From 353052f71d0b4b06a9a16ab57bcc60f223fbeba6 Mon Sep 17 00:00:00 2001 From: Jagdeep Singh Date: Sun, 6 Jun 2021 11:30:27 -0400 Subject: [PATCH] added auth --- auth.go | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ go.mod | 6 +- go.sum | 13 ++++ 3 files changed, 203 insertions(+), 1 deletion(-) create mode 100644 auth.go diff --git a/auth.go b/auth.go new file mode 100644 index 0000000..4910f26 --- /dev/null +++ b/auth.go @@ -0,0 +1,185 @@ +package goapi + +import ( + "context" + "errors" + "fmt" + "log" + "net/http" + "runtime/debug" + "strings" + + "cloud.google.com/go/spanner" + firebase "firebase.google.com/go" +) + +func (config *Config) Authenticate(req *http.Request, accountIDs []string) (authorizedAccountIDs []string, err error) { + urlQuery := req.URL.Query() + + // Get API Key from headers or from URL parameters + apiKey := req.Header.Get("X-API-KEY") + if apiKey == "" { + apiKey = urlQuery.Get("api_key") + } + + if apiKey != "" { + authorizedAccountIDs, err = config.AuthorizeApiKey(apiKey, accountIDs) + if err != nil { + return + } + } else { + var userEmail string + + // Verify GIP ID Token and get the current user ID + userEmail, err = VerifyToken(req.Header.Get("Authorization")) + if err != nil { + return + } + + // Find account IDs and permissions for current user + authorizedAccountIDs, err = config.AuthorizeToken(userEmail, accountIDs) + } + + if len(authorizedAccountIDs) == 0 { + err = errors.New("accounts not found") + } + + return +} + +// AuthorizeApiKey ... +func (config *Config) AuthorizeApiKey(apiKey string, accountIDs []string) (authorizedAccountIDs []string, err error) { + query := ` + SELECT + ApiKeys.AccountId as account_id + FROM ApiKeys + LEFT OUTER JOIN Roles ON Roles.RoleName = ApiKeys.RoleName + WHERE ApiKeys.ApiKey = @api_key + AND ApiKeys.AccountId IN UNNEST (@account_ids) + AND LOWER(Roles.ServicePath) = @service_path + AND LOWER(Roles.ServiceMethod) = @service_method + ` + + // Find all accounts if no account ids mentioned + if len(accountIDs) == 0 { + query = strings.Replace(query, "AND ApiKeys.AccountId IN UNNEST (@account_ids)", "", -1) + } + + stmt := spanner.NewStatement(query) + stmt.Params["api_key"] = apiKey + stmt.Params["account_ids"] = accountIDs + stmt.Params["service_path"] = strings.ToLower(config.Service.Path) + stmt.Params["service_method"] = strings.ToLower(config.Service.Method) + + ctx := context.Background() + iter := SpannerClient.Single().Query(ctx, stmt) + defer iter.Stop() + + err = iter.Do(func(r *spanner.Row) error { + var accountID string + + if err := r.Column(0, &accountID); err != nil { + return err + } + authorizedAccountIDs = append(authorizedAccountIDs, accountID) + + return nil + }) + + return +} + +func (config *Config) AuthorizeToken(userEmail string, accountIDs []string) (authorizedAccountIDs []string, err error) { + query := ` + SELECT + Users.AccountId as account_id + FROM Users + LEFT OUTER JOIN Roles ON Roles.RoleName = Users.RoleName + WHERE Users.UserEmail = @user_email + AND Users.AccountId IN UNNEST (@account_ids) + AND LOWER(Roles.ServicePath) = @service_path + AND LOWER(Roles.ServiceMethod) = @service_method + ` + + // Find all accounts if no account ids mentioned + if len(accountIDs) == 0 { + query = strings.Replace(query, "AND Users.AccountId IN UNNEST (@account_ids)", "", -1) + } + + stmt := spanner.NewStatement(query) + stmt.Params["user_email"] = userEmail + stmt.Params["account_ids"] = accountIDs + stmt.Params["service_path"] = strings.ToLower(config.Service.Path) + stmt.Params["service_method"] = strings.ToLower(config.Service.Method) + + ctx := context.Background() + iter := SpannerClient.Single().Query(ctx, stmt) + defer iter.Stop() + + err = iter.Do(func(r *spanner.Row) error { + var accountID string + + if err := r.Column(0, &accountID); err != nil { + return err + } + authorizedAccountIDs = append(authorizedAccountIDs, accountID) + + return nil + }) + + return +} + +// VerifyToken ... +func VerifyToken(jwtToken string) (userID string, err error) { + defer func() { + if err := recover(); err != nil { + log.Println(err, " Execption in VerifyToken: ", string(debug.Stack())) + } + }() + + tokenParts := strings.Split(jwtToken, " ") + if len(tokenParts) > 1 { + jwtToken = strings.TrimSpace(tokenParts[1]) + } else { + jwtToken = strings.TrimSpace(tokenParts[0]) + } + + ctx := context.Background() + + app, err := firebase.NewApp(ctx, nil) + if err != nil { + log.Println("VerifyToken firebase.NewApp err: ", err) + return "", err + } + + client, err := app.Auth(ctx) + if err != nil { + log.Println("VerifyToken app.Auth err: ", err) + return "", err + } + + token, err := client.VerifyIDToken(ctx, jwtToken) + if err != nil { + log.Println("VerifyToken client.VerifyIDToken err: ", err) + return "", err + } + + // token.Claims : map[ + // auth_time:1.610686521e+09 + // email:giri@gmail.com + // email_verified:false + // firebase:map[ + // identities:map[ + // email:[giri@gmail.com] + // phone:[+919540327688] + // ] + // sign_in_provider:password + // ] + // name:giri giri + // phone_number:+919540327688 + // user_id:8SyEzOpSizc1IrIK36zigfy6Ou32 + // ] + + return fmt.Sprintf("%v", token.Claims["email"]), nil +} diff --git a/go.mod b/go.mod index 25d34e1..c713bac 100644 --- a/go.mod +++ b/go.mod @@ -2,4 +2,8 @@ module github.com/marosolutions/goapi go 1.15 -require cloud.google.com/go/spanner v1.17.0 +require ( + cloud.google.com/go/firestore v1.5.0 // indirect + cloud.google.com/go/spanner v1.17.0 + firebase.google.com/go v3.13.0+incompatible +) diff --git a/go.sum b/go.sum index a64ddb2..ff16f07 100644 --- a/go.sum +++ b/go.sum @@ -15,9 +15,11 @@ cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOY cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY= cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI= cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk= +cloud.google.com/go v0.75.0/go.mod h1:VGuuCn7PG0dwsd5XPVm2Mm3wlh3EL55/79EKB6hlPTY= cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg= cloud.google.com/go v0.79.0 h1:oqqswrt4x6b9OGBnNqdssxBl1xf0rSUNjU2BR4BZar0= cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8= +cloud.google.com/go v0.83.0 h1:bAMqZidYkmIsUqe6PtkEPT7Q+vfizScn+jfNA6jwK9c= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= @@ -26,6 +28,8 @@ cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4g cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= +cloud.google.com/go/firestore v1.5.0 h1:4qNItsmc4GP6UOZPGemmHY4ZfPofVhcaKXsYw9wm9oA= +cloud.google.com/go/firestore v1.5.0/go.mod h1:c4nNYR1qdq7eaZ+jSc5fonrQN2k3M7sWATcYTiakjEo= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= @@ -36,8 +40,12 @@ cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiy cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos= cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= +cloud.google.com/go/storage v1.10.0 h1:STgFzyU5/8miMl0//zKh2aQeTyeaUH3WN9bSUiJ09bA= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +firebase.google.com/go v1.0.2 h1:MCEmjmlwZiQ0s+z7EDVX6e3KHHvpGdF2pJBiQAXVXao= +firebase.google.com/go v3.13.0+incompatible h1:3TdYC3DDi6aHn20qoRkxwGqNgdjtblwVAyRLQwGn/+4= +firebase.google.com/go v3.13.0+incompatible/go.mod h1:xlah6XbEyW6tbfSklcfe5FHJIwjt8toICdV5Wh9ptHs= github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= @@ -115,6 +123,7 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= @@ -222,6 +231,7 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4 h1:b0LrWgu8+q7z4J+0Y3Umo5q1dL7NXBkKBWkaVkAq17E= @@ -281,6 +291,7 @@ golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210223095934-7937bea0104d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 h1:EZ2mChiOa8udjfp6rRmswTbtZN/QzUQp4ptM4rnjHvc= @@ -342,6 +353,7 @@ golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -413,6 +425,7 @@ google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=