Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-06 14:20:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

node token: embed permissions directly in JWT

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2025-08-22 15:50:20 +02:00
parent 6bde42fc3f
commit a5dd529d88
4 changed files with 54 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
internal/dataprovider/node.go
View File

@@ -132,17 +132,17 @@ func (n *Node) validate() error {
return n.Data.validate() return n.Data.validate()
} }
func (n *Node) authenticate(token string) (string, string, error) { func (n *Node) authenticate(token string) (string, string, []string, error) {
if err := n.Data.Key.TryDecrypt(); err != nil { if err := n.Data.Key.TryDecrypt(); err != nil {
providerLog(logger.LevelError, "unable to decrypt node key: %v", err) providerLog(logger.LevelError, "unable to decrypt node key: %v", err)
return "", "", err return "", "", nil, err
} }
if token == "" { if token == "" {
return "", "", ErrInvalidCredentials return "", "", nil, ErrInvalidCredentials
} }
t, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())), jwt.WithValidate(true)) t, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())), jwt.WithValidate(true))
if err != nil { if err != nil {
return "", "", fmt.Errorf("unable to parse and validate token: %v", err) return "", "", nil, fmt.Errorf("unable to parse and validate token: %v", err)
} }
var adminUsername, role string var adminUsername, role string
if admin, ok := t.Get("admin"); ok { if admin, ok := t.Get("admin"); ok {
@@ -151,14 +151,16 @@ func (n *Node) authenticate(token string) (string, string, error) {
} }
} }
if adminUsername == "" { if adminUsername == "" {
return "", "", errors.New("no admin username associated with node token") return "", "", nil, errors.New("no admin username associated with node token")
} }
if r, ok := t.Get("role"); ok { if r, ok := t.Get("role"); ok {
if val, ok := r.(string); ok && val != "" { if val, ok := r.(string); ok && val != "" {
role = val role = val
} }
} }
return adminUsername, role, nil perms := getPermsFromToken(t)
return adminUsername, role, perms, nil
} }
// getBaseURL returns the base URL for this node // getBaseURL returns the base URL for this node
@@ -175,7 +177,7 @@ func (n *Node) getBaseURL() string {
} }
// generateAuthToken generates a new auth token // generateAuthToken generates a new auth token
func (n *Node) generateAuthToken(username, role string) (string, error) { func (n *Node) generateAuthToken(username, role string, permissions []string) (string, error) {
if err := n.Data.Key.TryDecrypt(); err != nil { if err := n.Data.Key.TryDecrypt(); err != nil {
return "", fmt.Errorf("unable to decrypt node key: %w", err) return "", fmt.Errorf("unable to decrypt node key: %w", err)
} }
@@ -184,6 +186,7 @@ func (n *Node) generateAuthToken(username, role string) (string, error) {
t := jwt.New() t := jwt.New()
t.Set("admin", username) //nolint:errcheck t.Set("admin", username) //nolint:errcheck
t.Set("role", role) //nolint:errcheck t.Set("role", role) //nolint:errcheck
t.Set("perms", permissions) //nolint:errcheck
t.Set(jwt.IssuedAtKey, now) //nolint:errcheck t.Set(jwt.IssuedAtKey, now) //nolint:errcheck
t.Set(jwt.JwtIDKey, xid.New().String()) //nolint:errcheck t.Set(jwt.JwtIDKey, xid.New().String()) //nolint:errcheck
t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck
@@ -197,14 +200,14 @@ func (n *Node) generateAuthToken(username, role string) (string, error) {
} }
func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string, func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string,
body io.Reader, permissions []string, body io.Reader,
) (*http.Request, error) { ) (*http.Request, error) {
url := fmt.Sprintf("%s%s", n.getBaseURL(), relativeURL) url := fmt.Sprintf("%s%s", n.getBaseURL(), relativeURL)
req, err := http.NewRequestWithContext(ctx, method, url, body) req, err := http.NewRequestWithContext(ctx, method, url, body)
if err != nil { if err != nil {
return nil, err return nil, err
} }
token, err := n.generateAuthToken(username, role) token, err := n.generateAuthToken(username, role, permissions)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -214,11 +217,11 @@ func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL,
// SendGetRequest sends an HTTP GET request to this node. // SendGetRequest sends an HTTP GET request to this node.
// The responseHolder must be a pointer // The responseHolder must be a pointer
func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder any) error { func (n *Node) SendGetRequest(username, role, relativeURL string, permissions []string, responseHolder any) error {
ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout) ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)
defer cancel() defer cancel()
req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, nil) req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, permissions, nil)
if err != nil { if err != nil {
return err return err
} }
@@ -246,11 +249,11 @@ func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder
} }
// SendDeleteRequest sends an HTTP DELETE request to this node // SendDeleteRequest sends an HTTP DELETE request to this node
func (n *Node) SendDeleteRequest(username, role, relativeURL string) error { func (n *Node) SendDeleteRequest(username, role, relativeURL string, permissions []string) error {
ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout) ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)
defer cancel() defer cancel()
req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, nil) req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, permissions, nil)
if err != nil { if err != nil {
return err return err
} }
@@ -270,9 +273,9 @@ func (n *Node) SendDeleteRequest(username, role, relativeURL string) error {
} }
// AuthenticateNodeToken check the validity of the provided token // AuthenticateNodeToken check the validity of the provided token
func AuthenticateNodeToken(token string) (string, string, error) { func AuthenticateNodeToken(token string) (string, string, []string, error) {
if currentNode == nil { if currentNode == nil {
return "", "", errNoClusterNodes return "", "", nil, errNoClusterNodes
} }
return currentNode.authenticate(token) return currentNode.authenticate(token)
} }
@@ -284,3 +287,21 @@ func GetNodeName() string {
} }
return currentNode.Name return currentNode.Name
} }
func getPermsFromToken(t jwt.Token) []string {
var perms []string
if p, ok := t.Get("perms"); ok {
switch v := p.(type) {
case []any:
for _, elem := range v {
switch elemValue := elem.(type) {
case string:
perms = append(perms, elemValue)
}
}
case []string:
perms = v
}
}
return perms
}

