rachmadiyanti.annisa.3004/service_antrean
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0002cf26be0d36a275bac1760b477fc9965940a0
service_antrean/internal/middleware/providers.go
meninjar 0002cf26be Update besar
2025-10-31 02:30:27 +00:00

616 lines
18 KiB
Go
Raw Blame History

package middleware
import (
"api-service/internal/config"
"api-service/internal/models/auth"
models "api-service/internal/models/auth"
service "api-service/internal/services/auth"
"api-service/pkg/logger"
"crypto/rsa"
"encoding/base64"
"encoding/json"
"errors"
"fmt"
"math/big"
"net/http"
"strings"
"sync"
"time"
"github.com/gin-gonic/gin"
"github.com/golang-jwt/jwt/v5"
"golang.org/x/sync/singleflight"
)
// AuthProvider interface for different authentication methods
type AuthProvider interface {
ValidateToken(tokenString string) (*models.JWTClaims, error)
Name() string
}
// ProviderFactory creates authentication providers based on configuration
type ProviderFactory struct {
authService *service.AuthService
config *config.Config
}
func NewProviderFactory(authService *service.AuthService, config *config.Config) *ProviderFactory {
return &ProviderFactory{
authService: authService,
config: config,
}
}
func (f *ProviderFactory) CreateProviders() []AuthProvider {
var providers []AuthProvider
reqLogger := logger.Default().WithService("provider-factory")
reqLogger.Info("Creating authentication providers", map[string]interface{}{
"auth_type": f.config.Auth.Type,
"keycloak_enabled": f.config.Keycloak.Enabled,
"keycloak_issuer": f.config.Keycloak.Issuer,
"static_tokens_len": len(f.config.Auth.StaticTokens),
"fallback_to": f.config.Auth.FallbackTo,
})
switch f.config.Auth.Type {
case "static":
reqLogger.Info("Configuring static token provider")
if len(f.config.Auth.StaticTokens) > 0 {
providers = append(providers, NewStaticTokenProvider(f.config.Auth.StaticTokens))
reqLogger.Info("Static token provider added", map[string]interface{}{
"token_count": len(f.config.Auth.StaticTokens),
})
} else {
reqLogger.Warn("No static tokens configured for static auth type")
}
case "jwt":
reqLogger.Info("Configuring JWT provider")
providers = append(providers, NewJWTAuthProvider(f.authService))
reqLogger.Info("JWT provider added")
case "keycloak":
reqLogger.Info("Configuring Keycloak provider")
if f.config.Keycloak.Issuer != "" {
providers = append(providers, NewKeycloakAuthProvider(f.config))
reqLogger.Info("Keycloak provider added")
} else {
reqLogger.Warn("Keycloak issuer not configured for keycloak auth type")
}
case "hybrid":
reqLogger.Info("Configuring hybrid providers")
if f.config.Keycloak.Issuer != "" {
providers = append(providers, NewKeycloakAuthProvider(f.config))
reqLogger.Info("Keycloak provider added for hybrid")
} else {
reqLogger.Warn("Keycloak issuer not configured for hybrid auth type")
}
switch f.config.Auth.FallbackTo {
case "static":
reqLogger.Info("Configuring static fallback for hybrid")
if len(f.config.Auth.StaticTokens) > 0 {
providers = append(providers, NewStaticTokenProvider(f.config.Auth.StaticTokens))
reqLogger.Info("Static fallback provider added", map[string]interface{}{
"token_count": len(f.config.Auth.StaticTokens),
})
} else {
reqLogger.Warn("No static tokens configured for hybrid fallback")
}
case "jwt":
reqLogger.Info("Configuring JWT fallback for hybrid")
providers = append(providers, NewJWTAuthProvider(f.authService))
reqLogger.Info("JWT fallback provider added")
case "keycloak":
reqLogger.Info("Configuring Keycloak fallback for hybrid")
if f.config.Keycloak.Issuer != "" {
providers = append(providers, NewKeycloakAuthProvider(f.config))
reqLogger.Info("Keycloak fallback provider added")
} else {
reqLogger.Warn("Keycloak issuer not configured for hybrid fallback")
}
default:
reqLogger.Warn("Unknown fallback type for hybrid, using JWT", map[string]interface{}{
"fallback_to": f.config.Auth.FallbackTo,
})
providers = append(providers, NewJWTAuthProvider(f.authService))
reqLogger.Info("JWT fallback provider added as default")
}
default:
reqLogger.Warn("Unknown auth type, defaulting to JWT", map[string]interface{}{
"auth_type": f.config.Auth.Type,
})
providers = append(providers, NewJWTAuthProvider(f.authService))
