From 79ffa837f176b81ce27a0664744eb1175c47f95f Mon Sep 17 00:00:00 2001 From: Christian Weichel Date: Sat, 1 Jul 2023 22:42:02 +0000 Subject: [PATCH] Add remote report authorization --- cmd/build.go | 2 +- pkg/remotereporter/reporter.go | 11 +++- tracker/backend/ingestor/go.mod | 10 +++ tracker/backend/ingestor/go.sum | 18 ++++++ tracker/backend/ingestor/handler/auth.go | 77 ++++++++++++++++++++++++ tracker/backend/ingestor/main.go | 26 ++++++-- 6 files changed, 135 insertions(+), 9 deletions(-) create mode 100644 tracker/backend/ingestor/handler/auth.go diff --git a/cmd/build.go b/cmd/build.go index 6a72544..0e243fc 100644 --- a/cmd/build.go +++ b/cmd/build.go @@ -254,7 +254,7 @@ func getBuildOpts(cmd *cobra.Command) ([]leeway.BuildOption, *leeway.FilesystemC if ep, err := cmd.Flags().GetString("remote-report"); err != nil { log.Fatal(err) } else if ep != "" { - reporter = append(reporter, remotereporter.NewReporter(ep)) + reporter = append(reporter, remotereporter.NewReporter(ep, os.Getenv("LEEWAY_REMOTE_REPORT_TOKEN"))) } dontTest, err := cmd.Flags().GetBool("dont-test") diff --git a/pkg/remotereporter/reporter.go b/pkg/remotereporter/reporter.go index 85a1492..f0646bc 100644 --- a/pkg/remotereporter/reporter.go +++ b/pkg/remotereporter/reporter.go @@ -15,14 +15,21 @@ import ( "github.com/sirupsen/logrus" ) -func NewReporter(endpoint string) *Reporter { +func NewReporter(endpoint, token string) *Reporter { id, err := uuid.NewRandom() if err != nil { panic(fmt.Sprintf("cannot create remote reporting sesison UUID: %v.\nTry running without --remote-report", err)) } httpclient := &http.Client{Timeout: 2 * time.Second} - client := v1connect.NewReporterServiceClient(httpclient, endpoint) + client := v1connect.NewReporterServiceClient(httpclient, endpoint, connect_go.WithInterceptors(connect_go.UnaryInterceptorFunc(func(uf connect_go.UnaryFunc) connect_go.UnaryFunc { + return func(ctx context.Context, req connect_go.AnyRequest) (connect_go.AnyResponse, error) { + if token != "" { + req.Header().Set("Authorization", token) + } + return uf(ctx, req) + } + }))) return &Reporter{ sessionID: id.String(), times: make(map[string]time.Time), diff --git a/tracker/backend/ingestor/go.mod b/tracker/backend/ingestor/go.mod index 9abc024..39bbe7b 100644 --- a/tracker/backend/ingestor/go.mod +++ b/tracker/backend/ingestor/go.mod @@ -4,6 +4,7 @@ go 1.19 require ( github.com/InfluxCommunity/influxdb3-go v0.1.0 + github.com/MicahParks/keyfunc v1.9.0 github.com/aws/aws-lambda-go v1.41.0 github.com/aws/aws-sdk-go-v2 v1.18.1 github.com/aws/aws-sdk-go-v2/config v1.18.27 @@ -12,8 +13,11 @@ require ( github.com/bufbuild/connect-go v1.9.0 github.com/bufbuild/connect-grpcreflect-go v1.1.0 github.com/gitpod-io/leeway v0.0.0-00010101000000-000000000000 + github.com/golang-jwt/jwt/v4 v4.4.2 github.com/segmentio/analytics-go/v3 v3.2.1 github.com/sirupsen/logrus v1.9.3 + github.com/spf13/pflag v1.0.5 + github.com/zitadel/oidc v1.13.4 ) require ( @@ -36,6 +40,8 @@ require ( github.com/golang/snappy v0.0.4 // indirect github.com/google/flatbuffers v2.0.8+incompatible // indirect github.com/google/uuid v1.3.0 // indirect + github.com/gorilla/schema v1.2.0 // indirect + github.com/gorilla/securecookie v1.1.1 // indirect github.com/influxdata/line-protocol/v2 v2.2.1 // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect github.com/klauspost/asmfmt v1.3.2 // indirect @@ -46,16 +52,20 @@ require ( github.com/pierrec/lz4/v4 v4.1.15 // indirect github.com/segmentio/backo-go v1.0.0 // indirect github.com/zeebo/xxh3 v1.0.2 // indirect + golang.org/x/crypto v0.7.0 // indirect golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 // indirect golang.org/x/mod v0.10.0 // indirect golang.org/x/net v0.10.0 // indirect + golang.org/x/oauth2 v0.6.0 // indirect golang.org/x/sys v0.8.0 // indirect golang.org/x/text v0.9.0 // indirect golang.org/x/tools v0.9.3 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect + google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20230320184635-7606e756e683 // indirect google.golang.org/grpc v1.55.0 // indirect google.golang.org/protobuf v1.31.0 // indirect + gopkg.in/square/go-jose.v2 v2.6.0 // indirect ) replace github.com/gitpod-io/leeway => ../../.. // leeway diff --git a/tracker/backend/ingestor/go.sum b/tracker/backend/ingestor/go.sum index 92122fb..4f6c808 100644 --- a/tracker/backend/ingestor/go.sum +++ b/tracker/backend/ingestor/go.sum @@ -47,6 +47,8 @@ github.com/InfluxCommunity/influxdb3-go v0.1.0 h1:c+5H7qD7WZ0KSTCtCrVjBoMEspIP8K github.com/InfluxCommunity/influxdb3-go v0.1.0/go.mod h1:6hVZLGqLyfEvXu14JRm4Ai938q8BzJ73TGQ7VKh8qPA= github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c h1:RGWPOewvKIROun94nF7v2cua9qP+thov/7M50KEoeSU= github.com/Joker/hpp v1.0.0/go.mod h1:8x5n+M1Hp5hC0g8okX3sR3vFQwynaX/UgSOM9MeBKzY= +github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o= +github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/Shopify/goreferrer v0.0.0-20210630161223-536fa16abd6f/go.mod h1:a1uqRtAwp2Xwc6WNPJEufxJ7fx3npB4UV/JOLmbu5I0= github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= @@ -179,6 +181,8 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x github.com/gofiber/fiber/v2 v2.1.0/go.mod h1:aG+lMkwy3LyVit4CnmYUbUdgjpc3UYOltvlJZ78rgQ0= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= +github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= +github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -259,6 +263,10 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR github.com/gopherjs/gopherjs v0.0.0-20220221023154-0b2280d3ff96/go.mod h1:pRRIvn/QzFLrKfvEz3qUuEhtE/zLCWfreZ6J5gM2i+k= github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c= github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc= +github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU= +github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= +github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= @@ -449,6 +457,7 @@ github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t6 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s= github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= @@ -499,6 +508,8 @@ github.com/yusufpapurcu/wmi v1.2.2/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQ github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ= github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= +github.com/zitadel/oidc v1.13.4 h1:+k2GKqP9Ld9S2MSFlj+KaNsoZ3J9oy+Ezw51EzSFuC8= +github.com/zitadel/oidc v1.13.4/go.mod h1:3h2DhUcP02YV6q/CA/BG4yla0o6rXjK+DkJGK/dwJfw= go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= @@ -527,6 +538,8 @@ golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -626,6 +639,8 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw= +golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -819,6 +834,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= +google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= @@ -912,6 +928,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= +gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= +gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= diff --git a/tracker/backend/ingestor/handler/auth.go b/tracker/backend/ingestor/handler/auth.go new file mode 100644 index 0000000..621e5df --- /dev/null +++ b/tracker/backend/ingestor/handler/auth.go @@ -0,0 +1,77 @@ +package handler + +import ( + context "context" + "fmt" + "net/http" + "time" + + "github.com/MicahParks/keyfunc" + "github.com/bufbuild/connect-go" + "github.com/golang-jwt/jwt/v4" + "github.com/sirupsen/logrus" + + oidc "github.com/zitadel/oidc/pkg/client" +) + +func NewOIDCInterceptor(idp, audience string, allowedSubs []string) (connect.Interceptor, error) { + cfg, err := oidc.Discover(idp, &http.Client{Timeout: 10 * time.Second}) + if err != nil { + return nil, err + } + jwks, err := keyfunc.Get(cfg.JwksURI, keyfunc.Options{ + Ctx: context.Background(), + RefreshErrorHandler: func(err error) { + logrus.WithError(err).WithField("identityProvider", idp).Warn("cannot refresh JWKS") + }, + RefreshInterval: time.Hour, + RefreshRateLimit: time.Minute * 5, + RefreshTimeout: time.Second * 10, + RefreshUnknownKID: true, + }) + if err != nil { + return nil, err + } + logrus.WithField("issuer", idp).WithField("audience", audience).WithField("sub", allowedSubs).Info("enabled