add shopify_jwt acl policy

Signed-off-by: Austen Lacy <[email protected]>

go.mod

@@ -116,7 +116,9 @@ require (
 )
 
 require (
+	github.com/MicahParks/keyfunc/v2 v2.1.0
 	github.com/bndr/gotabulate v1.1.2
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/hashicorp/go-version v1.6.0
 	golang.org/x/exp v0.0.0-20230811145659-89c5cff77bcb
 	modernc.org/sqlite v1.20.3

go.sum

@@ -84,6 +84,8 @@ github.com/HdrHistogram/hdrhistogram-go v0.9.0/go.mod h1:nxrse8/Tzg2tg3DZcZjm6qE
 github.com/Masterminds/glide v0.13.2/go.mod h1:STyF5vcenH/rUqTEv+/hBXlSTo7KYwg2oc2f4tzPWic=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/vcs v1.13.0/go.mod h1:N09YCmOQr6RLxC6UNHzuVwAdodYbbnycGHSmwVJjcKA=
+github.com/MicahParks/keyfunc/v2 v2.1.0 h1:6ZXKb9Rp6qp1bDbJefnG7cTH8yMN1IC/4nf+GVjO99k=
+github.com/MicahParks/keyfunc/v2 v2.1.0/go.mod h1:rW42fi+xgLJ2FRRXAfNx9ZA8WpD4OeE/yHVMteCkw9k=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/goquery v1.5.1 h1:PSPBGne8NIUWw+/7vFBV+kG2J/5MOjbzc7154OaKCSE=
 github.com/PuerkitoBio/goquery v1.5.1/go.mod h1:GsLWisAFVj4WgDibEWF4pvYnkVQBpKBKeU+7zCJoLcc=
@@ -281,6 +283,8 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

go/acl/shopify_jwt_policy.go

@@ -0,0 +1,114 @@
+/*
+Copyright 2023 The Vitess Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package acl
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+
+	keyfunc "github.com/MicahParks/keyfunc/v2"
+	jwt "github.com/golang-jwt/jwt/v5"
+)
+
+const (
+	SHOPIFY_JWT             = "shopify_jwt"
+	SHOPIFY_COOKIE_NAME_ENV = "JWT_COOKIE_NAME"
+	SHOPIFY_JWKS_URL_ENV    = "JWKS_URL"
+)
+
+var errDenyShopifyJwt = errors.New("not allowed: shopify_jwt security_policy enforced")
+
+func jwksRequestFactory(ctx context.Context, url string) (*http.Request, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, bytes.NewReader(nil))
+
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Accept", "application/json")
+	return req, nil
+}
+
+type shopifyJwt struct{}
+
+func validateJWT(tokenString string, jwksURL string) (bool, error) {
+	// Fetch the JWKS from the provided URL
+	jwks, err := keyfunc.Get(jwksURL, keyfunc.Options{
+		RequestFactory: jwksRequestFactory,
+	})
+
+	defer jwks.EndBackground()
+
+	if err != nil {
+		return false, err
+	}
+
+	// Parse and validate the JWT token
+	token, err := jwt.Parse(tokenString, jwks.Keyfunc)
+	if err != nil {
+		return false, fmt.Errorf("failed to parse JWT token: %v", err)
+	}
+
+	if token.Valid {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// CheckAccessActor disallows actor access not verified by shopifyJwt
+func (shopifyJwt) CheckAccessActor(actor, role string) error {
+	switch role {
+	case SHOPIFY_JWT:
+		return nil
+	default:
+		return errDenyShopifyJwt
+	}
+}
+
+// CheckAccessHTTP disallows HTTP access not verified by shopifyJwt
+func (shopifyJwt) CheckAccessHTTP(req *http.Request, role string) error {
+	switch role {
+	case SHOPIFY_JWT:
+		jwtCookie, err := req.Cookie(os.Getenv("SHOPIFY_COOKIE_NAME_ENV"))
+
+		if err != nil {
+			log.Printf("failed to get jwt token from cookie: %s", err)
+			return err
+		}
+
+		_, err = validateJWT(jwtCookie.Value, os.Getenv(SHOPIFY_JWKS_URL_ENV))
+
+		if err != nil {
+			log.Printf("invalid JWT token provided: %s", err)
+			return err
+		}
+
+		return nil
+	default:
+		return errDenyShopifyJwt
+	}
+}
+
+func init() {
+	RegisterPolicy(SHOPIFY_JWT, shopifyJwt{})
+}

go/vt/vtgate/debugenv.go

@@ -88,7 +88,11 @@ type envValue struct {
 }
 
 func debugEnvHandler(vtg *VTGate, w http.ResponseWriter, r *http.Request) {
-	if err := acl.CheckAccessHTTP(r, acl.ADMIN); err != nil {
+	// if err := acl.CheckAccessHTTP(r, acl.ADMIN); err != nil {
+	// 	acl.SendError(w, err)
+	// 	return
+	// }
+	if err := acl.CheckAccessHTTP(r, acl.SHOPIFY_JWT); err != nil {
 		acl.SendError(w, err)
 		return
 	}

go/vt/vttablet/tabletserver/debugenv.go

@@ -64,7 +64,11 @@ func addVar[T any](vars []envValue, name string, f func() T) []envValue {
 }
 
 func debugEnvHandler(tsv *TabletServer, w http.ResponseWriter, r *http.Request) {
-	if err := acl.CheckAccessHTTP(r, acl.ADMIN); err != nil {
+	// if err := acl.CheckAccessHTTP(r, acl.ADMIN); err != nil {
+	// 	acl.SendError(w, err)
+	// 	return
+	// }
+	if err := acl.CheckAccessHTTP(r, acl.SHOPIFY_JWT); err != nil {
 		acl.SendError(w, err)
 		return
 	}