2022-03-29 09:53:19 +00:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
2022-05-02 15:26:54 +00:00
|
|
|
"strings"
|
2022-03-29 09:53:19 +00:00
|
|
|
|
2022-04-26 23:01:45 +00:00
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
2022-03-29 09:53:19 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
type instanceInterceptor struct {
|
2022-05-02 15:26:54 +00:00
|
|
|
verifier authz.InstanceVerifier
|
|
|
|
headerName string
|
|
|
|
ignoredPrefixes []string
|
2022-03-29 09:53:19 +00:00
|
|
|
}
|
|
|
|
|
2022-05-02 15:26:54 +00:00
|
|
|
func InstanceInterceptor(verifier authz.InstanceVerifier, headerName string, ignoredPrefixes ...string) *instanceInterceptor {
|
2022-03-29 09:53:19 +00:00
|
|
|
return &instanceInterceptor{
|
2022-05-02 15:26:54 +00:00
|
|
|
verifier: verifier,
|
|
|
|
headerName: headerName,
|
|
|
|
ignoredPrefixes: ignoredPrefixes,
|
2022-03-29 09:53:19 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *instanceInterceptor) Handler(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2022-05-02 15:26:54 +00:00
|
|
|
for _, prefix := range a.ignoredPrefixes {
|
|
|
|
if strings.HasPrefix(r.URL.Path, prefix) {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
2022-03-29 09:53:19 +00:00
|
|
|
ctx, err := setInstance(r, a.verifier, a.headerName)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
r = r.WithContext(ctx)
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *instanceInterceptor) HandlerFunc(next http.HandlerFunc) http.HandlerFunc {
|
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2022-05-02 15:26:54 +00:00
|
|
|
for _, prefix := range a.ignoredPrefixes {
|
|
|
|
if strings.HasPrefix(r.URL.Path, prefix) {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
2022-03-29 09:53:19 +00:00
|
|
|
ctx, err := setInstance(r, a.verifier, a.headerName)
|
|
|
|
if err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
r = r.WithContext(ctx)
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func setInstance(r *http.Request, verifier authz.InstanceVerifier, headerName string) (_ context.Context, err error) {
|
|
|
|
ctx := r.Context()
|
|
|
|
|
|
|
|
authCtx, span := tracing.NewServerInterceptorSpan(ctx)
|
|
|
|
defer func() { span.EndWithError(err) }()
|
|
|
|
|
2022-06-03 12:44:04 +00:00
|
|
|
host, err := HostFromRequest(r, headerName)
|
2022-03-31 09:36:26 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2022-03-29 09:53:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
instance, err := verifier.InstanceByHost(authCtx, host)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
span.End()
|
|
|
|
return authz.WithInstance(ctx, instance), nil
|
|
|
|
}
|
2022-03-31 09:36:26 +00:00
|
|
|
|
2022-06-03 12:44:04 +00:00
|
|
|
func HostFromRequest(r *http.Request, headerName string) (string, error) {
|
2022-03-31 09:36:26 +00:00
|
|
|
host := r.Host
|
|
|
|
if headerName != "host" {
|
|
|
|
host = r.Header.Get(headerName)
|
|
|
|
}
|
|
|
|
if host == "" {
|
|
|
|
return "", fmt.Errorf("host header `%s` not found", headerName)
|
|
|
|
}
|
|
|
|
return host, nil
|
|
|
|
}
|