fix: Require audience

stenic · Dec 21, 2022 · 01bc9fb · 01bc9fb
1 parent 3e1f332
commit 01bc9fb
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 10 deletions.
diff --git a/charts/ledger/templates/server_deployment.yaml b/charts/ledger/templates/server_deployment.yaml
@@ -68,6 +68,11 @@ spec:
                 secretKeyRef:
                   key: oidc-client-id
                   name: {{ include "ledger.fullname" . }}-server
+            - name: OIDC_AUDIENCE
+              valueFrom:
+                secretKeyRef:
+                  key: oidc-audience
+                  name: {{ include "ledger.fullname" . }}-server
             - name: JWT_SECRET
               valueFrom:
                 secretKeyRef:

diff --git a/charts/ledger/templates/server_secret.yaml b/charts/ledger/templates/server_secret.yaml
@@ -11,6 +11,7 @@ data:
   mysql-dsn: {{ .Values.ledgerServer.mysql.dsn | b64enc | quote }}
   oidc-client-id: {{ .Values.ledgerServer.oidc.clientID | b64enc | quote }}
   oidc-issuer-url: {{ .Values.ledgerServer.oidc.issuerURL | b64enc | quote }}
+  oidc-audience: {{ .Values.ledgerServer.oidc.audience | b64enc | quote }}
   jwt-secret: {{ .Values.ledgerServer.jwt.secret | b64enc | quote }}
   log-level: {{ .Values.ledgerServer.log.level | b64enc | quote }}
 {{- end }}
diff --git a/charts/ledger/values.yaml b/charts/ledger/values.yaml
@@ -109,6 +109,7 @@ ledgerServer:
   oidc:
     issuerURL: https://[keycloak-url]/auth/realms/[realm-name]
     clientID: ledger
+    audience: "account"
   jwt:
     secret: ""
   mysql:

diff --git a/cmd/ledger/server.go b/cmd/ledger/server.go
@@ -1,6 +1,8 @@
 package main
 
 import (
+	"strings"
+
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/stenic/ledger/internal/pkg/utils/env"
@@ -14,6 +16,7 @@ func NewServerCmd() *cobra.Command {
 		staticAssetPath string
 		oidcIssuerURL   string
 		oidcClientID    string
+		oidcAudience    string
 	)
 
 	serverCommand := &cobra.Command{
@@ -29,6 +32,7 @@ func NewServerCmd() *cobra.Command {
 				StaticAssetPath: staticAssetPath,
 				OidcIssuerURL:   oidcIssuerURL,
 				OidcClientID:    oidcClientID,
+				OidcAudience:    strings.Split(oidcAudience, ","),
 			}
 
 			errors.CheckError(server.NewServer(opts).Listen(listenAddr))
@@ -39,6 +43,7 @@ func NewServerCmd() *cobra.Command {
 	serverCommand.Flags().StringVar(&listenAddr, "addr", env.GetString("PORT", ":8080"), "Listen on given port")
 	serverCommand.Flags().StringVar(&oidcIssuerURL, "oidc-issuer-url", env.GetString("OIDC_ISSUER_URL", ""), "")
 	serverCommand.Flags().StringVar(&oidcClientID, "oidc-client-id", env.GetString("OIDC_CLIENT_ID", ""), "")
+	serverCommand.Flags().StringVar(&oidcAudience, "oidc-audience", env.GetString("OIDC_AUDIENCE", ""), "")
 
 	return serverCommand
 }

diff --git a/go.mod b/go.mod
@@ -66,7 +66,6 @@ require (
 require (
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/bombsimon/logrusr/v4 v4.0.0
-	github.com/bombsimon/logrusr/v4 v4.0.0
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
 	github.com/go-playground/locales v0.14.0 // indirect
@@ -89,7 +88,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
-	github.com/pkg/errors v0.9.1
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/ugorji/go/codec v1.2.7 // indirect

diff --git a/go.sum b/go.sum
@@ -180,8 +180,6 @@ github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJm
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/bombsimon/logrusr v1.1.0 h1:Y03FI4Z/Shyrc9jF26vuaUbnPxC5NMJnTtJA/3Lihq8=
-github.com/bombsimon/logrusr v1.1.0/go.mod h1:Jq0nHtvxabKE5EMwAAdgTaz7dfWE8C4i11NOltxGQpc=
 github.com/bombsimon/logrusr/v4 v4.0.0 h1:Pm0InGphX0wMhPqC02t31onlq9OVyJ98eP/Vh63t1Oo=
 github.com/bombsimon/logrusr/v4 v4.0.0/go.mod h1:pjfHC5e59CvjTBIU3V3sGhFWFAnsnhOR03TRc6im0l8=
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -1160,8 +1158,8 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=

diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
@@ -15,8 +15,9 @@ import (
 type localJwtClaims struct{}
 
 type ApiSecurityOptions struct {
-	IssuerURL string `json:"authority"`
-	ClientID  string `json:"client_id"`
+	IssuerURL string   `json:"authority"`
+	ClientID  string   `json:"client_id"`
+	Audience  []string `json:"-"`
 }
 
 type CustomClaims struct {
@@ -32,7 +33,7 @@ func JwtHandler(opts ApiSecurityOptions) gin.HandlerFunc {
 
 	var jwtOidcMiddleware *jwtmiddleware.JWTMiddleware
 	if opts.IssuerURL != "" {
-		jwtOidcMiddleware = getOidcValidator(opts.IssuerURL)
+		jwtOidcMiddleware = getOidcValidator(opts.IssuerURL, opts.Audience)
 	}
 
 	return func(c *gin.Context) {

diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
@@ -12,7 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-func getOidcValidator(issuerURLString string) *jwtmiddleware.JWTMiddleware {
+func getOidcValidator(issuerURLString string, audience []string) *jwtmiddleware.JWTMiddleware {
 	issuerURL, err := url.Parse(issuerURLString)
 	if err != nil {
 		log.Fatal(err)
@@ -40,7 +40,7 @@ func getOidcValidator(issuerURLString string) *jwtmiddleware.JWTMiddleware {
 		provider.KeyFunc,
 		validator.RS256,
 		issuerURL.String(),
-		[]string{},
+		audience,
 		// validator.WithAllowedClockSkew(30*time.Second),
 
 		validator.WithCustomClaims(customClaims),

diff --git a/internal/server/config.go b/internal/server/config.go
@@ -6,4 +6,5 @@ type ServerOpts struct {
 	EnableGZip      bool
 	OidcIssuerURL   string
 	OidcClientID    string
+	OidcAudience    []string
 }
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -56,6 +56,7 @@ func (s *Server) Listen(addr string) error {
 	oidcOptions := auth.ApiSecurityOptions{
 		IssuerURL: s.ServerOpts.OidcIssuerURL,
 		ClientID:  s.ServerOpts.OidcClientID,
+		Audience:  s.ServerOpts.OidcAudience,
 	}
 
 	if os.Getenv("DEBUG") == "true" {