Deduplicate JWT header authenticator code

buildbarn · Feb 4, 2025 · d87ffa4 · d87ffa4
1 parent 7339d98
commit d87ffa4
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 79 deletions.
diff --git a/pkg/grpc/BUILD.bazel b/pkg/grpc/BUILD.bazel
@@ -14,7 +14,6 @@ go_library(
         "deduplicating_client_factory.go",
         "deny_authenticator.go",
         "jmespath_extractor.go",
-        "jwt_authenticator.go",
         "lazy_client_dialer.go",
         "metadata_adding_interceptor.go",
         "metadata_extracting_and_forwarding_interceptor.go",

diff --git a/pkg/grpc/authenticator.go b/pkg/grpc/authenticator.go
@@ -91,15 +91,15 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 		if err != nil {
 			return nil, false, false, util.StatusWrap(err, "Failed to create authorization header parser for JWT authentication policy")
 		}
-		return NewJWTAuthenticator(authorizationHeaderParser), false, false, nil
+		return NewRequestHeadersAuthenticator(authorizationHeaderParser, []string{jwt.AuthorizationHeaderName}), false, false, nil
 	case *configuration.AuthenticationPolicy_PeerCredentialsJmespathExpression:
 		metadataExtractor, err := jmespath.Compile(policyKind.PeerCredentialsJmespathExpression)
 		if err != nil {
 			return nil, false, false, util.StatusWrap(err, "Failed to compile peer credentials metadata extraction JMESPath expression")
 		}
 		return NewPeerCredentialsAuthenticator(metadataExtractor), true, false, nil
 	case *configuration.AuthenticationPolicy_Remote:
-		authenticator, err := NewRequestHeadersAuthenticatorFromConfiguration(policyKind.Remote.Backend, grpcClientFactory)
+		authenticator, err := NewRemoteRequestHeadersAuthenticatorFromConfiguration(policyKind.Remote.Backend, grpcClientFactory)
 		if err != nil {
 			return nil, false, false, err
 		}
@@ -109,10 +109,10 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 	}
 }
 
-// NewRequestHeadersAuthenticatorFromConfiguration creates an Authenticator that
-// forwards authentication requests to a remote gRPC service. This is a
-// convenient way to integrate custom authentication processes.
-func NewRequestHeadersAuthenticatorFromConfiguration(configuration *configuration.RemoteAuthenticationPolicy, grpcClientFactory ClientFactory) (auth.RequestHeadersAuthenticator, error) {
+// NewRemoteRequestHeadersAuthenticatorFromConfiguration creates an
+// Authenticator that forwards authentication requests to a remote gRPC service.
+// This is a convenient way to integrate custom authentication processes.
+func NewRemoteRequestHeadersAuthenticatorFromConfiguration(configuration *configuration.RemoteAuthenticationPolicy, grpcClientFactory ClientFactory) (auth.RequestHeadersAuthenticator, error) {
 	grpcClient, err := grpcClientFactory.NewClientFromConfiguration(configuration.Endpoint)
 	if err != nil {
 		return nil, util.StatusWrap(err, "Failed to create authenticator RPC client")

diff --git a/pkg/grpc/jwt_authenticator.go b/pkg/grpc/jwt_authenticator.go
diff --git a/pkg/http/BUILD.bazel b/pkg/http/BUILD.bazel
@@ -11,7 +11,6 @@ go_library(
         "configuration.go",
         "deny_authenticator.go",
         "header_adding_round_tripper.go",
-        "jwt_authenticator.go",
         "metrics_handler.go",
         "metrics_round_tripper.go",
         "oidc_authenticator.go",

diff --git a/pkg/http/authenticator.go b/pkg/http/authenticator.go
@@ -60,7 +60,11 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 		if err != nil {
 			return nil, util.StatusWrap(err, "Failed to create authorization header parser for JWT authentication policy")
 		}
-		return NewJWTAuthenticator(authorizationHeaderParser), nil
+		authenticator, err := NewRequestHeadersAuthenticator(authorizationHeaderParser, []string{jwt.AuthorizationHeaderName})
+		if err != nil {
+			return nil, util.StatusWrap(err, "Failed to create request headers authenticator for JWT authentication policy")
+		}
+		return authenticator, nil
 	case *configuration.AuthenticationPolicy_Oidc:
 		// Select a name and encryption key for the session
 		// state cookie. Even though the configuration has a
@@ -126,7 +130,7 @@ func NewAuthenticatorFromConfiguration(policy *configuration.AuthenticationPolic
 		}
 		return NewAcceptHeaderAuthenticator(base, policyKind.AcceptHeader.MediaTypes), nil
 	case *configuration.AuthenticationPolicy_Remote:
-		backend, err := grpc.NewRequestHeadersAuthenticatorFromConfiguration(policyKind.Remote.Backend, grpcClientFactory)
+		backend, err := grpc.NewRemoteRequestHeadersAuthenticatorFromConfiguration(policyKind.Remote.Backend, grpcClientFactory)
 		if err != nil {
 			return nil, err
 		}

diff --git a/pkg/http/jwt_authenticator.go b/pkg/http/jwt_authenticator.go
diff --git a/pkg/jwt/authorization_header_parser.go b/pkg/jwt/authorization_header_parser.go
@@ -1,6 +1,7 @@
 package jwt
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"log"
@@ -13,8 +14,14 @@ import (
 	"github.com/buildbarn/bb-storage/pkg/clock"
 	"github.com/buildbarn/bb-storage/pkg/eviction"
 	"github.com/jmespath/go-jmespath"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
+// AuthorizationHeaderName is the name of the HTTP header that contains
+// the JSON Web Token.
+const AuthorizationHeaderName = "Authorization"
+
 // Pattern of authorization headers from which to extract a JSON Web Token.
 var jwtHeaderPattern = regexp.MustCompile("^Bearer\\s+(([-_a-zA-Z0-9]+)\\.([-_a-zA-Z0-9]+))\\.([-_a-zA-Z0-9]+)$")
 
@@ -83,6 +90,15 @@ func jsonNumberAsTimestamp(n *json.Number) (time.Time, error) {
 	return time.Unix(int64(i), int64(frac*1e9)), nil
 }
 
+// Authenticate is the implementation of RequestHeadersAuthenticator.Authenticate.
+func (a *AuthorizationHeaderParser) Authenticate(ctx context.Context, headers map[string][]string) (*auth.AuthenticationMetadata, error) {
+	metadata, ok := a.ParseAuthorizationHeaders(headers[AuthorizationHeaderName])
+	if !ok {
+		return nil, status.Error(codes.Unauthenticated, "No valid authorization header containing a bearer token provided")
+	}
+	return metadata, nil
+}
+
 func (a *AuthorizationHeaderParser) parseSingleAuthorizationHeader(header string, now time.Time) response {
 	match := jwtHeaderPattern.FindStringSubmatch(header)
 	if match == nil {