NotificationsYou must be signed in to change notification settings
Fork244
Star5.2k

Commit76bde95

committed

use a rsa private key to sign jwt

if not given will auto-generate a HMAC key

1 parent59bb2bf commit76bde95Copy full SHA for 76bde95

File tree

4 files changed

+62

-21

lines changed

cmd/gaia
- main.go
gaia.go
handlers
- User.go
- handler.go

4 files changed

+62

-21

lines changed

`‎cmd/gaia/main.go‎`

Lines changed: 31 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,15 @@`
`1`	`1`	`package main`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+"crypto/rand"`
`4`	`5`	`"flag"`
`5`	`6`	`"fmt"`
`6`	`7`	`"os"`
`7`	`8`	`"path/filepath"`
`8`	`9`
	`10`	`+"io/ioutil"`
	`11`	`+`
	`12`	`+"github.com/dgrijalva/jwt-go"`
`9`	`13`	`"github.com/gaia-pipeline/gaia"`
`10`	`14`	`"github.com/gaia-pipeline/gaia/handlers"`
`11`	`15`	`"github.com/gaia-pipeline/gaia/pipeline"`
`@@ -16,7 +20,8 @@ import (`
`16`	`20`	`)`
`17`	`21`
`18`	`22`	`var (`
`19`		`-echoInstance*echo.Echo`
	`23`	`+echoInstance*echo.Echo`
	`24`	`+jwtPrivateKeyPathstring`
`20`	`25`	`)`
`21`	`26`
`22`	`27`	`const (`
`@@ -35,6 +40,7 @@ func init() {`
`35`	`40`	`flag.StringVar(&gaia.Cfg.ListenPort,"port","8080","Listen port for gaia")`
`36`	`41`	`flag.StringVar(&gaia.Cfg.HomePath,"homepath","","Path to the gaia home folder")`
`37`	`42`	`flag.StringVar(&gaia.Cfg.Worker,"worker","2","Number of worker gaia will use to execute pipelines in parallel")`
	`43`	`+flag.StringVar(&jwtPrivateKeyPath,"jwtPrivateKeyPath","","A RSA private key used to sign JWT tokens")`
`38`	`44`	`flag.BoolVar(&gaia.Cfg.DevMode,"dev",false,"If true, gaia will be started in development mode. Don't use this in production!")`
`39`	`45`	`flag.BoolVar(&gaia.Cfg.VersionSwitch,"version",false,"If true, will print the version and immediately exit")`
`40`	`46`
`@@ -59,6 +65,30 @@ func main() {`
`59`	`65`	`Name:"Gaia",`
`60`	`66`	`})`
`61`	`67`
	`68`	`+varjwtKeyinterface{}`
	`69`	`+// Check JWT key is set`
	`70`	`+ifjwtPrivateKeyPath=="" {`
	`71`	`+gaia.Cfg.Logger.Warn("using auto-generated key to sign jwt tokens, do not use in production")`
	`72`	`+jwtKey=make([]byte,64)`
	`73`	`+_,err:=rand.Read(jwtKey.([]byte))`
	`74`	`+iferr!=nil {`
	`75`	`+gaia.Cfg.Logger.Error("error auto-generating jwt key","error",err.Error())`
	`76`	`+os.Exit(1)`
	`77`	`+}`
	`78`	`+}else {`
	`79`	`+keyData,err:=ioutil.ReadFile(jwtPrivateKeyPath)`
	`80`	`+iferr!=nil {`
	`81`	`+gaia.Cfg.Logger.Error("could not read jwt key file","error",err.Error())`
	`82`	`+os.Exit(1)`
	`83`	`+}`
	`84`	`+jwtKey,err=jwt.ParseRSAPrivateKeyFromPEM(keyData)`
	`85`	`+iferr!=nil {`
	`86`	`+gaia.Cfg.Logger.Error("could not parse jwt key file","error",err.Error())`
	`87`	`+os.Exit(1)`
	`88`	`+}`
	`89`	`+}`
	`90`	`+gaia.Cfg.JWTKey=jwtKey`
	`91`	`+`
`62`	`92`	`// Find path for gaia home folder if not given by parameter`
`63`	`93`	`ifgaia.Cfg.HomePath=="" {`
`64`	`94`	`// Find executeable path`

`‎gaia.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -153,6 +153,7 @@ type Config struct {`
`153`	`153`	`PipelinePathstring`
`154`	`154`	`WorkspacePathstring`
`155`	`155`	`Workerstring`
	`156`	`+JWTKeyinterface{}`
`156`	`157`	`Logger hclog.Logger`
`157`	`158`
`158`	`159`	`Boltstruct {`

