[management] refactor auth (#3296)

2025-08-16 01:58:16 +02:00 · 2025-02-20 20:24:40 +00:00
parent d7d5b1b1d6
commit 77e40f41f2
64 changed files with 2085 additions and 1937 deletions
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@ -2,8 +2,6 @@ package server

 import (
 	"context"
-	"crypto/sha256"
-	b64 "encoding/base64"
 	"encoding/json"
 	"fmt"
 	"io"
@ -15,8 +13,6 @@ import (
 	"testing"
 	"time"

-	"github.com/golang-jwt/jwt"
-
 	"github.com/netbirdio/netbird/management/server/util"

 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
@ -30,7 +26,7 @@ import (

 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
@ -437,7 +433,7 @@ func TestAccountManager_GetOrCreateAccountByUser(t *testing.T) {
 }

 func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
-	type initUserParams jwtclaims.AuthorizationClaims
+	type initUserParams nbcontext.UserAuth

 	var (
 		publicDomain  = "public.com"
@ -460,7 +456,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {

 	testCases := []struct {
 		name                        string
-		inputClaims                 jwtclaims.AuthorizationClaims
+		inputClaims                 nbcontext.UserAuth
 		inputInitUserParams         initUserParams
 		inputUpdateAttrs            bool
 		inputUpdateClaimAccount     bool
@ -475,7 +471,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 	}{
 		{
 			name: "New User With Public Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         publicDomain,
 				UserId:         "pub-domain-user",
 				DomainCategory: types.PublicCategory,
@ -492,7 +488,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		},
 		{
 			name: "New User With Unknown Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         unknownDomain,
 				UserId:         "unknown-domain-user",
 				DomainCategory: types.UnknownCategory,
@ -509,7 +505,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		},
 		{
 			name: "New User With Private Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         privateDomain,
 				UserId:         "pvt-domain-user",
 				DomainCategory: types.PrivateCategory,
@ -526,7 +522,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		},
 		{
 			name: "New Regular User With Existing Private Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         privateDomain,
 				UserId:         "new-pvt-domain-user",
 				DomainCategory: types.PrivateCategory,
@ -544,7 +540,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		},
 		{
 			name: "Existing User With Existing Reclassified Private Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         defaultInitAccount.Domain,
 				UserId:         defaultInitAccount.UserId,
 				DomainCategory: types.PrivateCategory,
@ -561,7 +557,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		},
 		{
 			name: "Existing Account Id With Existing Reclassified Private Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         defaultInitAccount.Domain,
 				UserId:         defaultInitAccount.UserId,
 				DomainCategory: types.PrivateCategory,
@ -579,7 +575,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 		},
 		{
 			name: "User With Private Category And Empty Domain",
-			inputClaims: jwtclaims.AuthorizationClaims{
+			inputClaims: nbcontext.UserAuth{
 				Domain:         "",
 				UserId:         "pvt-domain-user",
 				DomainCategory: types.PrivateCategory,
@ -608,7 +604,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 			require.NoError(t, err, "get init account failed")

 			if testCase.inputUpdateAttrs {
-				err = manager.updateAccountDomainAttributesIfNotUpToDate(context.Background(), initAccount.Id, jwtclaims.AuthorizationClaims{UserId: testCase.inputInitUserParams.UserId, Domain: testCase.inputInitUserParams.Domain, DomainCategory: testCase.inputInitUserParams.DomainCategory}, true)
+				err = manager.updateAccountDomainAttributesIfNotUpToDate(context.Background(), initAccount.Id, nbcontext.UserAuth{UserId: testCase.inputInitUserParams.UserId, Domain: testCase.inputInitUserParams.Domain, DomainCategory: testCase.inputInitUserParams.DomainCategory}, true)
 				require.NoError(t, err, "update init user failed")
 			}

@ -616,7 +612,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 				testCase.inputClaims.AccountId = initAccount.Id
 			}

-			accountID, _, err = manager.GetAccountIDFromToken(context.Background(), testCase.inputClaims)
+			accountID, _, err = manager.GetAccountIDFromUserAuth(context.Background(), testCase.inputClaims)
 			require.NoError(t, err, "support function failed")

 			account, err := manager.Store.GetAccount(context.Background(), accountID)
@ -635,14 +631,12 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 	}
 }

