authorization.go

Documentation: github.com/Azure/go-autorest/autorest

     1  package autorest
     2  
     3  // Copyright 2017 Microsoft Corporation
     4  //
     5  //  Licensed under the Apache License, Version 2.0 (the "License");
     6  //  you may not use this file except in compliance with the License.
     7  //  You may obtain a copy of the License at
     8  //
     9  //      http://www.apache.org/licenses/LICENSE-2.0
    10  //
    11  //  Unless required by applicable law or agreed to in writing, software
    12  //  distributed under the License is distributed on an "AS IS" BASIS,
    13  //  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14  //  See the License for the specific language governing permissions and
    15  //  limitations under the License.
    16  
    17  import (
    18  	"crypto/tls"
    19  	"encoding/base64"
    20  	"fmt"
    21  	"net/http"
    22  	"net/url"
    23  	"strings"
    24  
    25  	"github.com/Azure/go-autorest/autorest/adal"
    26  )
    27  
    28  const (
    29  	bearerChallengeHeader       = "Www-Authenticate"
    30  	bearer                      = "Bearer"
    31  	tenantID                    = "tenantID"
    32  	apiKeyAuthorizerHeader      = "Ocp-Apim-Subscription-Key"
    33  	bingAPISdkHeader            = "X-BingApis-SDK-Client"
    34  	golangBingAPISdkHeaderValue = "Go-SDK"
    35  	authorization               = "Authorization"
    36  	basic                       = "Basic"
    37  )
    38  
    39  // Authorizer is the interface that provides a PrepareDecorator used to supply request
    40  // authorization. Most often, the Authorizer decorator runs last so it has access to the full
    41  // state of the formed HTTP request.
    42  type Authorizer interface {
    43  	WithAuthorization() PrepareDecorator
    44  }
    45  
    46  // NullAuthorizer implements a default, "do nothing" Authorizer.
    47  type NullAuthorizer struct{}
    48  
    49  // WithAuthorization returns a PrepareDecorator that does nothing.
    50  func (na NullAuthorizer) WithAuthorization() PrepareDecorator {
    51  	return WithNothing()
    52  }
    53  
    54  // APIKeyAuthorizer implements API Key authorization.
    55  type APIKeyAuthorizer struct {
    56  	headers         map[string]interface{}
    57  	queryParameters map[string]interface{}
    58  }
    59  
    60  // NewAPIKeyAuthorizerWithHeaders creates an ApiKeyAuthorizer with headers.
    61  func NewAPIKeyAuthorizerWithHeaders(headers map[string]interface{}) *APIKeyAuthorizer {
    62  	return NewAPIKeyAuthorizer(headers, nil)
    63  }
    64  
    65  // NewAPIKeyAuthorizerWithQueryParameters creates an ApiKeyAuthorizer with query parameters.
    66  func NewAPIKeyAuthorizerWithQueryParameters(queryParameters map[string]interface{}) *APIKeyAuthorizer {
    67  	return NewAPIKeyAuthorizer(nil, queryParameters)
    68  }
    69  
    70  // NewAPIKeyAuthorizer creates an ApiKeyAuthorizer with headers.
    71  func NewAPIKeyAuthorizer(headers map[string]interface{}, queryParameters map[string]interface{}) *APIKeyAuthorizer {
    72  	return &APIKeyAuthorizer{headers: headers, queryParameters: queryParameters}
    73  }
    74  
    75  // WithAuthorization returns a PrepareDecorator that adds an HTTP headers and Query Parameters.
    76  func (aka *APIKeyAuthorizer) WithAuthorization() PrepareDecorator {
    77  	return func(p Preparer) Preparer {
    78  		return DecoratePreparer(p, WithHeaders(aka.headers), WithQueryParameters(aka.queryParameters))
    79  	}
    80  }
    81  
    82  // CognitiveServicesAuthorizer implements authorization for Cognitive Services.
