Initial commit

Author: vuongxuongminh

.gitattributes

@@ -0,0 +1,11 @@
+* text=auto
+
+/assets export-ignore
+/tests export-ignore
+/.gitattributes export-ignore
+/.github export-ignore
+/.gitignore export-ignore
+/phpunit.xml.dist export-ignore
+/.php-cs-fixer.dist.php export-ignore
+/CHANGELOG.md export-ignore
+/README.md export-ignore

.gitignore

@@ -0,0 +1,10 @@
+*.log
+/build/
+/.php_cs
+/.php_cs.cache
+/.phpunit.result.cache
+/vendor/
+/composer.lock
+.php-cs-fixer.php
+.php-cs-fixer.cache
+/tests/.kernel/

.php-cs-fixer.dist.php

@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+$finder = PhpCsFixer\Finder::create()
+    ->in(__DIR__)
+    ->append([__FILE__]);
+
+return (new PhpCsFixer\Config())
+    ->setUsingCache(true)
+    ->setRules(
+        [
+            '@PSR12' => true,
+            '@Symfony' => true,
+            'array_indentation' => true,
+            'class_definition' => ['multi_line_extends_each_single_line' => true],
+            'compact_nullable_typehint' => true,
+            'concat_space' => ['spacing' => 'one'],
+            'declare_strict_types' => true,
+            'heredoc_to_nowdoc' => true,
+            'global_namespace_import' => [
+                'import_classes' => false,
+                'import_constants' => false,
+                'import_functions' => false,
+            ],
+            'list_syntax' => ['syntax' => 'short'],
+            'no_null_property_initialization' => true,
+            'phpdoc_to_comment' => false,
+            'phpdoc_align' => ['align' => 'left'],
+            'phpdoc_summary' => false,
+            'ternary_to_null_coalescing' => true,
+        ]
+    )
+    ->setRiskyAllowed(true)
+    ->setFinder($finder);

LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2021 Minh Vuong <vuongxuongminh@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

composer.json

@@ -0,0 +1,39 @@
+{
+  "name": "php-istio/jwt-authentication-bundle",
+  "description": "Symfony bundle to help authenticate JWT payload from Istio Envoy proxy.",
+  "type": "symfony-bundle",
+  "license": "MIT",
+  "authors": [
+    {
+      "name": "Minh Vuong",
+      "email": "vuongxuongminh@gmail.com"
+    }
+  ],
+  "config": {
+    "sort-packages": true
+  },
+  "minimum-stability": "stable",
+  "require": {
+    "php": ">=8.0",
+    "nyholm/psr7": "^1.4",
+    "php-istio/jwt-payload-extractor": "^1.0",
+    "symfony/psr-http-message-bridge": "^2.1",
+    "symfony/security-bundle": "^5.3"
+  },
+  "autoload": {
+    "psr-4": {
+      "Istio\\Symfony\\JWTAuthentication\\": "src"
+    }
+  },
+  "autoload-dev": {
+    "psr-4": {
+      "Istio\\Symfony\\JWTAuthentication\\Tests\\": "tests"
+    }
+  },
+  "require-dev": {
+    "symfony/browser-kit": "^5.3",
+    "symfony/console": "^5.3",
+    "symfony/framework-bundle": "^5.3",
+    "symfony/phpunit-bridge": "^5.3"
+  }
+}

phpunit.xml.dist

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.5/phpunit.xsd" backupGlobals="false" bootstrap="vendor/autoload.php" colors="true">
+    <php>
+        <env name="KERNEL_CLASS" value="Istio\Symfony\JWTAuthentication\Tests\TestKernel" />
+        <env name="SHELL_VERBOSITY" value="-1" />
+        <env name="SYMFONY_PHPUNIT_REMOVE" value="" />
+        <ini name="error_reporting" value="-1" />
+    </php>
+
+    <testsuites>
+        <testsuite name="Bundle Test Suite">
+            <directory>tests</directory>
+        </testsuite>
+    </testsuites>
+
+    <coverage processUncoveredFiles="true">
+        <include>
+            <directory>.</directory>
+        </include>
+        <exclude>
+            <directory>tests</directory>
+            <directory>vendor</directory>
+            <file>.php-cs-fixer.dist.php</file>
+        </exclude>
+    </coverage>
+</phpunit>

