Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: adb126afc4
Branches Tags
etcd-io__etcd
/
auth
/
jwt.go

jwt.go 4.3 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184 
  1. // Copyright 2017 The etcd Authors
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. package auth
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"crypto/ecdsa"
    20. 

  20. 	"crypto/rsa"
    21. 

  21. 	"errors"
    22. 

  22. 	"time"
    23. 

  23. 

  24. 	jwt "github.com/dgrijalva/jwt-go"
    25. 

  25. 	"go.uber.org/zap"
    26. 

  26. )
    27. 

  27. 

  28. type tokenJWT struct {
    29. 

  29. 	lg         *zap.Logger
    30. 

  30. 	signMethod jwt.SigningMethod
    31. 

  31. 	key        interface{}
    32. 

  32. 	ttl        time.Duration
    33. 

  33. 	verifyOnly bool
    34. 

  34. }
    35. 

  35. 

  36. func (t *tokenJWT) enable()                         {}
    37. 

  37. func (t *tokenJWT) disable()                        {}
    38. 

  38. func (t *tokenJWT) invalidateUser(string)           {}
    39. 

  39. func (t *tokenJWT) genTokenPrefix() (string, error) { return "", nil }
    40. 

  40. 

  41. func (t *tokenJWT) info(ctx context.Context, token string, rev uint64) (*AuthInfo, bool) {
    42. 

  42. 	// rev isn't used in JWT, it is only used in simple token
    43. 

  43. 	var (
    44. 

  44. 		username string
    45. 

  45. 		revision uint64
    46. 

  46. 	)
    47. 

  47. 

  48. 	parsed, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
    49. 

  49. 		if token.Method.Alg() != t.signMethod.Alg() {
    50. 

  50. 			return nil, errors.New("invalid signing method")
    51. 

  51. 		}
    52. 

  52. 		switch k := t.key.(type) {
    53. 

  53. 		case *rsa.PrivateKey:
    54. 

  54. 			return &k.PublicKey, nil
    55. 

  55. 		case *ecdsa.PrivateKey:
    56. 

  56. 			return &k.PublicKey, nil
    57. 

  57. 		default:
    58. 

  58. 			return t.key, nil
    59. 

  59. 		}
    60. 

  60. 	})
    61. 

  61. 

  62. 	if err != nil {
    63. 

  63. 		if t.lg != nil {
    64. 

  64. 			t.lg.Warn(
    65. 

  65. 				"failed to parse a JWT token",
    66. 

  66. 				zap.String("token", token),
    67. 

  67. 				zap.Error(err),
    68. 

  68. 			)
    69. 

  69. 		} else {
    70. 

  70. 			plog.Warningf("failed to parse jwt token: %s", err)
    71. 

  71. 		}
    72. 

  72. 		return nil, false
    73. 

  73. 	}
    74. 

  74. 

  75. 	claims, ok := parsed.Claims.(jwt.MapClaims)
    76. 

  76. 	if !parsed.Valid || !ok {
    77. 

  77. 		if t.lg != nil {
    78. 

  78. 			t.lg.Warn("invalid JWT token", zap.String("token", token))
    79. 

  79. 		} else {
    80. 

  80. 			plog.Warningf("invalid jwt token: %s", token)
    81. 

  81. 		}
    82. 

  82. 		return nil, false
    83. 

  83. 	}
    84. 

  84. 

  85. 	username = claims["username"].(string)
    86. 

  86. 	revision = uint64(claims["revision"].(float64))
    87. 

  87. 

  88. 	return &AuthInfo{Username: username, Revision: revision}, true
    89. 

  89. }
    90. 

  90. 

  91. func (t *tokenJWT) assign(ctx context.Context, username string, revision uint64) (string, error) {
    92. 

  92. 	if t.verifyOnly {
    93. 

  93. 		return "", ErrVerifyOnly
    94. 

  94. 	}
    95. 

  95. 

  96. 	// Future work: let a jwt token include permission information would be useful for
    97. 

  97. 	// permission checking in proxy side.
    98. 

  98. 	tk := jwt.NewWithClaims(t.signMethod,
    99. 