OIDC authorisation") + + return connect.UnaryInterceptorFunc(func(uf connect.UnaryFunc) connect.UnaryFunc { + return func(ctx context.Context, ar connect.AnyRequest) (connect.AnyResponse, error) { + rawToken := ar.Header().Get("Authorization") + if rawToken == "" { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("missing Authorization header")) + } + token, err := jwt.Parse(rawToken, jwks.Keyfunc) + if err != nil { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("cannot parse token: %w", err)) + } + if !token.Valid { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("invalid JWT token")) + } + claims, ok := token.Claims.(jwt.MapClaims) + if !ok { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("cannot extract claims from JWT")) + } + if !claims.VerifyAudience(audience, true) { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("audience does not match (expected %s, got %s)", audience, claims["aud"])) + } + if !claims.VerifyIssuer(idp, true) { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("issuer does not match (expected %s, got %s)", idp, claims["iss"])) + } + if !claims.VerifyExpiresAt(time.Now().Unix(), true) { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("token has expired")) + } + var validSub bool + for _, sub := range allowedSubs { + if claims["sub"] == sub { + validSub = true + break + } + } + if !validSub { + return nil, connect.NewError(connect.CodeUnauthenticated, fmt.Errorf("unexpected subject %s", claims["sub"])) + } + + return uf(ctx, ar) + } + }), nil +} diff --git a/tracker/backend/ingestor/main.go b/tracker/backend/ingestor/main.go index 97a5d11..5b9cc3a 100644 --- a/tracker/backend/ingestor/main.go +++ b/tracker/backend/ingestor/main.go @@ -2,17 +2,19 @@ package main import ( "context" - "flag" "log" "net/http" "os" "time" + flag "github.com/spf13/pflag" + "github.com/InfluxCommunity/influxdb3-go/influx" "github.com/aws/aws-lambda-go/lambda" "github.com/aws/aws-sdk-go-v2/config" "github.com/aws/aws-sdk-go-v2/service/cloudwatch" "github.com/awslabs/aws-lambda-go-api-proxy/httpadapter" + "github.com/bufbuild/connect-go" grpcreflect "github.com/bufbuild/connect-grpcreflect-go" segment "github.com/segmentio/analytics-go/v3" "github.com/sirupsen/logrus" @@ -22,9 +24,12 @@ import ( ) var ( - listen = flag.String("listen", ":8080", "address to listen on when not running as lambda") - verbose = flag.Bool("verbose", false, "enable verbose logging") - sink = flag.String("sink", "console", "where to write samples to. Valid values are: console, cloudwatch, influxdb, segment") + listen = flag.String("listen", ":8080", "address to listen on when not running as lambda") + verbose = flag.Bool("verbose", false, "enable verbose logging") + sink = flag.String("sink", "console", "where to write samples to. Valid values are: console, cloudwatch, influxdb, segment") + idp = flag.String("idp", "", "if set incoming requests must carry a valid ID token from this IDP in their Authorization header") + idpAudience = flag.String("idp-aud", "leeway.gitpod.io", "use in combination with --idp to control the audience the ID token must carry") + idpSub = flag.StringArray("idp-sub", nil, "use in combination with --idp to control the subject the ID token must carry; if any subject matches the token is accepted") ) func main() { @@ -62,9 +67,18 @@ func main() { client := segment.New(os.Getenv("SEGMENT_KEY")) store = handler.WriteToSegment(client) default: - logrus.Fatalf("unsupported --sample-sink: %s", *sink) + logrus.Fatalf("unsupported --sink: %s", *sink) + } + + var interceptors []connect.Interceptor + if *idp != "" { + ic, err := handler.NewOIDCInterceptor(*idp, *idpAudience, *idpSub) + if err != nil { + logrus.Fatalf("cannot setup OIDC auth with %s: %v", err) + } + interceptors = append(interceptors, ic) } - mux.Handle(v1connect.NewReporterServiceHandler(handler.NewBuildReportHandler(store))) + mux.Handle(v1connect.NewReporterServiceHandler(handler.NewBuildReportHandler(store), connect.WithInterceptors(interceptors...))) reflector := grpcreflect.NewStaticReflector( v1connect.ReporterServiceName,