reqLogger.Info("JWT provider added as default")
}
reqLogger.Info("Provider creation completed", map[string]interface{}{
"provider_count": len(providers),
})
return providers
}
// StaticTokenProvider handles static token authentication
type StaticTokenProvider struct {
tokens map[string]bool
}
func NewStaticTokenProvider(tokens []string) *StaticTokenProvider {
tokenMap := make(map[string]bool)
for _, token := range tokens {
if token != "" {
tokenMap[token] = true
}
}
return &StaticTokenProvider{tokens: tokenMap}
}
func (s *StaticTokenProvider) ValidateToken(tokenString string) (*models.JWTClaims, error) {
reqLogger := logger.Default().WithService("static-auth")
if !s.tokens[tokenString] {
reqLogger.Warn("Invalid static token provided")
return nil, ErrInvalidToken
}
reqLogger.Info("Static token validation successful")
return &models.JWTClaims{
UserID: "static-user",
Username: "static-user",
Email: "static@example.com",
Role: "user",
}, nil
}
func (s *StaticTokenProvider) Name() string {
return "static"
}
// JWTAuthProvider handles JWT authentication using AuthService
type JWTAuthProvider struct {
authService *service.AuthService
}
func NewJWTAuthProvider(authService *service.AuthService) *JWTAuthProvider {
return &JWTAuthProvider{authService: authService}
}
func (j *JWTAuthProvider) ValidateToken(tokenString string) (*models.JWTClaims, error) {
reqLogger := logger.Default().WithService("jwt-auth")
reqLogger.Info("Starting JWT token validation")
claims, err := j.authService.ValidateToken(tokenString)
if err != nil {
reqLogger.Error("JWT validation failed", map[string]interface{}{
"error": err.Error(),
})
return nil, err
}
reqLogger.Info("JWT validation successful", map[string]interface{}{
"user_id": claims.UserID,
})
return claims, nil
}
func (j *JWTAuthProvider) Name() string {
return "jwt"
}
// KeycloakAuthProvider handles Keycloak JWT authentication
type KeycloakAuthProvider struct {
jwksCache *JwksCache
config *config.Config
}
func NewKeycloakAuthProvider(cfg *config.Config) *KeycloakAuthProvider {
return &KeycloakAuthProvider{
jwksCache: NewJwksCache(cfg),
config: cfg,
}
}
func (k *KeycloakAuthProvider) ValidateToken(tokenString string) (*auth.JWTClaims, error) {
reqLogger := logger.Default().WithService("keycloak-auth")
reqLogger.Info("Starting Keycloak token validation")
// Parse token without verification first to get claims for logging
parsedToken, _, err := jwt.NewParser().ParseUnverified(tokenString, jwt.MapClaims{})
if err != nil {
reqLogger.Error("Failed to parse token", map[string]interface{}{
"error": err.Error(),
})
return nil, ErrInvalidToken
}
// Extract claims for logging
claims, ok := parsedToken.Claims.(jwt.MapClaims)
if !ok {
reqLogger.Error("Invalid claims format")
return nil, ErrMissingClaims
}
// Check if token is expired
if exp, ok := claims["exp"].(float64); ok {
if time.Now().Unix() > int64(exp) {
reqLogger.Warn("Token expired", map[string]interface{}{
"exp": exp,
"now": time.Now().Unix(),
})
return nil, ErrTokenExpired
}
}
// Now parse with verification
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
// Verify signing method
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
reqLogger.Warn("Unexpected signing method", map[string]interface{}{
"alg": token.Header["alg"],
})
return nil, ErrInvalidSignature
}
kid, ok := token.Header["kid"].(string)
if !ok {
reqLogger.Warn("kid header not found in token")
return nil, errors.New("kid header not found")
}
reqLogger.Info("Looking for key", map[string]interface{}{
"kid": kid,
})
key, err := k.jwksCache.GetKey(kid)
if err != nil {
reqLogger.Error("Failed to get key", map[string]interface{}{
"kid": kid,
"error": err.Error(),
})
return nil, err
}
reqLogger.Info("Key retrieved successfully", map[string]interface{}{
"kid": kid,
})
return key, nil
}, jwt.WithIssuer(k.config.Keycloak.Issuer), jwt.WithAudience(k.config.Keycloak.Audience))
if err != nil {
reqLogger.Error("JWT parse error", map[string]interface{}{
"error": err.Error(),
})
// Return specific error based on the error type
if strings.Contains(err.Error(), "expired") {
return nil, ErrTokenExpired
} else if strings.Contains(err.Error(), "signature") {
return nil, ErrInvalidSignature
