login that is not actively saved to the database but kept in memory until next write. The information about the last login can be extracted from the JWT claims nb_last_login. This timestamp will be stored and compared on each API request. If the value changes we generate an event to inform about a login. 2023-08-18 19:23:11 +02:00			`"time"`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00
			`"github.com/golang-jwt/jwt"`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`)`

			`const (`
comments for codacy 2023-03-30 17:32:44 +02:00			`// TokenUserProperty key for the user property in the request context`
revert codacy 2023-03-30 18:54:55 +02:00			`TokenUserProperty = "user"`
comments for codacy 2023-03-30 17:32:44 +02:00			`// AccountIDSuffix suffix for the account id claim`
revert codacy 2023-03-30 18:54:55 +02:00			`AccountIDSuffix = "wt_account_id"`
comments for codacy 2023-03-30 17:32:44 +02:00			`// DomainIDSuffix suffix for the domain id claim`
revert codacy 2023-03-30 18:54:55 +02:00			`DomainIDSuffix = "wt_account_domain"`
comments for codacy 2023-03-30 17:32:44 +02:00			`// DomainCategorySuffix suffix for the domain category claim`
revert codacy 2023-03-30 18:54:55 +02:00			`DomainCategorySuffix = "wt_account_domain_category"`
comments for codacy 2023-03-30 17:32:44 +02:00			`// UserIDClaim claim for the user id`
revert codacy 2023-03-30 18:54:55 +02:00			`UserIDClaim = "sub"`
Adding dashboard login activity (#1092) For better auditing this PR adds a dashboard login event to the management service. For that the user object was extended with a field for last login that is not actively saved to the database but kept in memory until next write. The information about the last login can be extracted from the JWT claims nb_last_login. This timestamp will be stored and compared on each API request. If the value changes we generate an event to inform about a login. 2023-08-18 19:23:11 +02:00			`// LastLoginSuffix claim for the last login`
			`LastLoginSuffix = "nb_last_login"`
Redeem invite only when incoming user was invited (#1861) checks for users with pending invite status in the cache that already logged in and refresh the cache 2024-04-22 11:10:27 +02:00			`// Invited claim indicates that an incoming JWT is from a user that just accepted an invitation`
			`Invited = "nb_invited"`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`)`

revert codacy 2023-03-30 18:59:35 +02:00			`// ExtractClaims Extract function type`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`type ExtractClaims func(r *http.Request) AuthorizationClaims`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00
			`// ClaimsExtractor struct that holds the extract function`
			`type ClaimsExtractor struct {`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`authAudience string`
			`userIDClaim string`

			`FromRequestContext ExtractClaims`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`}`

Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`// ClaimsExtractorOption is a function that configures the ClaimsExtractor`
			`type ClaimsExtractorOption func(*ClaimsExtractor)`

			`// WithAudience sets the audience for the extractor`
			`func WithAudience(audience string) ClaimsExtractorOption {`
			`return func(c *ClaimsExtractor) {`
			`c.authAudience = audience`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`}`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`}`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`// WithUserIDClaim sets the user id claim for the extractor`
			`func WithUserIDClaim(userIDClaim string) ClaimsExtractorOption {`
			`return func(c *ClaimsExtractor) {`
			`c.userIDClaim = userIDClaim`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`}`
			`}`

Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`// WithFromRequestContext sets the function that extracts claims from the request context`
			`func WithFromRequestContext(ec ExtractClaims) ClaimsExtractorOption {`
			`return func(c *ClaimsExtractor) {`
			`c.FromRequestContext = ec`
OpenAPI specification and API Adjusts (#356) Introduced an OpenAPI specification. Updated API handlers to use the specification types. Added patch operation for rules and groups and methods to the account manager. HTTP PUT operations require id, fail if not provided. Use snake_case for HTTP request and response body 2022-06-14 10:32:54 +02:00			`}`
Adding peer registration support to JWT (#305) The management will validate the JWT as it does in the API and will register the Peer to the user's account. New fields were added to grpc messages in management and client daemon and its clients were updated Peer has one new field, UserID, that will hold the id of the user that registered it JWT middleware CheckJWT got a splitter and renamed to support validation for non HTTP requests Added test for adding new Peer with UserID Lots of tests update because of a new field 2022-05-05 20:02:15 +02:00			`}`

Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`// NewClaimsExtractor returns an extractor, and if provided with a function with ExtractClaims signature,`
			`// then it will use that logic. Uses ExtractClaimsFromRequestContext by default`
			`func NewClaimsExtractor(options ...ClaimsExtractorOption) *ClaimsExtractor {`
			`ce := &ClaimsExtractor{}`
			`for _, option := range options {`
			`option(ce)`
			`}`
			`if ce.FromRequestContext == nil {`
			`ce.FromRequestContext = ce.fromRequestContext`
			`}`
			`if ce.userIDClaim == "" {`
revert codacy 2023-03-30 18:59:35 +02:00			`ce.userIDClaim = UserIDClaim`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`}`
			`return ce`
			`}`

			`// FromToken extracts claims from the token (after auth)`
			`func (c ClaimsExtractor) FromToken(token jwt.Token) AuthorizationClaims {`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`claims := token.Claims.(jwt.MapClaims)`
JWT Groups support (#966) Get groups from the JWT tokens if the feature enabled for the account 2023-06-27 16:51:05 +02:00			`jwtClaims := AuthorizationClaims{`
			`Raw: claims,`
			`}`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`userID, ok := claims[c.userIDClaim].(string)`
			`if !ok {`
			`return jwtClaims`
			`}`
			`jwtClaims.UserId = userID`
revert codacy 2023-03-30 18:54:55 +02:00			`accountIDClaim, ok := claims[c.authAudience+AccountIDSuffix]`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`if ok {`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`jwtClaims.AccountId = accountIDClaim.(string)`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`}`
revert codacy 2023-03-30 18:54:55 +02:00			`domainClaim, ok := claims[c.authAudience+DomainIDSuffix]`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`if ok {`
			`jwtClaims.Domain = domainClaim.(string)`
			`}`
revert codacy 2023-03-30 18:54:55 +02:00			`domainCategoryClaim, ok := claims[c.authAudience+DomainCategorySuffix]`
Group users of same private domain (#243) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com> 2022-03-01 15:22:18 +01:00			`if ok {`
			`jwtClaims.DomainCategory = domainCategoryClaim.(string)`
			`}`
Adding dashboard login activity (#1092) For better auditing this PR adds a dashboard login event to the management service. For that the user object was extended with a field for last login that is not actively saved to the database but kept in memory until next write. The information about the last login can be extracted from the JWT claims nb_last_login. This timestamp will be stored and compared on each API request. If the value changes we generate an event to inform about a login. 2023-08-18 19:23:11 +02:00			`LastLoginClaimString, ok := claims[c.authAudience+LastLoginSuffix]`
			`if ok {`
			`jwtClaims.LastLogin = parseTime(LastLoginClaimString.(string))`
			`}`
Redeem invite only when incoming user was invited (#1861) checks for users with pending invite status in the cache that already logged in and refresh the cache 2024-04-22 11:10:27 +02:00			`invitedBool, ok := claims[c.authAudience+Invited]`
			`if ok {`
			`jwtClaims.Invited = invitedBool.(bool)`
			`}`
Jwtclaims package (#242) * Move JWTClaims logic to its own package * Add extractor tests 2022-02-23 20:02:02 +01:00			`return jwtClaims`
			`}`
Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00
Adding dashboard login activity (#1092) For better auditing this PR adds a dashboard login event to the management service. For that the user object was extended with a field for last login that is not actively saved to the database but kept in memory until next write. The information about the last login can be extracted from the JWT claims nb_last_login. This timestamp will be stored and compared on each API request. If the value changes we generate an event to inform about a login. 2023-08-18 19:23:11 +02:00			`func parseTime(timeString string) time.Time {`
			`if timeString == "" {`
			`return time.Time{}`
			`}`
			`parsedTime, err := time.Parse(time.RFC3339, timeString)`
			`if err != nil {`
			`return time.Time{}`
			`}`
			`return parsedTime`
			`}`

Feature: add custom id claim (#667) This feature allows using the custom claim in the JWT token as a user ID. Refactor claims extractor with options support Add is_current to the user API response 2023-02-03 21:47:20 +01:00			`// fromRequestContext extracts claims from the request context previously filled by the JWT token (after auth)`
			`func (c ClaimsExtractor) fromRequestContext(r http.Request) AuthorizationClaims {`
			`if r.Context().Value(TokenUserProperty) == nil {`
			`return AuthorizationClaims{}`
			`}`
			`token := r.Context().Value(TokenUserProperty).(*jwt.Token)`
			`return c.FromToken(token)`
			`}`