

Merge pull request #186 from openinfradev/fix_pingtoken
bugfix. check expired token on ping-token API
ktkfree authored Oct 30, 2023
2 parents 6d03e47 + e370f5e commit 0b0fb0a
Showing 2 changed files with 49 additions and 0 deletions.
3 changes: 3 additions & 0 deletions internal/usecase/app-group.go
Expand Up @@ -179,7 +179,9 @@ func (u *AppGroupUsecase) Delete(ctx context.Context, id domain.AppGroupId) (err

// check cloudAccount
tksCloudAccountId := ""
tksObjectStore := "minio"
if cluster.CloudService != domain.CloudService_BYOH {
tksObjectStore = "s3"
cloudAccounts, err := u.cloudAccountRepo.Fetch(cluster.OrganizationId, nil)
if err != nil {
return httpErrors.NewBadRequestError(fmt.Errorf("Failed to get cloudAccounts"), "", "")
Expand Down Expand Up @@ -229,6 +231,7 @@ func (u *AppGroupUsecase) Delete(ctx context.Context, id domain.AppGroupId) (err
"keycloak_url=" + strings.TrimSuffix(viper.GetString("keycloak-address"), "/auth"),
"base_repo_branch=" + viper.GetString("revision"),
"cloud_account_id=" + tksCloudAccountId,
"object_store=" + tksObjectStore,
}

workflowId, err := u.argo.SumbitWorkflowFromWftpl(workflowTemplate, opts)
46 changes: 46 additions & 0 deletions internal/usecase/auth.go
Expand Up @@ -11,6 +11,8 @@ import (
"strings"
"time"

jwtWithouKey "github.com/dgrijalva/jwt-go"

"github.com/openinfradev/tks-api/pkg/log"
"github.com/spf13/viper"
"golang.org/x/net/html"
Expand Down Expand Up @@ -106,10 +108,54 @@ func (u *AuthUsecase) Logout(accessToken string, organizationName string) error
}

func (u *AuthUsecase) PingToken(accessToken string, organizationId string) error {
parsedToken, _, err := new(jwtWithouKey.Parser).ParseUnverified(accessToken, jwtWithouKey.MapClaims{})
if err != nil {
return err
}

if parsedToken.Method.Alg() != "RS256" {
return fmt.Errorf("invalid token")
}

if parsedToken.Claims.Valid() != nil {
return fmt.Errorf("invalid token")
}

if err := u.kc.VerifyAccessToken(accessToken, organizationId); err != nil {
log.Errorf("failed to verify access token: %v", err)
return err
}

userId, err := uuid.Parse(parsedToken.Claims.(jwtWithouKey.MapClaims)["sub"].(string))
if err != nil {
log.Errorf("failed to verify access token: %v", err)

return err
}
requestSessionId, ok := parsedToken.Claims.(jwtWithouKey.MapClaims)["sid"].(string)
if !ok {
return fmt.Errorf("session id is not found in token")
}

sessionIds, err := u.kc.GetSessions(userId.String(), organizationId)
if err != nil {
log.Errorf("failed to get sessions: %v", err)

return err
}
if len(*sessionIds) == 0 {
return fmt.Errorf("invalid session")
}
var matched bool = false
for _, id := range *sessionIds {
if id == requestSessionId {
matched = true
break
}
}
if !matched {
return fmt.Errorf("invalid session")
}
return nil
}

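Review bot: The bare assertion `parsedToken.Claims.(jwtWithouKey.MapClaims)["sub"].(string)` on the userId line panics when the sub claim is absent or not a string, whereas the sid claim a few lines later is read with the two-value form; sub should get the same ok-check, and the log on that error path should say what actually failed instead of repeating the "failed to verify access token" text used for the VerifyAccessToken branch above it. A second caveat on the new expiry check: as far as I recall, MapClaims.Valid() in this jwt-go version treats a missing exp claim as valid, so the check only rejects tokens that carry an exp; if the ping endpoint is meant to refuse non-expiring tokens, assert the claim is present rather than relying on Valid() alone. Minor style: `var matched bool = false` and the loop over `*sessionIds` collapse to `slices.Contains(*sessionIds, requestSessionId)` if the module's Go version is 1.21 or newer. Note also that dgrijalva/jwt-go is archived; the maintained fork github.com/golang-jwt/jwt exposes the same ParseUnverified and MapClaims API, so switching is mechanical.
```go
	// … unchanged: ParseUnverified, alg check, Claims.Valid, VerifyAccessToken …
	sub, ok := parsedToken.Claims.(jwtWithouKey.MapClaims)["sub"].(string)
	if !ok {
		return fmt.Errorf("subject is not found in token")
	}
	userId, err := uuid.Parse(sub)
	if err != nil {
		log.Errorf("failed to parse subject claim in access token: %v", err)
		return err
	}
	// … unchanged: sid check, GetSessions, session match …
```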

