2022-07-29 06:29:21 +02:00
|
|
|
// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
|
|
|
|
// All rights reserved.
|
|
|
|
// Use of this source code is governed by a MIT-style
|
|
|
|
// license that can be found in the LICENSE file.
|
2022-07-07 14:08:37 +02:00
|
|
|
package auth
|
2022-07-07 12:11:49 +02:00
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/ed25519"
|
|
|
|
"encoding/base64"
|
|
|
|
"errors"
|
|
|
|
"net/http"
|
|
|
|
"os"
|
|
|
|
"strings"
|
2022-07-07 12:48:04 +02:00
|
|
|
"time"
|
2022-07-07 12:11:49 +02:00
|
|
|
|
2023-08-18 10:43:06 +02:00
|
|
|
"github.com/ClusterCockpit/cc-backend/internal/config"
|
2023-08-17 10:29:00 +02:00
|
|
|
"github.com/ClusterCockpit/cc-backend/internal/repository"
|
2022-07-07 12:11:49 +02:00
|
|
|
"github.com/ClusterCockpit/cc-backend/pkg/log"
|
2022-09-07 12:24:45 +02:00
|
|
|
"github.com/ClusterCockpit/cc-backend/pkg/schema"
|
2024-03-21 22:02:59 +01:00
|
|
|
"github.com/golang-jwt/jwt/v5"
|
2022-07-07 12:11:49 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
type JWTAuthenticator struct {
|
2023-08-11 10:00:23 +02:00
|
|
|
publicKey ed25519.PublicKey
|
|
|
|
privateKey ed25519.PrivateKey
|
2022-07-07 12:11:49 +02:00
|
|
|
}
|
|
|
|
|
2023-08-18 10:43:06 +02:00
|
|
|
func (ja *JWTAuthenticator) Init() error {
|
2022-07-07 12:11:49 +02:00
|
|
|
pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
|
|
|
|
if pubKey == "" || privKey == "" {
|
2023-01-23 18:48:06 +01:00
|
|
|
log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
|
2022-07-07 12:11:49 +02:00
|
|
|
} else {
|
|
|
|
bytes, err := base64.StdEncoding.DecodeString(pubKey)
|
|
|
|
if err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warn("Could not decode JWT public key")
|
2022-07-07 12:11:49 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
ja.publicKey = ed25519.PublicKey(bytes)
|
|
|
|
bytes, err = base64.StdEncoding.DecodeString(privKey)
|
|
|
|
if err != nil {
|
2023-02-01 11:58:27 +01:00
|
|
|
log.Warn("Could not decode JWT private key")
|
2022-07-07 12:11:49 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
ja.privateKey = ed25519.PrivateKey(bytes)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-08-11 10:00:23 +02:00
|
|
|
func (ja *JWTAuthenticator) AuthViaJWT(
|
2022-09-07 12:24:45 +02:00
|
|
|
rw http.ResponseWriter,
|
2024-03-21 22:02:59 +01:00
|
|
|
r *http.Request,
|
|
|
|
) (*schema.User, error) {
|
2022-07-07 12:11:49 +02:00
|
|
|
rawtoken := r.Header.Get("X-Auth-Token")
|
|
|
|
if rawtoken == "" {
|
|
|
|
rawtoken = r.Header.Get("Authorization")
|
2022-07-25 09:33:36 +02:00
|
|
|
rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
|
2022-07-07 12:48:04 +02:00
|
|
|
}
|
|
|
|
|
2023-08-12 09:02:41 +02:00
|
|
|
// there is no token
|
|
|
|
if rawtoken == "" {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2022-07-07 12:11:49 +02:00
|
|
|
token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
|
|
|
|
if t.Method != jwt.SigningMethodEdDSA {
|
|
|
|
return nil, errors.New("only Ed25519/EdDSA supported")
|
|
|
|
}
|
2022-10-19 13:36:13 +02:00
|
|
|
|
2022-07-07 12:11:49 +02:00
|
|
|
return ja.publicKey, nil
|
|
|
|
})
|
|
|
|
if err != nil {
|
2023-08-11 10:00:23 +02:00
|
|
|
log.Warn("Error while parsing JWT token")
|
2022-07-07 12:11:49 +02:00
|
|
|
return nil, err
|
|
|
|
}
|
2024-03-21 22:02:59 +01:00
|
|
|
if !token.Valid {
|
2023-01-31 18:28:44 +01:00
|
|
|
log.Warn("jwt token claims are not valid")
|
2024-03-21 22:02:59 +01:00
|
|
|
return nil, errors.New("jwt token claims are not valid")
|
2022-07-07 12:11:49 +02:00
|
|
|
}
|
|
|
|
|
2022-10-19 13:36:13 +02:00
|
|
|
// Token is valid, extract payload
|
2022-07-07 12:11:49 +02:00
|
|
|
claims := token.Claims.(jwt.MapClaims)
|
|
|
|
sub, _ := claims["sub"].(string)
|
|
|
|
|
|
|
|
var roles []string
|
2022-10-19 13:36:13 +02:00
|
|
|
|
|
|
|
// Validate user + roles from JWT against database?
