opentdf · dmihalcik-virtru · Nov 15, 2024 · Nov 14, 2024 · Nov 14, 2024 · Nov 14, 2024
@@ -181,10 +181,10 @@ func NewAuthenticator(ctx context.Context, cfg Config, logger *logger.Logger, we
 }
 
 type receiverInfo struct {
-	// The URI of the request
-	u string
-	// The HTTP method of the request
-	m string
+	// Acceptable URIs of the request
+	u []string
+	// Allowed HTTP methods of the request
+	m []string
 }
 
 func normalizeURL(o string, u *url.URL) string {
@@ -209,6 +209,8 @@ func (a Authentication) MuxHandler(handler http.Handler) http.Handler {
 			return
 		}
 
+		dp := r.Header.Values("Dpop")
+
 		// Verify the token
 		header := r.Header["Authorization"]
 		if len(header) < 1 {
@@ -225,10 +227,11 @@ func (a Authentication) MuxHandler(handler http.Handler) http.Handler {
 			}
 		}
 		accessTok, ctxWithJWK, err := a.checkToken(r.Context(), header, receiverInfo{
-			u: normalizeURL(origin, r.URL),
-			m: r.Method,
-		}, r.Header["Dpop"])
+			u: []string{normalizeURL(origin, r.URL)},
+			m: []string{r.Method},
+		}, dp)
 		if err != nil {
+			slog.WarnContext(r.Context(), "unauthenticated", "error", err, "dpop", dp, "authorization", header)
 			http.Error(w, "unauthenticated", http.StatusUnauthorized)
 			return
 		}
@@ -270,6 +273,32 @@ func (a Authentication) ConnectUnaryServerInterceptor() connect.UnaryInterceptor
 			ctx context.Context,
 			req connect.AnyRequest,
 		) (connect.AnyResponse, error) {
+			ri := receiverInfo{
+				u: []string{req.Spec().Procedure},
+				m: []string{http.MethodPost},
+			}
+
+			paths := req.Header()["Pattern"]
+			if len(paths) == 0 {
+				paths = allowedPublicEndpoints[:]
+			}
+			for _, m := range []string{"Origin", "Grpcgateway-Origin", "Grpcgateway-Referer"} {
+				origins := req.Header().Values(m)
+				if len(origins) == 0 {
+					continue
+				}
+				for _, o := range origins {
+					if strings.HasSuffix(o, ":443") {
+						o = "https://" + strings.TrimPrefix(strings.TrimSuffix(o, ":443"), "https://")
+					} else {
+						o = strings.TrimSuffix(o, ":80")
+					}
+					for _, u := range paths {
+						ri.u = append(ri.u, normalizeURL(o, &url.URL{Path: u}))
+					}
+				}
+			}
+
 			// Interceptor Logic
 			// Allow health checks and other public routes to pass through
 			if slices.ContainsFunc(a.publicRoutes, a.isPublicRoute(req.Spec().Procedure)) { //nolint:contextcheck // There is no way to pass a context here
@@ -289,10 +318,7 @@ func (a Authentication) ConnectUnaryServerInterceptor() connect.UnaryInterceptor
 			token, newCtx, err := a.checkToken(
 				ctx,
 				header,
-				receiverInfo{
-					u: req.Spec().Procedure,
-					m: http.MethodPost,
-				},
+				ri,
 				req.Header()["Dpop"],
 			)
 			if err != nil {
@@ -510,21 +536,29 @@ func (a Authentication) validateDPoP(accessToken jwt.Token, acessTokenRaw string
 		return nil, fmt.Errorf("the DPoP JWT has expired")
 	}
 
-	htm, ok := dpopToken.Get("htm")
+	htma, ok := dpopToken.Get("htm")
 	if !ok {
 		return nil, fmt.Errorf("`htm` claim missing in DPoP JWT")
 	}
+	htm, ok := htma.(string)
+	if !ok {
+		return nil, fmt.Errorf("`htm` claim invalid format in DPoP JWT")
+	}
 
-	if htm != dpopInfo.m {
+	if !slices.Contains(dpopInfo.m, htm) {
 		return nil, fmt.Errorf("incorrect `htm` claim in DPoP JWT; received [%v], but should match [%v]", htm, dpopInfo.m)
 	}
 
-	htu, ok := dpopToken.Get("htu")
+	htua, ok := dpopToken.Get("htu")
 	if !ok {
 		return nil, fmt.Errorf("`htu` claim missing in DPoP JWT")
 	}
+	htu, ok := htua.(string)
+	if !ok {
+		return nil, fmt.Errorf("`htu` claim invalid format in DPoP JWT")
+	}
 
-	if htu != dpopInfo.u {
+	if !slices.Contains(dpopInfo.u, htu) {
 		return nil, fmt.Errorf("incorrect `htu` claim in DPoP JWT; received [%v], but should match [%v]", htu, dpopInfo.u)
 	}
 

@@ -408,8 +408,8 @@ func (s *AuthSuite) TestInvalid_DPoP_Cases() {
 				context.Background(),
 				[]string{fmt.Sprintf("DPoP %s", string(testCase.accessToken))},
 				receiverInfo{
-					u: "/a/path",
-					m: http.MethodPost,
+					u: []string{"/a/path"},
+					m: []string{http.MethodPost},
 				},
 				[]string{dpopToken},
 			)

@@ -9,6 +9,7 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
+	"net/textproto"
 	"regexp"
 	"strings"
 	"time"
@@ -28,6 +29,7 @@ import (
 	"golang.org/x/net/http2/h2c"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/metadata"
 )
 
 const (
@@ -165,7 +167,29 @@ func NewOpenTDFServer(config Config, logger *logger.Logger) (*OpenTDFServer, err
 	}
 
 	// GRPC Gateway Mux
-	grpcGatewayMux := runtime.NewServeMux()
+	grpcGatewayMux := runtime.NewServeMux(
+		runtime.WithIncomingHeaderMatcher(
+			func(key string) (string, bool) {
+				if k, ok := runtime.DefaultHeaderMatcher(key); ok {
+					return k, true
+				}
+				if textproto.CanonicalMIMEHeaderKey(key) == "Dpop" {
+					return "Dpop", true
+				}
+				return "", false
+			},
+		),
+		runtime.WithMetadata(func(ctx context.Context, _ *http.Request) metadata.MD {
+			md := make(map[string]string)
+			if method, ok := runtime.RPCMethod(ctx); ok {
+				md["method"] = method // /grpc.gateway.examples.internal.proto.examplepb.LoginService/Login
+			}
+			if pattern, ok := runtime.HTTPPathPattern(ctx); ok {
+				md["pattern"] = pattern // /v1/example/login
+			}
+			return metadata.New(md)
+		}),
+	)
 
 	// Create http server
 	httpServer, err := newHTTPServer(config, connectRPC.Mux, grpcGatewayMux, authN, logger)