`‎handlers/User.go‎`

Lines changed: 14 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,9 @@ import (`
`6`	`6`
`7`	`7`	`"github.com/labstack/echo"`
`8`	`8`
`9`		`-jwt"github.com/dgrijalva/jwt-go"`
	`9`	`+"crypto/rsa"`
	`10`	`+`
	`11`	`+"github.com/dgrijalva/jwt-go"`
`10`	`12`	`"github.com/gaia-pipeline/gaia"`
`11`	`13`	`)`
`12`	`14`
`@@ -45,11 +47,20 @@ func UserLogin(c echo.Context) error {`
`45`	`47`	`},`
`46`	`48`	`}`
`47`	`49`
	`50`	`+vartoken*jwt.Token`
`48`	`51`	`// Generate JWT token`
`49`		`-token:=jwt.NewWithClaims(jwt.SigningMethodHS256,claims)`
	`52`	`+switcht:=gaia.Cfg.JWTKey.(type) {`
	`53`	`+case []byte:`
	`54`	`+token=jwt.NewWithClaims(jwt.SigningMethodHS256,claims)`
	`55`	`+case*rsa.PrivateKey:`
	`56`	`+token=jwt.NewWithClaims(jwt.SigningMethodRS512,claims)`
	`57`	`+default:`
	`58`	`+gaia.Cfg.Logger.Error("invalid jwt key type","type",t)`
	`59`	`+returnc.String(http.StatusInternalServerError,"error creating jwt token: invalid jwt key type")`
	`60`	`+}`
`50`	`61`
`51`	`62`	`// Sign and get encoded token`
`52`		`-tokenstring,err:=token.SignedString(jwtKey)`
	`63`	`+tokenstring,err:=token.SignedString(gaia.Cfg.JWTKey)`
`53`	`64`	`iferr!=nil {`
`54`	`65`	`gaia.Cfg.Logger.Error("error signing jwt token","error",err.Error())`
`55`	`66`	`returnc.String(http.StatusInternalServerError,err.Error())`

`‎handlers/handler.go‎`

Lines changed: 16 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,15 @@`
`1`	`1`	`package handlers`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"crypto/rand"`
`5`	`4`	`"errors"`
`6`	`5`	`"fmt"`
`7`	`6`	`"net/http"`
`8`	`7`	`"strings"`
`9`	`8`
`10`	`9`	`"github.com/GeertJohan/go.rice"`
`11`	`10`
	`11`	`+"crypto/rsa"`
	`12`	`+`
`12`	`13`	`jwt"github.com/dgrijalva/jwt-go"`
`13`	`14`	`"github.com/gaia-pipeline/gaia"`
`14`	`15`	`scheduler"github.com/gaia-pipeline/gaia/scheduler"`
`@@ -48,22 +49,12 @@ var storeService *store.Store`
`48`	`49`
`49`	`50`	`varschedulerService*scheduler.Scheduler`
`50`	`51`
`51`		`-// jwtKey is a random generated key for jwt signing`
`52`		`-varjwtKey []byte`
`53`		`-`
`54`	`52`	`// InitHandlers initializes(registers) all handlers`
`55`	`53`	`funcInitHandlers(eecho.Echo,storestore.Store,scheduler*scheduler.Scheduler)error {`
`56`	`54`	`// Set instances`
`57`	`55`	`storeService=store`
`58`	`56`	`schedulerService=scheduler`
`59`	`57`
`60`		`-// Generate signing key for jwt`
`61`		`-jwtKey=make([]byte,64)`
`62`		`-_,err:=rand.Read(jwtKey)`
`63`		`-iferr!=nil {`
`64`		`-returnerr`
`65`		`-}`
`66`		`-`
`67`	`58`	`// Define prefix`
`68`	`59`	`p:="/api/"+apiVersion+"/"`
`69`	`60`
`@@ -142,13 +133,21 @@ func authBarrier(next echo.HandlerFunc) echo.HandlerFunc {`
`142`	`133`
`143`	`134`	`// Parse token`
`144`	`135`	`token,err:=jwt.Parse(jwtString,func(token*jwt.Token) (interface{},error) {`
`145`		`-// Validate signing method`
`146`		`-if_,ok:=token.Method.(*jwt.SigningMethodHMAC);!ok {`
`147`		`-returnnil,fmt.Errorf("unexpected signing method: %v",token.Header["alg"])`
	`136`	`+signingMethodError:=fmt.Errorf("unexpected signing method: %v",token.Header["alg"])`
	`137`	`+switchtoken.Method.(type) {`
	`138`	`+case*jwt.SigningMethodHMAC:`
	`139`	`+if_,ok:=gaia.Cfg.JWTKey.([]byte);!ok {`
	`140`	`+returnnil,signingMethodError`
	`141`	`+}`
	`142`	`+returngaia.Cfg.JWTKey,nil`
	`143`	`+case*jwt.SigningMethodRSA:`
	`144`	`+if_,ok:=gaia.Cfg.JWTKey.(*rsa.PrivateKey);!ok {`
	`145`	`+returnnil,signingMethodError`
	`146`	`+}`
	`147`	`+returngaia.Cfg.JWTKey.(*rsa.PrivateKey).Public(),nil`
	`148`	`+default:`
	`149`	`+returnnil,signingMethodError`
`148`	`150`	`}`
`149`		`-`
`150`		`-// return secret`
`151`		`-returnjwtKey,nil`
`152`	`151`	`})`
`153`	`152`	`iferr!=nil {`
`154`	`153`	`returnc.String(http.StatusForbidden,err.Error())`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit76bde95

File tree

4 files changed

4 files changed

`‎cmd/gaia/main.go‎`

`‎gaia.go‎`

`‎handlers/User.go‎`

`‎handlers/handler.go‎`

0 commit comments