  99. 		jwt.MapClaims{
    100. 

  100. 			"username": username,
    101. 

  101. 			"revision": revision,
    102. 

  102. 			"exp":      time.Now().Add(t.ttl).Unix(),
    103. 

  103. 		})
    104. 

  104. 

  105. 	token, err := tk.SignedString(t.key)
    106. 

  106. 	if err != nil {
    107. 

  107. 		if t.lg != nil {
    108. 

  108. 			t.lg.Warn(
    109. 

  109. 				"failed to sign a JWT token",
    110. 

  110. 				zap.String("user-name", username),
    111. 

  111. 				zap.Uint64("revision", revision),
    112. 

  112. 				zap.Error(err),
    113. 

  113. 			)
    114. 

  114. 		} else {
    115. 

  115. 			plog.Debugf("failed to sign jwt token: %s", err)
    116. 

  116. 		}
    117. 

  117. 		return "", err
    118. 

  118. 	}
    119. 

  119. 

  120. 	if t.lg != nil {
    121. 

  121. 		t.lg.Info(
    122. 

  122. 			"created/assigned a new JWT token",
    123. 

  123. 			zap.String("user-name", username),
    124. 

  124. 			zap.Uint64("revision", revision),
    125. 

  125. 			zap.String("token", token),
    126. 

  126. 		)
    127. 

  127. 	} else {
    128. 

  128. 		plog.Debugf("jwt token: %s", token)
    129. 

  129. 	}
    130. 

  130. 	return token, err
    131. 

  131. }
    132. 

  132. 

  133. func newTokenProviderJWT(lg *zap.Logger, optMap map[string]string) (*tokenJWT, error) {
    134. 

  134. 	var err error
    135. 

  135. 	var opts jwtOptions
    136. 

  136. 	err = opts.ParseWithDefaults(optMap)
    137. 

  137. 	if err != nil {
    138. 

  138. 		if lg != nil {
    139. 

  139. 			lg.Warn("problem loading JWT options", zap.Error(err))
    140. 

  140. 		} else {
    141. 

  141. 			plog.Errorf("problem loading JWT options: %s", err)
    142. 

  142. 		}
    143. 

  143. 		return nil, ErrInvalidAuthOpts
    144. 

  144. 	}
    145. 

  145. 

  146. 	var keys = make([]string, 0, len(optMap))
    147. 

  147. 	for k := range optMap {
    148. 

  148. 		if !knownOptions[k] {
    149. 

  149. 			keys = append(keys, k)
    150. 

  150. 		}
    151. 

  151. 	}
    152. 

  152. 	if len(keys) > 0 {
    153. 

  153. 		if lg != nil {
    154. 

  154. 			lg.Warn("unknown JWT options", zap.Strings("keys", keys))
    155. 

  155. 		} else {
    156. 

  156. 			plog.Warningf("unknown JWT options: %v", keys)
    157. 

  157. 		}
    158. 

  158. 	}
    159. 

  159. 

  160. 	key, err := opts.Key()
    161. 

  161. 	if err != nil {
    162. 

  162. 		return nil, err
    163. 

  163. 	}
    164. 

  164. 

  165. 	t := &tokenJWT{
    166. 

  166. 		lg:         lg,
    167. 

  167. 		ttl:        opts.TTL,
    168. 

  168. 		signMethod: opts.SignMethod,
    169. 

  169. 		key:        key,
    170. 

  170. 	}
    171. 

  171. 

  172. 	switch t.signMethod.(type) {
    173. 

  173. 	case *jwt.SigningMethodECDSA:
    174. 

  174. 		if _, ok := t.key.(*ecdsa.PublicKey); ok {
    175. 

  175. 			t.verifyOnly = true
    176. 

  176. 		}
    177. 

  177. 	case *jwt.SigningMethodRSA, *jwt.SigningMethodRSAPSS:
    178. 

  178. 		if _, ok := t.key.(*rsa.PublicKey); ok {
    179. 

  179. 			t.verifyOnly = true
    180. 

  180. 		}
    181. 

  181. 	}
    182. 

  182. 

  183. 	return t, nil
    184. 

  184. }
    185.