-func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
+func TestDefaultAccountManager_SyncUserJWTGroups(t *testing.T) {
 	userId := "user-id"
 	domain := "test.domain"
-
 	_ = newAccountWithId(context.Background(), "", userId, domain)
 	manager, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
-
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userId, domain)
 	require.NoError(t, err, "create init user failed")
 	// as initAccount was created without account id we have to take the id after account initialization
@ -650,65 +644,50 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 	// it is important to set the id as it help to avoid creating additional account with empty Id and re-pointing indices to it
 	initAccount, err := manager.Store.GetAccount(context.Background(), accountID)
 	require.NoError(t, err, "get init account failed")
-
-	claims := jwtclaims.AuthorizationClaims{
+	claims := nbcontext.UserAuth{
 		AccountId:      accountID, // is empty as it is based on accountID right after initialization of initAccount
 		Domain:         domain,
 		UserId:         userId,
 		DomainCategory: "test-category",
-		Raw:            jwt.MapClaims{"idp-groups": []interface{}{"group1", "group2"}},
+		Groups:         []string{"group1", "group2"},
 	}
-
 	t.Run("JWT groups disabled", func(t *testing.T) {
-		accountID, _, err := manager.GetAccountIDFromToken(context.Background(), claims)
-		require.NoError(t, err, "get account by token failed")
-
+		err := manager.SyncUserJWTGroups(context.Background(), claims)
+		require.NoError(t, err, "synt user jwt groups failed")
 		account, err := manager.Store.GetAccount(context.Background(), accountID)
 		require.NoError(t, err, "get account failed")
-
 		require.Len(t, account.Groups, 1, "only ALL group should exists")
 	})
-
 	t.Run("JWT groups enabled without claim name", func(t *testing.T) {
 		initAccount.Settings.JWTGroupsEnabled = true
 		err := manager.Store.SaveAccount(context.Background(), initAccount)
 		require.NoError(t, err, "save account failed")
 		require.Len(t, manager.Store.GetAllAccounts(context.Background()), 1, "only one account should exist")
-
-		accountID, _, err := manager.GetAccountIDFromToken(context.Background(), claims)
-		require.NoError(t, err, "get account by token failed")
-
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
+		require.NoError(t, err, "synt user jwt groups failed")
 		account, err := manager.Store.GetAccount(context.Background(), accountID)
 		require.NoError(t, err, "get account failed")
-
 		require.Len(t, account.Groups, 1, "if group claim is not set no group added from JWT")
 	})
-
 	t.Run("JWT groups enabled", func(t *testing.T) {
 		initAccount.Settings.JWTGroupsEnabled = true
 		initAccount.Settings.JWTGroupsClaimName = "idp-groups"
 		err := manager.Store.SaveAccount(context.Background(), initAccount)
 		require.NoError(t, err, "save account failed")
 		require.Len(t, manager.Store.GetAllAccounts(context.Background()), 1, "only one account should exist")
-
-		accountID, _, err := manager.GetAccountIDFromToken(context.Background(), claims)
-		require.NoError(t, err, "get account by token failed")
-
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
+		require.NoError(t, err, "synt user jwt groups failed")
 		account, err := manager.Store.GetAccount(context.Background(), accountID)
 		require.NoError(t, err, "get account failed")
-
 		require.Len(t, account.Groups, 3, "groups should be added to the account")
-
 		groupsByNames := map[string]*types.Group{}
 		for _, g := range account.Groups {
 			groupsByNames[g.Name] = g
 		}
-
 		g1, ok := groupsByNames["group1"]
 		require.True(t, ok, "group1 should be added to the account")
 		require.Equal(t, g1.Name, "group1", "group1 name should match")
 		require.Equal(t, g1.Issued, types.GroupIssuedJWT, "group1 issued should match")
-
 		g2, ok := groupsByNames["group2"]
 		require.True(t, ok, "group2 should be added to the account")
 		require.Equal(t, g2.Name, "group2", "group2 name should match")
@ -716,88 +695,6 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 	})
 }

