From 2f214950a38e45e2dbae7588b03b31998ede4d37 Mon Sep 17 00:00:00 2001 From: Patrik Oldsberg Date: Mon, 7 Aug 2023 17:45:58 +0200 Subject: [PATCH] add auth-backend-module-iap-provider Signed-off-by: Patrik Oldsberg --- .../.eslintrc.js | 1 + .../README.md | 5 + .../config.d.ts | 29 ++++ .../package.json | 52 +++++++ .../src/authenticator.ts | 52 +++++++ .../src/helpers.test.ts | 124 ++++++++++++++++ .../src/helpers.ts | 67 +++++++++ .../src/index.ts | 19 +++ .../src/module.ts | 48 +++++++ .../src/resolvers.ts | 49 +++++++ .../src/types.ts | 50 +++++++ .../src/providers/gcp-iap/helpers.test.ts | 134 ------------------ .../src/providers/gcp-iap/helpers.ts | 82 ----------- yarn.lock | 16 +++ 14 files changed, 512 insertions(+), 216 deletions(-) create mode 100644 plugins/auth-backend-module-gcp-iap-provider/.eslintrc.js create mode 100644 plugins/auth-backend-module-gcp-iap-provider/README.md create mode 100644 plugins/auth-backend-module-gcp-iap-provider/config.d.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/package.json create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/authenticator.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/helpers.test.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/helpers.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/index.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/module.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts create mode 100644 plugins/auth-backend-module-gcp-iap-provider/src/types.ts delete mode 100644 plugins/auth-backend/src/providers/gcp-iap/helpers.test.ts delete mode 100644 plugins/auth-backend/src/providers/gcp-iap/helpers.ts diff --git a/plugins/auth-backend-module-gcp-iap-provider/.eslintrc.js b/plugins/auth-backend-module-gcp-iap-provider/.eslintrc.js new file mode 100644 index 0000000000..e2a53a6ad2 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/.eslintrc.js @@ -0,0 +1 @@ +module.exports = require('@backstage/cli/config/eslint-factory')(__dirname); diff --git a/plugins/auth-backend-module-gcp-iap-provider/README.md b/plugins/auth-backend-module-gcp-iap-provider/README.md new file mode 100644 index 0000000000..a5f3ce1d4c --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/README.md @@ -0,0 +1,5 @@ +# Auth Backend Module - GCP IAP Provider + +## Links + +- [The Backstage homepage](https://backstage.io) diff --git a/plugins/auth-backend-module-gcp-iap-provider/config.d.ts b/plugins/auth-backend-module-gcp-iap-provider/config.d.ts new file mode 100644 index 0000000000..c8460470af --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/config.d.ts @@ -0,0 +1,29 @@ +/* + * Copyright 2020 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +export interface Config { + auth?: { + providers?: { + gcpIap?: { + [authEnv: string]: { + audience: string; + + jwtHeader?: string; + }; + }; + }; + }; +} diff --git a/plugins/auth-backend-module-gcp-iap-provider/package.json b/plugins/auth-backend-module-gcp-iap-provider/package.json new file mode 100644 index 0000000000..93c47f2706 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/package.json @@ -0,0 +1,52 @@ +{ + "name": "@backstage/plugin-auth-backend-module-gcp-iap-provider", + "description": "A GCP IAP auth provider module for the Backstage auth backend", + "version": "0.0.0", + "main": "src/index.ts", + "types": "src/index.ts", + "license": "Apache-2.0", + "publishConfig": { + "access": "public", + "main": "dist/index.cjs.js", + "types": "dist/index.d.ts" + }, + "backstage": { + "role": "backend-plugin-module" + }, + "homepage": "https://backstage.io", + "repository": { + "type": "git", + "url": "https://github.com/backstage/backstage", + "directory": "plugins/auth-backend-module-gcp-iap-provider" + }, + "keywords": [ + "backstage" + ], + "scripts": { + "start": "backstage-cli package start", + "build": "backstage-cli package build", + "lint": "backstage-cli package lint", + "test": "backstage-cli package test", + "prepack": "backstage-cli package prepack", + "postpack": "backstage-cli package postpack", + "clean": "backstage-cli package clean" + }, + "dependencies": { + "@backstage/backend-plugin-api": "workspace:^", + "@backstage/errors": "workspace:^", + "@backstage/plugin-auth-node": "workspace:^", + "@backstage/types": "workspace:^", + "google-auth-library": "^8.0.0" + }, + "devDependencies": { + "@backstage/backend-test-utils": "workspace:^", + "@backstage/cli": "workspace:^", + "msw": "^1.0.0", + "supertest": "^6.1.3" + }, + "files": [ + "dist", + "config.d.ts" + ], + "configSchema": "config.d.ts" +} diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/authenticator.ts b/plugins/auth-backend-module-gcp-iap-provider/src/authenticator.ts new file mode 100644 index 0000000000..ca104ded86 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/authenticator.ts @@ -0,0 +1,52 @@ +/* + * Copyright 2023 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { AuthenticationError } from '@backstage/errors'; +import { createProxyAuthenticator } from '@backstage/plugin-auth-node'; +import { createTokenValidator } from './helpers'; +import { GcpIapResult } from './types'; + +/** + * The header name used by the IAP. + */ +const DEFAULT_IAP_JWT_HEADER = 'x-goog-iap-jwt-assertion'; + +/** @public */ +export const gcpIapAuthenticator = createProxyAuthenticator({ + defaultProfileTransform: async (result: GcpIapResult) => { + return { profile: { email: result.iapToken.email } }; + }, + async initialize({ config }) { + const audience = config.getString('audience'); + const jwtHeader = + config.getOptionalString('jwtHeader') ?? DEFAULT_IAP_JWT_HEADER; + + const tokenValidator = createTokenValidator(audience); + + return { jwtHeader, tokenValidator }; + }, + async authenticate({ req }, { jwtHeader, tokenValidator }) { + const token = req.header(jwtHeader); + + if (!token || typeof token !== 'string') { + throw new AuthenticationError('Missing Google IAP header'); + } + + const iapToken = await tokenValidator(token); + + return { result: { iapToken } }; + }, +}); diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/helpers.test.ts b/plugins/auth-backend-module-gcp-iap-provider/src/helpers.test.ts new file mode 100644 index 0000000000..4079f8f7d3 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/helpers.test.ts @@ -0,0 +1,124 @@ +/* + * Copyright 2021 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { OAuth2Client } from 'google-auth-library'; +import { createTokenValidator } from './helpers'; + +const mockJwt = 'a.b.c'; + +beforeEach(() => { + jest.clearAllMocks(); +}); + +describe('helpers', () => { + describe('createTokenValidator', () => { + it('runs the happy path', async () => { + const mockClient = { + getIapPublicKeys: async () => ({ pubkeys: '' }), + verifySignedJwtWithCertsAsync: async () => ({ + getPayload: () => ({ sub: 's', email: 'e@mail.com' }), + }), + }; + const validator = createTokenValidator( + 'a', + mockClient as unknown as OAuth2Client, + ); + await expect(validator(mockJwt)).resolves.toMatchObject({ + sub: 's', + email: 'e@mail.com', + }); + }); + + it('throws if listing keys fail', async () => { + const mockClient = { + getIapPublicKeys: async () => { + throw new Error('NOPE'); + }, + }; + const validator = createTokenValidator( + 'a', + mockClient as unknown as OAuth2Client, + ); + await expect(validator(mockJwt)).rejects.toThrow( + 'Unable to list Google IAP token verification keys, Error: NOPE', + ); + }); + + it('throws if the verifying signature fails', async () => { + const mockClient = { + getIapPublicKeys: async () => ({ pubkeys: '' }), + verifySignedJwtWithCertsAsync: async () => { + throw new Error('NOPE'); + }, + }; + const validator = createTokenValidator( + 'a', + mockClient as unknown as OAuth2Client, + ); + await expect(validator(mockJwt)).rejects.toThrow( + 'Google IAP token verification failed, Error: NOPE', + ); + }); + + it('rejects empty payload', async () => { + const mockClient = { + getIapPublicKeys: async () => ({ pubkeys: '' }), + verifySignedJwtWithCertsAsync: async () => ({ + getPayload: () => undefined, + }), + }; + const validator = createTokenValidator( + 'a', + mockClient as unknown as OAuth2Client, + ); + await expect(validator(mockJwt)).rejects.toThrow( + 'Google IAP token verification failed, token had no payload', + ); + }); + + it('rejects payload without subject', async () => { + const mockClient = { + getIapPublicKeys: async () => ({ pubkeys: '' }), + verifySignedJwtWithCertsAsync: async () => ({ + getPayload: () => ({ email: 'e@mail.com' }), + }), + }; + const validator = createTokenValidator( + 'a', + mockClient as