Bridge all verbs (get/put/patch/post/delete) + Authorization is set i…

…n Gateway-Authorization header for the bridge
Devolutions · Aug 3, 2021 · 2b5077a · 2b5077a
1 parent cfdc353
commit 2b5077a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 12 deletions.
diff --git a/devolutions-gateway/src/http/controllers/http_bridge.rs b/devolutions-gateway/src/http/controllers/http_bridge.rs
@@ -5,8 +5,6 @@ use saphir::macros::controller;
 use saphir::request::Request;
 use saphir::response::Builder;
 
-pub const REQUEST_AUTHORIZATION_TOKEN_HDR_NAME: &str = "Request-Authorization-Token";
-
 pub struct HttpBridgeController {
     client: reqwest::Client,
 }
@@ -20,7 +18,11 @@ impl HttpBridgeController {
 
 #[controller(name = "bridge")]
 impl HttpBridgeController {
+    #[get("/message")]
     #[post("/message")]
+    #[put("/message")]
+    #[patch("/message")]
+    #[delete("/message")]
     #[guard(AccessGuard, init_expr = r#"JetTokenType::Bridge"#)]
     async fn message(&self, req: Request) -> Result<Builder, HttpErrorStatus> {
         use core::convert::TryFrom;
@@ -37,15 +39,7 @@ impl HttpBridgeController {
             let req: saphir::request::Request<reqwest::Body> = req.map(reqwest::Body::from);
             let mut req: http::Request<reqwest::Body> = http::Request::from(req);
 
-            // === Replace Authorization header (used to be authorized on the gateway) with the request authorization token === //
-
             let mut rsp = {
-                let headers = req.headers_mut();
-                headers.remove(http::header::AUTHORIZATION);
-                if let Some(auth_token) = headers.remove(REQUEST_AUTHORIZATION_TOKEN_HDR_NAME) {
-                    headers.insert(http::header::AUTHORIZATION, auth_token);
-                }
-
                 // Update request destination
                 let uri = http::Uri::try_from(claims.target.as_str()).map_err(HttpErrorStatus::bad_request)?;
                 *req.uri_mut() = uri;

diff --git a/devolutions-gateway/src/http/middlewares/auth.rs b/devolutions-gateway/src/http/middlewares/auth.rs
@@ -11,6 +11,8 @@ use saphir::response::Builder as ResponseBuilder;
 use slog_scope::error;
 use std::sync::Arc;
 
+const GATEWAY_AUTHORIZATION_HDR_NAME: &str = "Gateway-Authorization";
+
 pub struct AuthMiddleware {
     config: Arc<Config>,
 }
@@ -38,7 +40,10 @@ async fn auth_middleware(
 ) -> Result<HttpContext, SaphirError> {
     let request = ctx.state.request_unchecked_mut();
 
-    let auth_header = request.headers().get(http::header::AUTHORIZATION);
+    let gateway_auth_header = request.headers_mut().remove(GATEWAY_AUTHORIZATION_HDR_NAME);
+    let auth_header = gateway_auth_header
+        .as_ref()
+        .or_else(|| request.headers().get(http::header::AUTHORIZATION));
 
     let auth_header = match auth_header {
         Some(header) => header.clone(),

diff --git a/powershell/DevolutionsGateway/Public/DGateway.ps1 b/powershell/DevolutionsGateway/Public/DGateway.ps1
@@ -620,7 +620,7 @@ function New-DGatewayToken {
     param(
         [string] $ConfigPath,
 
-        [ValidateSet('association', 'scope')]
+        [ValidateSet('association', 'scope', 'bridge')]
         [Parameter(Mandatory = $true)]
         [string] $Type, #type
 
@@ -640,6 +640,9 @@ function New-DGatewayToken {
         #private scope claims
         [string] $Scope, # scope
 
+        #private bridge claims
+        [string] $Target, # target
+
         # signature parameters
         [string] $PrivateKeyFile
     )
@@ -722,6 +725,10 @@ function New-DGatewayToken {
         $Payload | Add-Member -MemberType NoteProperty -Name 'scope' -Value $Scope
     }
 
+    if (($Type -eq 'bridge') -and ($Target)) {
+        $Payload | Add-Member -MemberType NoteProperty -Name 'target' -Value $Target
+    }
+
     New-JwtRs256 -Header $Header -Payload $Payload -PrivateKey $PrivateKey
 }