src/Authenticator/Authenticator.php

@@ -0,0 +1,114 @@
+<?php
+/*
+ * (c) Minh Vuong <vuongxuongminh@gmail.com>
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+declare(strict_types=1);
+
+namespace Istio\Symfony\JWTAuthentication\Authenticator;
+
+use Istio\Symfony\JWTAuthentication\User\JWTPayloadAwareUserProviderInterface;
+use Nyholm\Psr7\Factory\Psr17Factory;
+use Psr\Http\Message\ServerRequestInterface;
+use Symfony\Bridge\PsrHttpMessage\Factory\PsrHttpFactory;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+
+final class Authenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
+{
+    public function __construct(
+        private iterable $userIdentifierClaimMappings,
+        private UserProviderInterface $userProvider
+    ) {
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        $psr7Request = $this->normalizeRequest($request);
+
+        foreach ($this->userIdentifierClaimMappings as $mapping) {
+            /** @var UserIdentifierClaimMapping $mapping */
+            $payload = $mapping->extractor()->extract($psr7Request);
+
+            if (null !== $payload && false !== is_string($payload[$mapping->userIdentifierClaim()] ?? null)) {
+                $request->attributes->set(
+                    '_user_identifier_and_payload',
+                    [
+                        $mapping->userIdentifierClaim(),
+                        $payload,
+                    ]
+                );
+
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function authenticate(Request $request): PassportInterface
+    {
+        [$userIdentifierClaim, $payload] = $request->attributes->get('_user_identifier_and_payload');
+        $request->attributes->remove('_user_identifier_and_payload');
+        $userBadge = new UserBadge($payload[$userIdentifierClaim], $this->makeUserLoader($payload));
+        $passport = new SelfValidatingPassport($userBadge);
+        $passport->setAttribute('_payload', $payload);
+
+        return $passport;
+    }
+
+    private function makeUserLoader(array $payload): callable
+    {
+        return function (string $userIdentifier) use ($payload) {
+            if ($this->userProvider instanceof JWTPayloadAwareUserProviderInterface) {
+                return $this->userProvider->loadUserByIdentifier($userIdentifier, $payload);
+            }
+
+            return $this->userProvider->loadUserByIdentifier($userIdentifier);
+        };
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        throw $exception;
+    }
+
+    public function createAuthenticatedToken(PassportInterface $passport, string $firewallName): TokenInterface
+    {
+        /** @var SelfValidatingPassport $passport */
+        $payload = $passport->getAttribute('_payload');
+        $token = parent::createAuthenticatedToken($passport, $firewallName);
+        $token->setAttribute('jwt_payload', $payload);
+
+        return $token;
+    }
+
+    public function start(Request $request, AuthenticationException $authException = null)
+    {
+        return new Response('Istio JWT in request\'s missing or invalid.', Response::HTTP_UNAUTHORIZED);
+    }
+
+    private function normalizeRequest(Request $request): ServerRequestInterface
+    {
+        $psr17Factory = new Psr17Factory();
+        $psrHttpFactory = new PsrHttpFactory($psr17Factory, $psr17Factory, $psr17Factory, $psr17Factory);
+
+        return $psrHttpFactory->createRequest($request);
+    }
+}

src/Authenticator/UserIdentifierClaimMapping.php

@@ -0,0 +1,30 @@
+<?php
+/*
+ * (c) Minh Vuong <vuongxuongminh@gmail.com>
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+declare(strict_types=1);
+
+namespace Istio\Symfony\JWTAuthentication\Authenticator;
+
+use Istio\JWTPayloadExtractor\ExtractorInterface;
+
+final class UserIdentifierClaimMapping
+{
+    public function __construct(private string $userIdentifierClaim, private ExtractorInterface $extractor)
+    {
+    }
+
+    public function userIdentifierClaim(): string
+    {
+        return $this->userIdentifierClaim;
+    }
+
+    public function extractor(): ExtractorInterface
+    {
+        return $this->extractor;
+    }
+}

src/DependencyInjection/JWTAuthenticationExtension.php

@@ -0,0 +1,27 @@
+<?php
+/*
+ * (c) Minh Vuong <vuongxuongminh@gmail.com>
+ *
+ * This source file is subject to the MIT license that is bundled
+ * with this source code in the file LICENSE.
+ */
+
+declare(strict_types=1);
+
+namespace Istio\Symfony\JWTAuthentication\DependencyInjection;
+
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Extension\Extension;
+use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
+
+final class JWTAuthenticationExtension extends Extension
+{
+    public function load(array $configs, ContainerBuilder $container)
+    {
+        $loader = new PhpFileLoader($container, new FileLocator(dirname(__DIR__) . '/Resources/config'));
+
+        $loader->load('payload_extractor.php');
+        $loader->load('security.php');
+    }
+}