mirror of
https://github.com/seaweedfs/seaweedfs.git
synced 2024-12-03 18:09:07 +08:00
147 lines
3.2 KiB
Go
147 lines
3.2 KiB
Go
package security
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/chrislusf/weed-fs/go/glog"
|
|
"github.com/dgrijalva/jwt-go"
|
|
)
|
|
|
|
var (
|
|
ErrUnauthorized = errors.New("unauthorized token")
|
|
)
|
|
|
|
/*
|
|
Guard is to ensure data access security.
|
|
There are 2 ways to check access:
|
|
1. white list. It's checking request ip address.
|
|
2. JSON Web Token(JWT) generated from secretKey.
|
|
The jwt can come from:
|
|
1. url parameter jwt=...
|
|
2. request header "Authorization"
|
|
3. cookie with the name "jwt"
|
|
|
|
The white list is checked first because it is easy.
|
|
Then the JWT is checked.
|
|
|
|
The Guard will also check these claims if provided:
|
|
1. "exp" Expiration Time
|
|
2. "nbf" Not Before
|
|
|
|
Generating JWT:
|
|
1. use HS256 to sign
|
|
2. optionally set "exp", "nbf" fields, in Unix time,
|
|
the number of seconds elapsed since January 1, 1970 UTC.
|
|
|
|
Referenced:
|
|
https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
|
|
|
|
*/
|
|
type Guard struct {
|
|
whiteList []string
|
|
secretKey string
|
|
|
|
isActive bool
|
|
}
|
|
|
|
func NewGuard(whiteList []string, secretKey string) *Guard {
|
|
g := &Guard{whiteList: whiteList, secretKey: secretKey}
|
|
g.isActive = len(g.whiteList) != 0 || len(g.secretKey) != 0
|
|
return g
|
|
}
|
|
|
|
func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
|
|
if !g.isActive {
|
|
//if no security needed, just skip all checkings
|
|
return f
|
|
}
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
if err := g.doCheck(w, r); err != nil {
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
f(w, r)
|
|
}
|
|
}
|
|
|
|
func (g *Guard) NewToken() (tokenString string, err error) {
|
|
m := make(map[string]interface{})
|
|
m["exp"] = time.Now().Unix() + 10
|
|
return g.Encode(m)
|
|
}
|
|
|
|
func (g *Guard) Encode(claims map[string]interface{}) (tokenString string, err error) {
|
|
if !g.isActive {
|
|
return "", nil
|
|
}
|
|
|
|
t := jwt.New(jwt.GetSigningMethod("HS256"))
|
|
t.Claims = claims
|
|
return t.SignedString(g.secretKey)
|
|
}
|
|
|
|
func (g *Guard) Decode(tokenString string) (token *jwt.Token, err error) {
|
|
return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
|
|
return g.secretKey, nil
|
|
})
|
|
}
|
|
|
|
func (g *Guard) doCheck(w http.ResponseWriter, r *http.Request) error {
|
|
if len(g.whiteList) != 0 {
|
|
host, _, err := net.SplitHostPort(r.RemoteAddr)
|
|
if err == nil {
|
|
for _, ip := range g.whiteList {
|
|
if ip == host {
|
|
return nil
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if len(g.secretKey) != 0 {
|
|
|
|
// Get token from query params
|
|
tokenStr := r.URL.Query().Get("jwt")
|
|
|
|
// Get token from authorization header
|
|
if tokenStr == "" {
|
|
bearer := r.Header.Get("Authorization")
|
|
if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
|
|
tokenStr = bearer[7:]
|
|
}
|
|
}
|
|
|
|
// Get token from cookie
|
|
if tokenStr == "" {
|
|
cookie, err := r.Cookie("jwt")
|
|
if err == nil {
|
|
tokenStr = cookie.Value
|
|
}
|
|
}
|
|
|
|
if tokenStr == "" {
|
|
return ErrUnauthorized
|
|
}
|
|
|
|
// Verify the token
|
|
token, err := g.Decode(tokenStr)
|
|
if err != nil {
|
|
glog.V(1).Infof("Token verification error from %s: %v", r.RemoteAddr, err)
|
|
return ErrUnauthorized
|
|
}
|
|
if !token.Valid {
|
|
glog.V(1).Infof("Token invliad from %s: %v", r.RemoteAddr, tokenStr)
|
|
return ErrUnauthorized
|
|
}
|
|
|
|
}
|
|
|
|
glog.V(1).Infof("No permission from %s", r.RemoteAddr)
|
|
return fmt.Errorf("No write permisson from %s", r.RemoteAddr)
|
|
}
|