unknown as OAuth2Client, + ); + await expect(validator(mockJwt)).rejects.toThrow( + 'Google IAP token payload is missing subject claim', + ); + }); + + it('rejects payload without email', async () => { + const mockClient = { + getIapPublicKeys: async () => ({ pubkeys: '' }), + verifySignedJwtWithCertsAsync: async () => ({ + getPayload: () => ({ sub: 's' }), + }), + }; + const validator = createTokenValidator( + 'a', + mockClient as unknown as OAuth2Client, + ); + await expect(validator(mockJwt)).rejects.toThrow( + 'Google IAP token payload is missing email claim', + ); + }); + }); +}); diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/helpers.ts b/plugins/auth-backend-module-gcp-iap-provider/src/helpers.ts new file mode 100644 index 0000000000..54db7117f9 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/helpers.ts @@ -0,0 +1,67 @@ +/* + * Copyright 2021 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { AuthenticationError } from '@backstage/errors'; +import { OAuth2Client } from 'google-auth-library'; +import { GcpIapTokenInfo } from './types'; + +export function createTokenValidator( + audience: string, + providedClient?: OAuth2Client, +): (token: string) => Promise { + const client = providedClient ?? new OAuth2Client(); + + return async function tokenValidator(token) { + // TODO(freben): Rate limit the public key reads. It may be sensible to + // cache these for some reasonable time rather than asking for the public + // keys on every single sign-in. But since the rate of events here is so + // slow, I decided to keep it simple for now. + const response = await client.getIapPublicKeys().catch(error => { + throw new AuthenticationError( + `Unable to list Google IAP token verification keys, ${error}`, + ); + }); + const ticket = await client + .verifySignedJwtWithCertsAsync(token, response.pubkeys, audience, [ + 'https://cloud.google.com/iap', + ]) + .catch(error => { + throw new AuthenticationError( + `Google IAP token verification failed, ${error}`, + ); + }); + + const payload = ticket.getPayload(); + if (!payload) { + throw new AuthenticationError( + 'Google IAP token verification failed, token had no payload', + ); + } + + if (!payload.sub) { + throw new AuthenticationError( + 'Google IAP token payload is missing subject claim', + ); + } + if (!payload.email) { + throw new AuthenticationError( + 'Google IAP token payload is missing email claim', + ); + } + + return payload as unknown as GcpIapTokenInfo; + }; +} diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/index.ts b/plugins/auth-backend-module-gcp-iap-provider/src/index.ts new file mode 100644 index 0000000000..50ea1cb2af --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/index.ts @@ -0,0 +1,19 @@ +/* + * Copyright 2023 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +export { gcpIapAuthenticator } from './authenticator'; +export { authModuleGcpIapProvider } from './module'; +export { gcpIapSignInResolvers } from './resolvers'; diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/module.ts b/plugins/auth-backend-module-gcp-iap-provider/src/module.ts new file mode 100644 index 0000000000..38742e4236 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/module.ts @@ -0,0 +1,48 @@ +/* + * Copyright 2023 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { createBackendModule } from '@backstage/backend-plugin-api'; +import { + authProvidersExtensionPoint, + commonSignInResolvers, + createProxyAuthProviderFactory, +} from '@backstage/plugin-auth-node'; +import { gcpIapAuthenticator } from './authenticator'; +import { gcpIapSignInResolvers } from './resolvers'; + +export const authModuleGcpIapProvider = createBackendModule({ + pluginId: 'auth', + moduleId: 'gcpIapProvider', + register(reg) { + reg.registerInit({ + deps: { + providers: authProvidersExtensionPoint, + }, + async init({ providers }) { + providers.registerProvider({ + providerId: 'gcpIap', + factory: createProxyAuthProviderFactory({ + authenticator: gcpIapAuthenticator, + signInResolverFactories: { + ...gcpIapSignInResolvers, + ...commonSignInResolvers, + }, + }), + }); + }, + }); + }, +}); diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts b/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts new file mode 100644 index 0000000000..32ab2b6cc7 