someone1/cloud_endpoints_swagger_auth.go

## cloud_endpoints_swagger_auth.go
// CloudEndpointsUserInfo represents the data passed  by the ESP in Google's Cloud Endpoints Service
type CloudEndpointsUserInfo struct {
	Issuer string `json:"issuer"`
	ID     string `json:"id"`
	Email  string `json:"email"`
}

// CloudEndPointsWrapper will try to extract the ESP header and add it as a scope - NOT IDEAL
func CloudEndPointsWrapper(name string, authenticate security.ScopedTokenAuthentication) runtime.Authenticator {
	const header = "X-Endpoint-API-UserInfo"
	defaultAuthenticator := security.BearerAuth(name, authenticate)
	return security.ScopedAuthenticator(func(r *security.ScopedAuthRequest) (bool, interface{}, error) {
		encodedInfo := r.Request.Header.Get(header)
		if encodedInfo == "" {
			return false, nil, fmt.Errorf("missing %s header when it is required", header)
		}

		b, err := base64.StdEncoding.DecodeString(encodedInfo)
		if err != nil {
			return false, nil, err
		}
		r.RequiredScopes = append(r.RequiredScopes, string(b))

		return defaultAuthenticator.Authenticate(r)
	})
}

// GoogleIDTokenAuth will parse the ESP Header and validate the email is an admin email, otherwise it will fail
func GoogleIDTokenAuth(token string, scopes []string) (*models.UserInfo, error) {
	if len(scopes) < 1 {
		return nil, errors.Unauthenticated("OIDC")
	}
	endPointsJSONHeader := scopes[len(scopes)-1]
	// scopes = scopes[:len(scopes)-1]

	oidcUser := &CloudEndpointsUserInfo{}
	if err := json.Unmarshal([]byte(endPointsJSONHeader), oidcUser); err != nil {
		return nil, errors.Unauthenticated("OIDC")
	}

	if !isAdminEamil(oidcUser.Email) {
		return nil, errors.New(http.StatusForbidden, "not allowed")
	}

	userInfo := &models.UserInfo{
		ID:    oidcUser.ID,
		Email: strfmt.Email(oidcUser.Email),
		Admin: true,
	}
	return userInfo, nil
}

func main() {
	swaggerSpec, err := loads.Analyzed(restapi.SwaggerJSON, "")
	if err != nil {
		panic(err)
	}

	api := operations.NewAPI(swaggerSpec)
	api.BearerAuthenticator = CloudEndPointsWrapper
	api.GoogleIDTokenAuth = GoogleIDTokenAuth
  // and so on...
}
	// CloudEndpointsUserInfo represents the data passed by the ESP in Google's Cloud Endpoints Service
	type CloudEndpointsUserInfo struct {
	Issuer string `json:"issuer"`
	ID string `json:"id"`
	Email string `json:"email"`
	}

	// CloudEndPointsWrapper will try to extract the ESP header and add it as a scope - NOT IDEAL
	func CloudEndPointsWrapper(name string, authenticate security.ScopedTokenAuthentication) runtime.Authenticator {
	const header = "X-Endpoint-API-UserInfo"
	defaultAuthenticator := security.BearerAuth(name, authenticate)
	return security.ScopedAuthenticator(func(r *security.ScopedAuthRequest) (bool, interface{}, error) {
	encodedInfo := r.Request.Header.Get(header)
	if encodedInfo == "" {
	return false, nil, fmt.Errorf("missing %s header when it is required", header)
	}

	b, err := base64.StdEncoding.DecodeString(encodedInfo)
	if err != nil {
	return false, nil, err
	}
	r.RequiredScopes = append(r.RequiredScopes, string(b))

	return defaultAuthenticator.Authenticate(r)
	})
	}

	// GoogleIDTokenAuth will parse the ESP Header and validate the email is an admin email, otherwise it will fail
	func GoogleIDTokenAuth(token string, scopes []string) (*models.UserInfo, error) {
	if len(scopes) < 1 {
	return nil, errors.Unauthenticated("OIDC")
	}
	endPointsJSONHeader := scopes[len(scopes)-1]
	// scopes = scopes[:len(scopes)-1]

	oidcUser := &CloudEndpointsUserInfo{}
	if err := json.Unmarshal([]byte(endPointsJSONHeader), oidcUser); err != nil {
	return nil, errors.Unauthenticated("OIDC")
	}

	if !isAdminEamil(oidcUser.Email) {
	return nil, errors.New(http.StatusForbidden, "not allowed")
	}

	userInfo := &models.UserInfo{
	ID: oidcUser.ID,
	Email: strfmt.Email(oidcUser.Email),
	Admin: true,
	}
	return userInfo, nil
	}

	func main() {
	swaggerSpec, err := loads.Analyzed(restapi.SwaggerJSON, "")
	if err != nil {
	panic(err)
	}

	api := operations.NewAPI(swaggerSpec)
	api.BearerAuthenticator = CloudEndPointsWrapper
	api.GoogleIDTokenAuth = GoogleIDTokenAuth
	// and so on...
	}