} else if strings.Contains(err.Error(), "issuer") {
return nil, ErrInvalidIssuer
} else if strings.Contains(err.Error(), "audience") {
return nil, ErrInvalidAudience
}
return nil, fmt.Errorf("invalid token: %v", err)
}
if !token.Valid {
reqLogger.Warn("Token is not valid")
return nil, ErrInvalidToken
}
reqLogger.Info("Token validation successful")
// Extract claims
claims, ok = token.Claims.(jwt.MapClaims)
if !ok {
reqLogger.Error("Invalid claims format")
return nil, ErrMissingClaims
}
// Validate required claims
userID := getClaimString(claims, "sub")
if userID == "" {
reqLogger.Error("Missing required claim: sub")
return nil, ErrMissingClaims
}
return &auth.JWTClaims{
UserID: userID,
Username: getClaimString(claims, "preferred_username"),
Email: getClaimString(claims, "email"),
Role: getClaimString(claims, "role"),
}, nil
}
func (k *KeycloakAuthProvider) Name() string {
return "keycloak"
}
// UnifiedAuthMiddleware provides flexible authentication based on configuration
func UnifiedAuthMiddleware(cfg *config.Config, authService *service.AuthService) gin.HandlerFunc {
factory := NewProviderFactory(authService, cfg)
providers := factory.CreateProviders()
// Validate that we have at least one provider
if len(providers) == 0 {
logger.Default().Error("No authentication providers configured", map[string]interface{}{
"auth_type": cfg.Auth.Type,
})
return func(c *gin.Context) {
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "authentication service not configured"})
}
}
logger.Default().Info("UnifiedAuthMiddleware initialized", map[string]interface{}{
"provider_count": len(providers),
"auth_type": cfg.Auth.Type,
})
return func(c *gin.Context) {
reqLogger := logger.Default().WithService("unified-auth")
reqLogger.Info("Memulai proses autentikasi", map[string]interface{}{
"auth_type": cfg.Auth.Type,
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
authHeader := c.GetHeader("Authorization")
if authHeader == "" {
reqLogger.Warn("Header Authorization tidak ditemukan", map[string]interface{}{
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": ErrMissingAuthHeader.Error()})
return
}
parts := strings.SplitN(authHeader, " ", 2)
if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
reqLogger.Warn("Format header Authorization tidak valid", map[string]interface{}{
"header_value": authHeader[:min(20, len(authHeader))], // Log first 20 chars for debugging
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": ErrInvalidAuthHeader.Error()})
return
}
tokenString := parts[1]
reqLogger.Info("Token diterima", map[string]interface{}{
"token_length": len(tokenString),
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
// Coba setiap provider sampai salah satu berhasil
var claims *auth.JWTClaims
var err error
var providerName string
var providerErrors []string
var triedProviders []string
reqLogger.Info("Starting provider validation loop", map[string]interface{}{
"provider_count": len(providers),
})
for _, provider := range providers {
providerLog := reqLogger.WithField("provider", provider.Name())
triedProviders = append(triedProviders, provider.Name())
providerLog.Info("Mencoba validasi dengan provider", map[string]interface{}{
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
claims, err = provider.ValidateToken(tokenString)
if err == nil {
providerName = provider.Name()
providerLog.Info("Autentikasi berhasil", map[string]interface{}{
"user_id": claims.UserID,
"username": claims.Username,
"role": claims.Role,
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
break // Berhenti jika ada yang berhasil
}
providerLog.Warn("Validasi provider gagal", map[string]interface{}{
"error": err.Error(),
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
providerErrors = append(providerErrors, fmt.Sprintf("provider %s: %v", provider.Name(), err))
}
if err != nil {
reqLogger.Error("Semua provider gagal memvalidasi token", map[string]interface{}{
"errors": strings.Join(providerErrors, "; "),
"tried_providers": strings.Join(triedProviders, ", "),
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
// Return specific error message based on the error type
errorMessage := "Token tidak valid"
if errors.Is(err, ErrTokenExpired) {
