diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4778a7f..089b86e 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -6,9 +6,6 @@ on:
 branches:
 - main
 workflow_dispatch:
- pull_request:
- branches:
- - main
 env:
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index f74d5b8..ec2dd68 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -45,3 +45,36 @@ jobs:
 - name: Helm Lint
 run: helm lint charts/radix-oauth-guard
+
+ integration-test:
+ name: Integration test
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v4
+ with:
+ go-version-file: 'go.mod'
+ - name: Install dependencies
+ run: go mod download
+ - name: Install oauth guard
+ run: go install .
+ - name: Test Auth
+ env:
+ LOG_PRETTY: True
+ LOG_LEVEL: Trace
+ ISSUER: "https://token.actions.githubusercontent.com"
+ AUDIENCE: "https://github.com/equinor"
+ SUBJECTS: repo:equinor/radix-oauth-guard:pull_request
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ radix-oauth-guard &
+ GO_PID=$!
+ sleep 2s
+ CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth)
+ kill -9 $GO_PID
+ echo "Curl status code: ${CURL_RESPONSE}!"
+ :
+
diff --git a/auth.go b/auth.go
index b7d8e37..2902be0 100644
--- a/auth.go
+++ b/auth.go
@@ -2,6 +2,10 @@ package main
 import (
 "context"
+ "crypto/aes"
+ "crypto/cipher"
+ "crypto/rand"
+ "encoding/base64"
 "errors"
 "net/http"
 "slices"
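Review bot: The `Test Auth` step in pr.yml cannot fail: the curl status code is only echoed and the script ends with `:`, so a 401 from the guard or a server that never came up (`sleep 2s` is a delay, not a readiness check) still leaves the job green. Assert on the status after the `kill`, e.g. `[ "${CURL_RESPONSE}" = "200" ] || { echo "unexpected status ${CURL_RESPONSE}"; exit 1; }`, and replace the fixed sleep with a short retry loop against the port. It also looks like `secrets.GITHUB_TOKEN` is sent as the bearer token while `ISSUER` is the Actions OIDC issuer; if the intent is to exercise OIDC verification (the `id-token: write` permission suggests so), the token would have to be requested from the Actions OIDC endpoint instead — worth confirming before relying on this test. Pinning `actions/checkout@v4` and `actions/setup-go@v4` to a commit SHA rather than a moving tag would also harden the workflow.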
@@ -27,8 +31,11 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 log.Trace().Func(func(e *zerolog.Event) {
 headers := r.Header.Clone()
 headers.Del("Authorization")
- if r.Header.Get("Authorization") != "" {
- headers.Set("Authorization", "!REMOVED!")
+ if authHeader := r.Header.Get("Authorization"); authHeader != "" {
+
+ secretKey := "N1PCdw3M2B1TfJhoaY2mL736p2vCUc47"
+ authHeader = base64.StdEncoding.EncodeToString([]byte(encrypt(authHeader, secretKey)))
+ headers.Set("Authorization", authHeader)
 }
 e.Interface("headers", headers)
 }).Msg("Request details")
@@ -80,3 +87,30 @@ func parseAuthHeader(authorization string) (string, error) {
 return token, nil
 }
+
+func encrypt(plaintext, secretKey string) string {
+ aes, err := aes.NewCipher([]byte(secretKey))
+ if err != nil {
+ panic(err)
+ }
+
+ gcm, err := cipher.NewGCM(aes)
+ if err != nil {
+ panic(err)
+ }
+
+ // We need a 12-byte nonce for GCM (modifiable if you use cipher.NewGCMWithNonceSize())
+ // A nonce should always be randomly generated for every encryption.
+ nonce := make([]byte, gcm.NonceSize())
+ _, err = rand.Read(nonce)
+ if err != nil {
+ panic(err)
+ }
+
+ // ciphertext here is actually nonce+ciphertext
+ // So that when we decrypt, just knowing the nonce size
+ // is enough to separate it from the ciphertext.
+ ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+
+ return string(ciphertext)
+}
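Review bot: The trace log now carries the bearer token in a form that anyone with read access to the source can reverse: `secretKey` is a string literal in auth.go, so `encrypt(authHeader, secretKey)` followed by base64 is a reversible encoding of the credential, whereas the removed `"!REMOVED!"` line leaked nothing. Keep the redaction, `headers.Set("Authorization", "!REMOVED!")`, or, if requests genuinely need to be correlated across log lines, log a non-reversible fingerprint (for example a truncated SHA-256 of the token) with a comment saying it is not meant to be recovered. The same key literal makes the `encrypt` helper added in the next hunk moot for confidentiality, and a fresh AES-GCM cipher is built on every traced request. The enclosing AuthHandler body starts and ends outside this hunk.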
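Review bot: In `encrypt`, `aes, err := aes.NewCipher([]byte(secretKey))` shadows the `crypto/aes` package with a local variable for the rest of the function; it compiles, but naming it `block` avoids the confusion. Returning the nonce-prefixed ciphertext as a `string` only for the caller in AuthHandler to convert it back with `[]byte(...)` before base64-encoding is a needless round-trip; returning `[]byte` is cleaner. The three `panic(err)` calls execute inside the request path (the zerolog trace callback), so a failing `rand.Read` would abort the whole request rather than just the log entry — net/http recovers handler panics, but the client sees a dropped connection; returning an error is preferable. A doc comment on the function should state the output layout the inline comments already describe, e.g. `// encrypt returns nonce||ciphertext with a 12-byte GCM nonce prefix.`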