sdk-go/zero_client.go at main · pomerium/sdk-go · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
package sdk

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"strconv"
	"time"

	"github.com/pomerium/sdk-go/pkg/zeroapi"
)

type ZeroClient interface {
	zeroapi.ClientWithResponsesInterface
}

type zeroClient struct {
	cfg *clientConfig
	zeroapi.ClientWithResponsesInterface

	zeroToken *cachedValue[zeroToken]
}

func NewZeroClient(options ...ClientOption) (ZeroClient, error) {
	c := &zeroClient{
		cfg: getClientConfig(options...),
	}

	client, err := zeroapi.NewClientWithResponses(c.cfg.url+"/api/v0",
		zeroapi.WithHTTPClient(c.cfg.httpClient),
		zeroapi.WithRequestEditorFn(c.authenticationRequestEditorFn))
	if err != nil {
		return nil, err
	}
	c.ClientWithResponsesInterface = client

	c.zeroToken = newCachedValue(func(ctx context.Context) (zeroToken, error) {
		return loadZeroToken(ctx, c.cfg)
	}, func(t zeroToken) bool {
		return t.expiry.After(time.Now().Add(tokenMinTTL))
	})

	return c, nil
}

func (c *zeroClient) authenticationRequestEditorFn(ctx context.Context, req *http.Request) error {
	token, err := c.zeroToken.Get(ctx)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Pomerium "+token.idToken)
	return nil
}

func loadZeroToken(ctx context.Context, cfg *clientConfig) (zeroToken, error) {
	now := time.Now()

	data, err := json.Marshal(map[string]any{"refreshToken": cfg.apiToken})
	if err != nil {
		return zeroToken{}, fmt.Errorf("error marshaling refresh token: %w", err)
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodPost, cfg.url+"/api/v0/token", bytes.NewBuffer(data))
	if err != nil {
		return zeroToken{}, fmt.Errorf("error creating token request: %w", err)
	}
	req.Header.Set("Content-Type", "application/json")

	res, err := cfg.httpClient.Do(req)
	if err != nil {
		return zeroToken{}, fmt.Errorf("error executing token request: %w", err)
	}
	defer res.Body.Close()

	if res.StatusCode/100 != 2 {
		return zeroToken{}, fmt.Errorf("unexpected status code from zero API: %d", res.StatusCode)
	}

	var resData struct {
		ExpiresInSeconds string `json:"expiresInSeconds"`
		IDToken          string `json:"idToken"`
	}
	err = json.NewDecoder(res.Body).Decode(&resData)
	if err != nil {
		return zeroToken{}, fmt.Errorf("error unmarshaling token response: %w", err)
	}

	expires, err := strconv.ParseInt(resData.ExpiresInSeconds, 10, 64)
	if err != nil {
		return zeroToken{}, fmt.Errorf("error parsing token expiry: %w", err)
	}

	// Strip the monotonic clock reading from the expiry, so that any time
	// comparison will use only the wall clock time. (On some systems, the
	// monotonic clock does not advance during system sleep, which could
	// lead to incorrect expiration time checks.)
	expiry := now.Add(time.Second * time.Duration(expires)).Round(0)

	return zeroToken{
		expiry:  expiry,
		idToken: resData.IDToken,
	}, nil
}