Unify middleware and tokens claim model (#98)

**What**
- use the authorization.Claims model in the tokens creator
- Expand claims validation tests
- Expand authorization middleware test cases

Signed-off-by: Lucas Roesler <[email protected]>

Author: LucasRoesler

README.md

@@ -1,6 +1,6 @@
 # Contiamo Go base
-[![GoDoc](https://godoc.org/github.com/contiamo/go-base/v2?status.png)](https://godoc.org/github.com/contiamo/go-base/v2)
-[![Go Report Card](https://goreportcard.com/badge/github.com/contiamo/go-base/v2)](https://goreportcard.com/report/github.com/contiamo/go-base/v2)
+[![GoDoc](https://godoc.org/github.com/contiamo/go-base/v3?status.png)](https://godoc.org/github.com/contiamo/go-base/v3)
+[![Go Report Card](https://goreportcard.com/badge/github.com/contiamo/go-base/v3)](https://goreportcard.com/report/github.com/contiamo/go-base/v3)
 [![CircleCI](https://circleci.com/gh/contiamo/go-base/tree/master.svg?style=svg)](https://circleci.com/gh/contiamo/go-base/tree/master)
 
 This module contains common packages for Contiamo projects written in Go. Once, some of the projects introduce a pattern/approach which is worth re-using it's getting added here.

pkg/db/migrations/doc.go

@@ -38,7 +38,7 @@ Additionally, you will need to setup the assets_dev.go and migrations.go files.
 	import (
 		"net/http"
 
-		"github.com/contiamo/go-base/v2/pkg/fileutils/union"
+		"github.com/contiamo/go-base/v3/pkg/fileutils/union"
 	)
 
 	// Assets contains the static SQL file assets for setup and migrations
@@ -54,8 +54,8 @@ and then
 	package db
 
 	import (
-		"github.com/contiamo/go-base/v2/pkg/db/migrations"
-		"github.com/contiamo/go-base/v2/pkg/queue/postgres"
+		"github.com/contiamo/go-base/v3/pkg/db/migrations"
+		"github.com/contiamo/go-base/v3/pkg/queue/postgres"
 		"github.com/contiamo/app/pkg/config"
 	)
 

pkg/http/middlewares/authorization/claims.go

@@ -4,9 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"time"
 
 	"github.com/contiamo/jwt"
 	uuid "github.com/satori/go.uuid"
+	"github.com/sirupsen/logrus"
 )
 
 // authContextKey is an unexported type for keys defined in middleware.
@@ -28,51 +30,85 @@ var (
 	}
 )
 