    83  type CognitiveServicesAuthorizer struct {
    84  	subscriptionKey string
    85  }
    86  
    87  // NewCognitiveServicesAuthorizer is
    88  func NewCognitiveServicesAuthorizer(subscriptionKey string) *CognitiveServicesAuthorizer {
    89  	return &CognitiveServicesAuthorizer{subscriptionKey: subscriptionKey}
    90  }
    91  
    92  // WithAuthorization is
    93  func (csa *CognitiveServicesAuthorizer) WithAuthorization() PrepareDecorator {
    94  	headers := make(map[string]interface{})
    95  	headers[apiKeyAuthorizerHeader] = csa.subscriptionKey
    96  	headers[bingAPISdkHeader] = golangBingAPISdkHeaderValue
    97  
    98  	return NewAPIKeyAuthorizerWithHeaders(headers).WithAuthorization()
    99  }
   100  
   101  // BearerAuthorizer implements the bearer authorization
   102  type BearerAuthorizer struct {
   103  	tokenProvider adal.OAuthTokenProvider
   104  }
   105  
   106  // NewBearerAuthorizer crates a BearerAuthorizer using the given token provider
   107  func NewBearerAuthorizer(tp adal.OAuthTokenProvider) *BearerAuthorizer {
   108  	return &BearerAuthorizer{tokenProvider: tp}
   109  }
   110  
   111  // WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header whose
   112  // value is "Bearer " followed by the token.
   113  //
   114  // By default, the token will be automatically refreshed through the Refresher interface.
   115  func (ba *BearerAuthorizer) WithAuthorization() PrepareDecorator {
   116  	return func(p Preparer) Preparer {
   117  		return PreparerFunc(func(r *http.Request) (*http.Request, error) {
   118  			r, err := p.Prepare(r)
   119  			if err == nil {
   120  				// the ordering is important here, prefer RefresherWithContext if available
   121  				if refresher, ok := ba.tokenProvider.(adal.RefresherWithContext); ok {
   122  					err = refresher.EnsureFreshWithContext(r.Context())
   123  				} else if refresher, ok := ba.tokenProvider.(adal.Refresher); ok {
   124  					err = refresher.EnsureFresh()
   125  				}
   126  				if err != nil {
   127  					var resp *http.Response
   128  					if tokError, ok := err.(adal.TokenRefreshError); ok {
   129  						resp = tokError.Response()
   130  					}
   131  					return r, NewErrorWithError(err, "azure.BearerAuthorizer", "WithAuthorization", resp,
   132  						"Failed to refresh the Token for request to %s", r.URL)
   133  				}
   134  				return Prepare(r, WithHeader(headerAuthorization, fmt.Sprintf("Bearer %s", ba.tokenProvider.OAuthToken())))
   135  			}
   136  			return r, err
   137  		})
   138  	}
   139  }
   140  
   141  // TokenProvider returns OAuthTokenProvider so that it can be used for authorization outside the REST.
   142  func (ba *BearerAuthorizer) TokenProvider() adal.OAuthTokenProvider {
   143  	return ba.tokenProvider
   144  }
   145  
   146  // BearerAuthorizerCallbackFunc is the authentication callback signature.
   147  type BearerAuthorizerCallbackFunc func(tenantID, resource string) (*BearerAuthorizer, error)
   148  
   149  // BearerAuthorizerCallback implements bearer authorization via a callback.
   150  type BearerAuthorizerCallback struct {
   151  	sender   Sender
   152  	callback BearerAuthorizerCallbackFunc
   153  }
   154  
   155  // NewBearerAuthorizerCallback creates a bearer authorization callback.  The callback
   156  // is invoked when the HTTP request is submitted.
   157  func NewBearerAuthorizerCallback(s Sender, callback BearerAuthorizerCallbackFunc) *BearerAuthorizerCallback {
   158  	if s == nil {
   159  		s = sender(tls.RenegotiateNever)
   160  	}
   161  	return &BearerAuthorizerCallback{sender: s, callback: callback}
   162  }
   163  
   164  // WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header whose value
   165  // is "Bearer " followed by the token.  The BearerAuthorizer is obtained via a user-supplied callback.
   166  //
   167  // By default, the token will be automatically refreshed through the Refresher interface.
