func tryFromHeader()

in pkg/authority/v1alpha1/tools.go [73:118]


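// tryFromHeader authenticates the caller of an incoming gRPC request from its
// metadata and resolves it to a rule.Endpoint.
//
// The "authorization" metadata key must carry exactly one value of the form
// "Bearer <token>". The optional "authorization-type" key selects how the token
// is verified: "dubbo-jwt" checks the token against the public key of every
// trusted certificate in certStorage and decodes the claim extensions into the
// endpoint; any other value (default "kubernetes" when the key is absent) is
// handed to kubeClient.VerifyServiceAccount, but only when options report a
// connected Kubernetes cluster with the OIDC check enabled.
//
// It returns a non-nil error when the header is missing or malformed, when no
// verification path accepts the token, or when no verification path applies.
func tryFromHeader(c context.Context, certStorage cert.Storage, options *config.Options, kubeClient k8s.Client) (*rule.Endpoint, error) {
	// TODO refactor as coreos/go-oidc
	authorization := metadata.ValueFromIncomingContext(c, "authorization")
	if len(authorization) != 1 {
		return nil, fmt.Errorf("failed to get Authorization header from context")
	}

	if !strings.HasPrefix(authorization[0], "Bearer ") {
		return nil, fmt.Errorf("failed to get Authorization header from context")
	}

	// Strip only the leading scheme; ReplaceAll would also rewrite any later
	// occurrence of "Bearer " inside the credential itself.
	token := strings.TrimPrefix(authorization[0], "Bearer ")
	if token == "" {
		// "Bearer " with nothing after it can never verify; fail early rather
		// than forwarding an empty credential to the verifiers below.
		return nil, fmt.Errorf("failed to get Authorization header from context")
	}

	// The verification scheme is chosen by the caller through metadata. It is
	// used verbatim below, so any value other than "dubbo-jwt" is ultimately
	// interpreted by the kube client.
	authorizationType := "kubernetes"
	if types := metadata.ValueFromIncomingContext(c, "authorization-type"); len(types) == 1 {
		authorizationType = types[0]
	}

	if authorizationType == "dubbo-jwt" {
		// Accept the token if the key of any trusted certificate verifies it.
		// The loop variable is named trusted (not c) so it does not shadow the
		// request context.
		for _, trusted := range certStorage.GetTrustedCerts() {
			// NOTE(review): assumes PrivateKey is never nil for a trusted cert —
			// confirm against cert.Storage, otherwise this dereference panics.
			claims, err := jwt.Verify(&trusted.PrivateKey.PublicKey, token)
			if err != nil {
				continue
			}
			endpoint := &rule.Endpoint{SpiffeID: claims.Subject}
			// Extensions are decoded on top of the subject-derived endpoint.
			// NOTE(review): if the extension JSON carries a SpiffeID field it
			// overwrites claims.Subject — confirm that is intended.
			err = json.Unmarshal([]byte(claims.Extensions), endpoint)
			if err != nil {
				continue
			}
			return endpoint, nil
		}
		return nil, fmt.Errorf("failed to verify Authorization header from dubbo-jwt")
	}

	// Every non-"dubbo-jwt" scheme is delegated to Kubernetes, which is only
	// consulted when the cluster is connected and the OIDC check is enabled.
	if options.IsKubernetesConnected && options.EnableOIDCCheck {
		endpoint, ok := kubeClient.VerifyServiceAccount(token, authorizationType)
		if !ok {
			return nil, fmt.Errorf("failed to verify Authorization header from kubernetes")
		}
		return endpoint, nil
	}

	return nil, fmt.Errorf("failed to verify Authorization header")
}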