-// Claims represents the expected claims that should be in a JWT sent to labs
-//
-// The IDP defined the token as
-// type RequestToken struct {
-// 	ID               string   `protobuf:"bytes,1,opt,name=ID,json=id,proto3" json:"ID,omitempty"`
-// 	IssuedAt         float64  `protobuf:"fixed64,2,opt,name=IssuedAt,json=iat,proto3" json:"IssuedAt,omitempty"`
-// 	NotBefore        float64  `protobuf:"fixed64,3,opt,name=NotBefore,json=nbf,proto3" json:"NotBefore,omitempty"`
-// 	Expires          float64  `protobuf:"fixed64,4,opt,name=Expires,json=exp,proto3" json:"Expires,omitempty"`
-// 	Issuer           string   `protobuf:"bytes,5,opt,name=Issuer,json=iss,proto3" json:"Issuer,omitempty"`
-// 	UserID           string   `protobuf:"bytes,6,opt,name=UserID,json=sub,proto3" json:"UserID,omitempty"`
-// 	UserName         string   `protobuf:"bytes,7,opt,name=UserName,json=name,proto3" json:"UserName,omitempty"`
-// 	TenantID         string   `protobuf:"bytes,8,opt,name=TenantID,json=tenantID,proto3" json:"TenantID,omitempty"`
-// 	Email            string   `protobuf:"bytes,9,opt,name=Email,json=email,proto3" json:"Email,omitempty"`
-// 	RealmIDs         []string `protobuf:"bytes,10,rep,name=RealmIDs,json=realmIDs,proto3" json:"RealmIDs,omitempty"`
-// 	GroupIDs         []string `protobuf:"bytes,11,rep,name=GroupIDs,json=groupIDs,proto3" json:"GroupIDs,omitempty"`
-// 	ResourceTokenIDs []string `protobuf:"bytes,12,rep,name=ResourceTokenIDs,json=resourceTokenIDs,proto3" json:"ResourceTokenIDs,omitempty"`
-// 	AllowedIPs       []string `protobuf:"bytes,13,rep,name=AllowedIPs,json=allowedIPs,proto3" json:"AllowedIPs,omitempty"`
-// 	IsTenantAdmin    bool     `protobuf:"varint,14,opt,name=IsTenantAdmin,json=isTenantAdmin,proto3" json:"IsTenantAdmin,omitempty"`
-// 	AdminRealmIDs    []string `protobuf:"bytes,15,rep,name=AdminRealmIDs,json=adminRealmIDs,proto3" json:"AdminRealmIDs,omitempty"`
-// 	AuthenticationMethodReferences []string `protobuf:"bytes,16,rep,name=AuthenticationMethodReferences,json=amr,proto3" json:"AuthenticationMethodReferences,omitempty"`
-// }
+// Claims represents the expected claims that should be in JWT claims of an X-Request-Token
 type Claims struct {
-	ID                             string    `json:"id"`
-	IssuedAt                       Timestamp `json:"iat"`
-	NotBefore                      Timestamp `json:"nbf"`
-	Expires                        Timestamp `json:"exp"`
-	Issuer                         string    `json:"iss"`
-	UserID                         string    `json:"sub"`
-	UserName                       string    `json:"name"`
-	TenantID                       string    `json:"tenantID"`
-	Email                          string    `json:"email"`
-	RealmIDs                       []string  `json:"realmIDs"`
-	GroupIDs                       []string  `json:"groupIDs"`
-	ResourceTokenIDs               []string  `json:"resourceTokenIDs"`
-	AllowedIPs                     []string  `json:"allowedIPs"`
-	IsTenantAdmin                  bool      `json:"isTenantAdmin"`
-	AdminRealmIDs                  []string  `json:"adminRealmIDs"`
-	SourceToken                    string    `json:"-"`
-	AuthenticationMethodReferences []string  `json:"amr"`
+	// standard oidc claims
+	ID        string    `json:"id"`
+	Issuer    string    `json:"iss"`
+	IssuedAt  Timestamp `json:"iat"`
+	NotBefore Timestamp `json:"nbf"`
+	Expires   Timestamp `json:"exp"`
+	Audience  string    `json:"aud,omitempty"`
+
+	UserID   string `json:"sub"`
+	UserName string `json:"name"`
+	Email    string `json:"email"`
+
+	// Contiamo specific claims
+	TenantID      string   `json:"tenantID"`
+	RealmIDs      []string `json:"realmIDs"`
+	GroupIDs      []string `json:"groupIDs"`
+	AllowedIPs    []string `json:"allowedIPs"`
+	IsTenantAdmin bool     `json:"isTenantAdmin"`
+	AdminRealmIDs []string `json:"adminRealmIDs"`
+
+	AuthenticationMethodReferences []string `json:"amr"`
+	// AuthorizedParty is used to indicate that the request is authorizing as a
+	// service request, giving it super-admin privileges to completely any request.
+	// This replaces the "project admin" behavior of the current tokens.
+	AuthorizedParty string `json:"azp,omitempty"`
+
+	// SourceToken is for internal usage only
+	SourceToken string `json:"-"`
 }
 
 // Valid tests if the Claims object contains the minimal required information
 // to be used for authorization checks.
+//
+// Deprecated: Use the Validate method to get a precise error message. This
+// method remains for backward compatibility.
 func (a *Claims) Valid() bool {
-	return a.UserID != "" || len(a.ResourceTokenIDs) > 0
+
+	return a.Validate() == nil
+}
+
+// Validate verifies the token claims.
+func (a Claims) Validate() (err error) {
+	defer func() {
+		logrus.WithError(err).Error("claims validation error")
+	}()
+
+	now := TimeFunc()
+
+	// this validation is specific to contiamo
+	if a.UserID == "" {
+		return ErrMissingSub
+	}
+
+	// the middleware parsing will generally run this validation, but
+	// adding it here marks the exp as a required claim
+	if !a.VerifyExpiresAt(now, true) {
+		return ErrExpiration
+	}
+
+	// the middleware parsing will generally run this validation, but
+	// adding it here marks the nbf as a required claim
+	if !a.VerifyNotBefore(now, true) {
+		return ErrTooEarly
+	}
+
+	// the middleware parsing will generally run this validation, but
+	// adding it here marks the iat as a required claim
+	if !a.VerifyIssuedAt(now, true) {
+		return ErrTooSoon
+	}
+
+	// this validation is specific to contiamo
+	if !a.VerifyAuthorizedParty() {
+		return ErrInvalidParty
+	}
+
+	return nil
 }
 
