Enable JWT group-based user authorization (#1368)

* Extend management API to support list of allowed JWT groups (#1366) * Add JWTAllowGroups settings to account management * Return an empty group list if jwt allow groups is not set * Add JwtAllowGroups to account settings in handler test * Add JWT group-based user authorization (#1373) * Add JWTAllowGroups settings to account management * Return an empty group list if jwt allow groups is not set * Add JwtAllowGroups to account settings in handler test * Implement user access validation authentication based on JWT groups * Remove the slices package import due to compatibility issues with the gitHub workflow(s) Go version * Refactor auth middleware and test for extracted claim handling * Optimize JWT group check in auth middleware to cover nil and empty allowed groups
2026-04-19 00:36:38 +00:00 · 2023-12-11 18:59:15 +03:00
parent 5ecafef5d2
commit d275d411aa
8 changed files with 133 additions and 10 deletions
--- a/management/server/http/middleware/auth_middleware_test.go
+++ b/management/server/http/middleware/auth_middleware_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/golang-jwt/jwt"

 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/jwtclaims"
 )

 const (
@@ -54,7 +55,13 @@ func mockGetAccountFromPAT(token string) (*server.Account, *server.User, *server

 func mockValidateAndParseToken(token string) (*jwt.Token, error) {
 	if token == JWT {
-		return &jwt.Token{}, nil
+		return &jwt.Token{
+			Claims: jwt.MapClaims{
+				userIDClaim:                          userID,
+				audience + jwtclaims.AccountIDSuffix: accountID,
+			},
+			Valid: true,
+		}, nil
 	}
 	return nil, fmt.Errorf("JWT invalid")
 }
@@ -66,6 +73,19 @@ func mockMarkPATUsed(token string) error {
 	return fmt.Errorf("Should never get reached")
 }

+func mockGetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
+	if testAccount.Id != claims.AccountId {
+		return nil, nil, fmt.Errorf("account with id %s does not exist", claims.AccountId)
+	}
+
+	user, ok := testAccount.Users[claims.UserId]
+	if !ok {
+		return nil, nil, fmt.Errorf("user with id %s does not exist", claims.UserId)
+	}
+
+	return testAccount, user, nil
+}
+
 func TestAuthMiddleware_Handler(t *testing.T) {
 	tt := []struct {
 		name               string
@@ -108,7 +128,20 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 		// do nothing
 	})

-	authMiddleware := NewAuthMiddleware(mockGetAccountFromPAT, mockValidateAndParseToken, mockMarkPATUsed, audience, userIDClaim)
+	claimsExtractor := jwtclaims.NewClaimsExtractor(
+		jwtclaims.WithAudience(audience),
+		jwtclaims.WithUserIDClaim(userIDClaim),
+	)
+
+	authMiddleware := NewAuthMiddleware(
+		mockGetAccountFromPAT,
+		mockValidateAndParseToken,
+		mockMarkPATUsed,
+		mockGetAccountFromToken,
+		claimsExtractor,
+		audience,
+		userIDClaim,
+	)

 	handlerToTest := authMiddleware.Handler(nextHandler)