adding requirer middleware to gin middleware

Author: dr4hcu5-jan

internal/jwt/errors.go

@@ -123,3 +123,12 @@ var ErrJWTInvalidAudience = types.ServiceError{
 	Title:  "JSON Web Token Invalid Audience",
 	Detail: "The JSON Web Token has been issued for a different target audience",
 }
+
+// ErrForbidden is a template error which should be used to deny requests but
+// allows for setting a detail message beforehand
+var ErrForbidden = types.ServiceError{
+	Type:   "https://www.rfc-editor.org/rfc/rfc9110#section-15.5.4",
+	Status: 403,
+	Title:  "Access Forbidden",
+	Detail: "You don't have the required permissions to access this resource",
+}

internal/jwt/requirer.go

@@ -0,0 +1,9 @@
+package jwt
+
+type ScopeRequirer struct {
+	Service string
+}
+
+func (sr *ScopeRequirer) Configure(serviceName string) {
+	sr.Service = serviceName
+}

middleware/gin/jwt/jwt_test.go

@@ -0,0 +1,108 @@
+package jwt
+
+import (
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/stretchr/testify/assert"
+)
+
+var r *gin.Engine
+var jwkTestingKey = []byte("testing-key")
+var key jwk.Key
+var keySet jwk.Set
+var v *Validator
+var sr *ScopeRequirer
+
+func Test(t *testing.T) {
+	r = gin.New()
+
+	var err error
+	key, err = jwk.FromRaw(jwkTestingKey)
+	assert.NoError(t, err)
+
+	jwk.AssignKeyID(key)
+	key.Set(jwk.KeyUsageKey, "sig")
+	key.Set(jwk.AlgorithmKey, jwa.HS256)
+
+	keySet = jwk.NewSet()
+	keySet.AddKey(key)
+
+	v = &Validator{}
+	err = v.Configure("test", keySet, nil)
+	assert.NoError(t, err)
+
+	sr = &ScopeRequirer{}
+	sr.Configure(scopePrefix)
+
+	r.Use(v.Handler)
+	r.GET("/", func(ctx *gin.Context) {
+		ctx.Status(200)
+	})
+
+	t.Run("Validator", func(t *testing.T) {
+		t.Run("Missing_Authorization_Header", _missing_authorization_header)
+		t.Run("Multiple_Authoritazion_Headers", _multiple_authorization_headers)
+		t.Run("Unsupported_Token_Scheme", _unsupported_token_scheme)
+		t.Run("Invalid_JWT", _invalid_jwt)
+		t.Run("Missing_Claims", _missing_jwt_claims)
+		t.Run("Invalid_Claims", _invalid_claim_values)
+		t.Run("Empty_Scopes", _jwt_empty_scopes)
+		t.Run("Valid_JWT", _jwt_valid)
+		t.Run("Valid_Admin_JWT", _jwt_admin_valid)
+	})
+
+	r = gin.New()
+	r.Use(v.Handler)
+
+	t.Run("Requirer", func(t *testing.T) {
+		t.Run("Read", func(t *testing.T) {
+
+			r.GET("/", sr.RequireRead, func(ctx *gin.Context) {
+				ctx.Status(200)
+			})
+			t.Run("No_Scope", _require_read_no_scope)
+			t.Run("Scope", _require_read)
+
+			t.Cleanup(func() {
+				r = gin.New()
+				r.Use(v.Handler)
+			})
+		})
+		t.Run("Write", func(t *testing.T) {
+			r.GET("/", sr.RequireWrite, func(ctx *gin.Context) {
+				ctx.Status(200)
+			})
+			t.Run("No_Scope", _require_write_no_scope)
+			t.Run("Scope", _require_write)
+			t.Cleanup(func() {
+				r = gin.New()
+				r.Use(v.Handler)
+			})
+		})
+		t.Run("Delete", func(t *testing.T) {
+			r.GET("/", sr.RequireDelete, func(ctx *gin.Context) {
+				ctx.Status(200)
+			})
+			t.Run("No_Scope", _require_delete_no_scope)
+			t.Run("Scope", _require_delete)
+			t.Cleanup(func() {
+				r = gin.New()
+				r.Use(v.Handler)
+			})
+		})
+		t.Run("Admin", func(t *testing.T) {
+			r.GET("/", sr.RequireAdministrator, func(ctx *gin.Context) {
+				ctx.Status(200)
+			})
+			t.Run("No_Scope", _require_admin_no_scope)
+			t.Run("Scope", _require_admin)
+			t.Cleanup(func() {
+				r = gin.New()
+				r.Use(v.Handler)
+			})
+		})
+	})
+}

middleware/gin/jwt/requirer.go

@@ -0,0 +1,74 @@
+package jwt
+
+import (
+	"fmt"
+	"slices"
+
+	"github.com/gin-gonic/gin"
+	"github.com/wisdom-oss/common-go/v3/internal/jwt"
+	"github.com/wisdom-oss/common-go/v3/types"
+)
+
+type ScopeRequirer struct {
+	jwt.ScopeRequirer
+}
+
+func (sr *ScopeRequirer) require(scope types.Scope, c *gin.Context) {
+	isAdministrator := c.GetBool(KeyAdministrator)
+	if isAdministrator {
+		c.Next()
+		return
+	}
+
+	scopes := c.GetStringSlice(KeyTokenPermissions)
+	if len(scopes) == 0 {
+		c.Abort()
+		jwt.ErrForbidden.Emit(c)
+		return
+
+	}
+
+	requiredScope := fmt.Sprintf(`%s:%s`, sr.Service, scope)
+
+	if !slices.Contains(scopes, requiredScope) {
+		c.Abort()
+		jwt.ErrForbidden.Emit(c)
+		return
+	}
+
+}
+
+func (sr *ScopeRequirer) RequireRead(c *gin.Context) {
+	sr.require(types.ScopeRead, c)
+	if c.IsAborted() {
+		return
+	}
+	c.Next()
+}
+
+func (sr *ScopeRequirer) RequireWrite(c *gin.Context) {
+	sr.require(types.ScopeWrite, c)
+	if c.IsAborted() {
+		return
+	}
+	c.Next()
+}
+
+func (sr *ScopeRequirer) RequireDelete(c *gin.Context) {
+	sr.require(types.ScopeDelete, c)
+	if c.IsAborted() {
+		return
+	}
+	c.Next()
+}
+
+func (sr *ScopeRequirer) RequireAdministrator(c *gin.Context) {
+	isAdministrator := c.GetBool(KeyAdministrator)
+	if isAdministrator {
+		c.Next()
+		return
+	}
+
+	c.Abort()
+	jwt.ErrForbidden.Emit(c)
+}