 // FromClaimsMap loads the claim information from a jwt.Claims object, this is a simple
@@ -112,10 +148,62 @@ func (a *Claims) ToJWT(privateKey interface{}) (string, error) {
 func (a *Claims) Entities() (entities []string) {
 	entities = append(entities, a.UserID)
 	entities = append(entities, a.GroupIDs...)
-	entities = append(entities, a.ResourceTokenIDs...)
 	return entities
 }
 
+// VerifyAudience compares the aud claim against cmp.
+func (a Claims) VerifyAudience(cmp string, required bool) bool {
+	if a.Audience == "" {
+		return !required
+	}
+
+	return a.Audience == cmp
+}
+
+// VerifyExpiresAt compares the exp claim against the cmp time.
+func (a Claims) VerifyExpiresAt(cmp time.Time, required bool) bool {
+	if a.Expires.time.IsZero() {
+		return !required
+	}
+
+	return cmp.Before(a.Expires.time)
+}
+
+// VerifyNotBefore compares the nbf claim against the cmp time.
+func (a Claims) VerifyNotBefore(cmp time.Time, required bool) bool {
+	if a.NotBefore.time.IsZero() {
+		return !required
+	}
+
+	return cmp.After(a.NotBefore.time) || cmp.Equal(a.NotBefore.time)
+}
+
+// VerifyIssuedAt compares the iat claim against the cmp time.
+func (a Claims) VerifyIssuedAt(cmp time.Time, required bool) bool {
+	if a.IssuedAt.time.IsZero() {
+		return !required
+	}
+
+	return cmp.After(a.IssuedAt.time) || cmp.Equal(a.IssuedAt.time)
+}
+
+// VerifyIssuer compares the iss claim against cmp.
+func (a Claims) VerifyIssuer(cmp string, required bool) bool {
+	if a.Issuer == "" {
+		return !required
+	}
+
+	return a.Issuer == cmp
+}
+
+// VerifyAuthorizedParty verify that azp matches the iss value, if set.
+func (a Claims) VerifyAuthorizedParty() bool {
+	if a.AuthorizedParty == "" {
+		return true
+	}
+	return a.VerifyIssuer(a.AuthorizedParty, true)
+}
+
 // GetClaims retrieves the Claims object from the request context
 func GetClaims(r *http.Request) (Claims, bool) {
 	claims, ok := GetClaimsFromCtx(r.Context())

pkg/http/middlewares/authorization/claims_test.go

@@ -4,56 +4,80 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 )
 
 func Test_Valid(t *testing.T) {
+	// Freeze time
+	now := time.Now()
+	TimeFunc = func() time.Time {
+		return now
+	}
+
 	cases := []struct {
 		name   string
 		claims Claims
-		valid  bool
+		err    error
 	}{
 		{
 			name:   "Empty claims should not be valid",
 			claims: Claims{},
-			valid:  false,
+			err:    ErrMissingSub,
+		},
+		{
+			name: "Invalid if used before the iat",
+			claims: Claims{
+				UserID:    "this is a test id",
+				IssuedAt:  FromTime(now.Add(2 * time.Second)),
+				Expires:   FromTime(now.Add(5 * time.Second)),
+				NotBefore: FromTime(now.Add(-1 * time.Second)),
+			},
+			err: ErrTooSoon,
 		},
 		{
-			name: "If the user ID is set it's valid",
+			name: "Invalid if used before the nbf",
 			claims: Claims{
-				UserID: "this is a test id",
+				UserID:    "this is a test id",
+				IssuedAt:  FromTime(now.Add(-1 * time.Second)),
+				Expires:   FromTime(now.Add(5 * time.Second)),
+				NotBefore: FromTime(now.Add(1 * time.Second)),
 			},
-			valid: true,
+			err: ErrTooEarly,
 		},
 		{
-			name: "If the resource token ID is set it's valid",
+			name: "Invalid if used after exp",
 			claims: Claims{
-				ResourceTokenIDs: []string{"abc123"},
+				UserID:    "this is a test id",
+				IssuedAt:  FromTime(now.Add(-5 * time.Second)),
+				Expires:   FromTime(now.Add(-1 * time.Second)),
+				NotBefore: FromTime(now.Add(-5 * time.Second)),
 			},
-			valid: true,
+			err: ErrExpiration,
 		},
 		{
-			name: "If the user ID and resource token ID are set it's valid",
+			name: "minimally valid claims requires sub, iat, exp, and nbf",
 			claims: Claims{
-				UserID:           "this is a test id",
-				ResourceTokenIDs: []string{"abc123"},
+				UserID:    "this is a test id",
+				IssuedAt:  FromTime(now.Add(-1 * time.Second)),
+				Expires:   FromTime(now.Add(time.Second)),
+				NotBefore: FromTime(now.Add(-1 * time.Second)),
 			},
-			valid: true,
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			require.Equal(t, tc.valid, tc.claims.Valid())
+			require.Equal(t, tc.claims.Validate(), tc.err)
+			require.Equal(t, tc.err == nil, tc.claims.Valid())
 		})
 	}
 }
 
