cc-backend/internal/auth/jwt.go

// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
// All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package auth

import (
	"crypto/ed25519"
	"database/sql"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"

	"github.com/ClusterCockpit/cc-backend/pkg/log"
	"github.com/ClusterCockpit/cc-backend/pkg/schema"
	"github.com/golang-jwt/jwt/v4"
)

type JWTAuthenticator struct {
	auth *Authentication

	publicKey  ed25519.PublicKey
	privateKey ed25519.PrivateKey

	loginTokenKey []byte // HS256 key

	config *schema.JWTAuthConfig
}

var _ Authenticator = (*JWTAuthenticator)(nil)

func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {

	ja.auth = auth
	ja.config = conf.(*schema.JWTAuthConfig)

	pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
	if pubKey == "" || privKey == "" {
		log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
	} else {
		bytes, err := base64.StdEncoding.DecodeString(pubKey)
		if err != nil {
			return err
		}
		ja.publicKey = ed25519.PublicKey(bytes)
		bytes, err = base64.StdEncoding.DecodeString(privKey)
		if err != nil {
			return err
		}
		ja.privateKey = ed25519.PrivateKey(bytes)
	}

	if pubKey = os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
		bytes, err := base64.StdEncoding.DecodeString(pubKey)
		if err != nil {
			return err
		}
		ja.loginTokenKey = bytes
	}

	return nil
}

func (ja *JWTAuthenticator) CanLogin(
	user *User,
	rw http.ResponseWriter,
	r *http.Request) bool {

	return (user != nil && user.AuthSource == AuthViaToken) || r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
}

func (ja *JWTAuthenticator) Login(
	user *User,
	rw http.ResponseWriter,
	r *http.Request) (*User, error) {

	rawtoken := r.Header.Get("X-Auth-Token")
	if rawtoken == "" {
		rawtoken = r.Header.Get("Authorization")
		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
		if rawtoken == "" {
			rawtoken = r.URL.Query().Get("login-token")
		}
	}

	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
		if t.Method == jwt.SigningMethodEdDSA {
			return ja.publicKey, nil
		}
		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
			return ja.loginTokenKey, nil
		}
		return nil, fmt.Errorf("unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
	})
	if err != nil {
		return nil, err
	}

	if err := token.Claims.Valid(); err != nil {
		return nil, err
	}

	claims := token.Claims.(jwt.MapClaims)
	sub, _ := claims["sub"].(string)
	exp, _ := claims["exp"].(float64)
	var roles []string
	if rawroles, ok := claims["roles"].([]interface{}); ok {
		for _, rr := range rawroles {
			if r, ok := rr.(string); ok {
				roles = append(roles, r)
			}
		}
	}
	if rawrole, ok := claims["roles"].(string); ok {
		roles = append(roles, rawrole)
	}

	if user == nil {
		user, err = ja.auth.GetUser(sub)
		if err != nil && err != sql.ErrNoRows {
			return nil, err
		} else if user == nil {
			user = &User{
				Username:   sub,
				Roles:      roles,
				AuthSource: AuthViaToken,
			}
			if err := ja.auth.AddUser(user); err != nil {
				return nil, err
			}
		}
	}

	user.Expiration = time.Unix(int64(exp), 0)
	return user, nil
}

func (ja *JWTAuthenticator) Auth(
	rw http.ResponseWriter,
	r *http.Request) (*User, error) {

	rawtoken := r.Header.Get("X-Auth-Token")
	if rawtoken == "" {
		rawtoken = r.Header.Get("Authorization")
		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
	}

	// Because a user can also log in via a token, the
	// session cookie must be checked here as well:
	if rawtoken == "" {
		return ja.auth.AuthViaSession(rw, r)
	}

	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
		if t.Method != jwt.SigningMethodEdDSA {
			return nil, errors.New("only Ed25519/EdDSA supported")
		}
		return ja.publicKey, nil
	})
	if err != nil {
		return nil, err
	}

	if err := token.Claims.Valid(); err != nil {
		return nil, err
	}

	claims := token.Claims.(jwt.MapClaims)
	sub, _ := claims["sub"].(string)

	var roles []string
	if rawroles, ok := claims["roles"].([]interface{}); ok {
		for _, rr := range rawroles {
			if r, ok := rr.(string); ok {
				roles = append(roles, r)
			}
		}
	}

	return &User{
		Username:   sub,
		Roles:      roles,
		AuthSource: AuthViaToken,
	}, nil
}