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/resolvers.ts @@ -0,0 +1,49 @@ +/* + * Copyright 2023 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { + createSignInResolverFactory, + SignInInfo, +} from '@backstage/plugin-auth-node'; +import { GcpIapResult } from './types'; + +/** + * Available sign-in resolvers for the Google auth provider. + * + * @public + */ +export namespace gcpIapSignInResolvers { + /** + * Looks up the user by matching their email to the `google.com/email` annotation. + */ + export const emailMatchingUserEntityAnnotation = createSignInResolverFactory({ + create() { + return async (info: SignInInfo, ctx) => { + const email = info.result.iapToken.email; + + if (!email) { + throw new Error('Google IAP sign-in result is missing email'); + } + + return ctx.signInWithCatalogUser({ + annotations: { + 'google.com/email': email, + }, + }); + }; + }, + }); +} diff --git a/plugins/auth-backend-module-gcp-iap-provider/src/types.ts b/plugins/auth-backend-module-gcp-iap-provider/src/types.ts new file mode 100644 index 0000000000..a967a4d579 --- /dev/null +++ b/plugins/auth-backend-module-gcp-iap-provider/src/types.ts @@ -0,0 +1,50 @@ +/* + * Copyright 2023 The Backstage Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +import { JsonPrimitive } from '@backstage/types'; + +/** + * The data extracted from an IAP token. + * + * @public + */ +export type GcpIapTokenInfo = { + /** + * The unique, stable identifier for the user. + */ + sub: string; + /** + * User email address. + */ + email: string; + /** + * Other fields. + */ + [key: string]: JsonPrimitive; +}; + +/** + * The result of the initial auth challenge. This is the input to the auth + * callbacks. + * + * @public + */ +export type GcpIapResult = { + /** + * The data extracted from the IAP token header. + */ + iapToken: GcpIapTokenInfo; +}; diff --git a/plugins/auth-backend/src/providers/gcp-iap/helpers.test.ts b/plugins/auth-backend/src/providers/gcp-iap/helpers.test.ts deleted file mode 100644 index 0162366f61..0000000000 --- a/plugins/auth-backend/src/providers/gcp-iap/helpers.test.ts +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright 2021 The Backstage Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -import { ConflictError } from '@backstage/errors'; -import { OAuth2Client } from 'google-auth-library'; -import { createTokenValidator, parseRequestToken } from './helpers'; - -const validJwt = - 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImZvbyIsImlzcyI6ImZvbyJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.T2BNS4G-6RoiFnXc8Q8TiwdWzTpNitY8jcsGM3N3-Yo'; - -beforeEach(() => { - jest.clearAllMocks(); -}); - -describe('helpers', () => { - describe('createTokenValidator', () => { - it('runs the happy path', async () => { - const mockClient = { - getIapPublicKeys: async () => ({ pubkeys: '' }), - verifySignedJwtWithCertsAsync: async () => ({ - getPayload: () => ({ sub: 's', email: 'e@mail.com' }), - }), - }; - const validator = createTokenValidator( - 'a', - mockClient as unknown as OAuth2Client, - ); - await expect(validator(validJwt)).resolves.toMatchObject({ - sub: 's', - email: 'e@mail.com', - }); - }); - - it('throws if the client throws', async () => { - const mockClient = { - getIapPublicKeys: async () => { - throw new TypeError('bam'); - }, - }; - const validator = createTokenValidator( - 'a', - mockClient as unknown as OAuth2Client, - ); - await expect(validator(validJwt)).rejects.toThrow(TypeError); - }); - - it('rejects empty payload', async () => { - const mockClient = { - getIapPublicKeys: async () => ({ pubkeys: '' }), - verifySignedJwtWithCertsAsync: async () => ({ - getPayload: () => undefined, - }), - }; - const validator = createTokenValidator( - 'a', - mockClient as unknown as OAuth2Client, - ); - await expect(validator(validJwt)).rejects.toMatchObject({ - name: 'TypeError', - message: 'Token had no payload', - }); - }); - }); - - describe('parseRequestToken', () => { - it('runs the happy path', async () => { - await expect( - parseRequestToken( - validJwt, - async () => ({ sub: 's', email: 'e@mail.com' } as any), - ), - ).resolves.toMatchObject({ - iapToken: { - sub: 's', - email: 'e@mail.com', - }, - }); - }); - - it('rejects bad tokens', async () => { - await expect( - parseRequestToken(7, undefined as