* AuthN: Check API Key is not trying to access another organization
* Revert local change
* Add test
* Discussed with Kalle we should set r.OrgID
* Syntax sugar
* Suggestion org-mismatch
errAPIKeyInvalid=errutil.Unauthorized("api-key.invalid",errutil.WithPublicMessage("Invalid API key"))
errAPIKeyExpired=errutil.Unauthorized("api-key.expired",errutil.WithPublicMessage("Expired API key"))
errAPIKeyRevoked=errutil.Unauthorized("api-key.revoked",errutil.WithPublicMessage("Revoked API key"))
errAPIKeyInvalid=errutil.Unauthorized("api-key.invalid",errutil.WithPublicMessage("Invalid API key"))
errAPIKeyExpired=errutil.Unauthorized("api-key.expired",errutil.WithPublicMessage("Expired API key"))
errAPIKeyRevoked=errutil.Unauthorized("api-key.revoked",errutil.WithPublicMessage("Revoked API key"))
errAPIKeyOrgMismatch=errutil.Unauthorized("api-key.organization-mismatch",errutil.WithPublicMessage("API key does not belong to the requested organization"))
)
var_authn.HookClient=new(APIKey)
@ -62,6 +63,12 @@ func (s *APIKey) Authenticate(ctx context.Context, r *authn.Request) (*authn.Ide
returnnil,errAPIKeyRevoked.Errorf("Api key is revoked")
}
ifr.OrgID==0{
r.OrgID=apiKey.OrgID
}elseifr.OrgID!=apiKey.OrgID{
returnnil,errAPIKeyOrgMismatch.Errorf("API does not belong in Organization %v",r.OrgID)
}
// if the api key don't belong to a service account construct the identity and return it
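Review bot: The mismatch return in `Authenticate` records only the requested org (`"API does not belong in Organization %v", r.OrgID`), so whoever triages a cross-organization attempt cannot tell from that message which organization the key actually belongs to; the text also drops the word "key". Assuming the `Errorf` text is the internal log message and only the `WithPublicMessage` string reaches the client, I would write `errAPIKeyOrgMismatch.Errorf("API key belongs to org %d, not requested org %d", apiKey.OrgID, r.OrgID)`. The `r.OrgID == 0` branch silently rewrites the caller's request, so a comment such as `// no org requested: scope the request to the key's own org` would record why later code can rely on `r.OrgID`. The body of `Authenticate` starts and continues outside the lines shown here.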