| 90 | } |
| 91 | |
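// authenticate verifies bearerToken with the configured verifier and, on
// success, maps the Kubernetes service-account subject of the token to a
// SPIFFE identity.
//
// A token is accepted only if (1) j.verifier validates it, (2) its "sub" claim
// has the exact shape "system:serviceaccount:<namespace>:<serviceaccount>", and
// (3) its "aud" claim passes checkAudience against j.audiences. Any failure
// returns a nil Caller and a non-nil error. Subject parsing is done by
// parseServiceAccountSubject so that a malformed subject is rejected with an
// error rather than panicking on a slice index.
func (j *JwtAuthenticator) authenticate(ctx context.Context, bearerToken string) (*security.Caller, error) {
	idToken, err := j.verifier.Verify(ctx, bearerToken)
	if err != nil {
		return nil, fmt.Errorf("failed to verify the JWT token (error %w)", err)
	}

	sa := JwtPayload{}
	// "aud" for trust domain, "sub" has "system:serviceaccount:$namespace:$serviceaccount".
	// in future trust domain may use another field as a standard is defined.
	if err := idToken.Claims(&sa); err != nil {
		return nil, fmt.Errorf("failed to extract claims from ID token: %w", err)
	}
	ns, ksa, err := parseServiceAccountSubject(sa.Sub)
	if err != nil {
		return nil, err
	}
	if !checkAudience(sa.Aud, j.audiences) {
		return nil, fmt.Errorf("invalid audiences %v", sa.Aud)
	}
	return &security.Caller{
		AuthSource: security.AuthSourceIDToken,
		Identities: []string{spiffe.MustGenSpiffeURI(j.meshHolder.Mesh(), ns, ksa)},
	}, nil
}

// parseServiceAccountSubject splits a Kubernetes service-account subject into
// its namespace and service-account name. Only the exact four-segment form
// "system:serviceaccount:<namespace>:<serviceaccount>" with non-empty
// namespace and name is accepted; anything else returns an error.
//
// The strict shape check matters for security: a prefix match alone would let
// a signed token whose subject is "system:serviceaccount" (or has only three
// segments) reach parts[3] and panic the authenticator, and would let extra
// ":"-separated segments be silently dropped. Empty components are rejected
// here as well so they are never handed to the SPIFFE URI generator
// (NOTE(review): MustGenSpiffeURI is expected to panic on bad input — confirm).
func parseServiceAccountSubject(sub string) (ns, ksa string, err error) {
	parts := strings.Split(sub, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" || parts[2] == "" || parts[3] == "" {
		return "", "", fmt.Errorf("invalid sub %v", sub)
	}
	return parts[2], parts[3], nil
}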
| 118 | |
| 119 | // checkAudience() returns true if the audiences to check are in |
| 120 | // the expected audiences. Otherwise, return false. |