(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq IssueTokenRequest)
| 90 | } |
| 91 | |
| 92 | func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) { |
| 93 | // nolint:gocritic // We need to make a number of database calls. Setting a system context here |
| 94 | // // is simpler than calling dbauthz.AsSystemRestricted on every call. |
| 95 | // // dangerousSystemCtx is only used for database calls. The actual authentication |
| 96 | // // logic is handled in Provider.authorizeWorkspaceApp which directly checks the actor's |
| 97 | // // permissions. |
| 98 | dangerousSystemCtx := dbauthz.AsSystemRestricted(ctx) |
| 99 | |
| 100 | aReq, commitAudit := p.connLogInitRequest(rw, r) |
| 101 | defer commitAudit() |
| 102 | |
| 103 | appReq := issueReq.AppRequest.Normalize() |
| 104 | err := appReq.Check() |
| 105 | if err != nil { |
| 106 | WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "invalid app request") |
| 107 | return nil, "", false |
| 108 | } |
| 109 | |
| 110 | token := SignedToken{ |
| 111 | Request: appReq, |
| 112 | } |
| 113 | |
| 114 | // We use the regular API apiKey extraction middleware fn here to avoid any |
| 115 | // differences in behavior between the two. |
| 116 | apiKey, authz, ok := httpmw.ExtractAPIKey(rw, r, httpmw.ExtractAPIKeyConfig{ |
| 117 | DB: p.Database, |
| 118 | OAuth2Configs: p.OAuth2Configs, |
| 119 | RedirectToLogin: false, |
| 120 | DisableSessionExpiryRefresh: p.DeploymentValues.Sessions.DisableExpiryRefresh.Value(), |
| 121 | // Optional is true to allow for public apps. If the authorization check |
| 122 | // (later on) fails and the user is not authenticated, they will be |
| 123 | // redirected to the login page or app auth endpoint using code below. |
| 124 | Optional: true, |
| 125 | SessionTokenFunc: func(_ *http.Request) string { |
| 126 | return issueReq.SessionToken |
| 127 | }, |
| 128 | }) |
| 129 | if !ok { |
| 130 | return nil, "", false |
| 131 | } |
| 132 | |
| 133 | aReq.apiKey = apiKey // Update audit request. |
| 134 | |
| 135 | // Lookup workspace app details from DB. |
| 136 | dbReq, err := appReq.getDatabase(dangerousSystemCtx, p.Database) |
| 137 | switch { |
| 138 | case xerrors.Is(err, sql.ErrNoRows): |
| 139 | WriteWorkspaceApp404(p.Logger, p.DashboardURL, rw, r, &appReq, nil, err.Error()) |
| 140 | return nil, "", false |
| 141 | case xerrors.Is(err, errWorkspaceStopped): |
| 142 | WriteWorkspaceOffline(p.Logger, p.DashboardURL, rw, r, &appReq) |
| 143 | return nil, "", false |
| 144 | case err != nil: |
| 145 | WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "get app details from database") |
| 146 | return nil, "", false |
| 147 | } |
| 148 | |
| 149 | aReq.dbReq = dbReq // Update audit request. |
nothing calls this directly
no test coverage detected