 func Test_SetGetClaims(t *testing.T) {
 	r := httptest.NewRequest(http.MethodGet, "/", nil)
 	claims := Claims{
-		UserID:           "my user ID",
-		ResourceTokenIDs: []string{"some", "other", "resource", "token"},
+		UserID: "my user ID",
 	}
 	r = SetClaims(r, claims)
 	extractedClaims, ok := GetClaims(r)
@@ -63,9 +87,8 @@ func Test_SetGetClaims(t *testing.T) {
 
 func Test_Entities(t *testing.T) {
 	claims := Claims{
-		UserID:           "user-id",
-		GroupIDs:         []string{"group-first", "group-second", "group-third"},
-		ResourceTokenIDs: []string{"res-first", "res-second"},
+		UserID:   "user-id",
+		GroupIDs: []string{"group-first", "group-second", "group-third"},
 	}
 
 	require.Equal(
@@ -75,18 +98,15 @@ func Test_Entities(t *testing.T) {
 			"group-first",
 			"group-second",
 			"group-third",
-			"res-first",
-			"res-second",
 		},
 		claims.Entities(),
 	)
 }
 
 func Test_FromToClaims(t *testing.T) {
 	claims := Claims{
-		UserID:           "user-id",
-		GroupIDs:         []string{"group-first", "group-second", "group-third"},
-		ResourceTokenIDs: []string{"res-first", "res-second"},
+		UserID:   "user-id",
+		GroupIDs: []string{"group-first", "group-second", "group-third"},
 	}
 	jwtClaims, err := claims.ToClaims()
 	require.NoError(t, err)
@@ -95,15 +115,10 @@ func Test_FromToClaims(t *testing.T) {
 		[]interface{}{"group-first", "group-second", "group-third"},
 		jwtClaims["groupIDs"],
 	)
-	require.Equal(t,
-		[]interface{}{"res-first", "res-second"},
-		jwtClaims["resourceTokenIDs"],
-	)
 
 	// edit the exported map and try to import its values
 	jwtClaims["sub"] = "new-user-id"
 	jwtClaims["groupIDs"] = []interface{}{"new-group-first", "new-group-second"}
-	jwtClaims["resourceTokenIDs"] = []interface{}{"new-res-first", "new-res-second"}
 
 	err = claims.FromClaimsMap(jwtClaims)
 	require.NoError(t, err)
@@ -113,9 +128,4 @@ func Test_FromToClaims(t *testing.T) {
 		[]string{"new-group-first", "new-group-second"},
 		claims.GroupIDs,
 	)
-	require.Equal(
-		t,
-		[]string{"new-res-first", "new-res-second"},
-		claims.ResourceTokenIDs,
-	)
 }

pkg/http/middlewares/authorization/errors.go

@@ -0,0 +1,12 @@
+package authorization
+
+import "github.com/pkg/errors"
+
+// Validation error constants
+var (
+	ErrMissingSub   = errors.New("sub is required")
+	ErrExpiration   = errors.New("invalid exp")
+	ErrTooEarly     = errors.New("token is not valid yet")
+	ErrTooSoon      = errors.New("token used before issued")
+	ErrInvalidParty = errors.New("invalid authorized party")
+)