   168  func (bacb *BearerAuthorizerCallback) WithAuthorization() PrepareDecorator {
   169  	return func(p Preparer) Preparer {
   170  		return PreparerFunc(func(r *http.Request) (*http.Request, error) {
   171  			r, err := p.Prepare(r)
   172  			if err == nil {
   173  				// make a copy of the request and remove the body as it's not
   174  				// required and avoids us having to create a copy of it.
   175  				rCopy := *r
   176  				removeRequestBody(&rCopy)
   177  
   178  				resp, err := bacb.sender.Do(&rCopy)
   179  				if err != nil {
   180  					return r, err
   181  				}
   182  				DrainResponseBody(resp)
   183  				if resp.StatusCode == 401 && hasBearerChallenge(resp.Header) {
   184  					bc, err := newBearerChallenge(resp.Header)
   185  					if err != nil {
   186  						return r, err
   187  					}
   188  					if bacb.callback != nil {
   189  						ba, err := bacb.callback(bc.values[tenantID], bc.values["resource"])
   190  						if err != nil {
   191  							return r, err
   192  						}
   193  						return Prepare(r, ba.WithAuthorization())
   194  					}
   195  				}
   196  			}
   197  			return r, err
   198  		})
   199  	}
   200  }
   201  
   202  // returns true if the HTTP response contains a bearer challenge
   203  func hasBearerChallenge(header http.Header) bool {
   204  	authHeader := header.Get(bearerChallengeHeader)
   205  	if len(authHeader) == 0 || strings.Index(authHeader, bearer) < 0 {
   206  		return false
   207  	}
   208  	return true
   209  }
   210  
   211  type bearerChallenge struct {
   212  	values map[string]string
   213  }
   214  
   215  func newBearerChallenge(header http.Header) (bc bearerChallenge, err error) {
   216  	challenge := strings.TrimSpace(header.Get(bearerChallengeHeader))
   217  	trimmedChallenge := challenge[len(bearer)+1:]
   218  
   219  	// challenge is a set of key=value pairs that are comma delimited
   220  	pairs := strings.Split(trimmedChallenge, ",")
   221  	if len(pairs) < 1 {
   222  		err = fmt.Errorf("challenge '%s' contains no pairs", challenge)
   223  		return bc, err
   224  	}
   225  
   226  	bc.values = make(map[string]string)
   227  	for i := range pairs {
   228  		trimmedPair := strings.TrimSpace(pairs[i])
   229  		pair := strings.Split(trimmedPair, "=")
   230  		if len(pair) == 2 {
   231  			// remove the enclosing quotes
   232  			key := strings.Trim(pair[0], "\"")
   233  			value := strings.Trim(pair[1], "\"")
   234  
   235  			switch key {
   236  			case "authorization", "authorization_uri":
   237  				// strip the tenant ID from the authorization URL
   238  				asURL, err := url.Parse(value)
   239  				if err != nil {
   240  					return bc, err
   241  				}
   242  				bc.values[tenantID] = asURL.Path[1:]
   243  			default:
   244  				bc.values[key] = value
   245  			}
   246  		}
   247  	}
   248  
   249  	return bc, err
   250  }
   251  
   252  // EventGridKeyAuthorizer implements authorization for event grid using key authentication.
   253  type EventGridKeyAuthorizer struct {
   254  	topicKey string
   255  }
   256  
   257  // NewEventGridKeyAuthorizer creates a new EventGridKeyAuthorizer
   258  // with the specified topic key.
   259  func NewEventGridKeyAuthorizer(topicKey string) EventGridKeyAuthorizer {
   260  	return EventGridKeyAuthorizer{topicKey: topicKey}
   261  }
   262  
   263  // WithAuthorization returns a PrepareDecorator that adds the aeg-sas-key authentication header.
   264  func (egta EventGridKeyAuthorizer) WithAuthorization() PrepareDecorator {
   265  	headers := map[string]interface{}{
   266  		"aeg-sas-key": egta.topicKey,
   267  	}
   268  	return NewAPIKeyAuthorizerWithHeaders(headers).WithAuthorization()
   269  }
   270  
   271  // BasicAuthorizer implements basic HTTP authorization by adding the Authorization HTTP header
   272  // with the value "Basic <TOKEN>" where <TOKEN> is a base64-encoded username:password tuple.
