mirror of
https://github.com/drakkan/sftpgo.git
synced 2025-12-06 14:20:55 +03:00
node token: embed permissions directly in JWT
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
@@ -132,17 +132,17 @@ func (n *Node) validate() error {
|
||||
return n.Data.validate()
|
||||
}
|
||||
|
||||
func (n *Node) authenticate(token string) (string, string, error) {
|
||||
func (n *Node) authenticate(token string) (string, string, []string, error) {
|
||||
if err := n.Data.Key.TryDecrypt(); err != nil {
|
||||
providerLog(logger.LevelError, "unable to decrypt node key: %v", err)
|
||||
return "", "", err
|
||||
return "", "", nil, err
|
||||
}
|
||||
if token == "" {
|
||||
return "", "", ErrInvalidCredentials
|
||||
return "", "", nil, ErrInvalidCredentials
|
||||
}
|
||||
t, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())), jwt.WithValidate(true))
|
||||
if err != nil {
|
||||
return "", "", fmt.Errorf("unable to parse and validate token: %v", err)
|
||||
return "", "", nil, fmt.Errorf("unable to parse and validate token: %v", err)
|
||||
}
|
||||
var adminUsername, role string
|
||||
if admin, ok := t.Get("admin"); ok {
|
||||
@@ -151,14 +151,16 @@ func (n *Node) authenticate(token string) (string, string, error) {
|
||||
}
|
||||
}
|
||||
if adminUsername == "" {
|
||||
return "", "", errors.New("no admin username associated with node token")
|
||||
return "", "", nil, errors.New("no admin username associated with node token")
|
||||
}
|
||||
if r, ok := t.Get("role"); ok {
|
||||
if val, ok := r.(string); ok && val != "" {
|
||||
role = val
|
||||
}
|
||||
}
|
||||
return adminUsername, role, nil
|
||||
perms := getPermsFromToken(t)
|
||||
|
||||
return adminUsername, role, perms, nil
|
||||
}
|
||||
|
||||
// getBaseURL returns the base URL for this node
|
||||
@@ -175,7 +177,7 @@ func (n *Node) getBaseURL() string {
|
||||
}
|
||||
|
||||
// generateAuthToken generates a new auth token
|
||||
func (n *Node) generateAuthToken(username, role string) (string, error) {
|
||||
func (n *Node) generateAuthToken(username, role string, permissions []string) (string, error) {
|
||||
if err := n.Data.Key.TryDecrypt(); err != nil {
|
||||
return "", fmt.Errorf("unable to decrypt node key: %w", err)
|
||||
}
|
||||
@@ -184,6 +186,7 @@ func (n *Node) generateAuthToken(username, role string) (string, error) {
|
||||
t := jwt.New()
|
||||
t.Set("admin", username) //nolint:errcheck
|
||||
t.Set("role", role) //nolint:errcheck
|
||||
t.Set("perms", permissions) //nolint:errcheck
|
||||
t.Set(jwt.IssuedAtKey, now) //nolint:errcheck
|
||||
t.Set(jwt.JwtIDKey, xid.New().String()) //nolint:errcheck
|
||||
t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck
|
||||
@@ -197,14 +200,14 @@ func (n *Node) generateAuthToken(username, role string) (string, error) {
|
||||
}
|
||||
|
||||
func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string,
|
||||
body io.Reader,
|
||||
permissions []string, body io.Reader,
|
||||
) (*http.Request, error) {
|
||||
url := fmt.Sprintf("%s%s", n.getBaseURL(), relativeURL)
|
||||
req, err := http.NewRequestWithContext(ctx, method, url, body)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
token, err := n.generateAuthToken(username, role)
|
||||
token, err := n.generateAuthToken(username, role, permissions)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -214,11 +217,11 @@ func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL,
|
||||
|
||||
// SendGetRequest sends an HTTP GET request to this node.
