143 lines
2.9 KiB
Go
143 lines
2.9 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"github.com/cortezaproject/corteza-server/pkg/api"
|
|
"github.com/dgrijalva/jwt-go"
|
|
"github.com/go-chi/jwtauth"
|
|
"github.com/pkg/errors"
|
|
"net/http"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
type (
|
|
token struct {
|
|
// Expiration time in minutes
|
|
expiry time.Duration
|
|
tokenAuth *jwtauth.JWTAuth
|
|
}
|
|
)
|
|
|
|
var (
|
|
DefaultJwtHandler TokenHandler
|
|
)
|
|
|
|
func SetupDefault(secret string, expiry time.Duration) {
|
|
// Use JWT secret for hmac signer for now
|
|
DefaultSigner = HmacSigner(secret)
|
|
DefaultJwtHandler, _ = JWT(secret, expiry)
|
|
|
|
}
|
|
|
|
func JWT(secret string, expiry time.Duration) (tkn *token, err error) {
|
|
if len(secret) == 0 {
|
|
return nil, errors.New("JWT secret missing")
|
|
}
|
|
|
|
tkn = &token{
|
|
expiry: expiry,
|
|
tokenAuth: jwtauth.New(jwt.SigningMethodHS512.Alg(), []byte(secret), nil),
|
|
}
|
|
|
|
return tkn, nil
|
|
}
|
|
|
|
// Verifies JWT and stores it into context
|
|
func (t *token) HttpVerifier() func(http.Handler) http.Handler {
|
|
return jwtauth.Verifier(t.tokenAuth)
|
|
}
|
|
|
|
func (t *token) Encode(i Identifiable) string {
|
|
|
|
roles := ""
|
|
for _, r := range i.Roles() {
|
|
roles += fmt.Sprintf(" %d", r)
|
|
}
|
|
|
|
_, tkn, _ := t.tokenAuth.Encode(jwt.MapClaims{
|
|
"sub": i.String(),
|
|
"exp": time.Now().Add(t.expiry).Unix(),
|
|
|
|
// when possible, extend this with the client
|
|
"aud": "0", // we should be more strict here and provide a client!
|
|
|
|
// at some point, we'll need to do this a bit more carefully;
|
|
// for now, we just add all necessary scopes so that users of this (cli, corredor)
|
|
// can create a useful JWT
|
|
"scope": "profile api",
|
|
|
|
"roles": strings.TrimSpace(roles),
|
|
})
|
|
|
|
return tkn
|
|
}
|
|
|
|
// HttpAuthenticator converts JWT claims into Identity and stores it into context
|
|
func (t *token) HttpAuthenticator() func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
|
|
tkn, claims, err := jwtauth.FromContext(ctx)
|
|
|
|
// When token is present, expect no errors and valid claims!
|
|
if tkn != nil {
|
|
if err != nil {
|
|
// But if token is present, the shouldn't be an error
|
|
api.Send(w, r, err)
|
|
return
|
|
}
|
|
|
|
ctx = SetIdentityToContext(ctx, claimsToIdentity(claims))
|
|
ctx = context.WithValue(ctx, scopeCtxKey{}, claims["scope"])
|
|
|
|
r = r.WithContext(ctx)
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// decodes sub & roles claims into identity
|
|
func claimsToIdentity(c jwt.MapClaims) (i *Identity) {
|
|
var (
|
|
aux interface{}
|
|
ok bool
|
|
id, roles string
|
|
)
|
|
|
|
if aux, ok = c["sub"]; !ok {
|
|
return
|
|
}
|
|
|
|
i = &Identity{}
|
|
if id, ok = aux.(string); ok {
|
|
i.id, _ = strconv.ParseUint(id, 10, 64)
|
|
}
|
|
|
|
if i.id == 0 {
|
|
// pointless to decode roles if id is 0
|
|
return nil
|
|
}
|
|
|
|
if aux, ok = c["roles"]; !ok {
|
|
return
|
|
}
|
|
|
|
if roles, ok = aux.(string); !ok {
|
|
return
|
|
}
|
|
|
|
for _, role := range strings.Split(roles, " ") {
|
|
if roleID, _ := strconv.ParseUint(role, 10, 64); roleID != 0 {
|
|
i.memberOf = append(i.memberOf, roleID)
|
|
}
|
|
}
|
|
|
|
return
|
|
}
|