Merge pull request #269 from pace/client_id_header

Client id header
pace · Jun 2, 2021 · 96cd30f · 96cd30f
2 parents c5a4fd7 + 4223b69
commit 96cd30f
Show file tree

Hide file tree

Showing 26 changed files with 1,720 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 	github.com/certifi/gocertifi v0.0.0-20180118203423-deb3ae2ef261
 	github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd // indirect
 	github.com/dave/jennifer v1.0.2
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/getkin/kin-openapi v0.0.0-20180813063848-e1956e8013e5
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-kivik/couchdb/v3 v3.2.6

diff --git a/go.sum b/go.sum
@@ -20,6 +20,8 @@ github.com/dave/jennifer v1.0.2/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhr
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/flimzy/diff v0.1.5/go.mod h1:lFJtC7SPsK0EroDmGTSrdtWKAxOk3rO+q+e04LL05Hs=

diff --git a/http/middleware/response_header.go b/http/middleware/response_header.go
@@ -0,0 +1,45 @@
+// Copyright © 2021 by PACE Telematics GmbH. All rights reserved.
+// Created at 2021/05/10 by Alessandro Miceli
+
+package middleware
+
+import (
+	"errors"
+	"net/http"
+	"strings"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+// ClientIDHeaderName name of the HTTP header that is used for reporting
+const (
+	ClientIDHeaderName = "Client-ID"
+)
+
+var ErrEmptyAuthorizedParty = errors.New("authorized party is empty")
+
+func ClientID(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		value := r.Header.Get("Authorization")
+		if strings.HasPrefix(value, "Bearer ") {
+			var claim clientIDClaim
+
+			_, _, err := new(jwt.Parser).ParseUnverified(value[7:], &claim)
+			if err == nil {
+				w.Header().Add(ClientIDHeaderName, claim.AuthorizedParty)
+			}
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+type clientIDClaim struct {
+	AuthorizedParty string `json:"azp"`
+}
+
+func (c clientIDClaim) Valid() error {
+	if c.AuthorizedParty == "" {
+		return ErrEmptyAuthorizedParty
+	}
+	return nil
+}
diff --git a/http/middleware/response_header_test.go b/http/middleware/response_header_test.go
@@ -0,0 +1,54 @@
+// Copyright © 2021 by PACE Telematics GmbH. All rights reserved.
+// Created at 2021/05/10 by Alessandro Miceli
+
+package middleware
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+const (
+	emptyToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+	token      = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJhenAiOiJjbGllbnRUZXN0In0.eAUlRLw2R2LEvI9TdaD9P6zGQyz-oF7V-Omm2x00iQk"
+)
+
+func TestClientID(t *testing.T) {
+
+	t.Run("empty", func(t *testing.T) {
+		rec := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", emptyToken))
+
+		h := ClientID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		}))
+		h.ServeHTTP(rec, req)
+		assert.Empty(t, rec.Header().Get(ClientIDHeaderName))
+	})
+
+	t.Run("brokenToken", func(t *testing.T) {
+		rec := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", emptyToken+"broken"))
+
+		h := ClientID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		}))
+		h.ServeHTTP(rec, req)
+		assert.Empty(t, rec.Header().Get(ClientIDHeaderName))
+	})
+
+	t.Run("clientID", func(t *testing.T) {
+		rec := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token))
+
+		h := ClientID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		}))
+		h.ServeHTTP(rec, req)
+		assert.NotNil(t, rec.Header().Get(ClientIDHeaderName))
+	})
+}
diff --git a/http/router.go b/http/router.go
@@ -58,6 +58,9 @@ func Router() *mux.Router {
 	// report use of external dependencies
 	r.Use(middleware.ExternalDependency)
 
+	// report Client ID back to caller
+	r.Use(middleware.ClientID)
+
 	// support redacting of data accross the full request scope
 	r.Use(redactMdw.Redact)
 

diff --git a/vendor/github.com/dgrijalva/jwt-go/.gitignore b/vendor/github.com/dgrijalva/jwt-go/.gitignore
diff --git a/vendor/github.com/dgrijalva/jwt-go/.travis.yml b/vendor/github.com/dgrijalva/jwt-go/.travis.yml
diff --git a/vendor/github.com/dgrijalva/jwt-go/LICENSE b/vendor/github.com/dgrijalva/jwt-go/LICENSE
diff --git a/vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md b/vendor/github.com/dgrijalva/jwt-go/MIGRATION_GUIDE.md
diff --git a/vendor/github.com/dgrijalva/jwt-go/README.md b/vendor/github.com/dgrijalva/jwt-go/README.md