Add JWKS auth en forwarding to dashboard

sensorbucket · Apr 29, 2024 · 73e6c74 · 73e6c74
1 parent a177bf4
commit 73e6c74
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 30 deletions.
diff --git a/services/dashboard/main.go b/services/dashboard/main.go
@@ -9,13 +9,15 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"strings"
 	"time"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 
 	"sensorbucket.nl/sensorbucket/internal/env"
 	"sensorbucket.nl/sensorbucket/pkg/api"
+	"sensorbucket.nl/sensorbucket/pkg/auth"
 	"sensorbucket.nl/sensorbucket/services/dashboard/routes"
 	"sensorbucket.nl/sensorbucket/services/dashboard/views"
 )
@@ -41,7 +43,8 @@ func Run() error {
 	defer cancel()
 
 	router := chi.NewRouter()
-	router.Use(middleware.Logger)
+	jwks := auth.NewJWKSHttpClient("http://oathkeeper:4456/.well-known/jwks.json")
+	router.Use(middleware.Logger, auth.Authenticate(jwks), auth.Protect())
 
 	var baseURL *url.URL
 	if HTTP_BASE != "" {
@@ -52,14 +55,13 @@ func Run() error {
 	// Middleware to pass on basic auth to the client api
 	router.Use(func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			user, pass, ok := r.BasicAuth()
-			if ok {
-				r = r.WithContext(context.WithValue(
-					r.Context(), api.ContextBasicAuth, api.BasicAuth{
-						UserName: user,
-						Password: pass,
-					}))
-			}
+			key := r.Header.Get("Authorization")
+			key = strings.Join(strings.Split(key, " ")[1:], "")
+			r = r.WithContext(context.WithValue(
+				r.Context(), api.ContextAPIKeys, api.APIKey{
+					Key:    key,
+					Prefix: "Bearer",
+				}))
 			next.ServeHTTP(w, r)
 		})
 	})

diff --git a/services/tenants/transports/webui/webui.go b/services/tenants/transports/webui/webui.go
@@ -52,7 +52,7 @@ func New(
 
 	ui.router.Use(middleware.Logger)
 	jwks := auth.NewJWKSHttpClient("http://oathkeeper:4456/.well-known/jwks.json")
-	ui.router.Use(auth.Authenticate(jwks))
+	authMW := auth.Authenticate(jwks)
 	// Middleware to pass on basic auth to the client api
 	// TODO: This also exists in dashboard/main.go, perhaps make it a package?
 	// Also this will become a JWT instead of basic auth!
@@ -71,8 +71,8 @@ func New(
 	})
 	ui.router.Handle("/static/*", serveStatic())
 	ui.router.Mount("/auth", routes.SetupKratosRoutes())
-	ui.router.Mount("/api-keys", routes.SetupAPIKeyRoutes(client, apiKeys, tenantsService))
-	ui.router.Mount("/", routes.SetupTenantSwitchingRoutes(tenantsService, userPreferences))
+	ui.router.With(authMW).Mount("/api-keys", routes.SetupAPIKeyRoutes(client, apiKeys, tenantsService))
+	ui.router.With(authMW).Mount("/", routes.SetupTenantSwitchingRoutes(tenantsService, userPreferences))
 
 	return ui, nil
 }

diff --git a/tools/docker-compose/oathkeeper_config/rules.json b/tools/docker-compose/oathkeeper_config/rules.json
@@ -2,7 +2,7 @@
     {
         "id": "passthrough-authentication",
         "match": {
-            "url": "http://<127.0.0.1|localhost>:3000/<\\.ory(/.+)?>",
+            "url": "http://<127.0.0.1|localhost>:3000/<(\\.ory|tenants/auth/settings|tenants/auth/login|tenants/auth/logout|tenants/static)(/.+)?>",
             "methods": [
                 "GET","POST","PATCH","PUT","DELETE"
             ]
@@ -20,7 +20,7 @@
     {
         "id": "auth",
         "match": {
-            "url": "http://<127.0.0.1|localhost>:3000</tenants|/dashboard|/api><(/.*)?>",
+            "url": "http://<127.0.0.1|localhost>:3000/<tenants/auth|((tenants/switch|tenants/api-keys|dashboard|api)(/.*)?)>",
             "methods": [
                 "GET",
                 "POST",
@@ -35,9 +35,6 @@
             },
             {
                 "handler": "bearer_token"
-            },
-            {
-                "handler": "noop"
             }
         ],
         "authorizer": {
@@ -48,8 +45,7 @@
                 "handler": "hydrator"
             },
             {
-                "handler": "id_token",
-                "config": {}
+                "handler": "id_token"
             }
         ]
     },
@@ -66,12 +62,6 @@
             ]
         },
         "authenticators": [
-            {
-                "handler": "cookie_session"
-            },
-            {
-                "handler": "bearer_token"
-            },
             {
                 "handler": "noop"
             }
@@ -81,11 +71,7 @@
         },
         "mutators": [
             {
-                "handler": "hydrator"
-            },
-            {
-                "handler": "id_token",
-                "config": {}
+                "handler": "noop"
             }
         ]
     }