   273  type BasicAuthorizer struct {
   274  	userName string
   275  	password string
   276  }
   277  
   278  // NewBasicAuthorizer creates a new BasicAuthorizer with the specified username and password.
   279  func NewBasicAuthorizer(userName, password string) *BasicAuthorizer {
   280  	return &BasicAuthorizer{
   281  		userName: userName,
   282  		password: password,
   283  	}
   284  }
   285  
   286  // WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header whose
   287  // value is "Basic " followed by the base64-encoded username:password tuple.
   288  func (ba *BasicAuthorizer) WithAuthorization() PrepareDecorator {
   289  	headers := make(map[string]interface{})
   290  	headers[authorization] = basic + " " + base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", ba.userName, ba.password)))
   291  
   292  	return NewAPIKeyAuthorizerWithHeaders(headers).WithAuthorization()
   293  }
   294  
   295  // MultiTenantServicePrincipalTokenAuthorizer provides authentication across tenants.
   296  type MultiTenantServicePrincipalTokenAuthorizer interface {
   297  	WithAuthorization() PrepareDecorator
   298  }
   299  
   300  // NewMultiTenantServicePrincipalTokenAuthorizer crates a BearerAuthorizer using the given token provider
   301  func NewMultiTenantServicePrincipalTokenAuthorizer(tp adal.MultitenantOAuthTokenProvider) MultiTenantServicePrincipalTokenAuthorizer {
   302  	return NewMultiTenantBearerAuthorizer(tp)
   303  }
   304  
   305  // MultiTenantBearerAuthorizer implements bearer authorization across multiple tenants.
   306  type MultiTenantBearerAuthorizer struct {
   307  	tp adal.MultitenantOAuthTokenProvider
   308  }
   309  
   310  // NewMultiTenantBearerAuthorizer creates a MultiTenantBearerAuthorizer using the given token provider.
   311  func NewMultiTenantBearerAuthorizer(tp adal.MultitenantOAuthTokenProvider) *MultiTenantBearerAuthorizer {
   312  	return &MultiTenantBearerAuthorizer{tp: tp}
   313  }
   314  
   315  // WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header using the
   316  // primary token along with the auxiliary authorization header using the auxiliary tokens.
   317  //
   318  // By default, the token will be automatically refreshed through the Refresher interface.
   319  func (mt *MultiTenantBearerAuthorizer) WithAuthorization() PrepareDecorator {
   320  	return func(p Preparer) Preparer {
   321  		return PreparerFunc(func(r *http.Request) (*http.Request, error) {
   322  			r, err := p.Prepare(r)
   323  			if err != nil {
   324  				return r, err
   325  			}
   326  			if refresher, ok := mt.tp.(adal.RefresherWithContext); ok {
   327  				err = refresher.EnsureFreshWithContext(r.Context())
   328  				if err != nil {
   329  					var resp *http.Response
   330  					if tokError, ok := err.(adal.TokenRefreshError); ok {
   331  						resp = tokError.Response()
   332  					}
   333  					return r, NewErrorWithError(err, "azure.multiTenantSPTAuthorizer", "WithAuthorization", resp,
   334  						"Failed to refresh one or more Tokens for request to %s", r.URL)
   335  				}
   336  			}
   337  			r, err = Prepare(r, WithHeader(headerAuthorization, fmt.Sprintf("Bearer %s", mt.tp.PrimaryOAuthToken())))
   338  			if err != nil {
   339  				return r, err
   340  			}
   341  			auxTokens := mt.tp.AuxiliaryOAuthTokens()
   342  			for i := range auxTokens {
   343  				auxTokens[i] = fmt.Sprintf("Bearer %s", auxTokens[i])
   344  			}
   345  			return Prepare(r, WithHeader(headerAuxAuthorization, strings.Join(auxTokens, ", ")))
   346  		})
   347  	}
   348  }
   349  
   350  // TokenProvider returns the underlying MultitenantOAuthTokenProvider for this authorizer.
   351  func (mt *MultiTenantBearerAuthorizer) TokenProvider() adal.MultitenantOAuthTokenProvider {
   352  	return mt.tp
   353  }
   354
View as plain text