Revert "Revert "[FIX/BE-US]add feature restrict by location and areas in roles""

This reverts commit 26bf7f165e.
2026-05-20 13:31:56 +00:00 · 2026-01-14 13:34:44 +07:00
parent 26bf7f165e
commit 32772a63c8
30 changed files with 1258 additions and 37 deletions
@@ -0,0 +1,160 @@
+package sso
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/MicahParks/keyfunc/v2"
+	"github.com/golang-jwt/jwt/v5"
+
+	"gitlab.com/mbugroup/lti-api.git/internal/utils"
+)
+
+type verifier struct {
+	jwks      *keyfunc.JWKS
+	issuer    string
+	audiences map[string]struct{}
+}
+
+type AccessTokenClaims struct {
+	Scope string `json:"scope"`
+	jwt.RegisteredClaims
+}
+
+func (c AccessTokenClaims) Scopes() []string {
+	if c.Scope == "" {
+		return nil
+	}
+	return strings.Fields(c.Scope)
+}
+
+type VerificationResult struct {
+	UserID       uint
+	ServiceAlias string
+	Subject      string
+	Claims       *AccessTokenClaims
+}
+
+var (
+	globalMu sync.RWMutex
+	globalV  *verifier
+)
+
+func Init(ctx context.Context, jwksURL, issuer string, audiences []string) error {
+	jwksURL = strings.TrimSpace(jwksURL)
+	issuer = strings.TrimSpace(issuer)
+	if jwksURL == "" || issuer == "" {
+		return errors.New("missing SSO JWKS or issuer configuration")
+	}
+
+	client := &http.Client{Timeout: 5 * time.Second}
+	options := keyfunc.Options{
+		Ctx:               ctx,
+		Client:            client,
+		RefreshTimeout:    10 * time.Second,
+		RefreshInterval:   time.Hour,
+		RefreshUnknownKID: true,
+		RefreshErrorHandler: func(err error) {
+			utils.Log.Errorf("sso jwks refresh failed: %v", err)
+		},
+	}
+
+	jwks, err := keyfunc.Get(jwksURL, options)
+	if err != nil {
+		return fmt.Errorf("load jwks: %w", err)
+	}
+
+	audienceMap := make(map[string]struct{}, len(audiences))
+	for _, aud := range audiences {
+		aud = strings.TrimSpace(aud)
+		if aud == "" {
+			continue
+		}
+		audienceMap[aud] = struct{}{}
+	}
+
+	globalMu.Lock()
+	globalV = &verifier{jwks: jwks, issuer: issuer, audiences: audienceMap}
+	globalMu.Unlock()
+
+	utils.Log.Infof("sso verifier initialized for issuer %s (%d keys)", issuer, len(jwks.KIDs()))
+	return nil
+}
+
+func VerifyAccessToken(token string) (*VerificationResult, error) {
+	token = strings.TrimSpace(token)
+	if token == "" {
+		return nil, errors.New("empty token")
+	}
+
+	globalMu.RLock()
+	v := globalV
+	globalMu.RUnlock()
+	if v == nil {
+		return nil, errors.New("sso verifier not initialized")
+	}
+
+	claims := &AccessTokenClaims{}
+	parser := jwt.NewParser(
+		jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}),
+		jwt.WithIssuedAt(),
+		jwt.WithExpirationRequired(),
+	)
+	
+	tok, err := parser.ParseWithClaims(token, claims, v.jwks.Keyfunc)
+	if err != nil {
+		return nil, fmt.Errorf("parse token: %w", err)
+	}
+	if !tok.Valid {
+		return nil, errors.New("invalid token")
+	}
+
+	if claims.Issuer != v.issuer {
+		return nil, errors.New("unexpected token issuer")
+	}
+
+	if len(v.audiences) > 0 {
+		validAud := false
+		for _, aud := range claims.Audience {
+			if _, ok := v.audiences[aud]; ok {
+				validAud = true
+				break
+			}
+		}
+		if !validAud {
+			return nil, errors.New("unexpected token audience")
+		}
+	}
+
+	sub := strings.TrimSpace(claims.Subject)
+	if sub == "" {
+		return nil, errors.New("missing subject")
+	}
+
+	result := &VerificationResult{Claims: claims, Subject: sub}
+	switch {
+	case strings.HasPrefix(sub, "user:"):
+		idStr := strings.TrimPrefix(sub, "user:")
+		id, err := strconv.ParseUint(idStr, 10, 64)
+		if err != nil {
+			return nil, fmt.Errorf("invalid subject: %w", err)
+		}
+		result.UserID = uint(id)
+	case strings.HasPrefix(sub, "service:"):
+		alias := strings.TrimSpace(strings.TrimPrefix(sub, "service:"))
+		if alias == "" {
+			return nil, errors.New("invalid service subject")
+		}
+		result.ServiceAlias = strings.ToLower(alias)
+	default:
+		return nil, errors.New("unsupported subject type")
+	}
+
+	return result, nil
+}