-func TestAccountManager_GetAccountFromPAT(t *testing.T) {
-	store, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-	if err != nil {
-		t.Fatalf("Error when creating store: %s", err)
-	}
-	t.Cleanup(cleanup)
-	account := newAccountWithId(context.Background(), "account_id", "testuser", "")
-
-	token := "nbp_9999EUDNdkeusjentDLSJEn1902u84390W6W"
-	hashedToken := sha256.Sum256([]byte(token))
-	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	account.Users["someUser"] = &types.User{
-		Id: "someUser",
-		PATs: map[string]*types.PersonalAccessToken{
-			"tokenId": {
-				ID:          "tokenId",
-				UserID:      "someUser",
-				HashedToken: encodedHashedToken,
-			},
-		},
-	}
-	err = store.SaveAccount(context.Background(), account)
-	if err != nil {
-		t.Fatalf("Error when saving account: %s", err)
-	}
-
-	am := DefaultAccountManager{
-		Store: store,
-	}
-
-	user, pat, _, _, err := am.GetPATInfo(context.Background(), token)
-	if err != nil {
-		t.Fatalf("Error when getting Account from PAT: %s", err)
-	}
-
-	assert.Equal(t, "account_id", user.AccountID)
-	assert.Equal(t, "someUser", user.Id)
-	assert.Equal(t, account.Users["someUser"].PATs["tokenId"].ID, pat.ID)
-}
-
-func TestDefaultAccountManager_MarkPATUsed(t *testing.T) {
-	store, cleanup, err := store.NewTestStoreFromSQL(context.Background(), "", t.TempDir())
-	if err != nil {
-		t.Fatalf("Error when creating store: %s", err)
-	}
-	t.Cleanup(cleanup)
-
-	account := newAccountWithId(context.Background(), "account_id", "testuser", "")
-
-	token := "nbp_9999EUDNdkeusjentDLSJEn1902u84390W6W"
-	hashedToken := sha256.Sum256([]byte(token))
-	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	account.Users["someUser"] = &types.User{
-		Id: "someUser",
-		PATs: map[string]*types.PersonalAccessToken{
-			"tokenId": {
-				ID:          "tokenId",
-				HashedToken: encodedHashedToken,
-			},
-		},
-	}
-	err = store.SaveAccount(context.Background(), account)
-	if err != nil {
-		t.Fatalf("Error when saving account: %s", err)
-	}
-
-	am := DefaultAccountManager{
-		Store: store,
-	}
-
-	err = am.MarkPATUsed(context.Background(), "tokenId")
-	if err != nil {
-		t.Fatalf("Error when marking PAT used: %s", err)
-	}
-
-	account, err = am.Store.GetAccount(context.Background(), "account_id")
-	if err != nil {
-		t.Fatalf("Error when getting account: %s", err)
-	}
-	assert.True(t, !account.Users["someUser"].PATs["tokenId"].GetLastUsed().IsZero())
-}
-
 func TestAccountManager_PrivateAccount(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
@ -962,13 +859,13 @@ func TestAccountManager_DeleteAccount(t *testing.T) {
 }

 func BenchmarkTest_GetAccountWithclaims(b *testing.B) {
-	claims := jwtclaims.AuthorizationClaims{
+	claims := nbcontext.UserAuth{
 		Domain:         "example.com",
 		UserId:         "pvt-domain-user",
 		DomainCategory: types.PrivateCategory,
 	}

-	publicClaims := jwtclaims.AuthorizationClaims{
+	publicClaims := nbcontext.UserAuth{
 		Domain:         "test.com",
 		UserId:         "public-domain-user",
 		DomainCategory: types.PublicCategory,
@ -2683,11 +2580,13 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	assert.NoError(t, manager.Store.SaveAccount(context.Background(), account), "unable to save account")

 	t.Run("skip sync for token auth type", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{"group3"}, "is_token": true},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{"group3"},
+			IsPAT:     true,
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2696,11 +2595,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("empty jwt groups", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{},
 		}
-		err := manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err := manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2709,11 +2609,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("jwt match existing api group", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{"group1"}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{"group1"},
 		}
-		err := manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err := manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2729,11 +2630,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 		account.Users["user1"].AutoGroups = []string{"group1"}
 		assert.NoError(t, manager.Store.SaveUser(context.Background(), store.LockingStrengthUpdate, account.Users["user1"]))

-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{"group1"}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{"group1"},
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2746,11 +2648,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("add jwt group", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{"group1", "group2"}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{"group1", "group2"},
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2759,11 +2662,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("existed group not update", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{"group2"}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{"group2"},
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2772,11 +2676,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("add new group", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user2",
-			Raw:    jwt.MapClaims{"groups": []interface{}{"group1", "group3"}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user2",
+			AccountId: "accountID",
+			Groups:    []string{"group1", "group3"},
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		groups, err := manager.Store.GetAccountGroups(context.Background(), store.LockingStrengthShare, "accountID")
@ -2789,11 +2694,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("remove all JWT groups when list is empty", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user1",
-			Raw:    jwt.MapClaims{"groups": []interface{}{}},
+		claims := nbcontext.UserAuth{
+			UserId:    "user1",
+			AccountId: "accountID",
+			Groups:    []string{},
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user1")
@ -2803,11 +2709,12 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 	})

 	t.Run("remove all JWT groups when claim does not exist", func(t *testing.T) {
-		claims := jwtclaims.AuthorizationClaims{
-			UserId: "user2",
-			Raw:    jwt.MapClaims{},
+		claims := nbcontext.UserAuth{
+			UserId:    "user2",
+			AccountId: "accountID",
+			Groups:    []string{},
 		}
-		err = manager.syncJWTGroups(context.Background(), "accountID", claims)
+		err = manager.SyncUserJWTGroups(context.Background(), claims)
 		assert.NoError(t, err, "unable to sync jwt groups")

 		user, err := manager.Store.GetUserByUserID(context.Background(), store.LockingStrengthShare, "user2")