Implement admin authenticator

internal/authenticator/admin_authenticator.go

@@ -0,0 +1,60 @@
+package authenticator
+
+import (
+	"fmt"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/snapp-incubator/soteria/internal/config"
+	"github.com/snapp-incubator/soteria/pkg/acl"
+)
+
+// AdminAuthenticator is responsible for Acl/Auth/Token of the internal system users,
+// these users have admin access.
+type AdminAuthenticator struct {
+	Key       any
+	Company   string
+	JwtConfig config.Jwt
+	Parser    *jwt.Parser
+}
+
+// Auth check user authentication by checking the user's token
+// isSuperuser is a flag that authenticator set it true when credentials is related to a superuser.
+func (a AdminAuthenticator) Auth(tokenString string) error {
+	_, err := a.Parser.Parse(tokenString, func(
+		token *jwt.Token,
+	) (interface{}, error) {
+		claims, ok := token.Claims.(jwt.MapClaims)
+		if !ok {
+			return nil, ErrInvalidClaims
+		}
+		if claims[a.JwtConfig.IssName] == nil {
+			return nil, ErrIssNotFound
+		}
+
+		return a.Key, nil
+	})
+	if err != nil {
+		return fmt.Errorf("token is invalid: %w", err)
+	}
+
+	return nil
+}
+
+// ACL check a system user access to a topic.
+// because we returns is-admin: true, this endpoint shouldn't
+// be called.
+func (a AdminAuthenticator) ACL(
+	_ acl.AccessType,
+	_ string,
+	_ string,
+) (bool, error) {
+	return true, nil
+}
+
+func (a AdminAuthenticator) ValidateAccessType(_ acl.AccessType) bool {
+	return true
+}
+
+func (a AdminAuthenticator) GetCompany() string {
+	return a.Company
+}

internal/authenticator/builder.go

@@ -17,6 +17,7 @@
 	ValidatorConfig config.Validator
 }
 
+// nolint: funlen
 func (b Builder) Authenticators() map[string]Authenticator {
 	all := make(map[string]Authenticator)
 
@@ -30,11 +31,12 @@
 			b.Logger.Fatal("cannot create hash-id manager", zap.Error(err))
 		}
 
-		client := validator.New(b.ValidatorConfig.URL, b.ValidatorConfig.Timeout)
-
 		var auth Authenticator
 
-		if vendor.UseValidator {
+		switch {
+		case vendor.UseValidator:
+			client := validator.New(b.ValidatorConfig.URL, b.ValidatorConfig.Timeout)
+
 			auth = &AutoAuthenticator{
 				AllowedAccessTypes: allowedAccessTypes,
 				Company:            vendor.Company,
@@ -50,7 +52,20 @@
 				Validator: client,
 				Parser:    jwt.NewParser(),
 			}
-		} else {
+		case vendor.IsInternal:
+			if _, ok := vendor.Keys["system"]; !ok || len(vendor.Keys) != 1 {
+				b.Logger.Fatal("admin authenticator supports only one key named system")
+			}
+
+			keys := b.GenerateKeys(vendor.Jwt.SigningMethod, vendor.Keys)
+
+			auth = &AdminAuthenticator{
+				Key:       keys["system"],
+				Company:   vendor.Company,
+				JwtConfig: vendor.Jwt,
+				Parser:    jwt.NewParser(),
+			}
+		default:
 			keys := b.GenerateKeys(vendor.Jwt.SigningMethod, vendor.Keys)
 
 			auth = &ManualAuthenticator{

internal/config/config.go

@@ -41,10 +41,13 @@ type (
 		IssEntityMap       map[string]string `json:"iss_entity_map,omitempty"       koanf:"iss_entity_map"`
 		IssPeerMap         map[string]string `json:"iss_peer_map,omitempty"         koanf:"iss_peer_map"`
 		Jwt                Jwt               `json:"jwt,omitempty"                  koanf:"jwt"`
-		// by setting do validate to false we don't validate the jwt token and deligate
-		// it into a function.
-		UseValidator bool                       `json:"use_validator,omitempty" koanf:"use_validator"`
-		HashIDMap    map[string]topics.HashData `json:"hash_id_map,omitempty"   koanf:"hashid_map"`
+		// by setting use validator to true we don't validate the jwt token and deligate
+		// it into an http client.
+		UseValidator bool `json:"use_validator,omitempty" koanf:"use_validator"`
+		// by setting is internal to true we use internal authenticator which provides admin access
+		// on the authentication method.
+		IsInternal bool                       `json:"is_internal,omitempty" koanf:"is_internal"`
+		HashIDMap  map[string]topics.HashData `json:"hash_id_map,omitempty" koanf:"hashid_map"`
 	}
 
 	Jwt struct {

internal/config/default.go

@@ -43,6 +43,7 @@ func Default() Config {
 func SnappVendor() Vendor {
 	return Vendor{
 		UseValidator: false,
+		IsInternal:   false,
 		AllowedAccessTypes: []string{
 			"pub",
 			"sub",