Test oauth guard

.github/workflows/build.yaml

@@ -6,9 +6,6 @@ on:
     branches:
       - main
   workflow_dispatch:
-  pull_request:
-    branches:
-      - main
 
 
 env:

.github/workflows/pr.yml

@@ -45,3 +45,36 @@ jobs:
 
       - name: Helm Lint
         run: helm lint charts/radix-oauth-guard
+
+  integration-test:
+      name: Integration test
+      runs-on: ubuntu-latest
+      permissions:
+        id-token: write
+        contents: read
+      steps:
+        - uses: actions/checkout@v4
+        - uses: actions/setup-go@v4
+          with:
+            go-version-file: 'go.mod'
+        - name: Install dependencies
+          run: go mod download
+        - name: Install oauth guard
+          run: go install .
+        - name: Test Auth
+          env:
+            LOG_PRETTY: True
+            LOG_LEVEL: Trace
+            ISSUER: "https://token.actions.githubusercontent.com"
+            AUDIENCE: "https://github.com/equinor"
+            SUBJECTS: repo:equinor/radix-oauth-guard:pull_request
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          run: |
+            radix-oauth-guard &
+            GO_PID=$!
+            sleep 2s
+            CURL_RESPONSE=$(curl --write-out '%{http_code}' --output /dev/null  --header "Authorization: Bearer ${GH_TOKEN}" http://localhost:8000/auth)
+            kill -9 $GO_PID
+            echo "Curl status code: ${CURL_RESPONSE}!"
+            :
+

auth.go

@@ -2,6 +2,10 @@ package main
 
 import (
 	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
 	"errors"
 	"net/http"
 	"slices"
@@ -27,8 +31,11 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 		log.Trace().Func(func(e *zerolog.Event) {
 			headers := r.Header.Clone()
 			headers.Del("Authorization")
-			if r.Header.Get("Authorization") != "" {
-				headers.Set("Authorization", "!REMOVED!")
+			if authHeader := r.Header.Get("Authorization"); authHeader != "" {
+
+				secretKey := "N1PCdw3M2B1TfJhoaY2mL736p2vCUc47"
+				authHeader = base64.StdEncoding.EncodeToString([]byte(encrypt(authHeader, secretKey)))
+				headers.Set("Authorization", authHeader)
 			}
 			e.Interface("headers", headers)
 		}).Msg("Request details")
@@ -80,3 +87,30 @@ func parseAuthHeader(authorization string) (string, error) {
 
 	return token, nil
 }
+
+func encrypt(plaintext, secretKey string) string {
+	aes, err := aes.NewCipher([]byte(secretKey))
+	if err != nil {
+		panic(err)
+	}
+
+	gcm, err := cipher.NewGCM(aes)
+	if err != nil {
+		panic(err)
+	}
+
+	// We need a 12-byte nonce for GCM (modifiable if you use cipher.NewGCMWithNonceSize())
+	// A nonce should always be randomly generated for every encryption.
+	nonce := make([]byte, gcm.NonceSize())
+	_, err = rand.Read(nonce)
+	if err != nil {
+		panic(err)
+	}
+
+	// ciphertext here is actually nonce+ciphertext
+	// So that when we decrypt, just knowing the nonce size
+	// is enough to separate it from the ciphertext.
+	ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
+
+	return string(ciphertext)
+}