proxy: add headers credentials issuer

Signed-off-by: Jason Hutchinson <[email protected]>
ory · Aug 16, 2018 · b084c32 · b084c32
1 parent 92c09fb
commit b084c32
Show file tree

Hide file tree

Showing 2 changed files with 110 additions and 0 deletions.
diff --git a/proxy/credentials_issuer_headers.go b/proxy/credentials_issuer_headers.go
@@ -0,0 +1,63 @@
+package proxy
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"text/template"
+
+	"github.com/ory/oathkeeper/rule"
+	"github.com/pkg/errors"
+)
+
+type CredentialsHeadersConfig map[string]string
+
+type CredentialsHeaders struct {
+	rulesCache *template.Template
+}
+
+func NewCredentialsIssuerHeaders() *CredentialsHeaders {
+	return &CredentialsHeaders{
+		rulesCache: template.New("rules"),
+	}
+}
+
+func (a *CredentialsHeaders) GetID() string {
+	return "headers"
+}
+
+func (a *CredentialsHeaders) Issue(r *http.Request, session *AuthenticationSession, config json.RawMessage, rl *rule.Rule) error {
+	if len(config) == 0 {
+		config = []byte("{}")
+	}
+
+	var cfg CredentialsHeadersConfig
+	d := json.NewDecoder(bytes.NewBuffer(config))
+	if err := d.Decode(&cfg); err != nil {
+		return errors.WithStack(err)
+	}
+
+	for hdr, templateString := range cfg {
+		var tmpl *template.Template
+		var err error
+
+		templateId := fmt.Sprintf("%s:%s", rl.ID, hdr)
+		tmpl = a.rulesCache.Lookup(templateId)
+		if tmpl == nil {
+			tmpl, err = a.rulesCache.New(templateId).Parse(templateString)
+			if err != nil {
+				return errors.Wrapf(err, `error parsing header template "%s" in rule "%s"`, templateString, rl.ID)
+			}
+		}
+
+		headerValue := bytes.Buffer{}
+		err = tmpl.Execute(&headerValue, session)
+		if err != nil {
+			return errors.Wrapf(err, `error executing header template "%s" in rule "%s"`, templateString, rl.ID)
+		}
+		r.Header.Set(hdr, headerValue.String())
+	}
+
+	return nil
+}
diff --git a/proxy/credentials_issuer_headers_test.go b/proxy/credentials_issuer_headers_test.go
@@ -0,0 +1,47 @@
+package proxy
+
+import (
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/ory/oathkeeper/rule"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestCredentialsIssuerHeaders(t *testing.T) {
+	var testMap = map[string]struct {
+		Session *AuthenticationSession
+		Rule    *rule.Rule
+		Config  json.RawMessage
+		Request *http.Request
+		Match   http.Header
+	}{
+		"Subject": {
+			Session: &AuthenticationSession{Subject: "foo"},
+			Rule:    &rule.Rule{ID: "test-rule"},
+			Config:  json.RawMessage([]byte(`{"X-User": "{{ .Subject }}"}`)),
+			Request: &http.Request{Header: http.Header{}},
+			Match:   http.Header{"X-User": []string{"foo"}},
+		},
+	}
+
+	for testName, specs := range testMap {
+		t.Run(testName, func(t *testing.T) {
+			issuer := NewCredentialsIssuerHeaders()
+
+			// Must return non-nil issuer
+			assert.NotNil(t, issuer)
+
+			// Issuer must return non-empty ID
+			assert.NotEmpty(t, issuer.GetID())
+
+			// Issuer must run without error
+			require.NoError(t, issuer.Issue(specs.Request, specs.Session, specs.Config, specs.Rule))
+
+			// Output request headers must match test specs
+			assert.Equal(t, specs.Request.Header, specs.Match)
+		})
+	}
+}