-
-
Notifications
You must be signed in to change notification settings - Fork 5
Expand file tree
/
Copy pathdetails.go
More file actions
119 lines (100 loc) · 3.14 KB
/
Copy pathdetails.go
File metadata and controls
119 lines (100 loc) · 3.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
package main
import (
"encoding/base64"
"fmt"
"strings"
"github.com/goccy/go-json"
"github.com/lukaszraczylo/ask"
libpack_logger "github.com/lukaszraczylo/graphql-monitoring-proxy/logging"
libpack_monitoring "github.com/lukaszraczylo/graphql-monitoring-proxy/monitoring"
)
const defaultValue = "-"
var emptyMetrics = map[string]string{}
func extractClaimsFromJWTHeader(authorization string) (usr, role string) {
usr, role = defaultValue, defaultValue
tokenParts := strings.SplitN(authorization, ".", 3)
if len(tokenParts) != 3 {
handleError("Can't split the token", map[string]any{"token": maskToken(authorization)})
return
}
claim, err := base64.RawURLEncoding.DecodeString(tokenParts[1])
if err != nil {
handleError("Can't decode the token", map[string]any{"token": maskToken(authorization)})
return
}
var claimMap map[string]any
if err = json.Unmarshal(claim, &claimMap); err != nil {
handleError("Can't unmarshal the claim", map[string]any{"token": maskToken(authorization)})
return
}
usr = extractClaim(claimMap, cfg.Client.JWTUserClaimPath, "user id")
role = extractClaim(claimMap, cfg.Client.JWTRoleClaimPath, "role")
return
}
func extractClaim(claimMap map[string]any, claimPath, name string) string {
if claimPath == "" {
return defaultValue
}
// Validate claim path to prevent injection attacks
if !isValidClaimPath(claimPath) {
handleError(fmt.Sprintf("Invalid claim path for %s", name), map[string]any{"path": claimPath})
return defaultValue
}
value, ok := ask.For(claimMap, claimPath).String(defaultValue)
if !ok {
handleError(fmt.Sprintf("Can't find the %s", name), map[string]any{"claim_map": sanitizeClaimMap(claimMap), "path": claimPath})
return defaultValue
}
return value
}
// maskToken masks JWT tokens in logs to prevent exposure
func maskToken(token string) string {
if len(token) <= 10 {
return "***"
}
return token[:4] + "***" + token[len(token)-4:]
}
// isValidClaimPath validates JWT claim paths to prevent injection
func isValidClaimPath(path string) bool {
if path == "" {
return false
}
// Allow only alphanumeric characters, dots, underscores, and hyphens
for _, char := range path {
if (char < 'a' || char > 'z') &&
(char < 'A' || char > 'Z') &&
(char < '0' || char > '9') &&
char != '.' && char != '_' && char != '-' {
return false
}
}
// Prevent path traversal attempts
if strings.Contains(path, "..") || strings.Contains(path, "//") {
return false
}
return true
}
// sanitizeClaimMap removes sensitive data from claim map for logging
func sanitizeClaimMap(claimMap map[string]any) map[string]any {
sanitized := make(map[string]any)
sensitiveKeys := map[string]bool{
"password": true, "secret": true, "token": true, "key": true,
"auth": true, "credential": true, "private": true,
}
for k, v := range claimMap {
lowerKey := strings.ToLower(k)
if sensitiveKeys[lowerKey] {
sanitized[k] = "***"
} else {
sanitized[k] = v
}
}
return sanitized
}
func handleError(msg string, details map[string]any) {
cfg.Monitoring.Increment(libpack_monitoring.MetricsFailed, emptyMetrics)
cfg.Logger.Error(&libpack_logger.LogMessage{
Message: msg,
Pairs: details,
})
}