errorMessage = "Token telah kadaluarsa"
} else if errors.Is(err, ErrInvalidSignature) {
errorMessage = "Signature token tidak valid"
} else if errors.Is(err, ErrInvalidIssuer) {
errorMessage = "Issuer token tidak valid"
} else if errors.Is(err, ErrInvalidAudience) {
errorMessage = "Audience token tidak valid"
}
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
"error": errorMessage,
"details": strings.Join(providerErrors, "; "),
})
return
}
// Set informasi pengguna di konteks
if claims != nil {
c.Set("user_id", claims.UserID)
c.Set("username", claims.Username)
c.Set("email", claims.Email)
c.Set("role", claims.Role)
c.Set("auth_provider", providerName)
reqLogger.Info("User context set successfully", map[string]interface{}{
"user_id": claims.UserID,
"username": claims.Username,
"role": claims.Role,
"auth_provider": providerName,
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
} else {
reqLogger.Warn("Claims is nil after successful authentication", map[string]interface{}{
"provider": providerName,
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
}
reqLogger.Info("Authentication completed successfully, proceeding to next handler", map[string]interface{}{
"path": c.Request.URL.Path,
"method": c.Request.Method,
})
c.Next()
}
}
// InitializeAuth initializes authentication configuration
func InitializeAuth(cfg *config.Config) {
// This function can be used to initialize global auth settings if needed
logger.Default().Info("Authentication initialized", map[string]interface{}{
"auth_type": cfg.Auth.Type,
})
}
// Helper functions
func getClaimString(claims jwt.MapClaims, key string) string {
if value, ok := claims[key]; ok && value != nil {
if str, ok := value.(string); ok {
return str
}
}
return ""
}
// JwksCache and related functions
type JwksCache struct {
mu sync.RWMutex
keys map[string]*rsa.PublicKey
expiresAt time.Time
sfGroup singleflight.Group
config *config.Config
}
func NewJwksCache(cfg *config.Config) *JwksCache {
return &JwksCache{
keys: make(map[string]*rsa.PublicKey),
config: cfg,
}
}
func (c *JwksCache) GetKey(kid string) (*rsa.PublicKey, error) {
c.mu.RLock()
if key, ok := c.keys[kid]; ok && time.Now().Before(c.expiresAt) {
c.mu.RUnlock()
return key, nil
}
c.mu.RUnlock()
// Fetch keys with singleflight to avoid concurrent fetches
v, err, _ := c.sfGroup.Do("fetch_jwks", func() (interface{}, error) {
return c.fetchKeys()
})
if err != nil {
return nil, err
}
keys := v.(map[string]*rsa.PublicKey)
c.mu.Lock()
c.keys = keys
c.expiresAt = time.Now().Add(1 * time.Hour) // cache for 1 hour
c.mu.Unlock()
key, ok := keys[kid]
if !ok {
return nil, fmt.Errorf("key with kid %s not found", kid)
}
return key, nil
}
func (c *JwksCache) fetchKeys() (map[string]*rsa.PublicKey, error) {
if c.config.Keycloak.Issuer == "" {
return nil, fmt.Errorf("keycloak issuer is not configured")
}
jwksURL := c.config.Keycloak.JwksURL
if jwksURL == "" {
// Construct JWKS URL from issuer if not explicitly provided
jwksURL = c.config.Keycloak.Issuer + "/protocol/openid-connect/certs"
}
client := &http.Client{Timeout: 10 * time.Second}
resp, err := client.Get(jwksURL)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("failed to fetch JWKS: HTTP %d", resp.StatusCode)
}
var jwksData struct {
Keys []struct {
Kid string `json:"kid"`
Kty string `json:"kty"`
N string `json:"n"`
E string `json:"e"`
} `json:"keys"`
}
if err := json.NewDecoder(resp.Body).Decode(&jwksData); err != nil {
return nil, err
}
keys := make(map[string]*rsa.PublicKey)
for _, key := range jwksData.Keys {
if key.Kty != "RSA" {
continue
}
pubKey, err := parseRSAPublicKey(key.N, key.E)
if err != nil {
continue
}
keys[key.Kid] = pubKey
}
return keys, nil
}
// parseRSAPublicKey parses RSA public key components from base64url strings
func parseRSAPublicKey(nStr, eStr string) (*rsa.PublicKey, error) {
nBytes, err := base64.RawURLEncoding.DecodeString(nStr)
if err != nil {
return nil, err
}
eBytes, err := base64.RawURLEncoding.DecodeString(eStr)
if err != nil {
return nil, err
}
n := new(big.Int).SetBytes(nBytes)
e := int(new(big.Int).SetBytes(eBytes).Int64())
return &rsa.PublicKey{
N: n,
E: e,
}, nil
}
Reference in New Issue View Git Blame Copy Permalink