4
internal/httpd/api_user.go
View File

@@ -264,7 +264,9 @@ func disconnectUser(username, admin, role string) {
logger.Warn(logSender, "", "unable to disconnect user %q, error getting node %q: %v", username, stat.Node, err) logger.Warn(logSender, "", "unable to disconnect user %q, error getting node %q: %v", username, stat.Node, err)
continue continue
} }
if err := n.SendDeleteRequest(admin, role, fmt.Sprintf("%s/%s", activeConnectionsPath, stat.ConnectionID)); err != nil { perms := []string{dataprovider.PermAdminCloseConnections}
uri := fmt.Sprintf("%s/%s", activeConnectionsPath, stat.ConnectionID)
if err := n.SendDeleteRequest(admin, role, uri, perms); err != nil {
logger.Warn(logSender, "", "unable to disconnect user %q from node %q, error: %v", username, n.Name, err) logger.Warn(logSender, "", "unable to disconnect user %q from node %q, error: %v", username, n.Name, err)
} }
} }

7
internal/httpd/api_utils.go
View File

@@ -217,7 +217,9 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) {
sendAPIResponse(w, r, nil, http.StatusText(status), status) sendAPIResponse(w, r, nil, http.StatusText(status), status)
return return
} }
if err := n.SendDeleteRequest(claims.Username, claims.Role, fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)); err != nil { perms := []string{dataprovider.PermAdminCloseConnections}
uri := fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)
if err := n.SendDeleteRequest(claims.Username, claims.Role, uri, perms); err != nil {
logger.Warn(logSender, "", "unable to delete connection id %q from node %q: %v", connectionID, n.Name, err) logger.Warn(logSender, "", "unable to delete connection id %q from node %q: %v", connectionID, n.Name, err)
sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound) sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound)
return return
@@ -243,7 +245,8 @@ func getNodesConnections(admin, role string) []common.ConnectionStatus {
defer wg.Done() defer wg.Done()
var stats []common.ConnectionStatus var stats []common.ConnectionStatus
if err := node.SendGetRequest(admin, role, activeConnectionsPath, &stats); err != nil { perms := []string{dataprovider.PermAdminViewConnections}
if err := node.SendGetRequest(admin, role, activeConnectionsPath, perms, &stats); err != nil {
logger.Warn(logSender, "", "unable to get connections from node %s: %v", node.Name, err) logger.Warn(logSender, "", "unable to get connections from node %s: %v", node.Name, err)
return return
} }

12
internal/httpd/middleware.go
View File

@@ -22,6 +22,7 @@ import (
"net/url" "net/url"
"slices" "slices"
"strings" "strings"
"time"
"github.com/go-chi/jwtauth/v5" "github.com/go-chi/jwtauth/v5"
"github.com/rs/xid" "github.com/rs/xid"
@@ -369,15 +370,22 @@ func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Han
if len(token) > 7 && strings.ToUpper(token[0:6]) == "BEARER" { if len(token) > 7 && strings.ToUpper(token[0:6]) == "BEARER" {
token = token[7:] token = token[7:]
} }
admin, role, err := dataprovider.AuthenticateNodeToken(token) if invalidatedJWTTokens.Get(token) {
logger.Debug(logSender, "", "the node token has been invalidated")
sendAPIResponse(w, r, fmt.Errorf("the provided token is not valid"), "", http.StatusUnauthorized)
return
}
admin, role, perms, err := dataprovider.AuthenticateNodeToken(token)
if err != nil { if err != nil {
logger.Debug(logSender, "", "unable to authenticate node token %q: %v", token, err) logger.Debug(logSender, "", "unable to authenticate node token %q: %v", token, err)
sendAPIResponse(w, r, fmt.Errorf("the provided token cannot be authenticated"), "", http.StatusUnauthorized) sendAPIResponse(w, r, fmt.Errorf("the provided token cannot be authenticated"), "", http.StatusUnauthorized)
return return
} }
defer invalidatedJWTTokens.Add(token, time.Now().Add(2*time.Minute).UTC())
c := jwtTokenClaims{ c := jwtTokenClaims{
Username: admin, Username: admin,
Permissions: []string{dataprovider.PermAdminViewConnections, dataprovider.PermAdminCloseConnections}, Permissions: perms,
NodeID: dataprovider.GetNodeName(), NodeID: dataprovider.GetNodeName(),
Role: role, Role: role,
} }