// Generate a new JWT that can be used for authentication
func (ja *JWTAuthenticator) ProvideJWT(user *User) (string, error) {

	if ja.privateKey == nil {
		return "", errors.New("environment variable 'JWT_PRIVATE_KEY' not set")
	}

	now := time.Now()
	claims := jwt.MapClaims{
		"sub":   user.Username,
		"roles": user.Roles,
		"iat":   now.Unix(),
	}
	if ja.config != nil && ja.config.MaxAge != 0 {
		claims["exp"] = now.Add(time.Duration(ja.config.MaxAge)).Unix()
	}

	return jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims).SignedString(ja.privateKey)
}
Add copyright and license header. Update license year 2022-07-29 06:29:21 +02:00			`// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.`
			`// All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`package auth`
Refactor authentication 2022-07-07 12:11:49 +02:00
			`import (`
			`"crypto/ed25519"`
token based login: fix re-logins 2022-07-26 13:50:54 +02:00			`"database/sql"`
Refactor authentication 2022-07-07 12:11:49 +02:00			`"encoding/base64"`
			`"errors"`
Change to HS256 as login token alg 2022-07-25 09:03:48 +02:00			`"fmt"`
Refactor authentication 2022-07-07 12:11:49 +02:00			`"net/http"`
			`"os"`
			`"strings"`
Add login via JWT 2022-07-07 12:48:04 +02:00			`"time"`
Refactor authentication 2022-07-07 12:11:49 +02:00
			`"github.com/ClusterCockpit/cc-backend/pkg/log"`
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`"github.com/ClusterCockpit/cc-backend/pkg/schema"`
Refactor authentication 2022-07-07 12:11:49 +02:00			`"github.com/golang-jwt/jwt/v4"`
			`)`

			`type JWTAuthenticator struct {`
Change to HS256 as login token alg 2022-07-25 09:03:48 +02:00			`auth *Authentication`

			`publicKey ed25519.PublicKey`
			`privateKey ed25519.PrivateKey`

			`loginTokenKey []byte // HS256 key`
Add login via JWT 2022-07-07 12:48:04 +02:00
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`config *schema.JWTAuthConfig`
Refactor authentication 2022-07-07 12:11:49 +02:00			`}`

			`var _ Authenticator = (*JWTAuthenticator)(nil)`

Integrate new auth interface 2022-07-07 14:08:37 +02:00			`func (ja JWTAuthenticator) Init(auth Authentication, conf interface{}) error {`
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00
Refactor authentication 2022-07-07 12:11:49 +02:00			`ja.auth = auth`
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`ja.config = conf.(*schema.JWTAuthConfig)`
Refactor authentication 2022-07-07 12:11:49 +02:00
			`pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")`
			`if pubKey == "" \|\| privKey == "" {`
			`log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")`
			`} else {`
			`bytes, err := base64.StdEncoding.DecodeString(pubKey)`
			`if err != nil {`
			`return err`
			`}`
			`ja.publicKey = ed25519.PublicKey(bytes)`
			`bytes, err = base64.StdEncoding.DecodeString(privKey)`
			`if err != nil {`
			`return err`
			`}`
			`ja.privateKey = ed25519.PrivateKey(bytes)`
			`}`

Change to HS256 as login token alg 2022-07-25 09:03:48 +02:00			`if pubKey = os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {`
Different keypair for token based login 2022-07-13 15:04:11 +02:00			`bytes, err := base64.StdEncoding.DecodeString(pubKey)`
			`if err != nil {`
			`return err`
			`}`
Change to HS256 as login token alg 2022-07-25 09:03:48 +02:00			`ja.loginTokenKey = bytes`
Different keypair for token based login 2022-07-13 15:04:11 +02:00			`}`

Refactor authentication 2022-07-07 12:11:49 +02:00			`return nil`
			`}`

Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`func (ja *JWTAuthenticator) CanLogin(`
			`user *User,`
			`rw http.ResponseWriter,`
			`r *http.Request) bool {`

Allow login via token in URL 2022-07-25 10:36:20 +02:00			`return (user != nil && user.AuthSource == AuthViaToken) \|\| r.Header.Get("Authorization") != "" \|\| r.URL.Query().Get("login-token") != ""`
Refactor authentication 2022-07-07 12:11:49 +02:00			`}`

Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`func (ja *JWTAuthenticator) Login(`
			`user *User,`
			`rw http.ResponseWriter,`
			`r http.Request) (User, error) {`

Add login via JWT 2022-07-07 12:48:04 +02:00			`rawtoken := r.Header.Get("X-Auth-Token")`
			`if rawtoken == "" {`
			`rawtoken = r.Header.Get("Authorization")`
Allow login via token in URL 2022-07-25 10:36:20 +02:00			`rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")`
			`if rawtoken == "" {`
			`rawtoken = r.URL.Query().Get("login-token")`
			`}`
Add login via JWT 2022-07-07 12:48:04 +02:00			`}`