any), - ).rejects.toMatchObject({ - name: 'AuthenticationError', - message: 'Missing Google IAP header', - }); - await expect( - parseRequestToken(undefined, undefined as any), - ).rejects.toMatchObject({ - name: 'AuthenticationError', - message: 'Missing Google IAP header', - }); - await expect( - parseRequestToken('', undefined as any), - ).rejects.toMatchObject({ - name: 'AuthenticationError', - message: 'Missing Google IAP header', - }); - }); - - it('translates validator errors', async () => { - await expect( - parseRequestToken(validJwt, async () => { - throw new ConflictError('Ouch'); - }), - ).rejects.toMatchObject({ - name: 'AuthenticationError', - message: 'Google IAP token verification failed, ConflictError: Ouch', - }); - }); - - it('rejects bad token payloads', async () => { - await expect( - parseRequestToken(validJwt, async () => ({ sub: 'a' } as any)), - ).rejects.toMatchObject({ - name: 'AuthenticationError', - message: 'Google IAP token payload is missing sub and/or email claim', - }); - }); - }); -}); diff --git a/plugins/auth-backend/src/providers/gcp-iap/helpers.ts b/plugins/auth-backend/src/providers/gcp-iap/helpers.ts deleted file mode 100644 index 26d9a8c904..0000000000 --- a/plugins/auth-backend/src/providers/gcp-iap/helpers.ts +++ /dev/null @@ -1,82 +0,0 @@ -/* - * Copyright 2021 The Backstage Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -import { AuthenticationError } from '@backstage/errors'; -import { OAuth2Client, TokenPayload } from 'google-auth-library'; -import { AuthHandler } from '../types'; -import { GcpIapResult } from './types'; - -export function createTokenValidator( - audience: string, - mockClient?: OAuth2Client, -): (token: string) => Promise { - const client = mockClient ?? new OAuth2Client(); - - return async function tokenValidator(token) { - // TODO(freben): Rate limit the public key reads. It may be sensible to - // cache these for some reasonable time rather than asking for the public - // keys on every single sign-in. But since the rate of events here is so - // slow, I decided to keep it simple for now. - const response = await client.getIapPublicKeys(); - const ticket = await client.verifySignedJwtWithCertsAsync( - token, - response.pubkeys, - audience, - ['https://cloud.google.com/iap'], - ); - - const payload = ticket.getPayload(); - if (!payload) { - throw new TypeError('Token had no payload'); - } - - return payload; - }; -} - -export async function parseRequestToken( - jwtToken: unknown, - tokenValidator: (token: string) => Promise, -): Promise { - if (typeof jwtToken !== 'string' || !jwtToken) { - throw new AuthenticationError('Missing Google IAP header'); - } - - let payload: TokenPayload; - try { - payload = await tokenValidator(jwtToken); - } catch (e) { - throw new AuthenticationError(`Google IAP token verification failed, ${e}`); - } - - if (!payload.sub || !payload.email) { - throw new AuthenticationError( - 'Google IAP token payload is missing sub and/or email claim', - ); - } - - return { - iapToken: { - ...payload, - sub: payload.sub, - email: payload.email, - }, - }; -} - -export const defaultAuthHandler: AuthHandler = async ({ - iapToken, -}) => ({ profile: { email: iapToken.email } }); diff --git a/yarn.lock b/yarn.lock index b974ad70d3..48b1c3999a 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4576,6 +4576,22 @@ __metadata: languageName: unknown linkType: soft +"@backstage/plugin-auth-backend-module-gcp-iap-provider@workspace:plugins/auth-backend-module-gcp-iap-provider": + version: 0.0.0-use.local + resolution: "@backstage/plugin-auth-backend-module-gcp-iap-provider@workspace:plugins/auth-backend-module-gcp-iap-provider" + dependencies: + "@backstage/backend-plugin-api": "workspace:^" + "@backstage/backend-test-utils": "workspace:^" + "@backstage/cli": "workspace:^" + "@backstage/errors": "workspace:^" + "@backstage/plugin-auth-node": "workspace:^" + "@backstage/types": "workspace:^" + google-auth-library: ^8.0.0 + msw: ^1.0.0 + supertest: ^6.1.3 + languageName: unknown + linkType: soft + "@backstage/plugin-auth-backend-module-google-provider@workspace:plugins/auth-backend-module-google-provider": version: 0.0.0-use.local resolution: "@backstage/plugin-auth-backend-module-google-provider@workspace:plugins/auth-backend-module-google-provider"