update README.md; gen-keypair utility

This commit is contained in:
Lou Knauer 2022-01-17 13:35:49 +01:00
parent ef91f862c9
commit a64944f3c3
5 changed files with 44 additions and 7 deletions

14
.env
View File

@ -1,4 +1,10 @@
export JWT_PUBLIC_KEY="kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0=" # Base64 encoded Ed25519 keys (DO NOT USE THESE TWO IN PRODUCTION!)
export JWT_PRIVATE_KEY="dtPC/6dWJFKZK7KZ78CvWuynylOmjBFyMsUWArwmodOTN9itjL5POlqdZkcnmpJ0yPm4pRaCrvgFaFAbpyik/Q==" # You can generate your own keypair using `go run utils/gen-keypair.go`
export SESSION_KEY="67d829bf61dc5f87a73fd814e2c9f629" JWT_PUBLIC_KEY="kzfYrYy+TzpanWZHJ5qSdMj5uKUWgq74BWhQG6copP0="
export LDAP_ADMIN_PASSWORD="mashup" JWT_PRIVATE_KEY="dtPC/6dWJFKZK7KZ78CvWuynylOmjBFyMsUWArwmodOTN9itjL5POlqdZkcnmpJ0yPm4pRaCrvgFaFAbpyik/Q=="
# Some random bytes used as secret for cookie-based sessions (DO NOT USE THIS ONE IN PRODUCTION)
SESSION_KEY="67d829bf61dc5f87a73fd814e2c9f629"
# Password for the ldap server (optional)
LDAP_ADMIN_PASSWORD="mashup"

4
.gitignore vendored
View File

@ -3,4 +3,8 @@ cc-jobarchive
/var/job-archive /var/job-archive
/var/*.db /var/*.db
/var/machine-state
/.env
/config.json

View File

@ -1,7 +1,5 @@
# ClusterCockpit with a Golang backend # ClusterCockpit with a Golang backend
__*DOES NOT WORK WITH CURRENT FRONTEND*__
[![Build](https://github.com/ClusterCockpit/cc-jobarchive/actions/workflows/test.yml/badge.svg)](https://github.com/ClusterCockpit/cc-jobarchive/actions/workflows/test.yml) [![Build](https://github.com/ClusterCockpit/cc-jobarchive/actions/workflows/test.yml/badge.svg)](https://github.com/ClusterCockpit/cc-jobarchive/actions/workflows/test.yml)
Create your job-archive accoring to [this specification](https://github.com/ClusterCockpit/cc-specifications). At least one cluster with a valid `cluster.json` file is required. Having no jobs in the job-archive at all is fine. You may use the sample job-archive available for download [in cc-docker/develop](https://github.com/ClusterCockpit/cc-docker/tree/develop). Create your job-archive accoring to [this specification](https://github.com/ClusterCockpit/cc-specifications). At least one cluster with a valid `cluster.json` file is required. Having no jobs in the job-archive at all is fine. You may use the sample job-archive available for download [in cc-docker/develop](https://github.com/ClusterCockpit/cc-docker/tree/develop).
@ -30,7 +28,7 @@ touch ./var/job.db
# EDIT THE .env FILE BEFORE YOU DEPLOY (Change the secrets)! # EDIT THE .env FILE BEFORE YOU DEPLOY (Change the secrets)!
# If authentication is disabled, it can be empty. # If authentication is disabled, it can be empty.
source .env vim ./.env
# This will first initialize the job.db database by traversing all # This will first initialize the job.db database by traversing all
# `meta.json` files in the job-archive and add a new user. `--no-server` will cause the # `meta.json` files in the job-archive and add a new user. `--no-server` will cause the

View File

@ -22,6 +22,8 @@ import (
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
) )
// TODO: Properly do this "roles" stuff.
// Add a roles array and `user.HasRole(...)` functions.
type User struct { type User struct {
Username string Username string
Password string Password string
@ -191,6 +193,7 @@ func Login(db *sqlx.DB) http.Handler {
return return
} }
session.Options.MaxAge = 30 * 24 * 60 * 60
session.Values["username"] = user.Username session.Values["username"] = user.Username
session.Values["is_admin"] = user.IsAdmin session.Values["is_admin"] = user.IsAdmin
if err := sessionStore.Save(r, rw, session); err != nil { if err := sessionStore.Save(r, rw, session); err != nil {
@ -239,6 +242,8 @@ func authViaToken(r *http.Request) (*User, error) {
sub, _ := claims["sub"].(string) sub, _ := claims["sub"].(string)
isAdmin, _ := claims["is_admin"].(bool) isAdmin, _ := claims["is_admin"].(bool)
isAPIUser, _ := claims["is_api"].(bool) isAPIUser, _ := claims["is_api"].(bool)
// TODO: Check if sub is still a valid user!
return &User{ return &User{
Username: sub, Username: sub,
IsAdmin: isAdmin, IsAdmin: isAdmin,
@ -258,6 +263,7 @@ func Auth(next http.Handler) http.Handler {
return return
} }
if user != nil { if user != nil {
// Successfull authentication using a token
ctx := context.WithValue(r.Context(), ContextUserKey, user) ctx := context.WithValue(r.Context(), ContextUserKey, user)
next.ServeHTTP(rw, r.WithContext(ctx)) next.ServeHTTP(rw, r.WithContext(ctx))
return return
@ -265,6 +271,7 @@ func Auth(next http.Handler) http.Handler {
session, err := sessionStore.Get(r, "session") session, err := sessionStore.Get(r, "session")
if err != nil { if err != nil {
// sessionStore.Get will return a new session if no current one is attached to this request.
http.Error(rw, err.Error(), http.StatusInternalServerError) http.Error(rw, err.Error(), http.StatusInternalServerError)
return return
} }

22
utils/gen-keypair.go Normal file
View File

@ -0,0 +1,22 @@
package main
import (
"crypto/ed25519"
"crypto/rand"
"encoding/base64"
"fmt"
"os"
)
func main() {
// rand.Reader uses /dev/urandom on Linux
pub, priv, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
fmt.Fprintf(os.Stderr, "error: %s\n", err.Error())
os.Exit(1)
}
fmt.Fprintf(os.Stdout, "JWT_PUBLIC_KEY=%#v\nJWT_PRIVATE_KEY=%#v\n",
base64.StdEncoding.EncodeToString(pub),
base64.StdEncoding.EncodeToString(priv))
}