|
2023-08-18 10:43:06 +02:00
|
|
|
if config.Keys.JwtConfig.ValidateUser {
|
2023-08-17 10:29:00 +02:00
|
|
|
ur := repository.GetUserRepository()
|
|
|
|
user, err := ur.GetUser(sub)
|
2022-10-19 13:36:13 +02:00
|
|
|
// Deny any logins for unknown usernames
|
|
|
|
if err != nil {
|
2023-01-23 18:48:06 +01:00
|
|
|
log.Warn("Could not find user from JWT in internal database.")
|
2022-10-19 13:36:13 +02:00
|
|
|
return nil, errors.New("unknown user")
|
|
|
|
}
|
|
|
|
// Take user roles from database instead of trusting the JWT
|
|
|
|
roles = user.Roles
|
|
|
|
} else {
|
|
|
|
// Extract roles from JWT (if present)
|
|
|
|
if rawroles, ok := claims["roles"].([]interface{}); ok {
|
|
|
|
for _, rr := range rawroles {
|
|
|
|
if r, ok := rr.(string); ok {
|
|
|
|
roles = append(roles, r)
|
|
|
|
}
|
2022-07-07 12:11:49 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-08-17 10:29:00 +02:00
|
|
|
return &schema.User{
|
2022-07-07 12:11:49 +02:00
|
|
|
Username: sub,
|
|
|
|
Roles: roles,
|
2023-08-17 10:29:00 +02:00
|
|
|
AuthType: schema.AuthToken,
|
2023-08-12 09:02:41 +02:00
|
|
|
AuthSource: -1,
|
2022-07-07 12:11:49 +02:00
|
|
|
}, nil
|
|
|
|
}
|
2022-07-07 12:48:04 +02:00
|
|
|
|
|
|
|
// Generate a new JWT that can be used for authentication
|
2023-08-17 10:29:00 +02:00
|
|
|
func (ja *JWTAuthenticator) ProvideJWT(user *schema.User) (string, error) {
|
2022-07-07 12:48:04 +02:00
|
|
|
if ja.privateKey == nil {
|
|
|
|
return "", errors.New("environment variable 'JWT_PRIVATE_KEY' not set")
|
|
|
|
}
|
|
|
|
|
|
|
|
now := time.Now()
|
|
|
|
claims := jwt.MapClaims{
|
|
|
|
"sub": user.Username,
|
|
|
|
"roles": user.Roles,
|
|
|
|
"iat": now.Unix(),
|
|
|
|
}
|
2023-08-18 10:43:06 +02:00
|
|
|
if config.Keys.JwtConfig.MaxAge != "" {
|
|
|
|
d, err := time.ParseDuration(config.Keys.JwtConfig.MaxAge)
|
2023-08-18 09:19:30 +02:00
|
|
|
if err != nil {
|
|
|
|
return "", errors.New("cannot parse max-age config key")
|
|
|
|
}
|
|
|
|
claims["exp"] = now.Add(d).Unix()
|
2022-07-07 12:48:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims).SignedString(ja.privateKey)
|
|
|
|
}
|