|
||||
// The responseHolder must be a pointer
|
||||
func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder any) error {
|
||||
func (n *Node) SendGetRequest(username, role, relativeURL string, permissions []string, responseHolder any) error {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)
|
||||
defer cancel()
|
||||
|
||||
req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, nil)
|
||||
req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, permissions, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -246,11 +249,11 @@ func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder
|
||||
}
|
||||
|
||||
// SendDeleteRequest sends an HTTP DELETE request to this node
|
||||
func (n *Node) SendDeleteRequest(username, role, relativeURL string) error {
|
||||
func (n *Node) SendDeleteRequest(username, role, relativeURL string, permissions []string) error {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)
|
||||
defer cancel()
|
||||
|
||||
req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, nil)
|
||||
req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, permissions, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -270,9 +273,9 @@ func (n *Node) SendDeleteRequest(username, role, relativeURL string) error {
|
||||
}
|
||||
|
||||
// AuthenticateNodeToken check the validity of the provided token
|
||||
func AuthenticateNodeToken(token string) (string, string, error) {
|
||||
func AuthenticateNodeToken(token string) (string, string, []string, error) {
|
||||
if currentNode == nil {
|
||||
return "", "", errNoClusterNodes
|
||||
return "", "", nil, errNoClusterNodes
|
||||
}
|
||||
return currentNode.authenticate(token)
|
||||
}
|
||||
@@ -284,3 +287,21 @@ func GetNodeName() string {
|
||||
}
|
||||
return currentNode.Name
|
||||
}
|
||||
|
||||
func getPermsFromToken(t jwt.Token) []string {
|
||||
var perms []string
|
||||
if p, ok := t.Get("perms"); ok {
|
||||
switch v := p.(type) {
|
||||
case []any:
|
||||
for _, elem := range v {
|
||||
switch elemValue := elem.(type) {
|
||||
case string:
|
||||
perms = append(perms, elemValue)
|
||||
}
|
||||
}
|
||||
case []string:
|
||||
perms = v
|
||||
}
|
||||
}
|
||||
return perms
|
||||
}
|
||||
|
||||
@@ -264,7 +264,9 @@ func disconnectUser(username, admin, role string) {
|
||||
logger.Warn(logSender, "", "unable to disconnect user %q, error getting node %q: %v", username, stat.Node, err)
|
||||
continue
|
||||
}
|
||||
if err := n.SendDeleteRequest(admin, role, fmt.Sprintf("%s/%s", activeConnectionsPath, stat.ConnectionID)); err != nil {
|
||||
perms := []string{dataprovider.PermAdminCloseConnections}
|
||||
uri := fmt.Sprintf("%s/%s", activeConnectionsPath, stat.ConnectionID)
|
||||
if err := n.SendDeleteRequest(admin, role, uri, perms); err != nil {
|
||||
logger.Warn(logSender, "", "unable to disconnect user %q from node %q, error: %v", username, n.Name, err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -217,7 +217,9 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) {
|
||||
sendAPIResponse(w, r, nil, http.StatusText(status), status)
|
||||
return
|
||||
}
|
||||
if err := n.SendDeleteRequest(claims.Username, claims.Role, fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)); err != nil {
|
||||
perms := []string{dataprovider.PermAdminCloseConnections}
|
||||
uri := fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)
|
||||
if err := n.SendDeleteRequest(claims.Username, claims.Role, uri, perms); err != nil {
|
||||
logger.Warn(logSender, "", "unable to delete connection id %q from node %q: %v", connectionID, n.Name, err)
|
||||
sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound)
|
||||
return
|
||||
@@ -243,7 +245,8 @@ func getNodesConnections(admin, role string) []common.ConnectionStatus {
|
||||
defer wg.Done()
|
||||
|
||||
var stats []common.ConnectionStatus
|
||||
if err := node.SendGetRequest(admin, role, activeConnectionsPath, &stats); err != nil {
|
||||
perms := []string{dataprovider.PermAdminViewConnections}
|
||||
if err := node.SendGetRequest(admin, role, activeConnectionsPath, perms, &stats); err != nil {
|
||||
logger.Warn(logSender, "", "unable to get connections from node %s: %v", node.Name, err)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -22,6 +22,7 @@ import (
|
||||
"net/url"
|
||||
"slices"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-chi/jwtauth/v5"
|
||||
"github.com/rs/xid"
|
||||
@@ -369,15 +370,22 @@ func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Han
|
||||
if len(token) > 7 && strings.ToUpper(token[0:6]) == "BEARER" {
|
||||
token = token[7:]
|
||||
}
|
||||
admin, role, err := dataprovider.AuthenticateNodeToken(token)
|
||||
if invalidatedJWTTokens.Get(token) {
|
||||
logger.Debug(logSender, "", "the node token has been invalidated")
|
||||
sendAPIResponse(w, r, fmt.Errorf("the provided token is not valid"), "", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
admin, role, perms, err := dataprovider.AuthenticateNodeToken(token)
|
||||
if err != nil {
|
||||
logger.Debug(logSender, "", "unable to authenticate node token %q: %v", token, err)
|
||||
sendAPIResponse(w, r, fmt.Errorf("the provided token cannot be authenticated"), "", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
defer invalidatedJWTTokens.Add(token, time.Now().Add(2*time.Minute).UTC())
|
||||
|
||||
c := jwtTokenClaims{
|
||||
Username: admin,
|
||||
Permissions: []string{dataprovider.PermAdminViewConnections, dataprovider.PermAdminCloseConnections},
|
||||
Permissions: perms,
|
||||
NodeID: dataprovider.GetNodeName(),
|
||||
Role: role,
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user