fix: make per user request work

aaronschweig · aaronschweig · commit b762772fe3b3 · 2025-01-30T16:07:34.000+01:00
diff --git a/internal/manager/manager.go b/internal/manager/manager.go
@@ -64,9 +64,9 @@ func NewManager(log *logger.Logger, cfg *rest.Config, appCfg appConfig.Config) (
 	}
 	cfg.Host = fmt.Sprintf("%s://%s", u.Scheme, u.Host)
 
-	cfg.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+	cfg.Wrap(func(rt http.RoundTripper) http.RoundTripper {
 		return NewRoundTripper(log, rt)
-	}
+	})
 
 	runtimeClient, err := kcp.NewClusterAwareClientWithWatch(cfg, client.Options{})
 	if err != nil {
@@ -215,11 +215,15 @@ func (s *Service) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// let's store the token in the context for further use in the roundTripper
-	r = r.WithContext(context.WithValue(r.Context(), TokenKey{}, token))
-	// let's store the workspace in the context for cluster aware client
 	r = r.WithContext(kontext.WithCluster(r.Context(), logicalcluster.Name(workspace)))
 
+	split := strings.Split(token, " ")
+	if len(split) == 1 {
+		r = r.WithContext(context.WithValue(r.Context(), TokenKey{}, token))
+	} else {
+		r = r.WithContext(context.WithValue(r.Context(), TokenKey{}, split[1]))
+	}
+
 	if r.Header.Get("Accept") == "text/event-stream" {
 		s.handleSubscription(w, r, h.schema)
 	} else {
diff --git a/internal/manager/roundtripper.go b/internal/manager/roundtripper.go
@@ -1,9 +1,11 @@
 package manager
 
 import (
-	"github.com/openmfp/golang-commons/logger"
-	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"net/http"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/openmfp/golang-commons/logger"
+	"k8s.io/client-go/transport"
 )
 
 type TokenKey struct{}
@@ -23,14 +25,20 @@ func NewRoundTripper(log *logger.Logger, base http.RoundTripper) http.RoundTripp
 func (rt *roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
 	token, ok := req.Context().Value(TokenKey{}).(string)
 	if !ok {
-		rt.log.Debug().Str("requestURI", req.RequestURI).Msg("No token found in context")
+		rt.log.Debug().Msg("No token found in context")
 		return rt.base.RoundTrip(req)
 	}
 
-	rt.log.Debug().Str("requestURI", req.RequestURI).Msg("Adding token to request")
+	claims := jwt.MapClaims{}
+	_, _, err := jwt.NewParser().ParseUnverified(token, claims)
+	if err != nil {
+		rt.log.Error().Err(err).Msg("Failed to parse token")
+		return rt.base.RoundTrip(req)
+	}
 
-	req = utilnet.CloneRequest(req)
-	req.Header.Set("Authorization", "Bearer "+token)
+	t := transport.NewImpersonatingRoundTripper(transport.ImpersonationConfig{
+		UserName: claims["email"].(string),
+	}, rt.base)
 
-	return rt.base.RoundTrip(req)
+	return t.RoundTrip(req)
 }