			`token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {`
Change to HS256 as login token alg 2022-07-25 09:03:48 +02:00			`if t.Method == jwt.SigningMethodEdDSA {`
			`return ja.publicKey, nil`
			`}`
			`if t.Method == jwt.SigningMethodHS256 \|\| t.Method == jwt.SigningMethodHS512 {`
			`return ja.loginTokenKey, nil`
Add login via JWT 2022-07-07 12:48:04 +02:00			`}`
Change to HS256 as login token alg 2022-07-25 09:03:48 +02:00			`return nil, fmt.Errorf("unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())`
Add login via JWT 2022-07-07 12:48:04 +02:00			`})`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := token.Claims.Valid(); err != nil {`
			`return nil, err`
			`}`

			`claims := token.Claims.(jwt.MapClaims)`
			`sub, _ := claims["sub"].(string)`
			`exp, _ := claims["exp"].(float64)`
			`var roles []string`
			`if rawroles, ok := claims["roles"].([]interface{}); ok {`
			`for _, rr := range rawroles {`
			`if r, ok := rr.(string); ok {`
			`roles = append(roles, r)`
			`}`
			`}`
			`}`
token based login: fix re-logins 2022-07-26 13:50:54 +02:00			`if rawrole, ok := claims["roles"].(string); ok {`
			`roles = append(roles, rawrole)`
			`}`
Add login via JWT 2022-07-07 12:48:04 +02:00
Glue authenticators together 2022-07-07 13:40:38 +02:00			`if user == nil {`
token based login: fix re-logins 2022-07-26 13:50:54 +02:00			`user, err = ja.auth.GetUser(sub)`
			`if err != nil && err != sql.ErrNoRows {`
Add login via JWT 2022-07-07 12:48:04 +02:00			`return nil, err`
token based login: fix re-logins 2022-07-26 13:50:54 +02:00			`} else if user == nil {`
			`user = &User{`
			`Username: sub,`
			`Roles: roles,`
			`AuthSource: AuthViaToken,`
			`}`
			`if err := ja.auth.AddUser(user); err != nil {`
			`return nil, err`
			`}`
Add login via JWT 2022-07-07 12:48:04 +02:00			`}`
			`}`

			`user.Expiration = time.Unix(int64(exp), 0)`
			`return user, nil`
Refactor authentication 2022-07-07 12:11:49 +02:00			`}`

Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`func (ja *JWTAuthenticator) Auth(`
			`rw http.ResponseWriter,`
			`r http.Request) (User, error) {`

Refactor authentication 2022-07-07 12:11:49 +02:00			`rawtoken := r.Header.Get("X-Auth-Token")`
			`if rawtoken == "" {`
			`rawtoken = r.Header.Get("Authorization")`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")`
Add login via JWT 2022-07-07 12:48:04 +02:00			`}`

			`// Because a user can also log in via a token, the`
			`// session cookie must be checked here as well:`
			`if rawtoken == "" {`
Glue authenticators together 2022-07-07 13:40:38 +02:00			`return ja.auth.AuthViaSession(rw, r)`
Refactor authentication 2022-07-07 12:11:49 +02:00			`}`

			`token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {`
			`if t.Method != jwt.SigningMethodEdDSA {`
			`return nil, errors.New("only Ed25519/EdDSA supported")`
			`}`
			`return ja.publicKey, nil`
			`})`
			`if err != nil {`
			`return nil, err`
			`}`

			`if err := token.Claims.Valid(); err != nil {`
			`return nil, err`
			`}`

			`claims := token.Claims.(jwt.MapClaims)`
			`sub, _ := claims["sub"].(string)`

			`var roles []string`
			`if rawroles, ok := claims["roles"].([]interface{}); ok {`
			`for _, rr := range rawroles {`
			`if r, ok := rr.(string); ok {`
			`roles = append(roles, r)`
			`}`
			`}`
			`}`

			`return &User{`
			`Username: sub,`
			`Roles: roles,`
			`AuthSource: AuthViaToken,`
			`}, nil`
			`}`
Add login via JWT 2022-07-07 12:48:04 +02:00
			`// Generate a new JWT that can be used for authentication`
			`func (ja JWTAuthenticator) ProvideJWT(user User) (string, error) {`
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00
Add login via JWT 2022-07-07 12:48:04 +02:00			`if ja.privateKey == nil {`
			`return "", errors.New("environment variable 'JWT_PRIVATE_KEY' not set")`
			`}`

			`now := time.Now()`
			`claims := jwt.MapClaims{`
			`"sub": user.Username,`
			`"roles": user.Roles,`
			`"iat": now.Unix(),`
			`}`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`if ja.config != nil && ja.config.MaxAge != 0 {`
			`claims["exp"] = now.Add(time.Duration(ja.config.MaxAge)).Unix()`
Add login via JWT 2022-07-07 12:48:04 +02:00			`}`

			`return jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims).SignedString(ja.privateKey)`
			`}`