merge conflicts

2015-02-07 15:35:28 -08:00
parent 714ccb6e2b
commit f7998f8652
21 changed files with 271 additions and 137 deletions
--- a/go/security/guard.go
+++ b/go/security/guard.go
@@ -5,11 +5,8 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"strings"
-	"time"

 	"github.com/chrislusf/weed-fs/go/glog"
-	"github.com/dgrijalva/jwt-go"
 )

 var (
@@ -44,24 +41,38 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
 */
 type Guard struct {
 	whiteList []string
-	secretKey string
+	SecretKey Secret

 	isActive bool
 }

 func NewGuard(whiteList []string, secretKey string) *Guard {
-	g := &Guard{whiteList: whiteList, secretKey: secretKey}
-	g.isActive = len(g.whiteList) != 0 || len(g.secretKey) != 0
+	g := &Guard{whiteList: whiteList, SecretKey: Secret(secretKey)}
+	g.isActive = len(g.whiteList) != 0 || len(g.SecretKey) != 0
 	return g
 }

+func (g *Guard) WhiteList(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
+	if !g.isActive {
+		//if no security needed, just skip all checkings
+		return f
+	}
+	return func(w http.ResponseWriter, r *http.Request) {
+		if err := g.checkWhiteList(w, r); err != nil {
+			w.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+		f(w, r)
+	}
+}
+
 func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
 	if !g.isActive {
 		//if no security needed, just skip all checkings
 		return f
 	}
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := g.doCheck(w, r); err != nil {
+		if err := g.checkJwt(w, r); err != nil {
 			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}
@@ -69,76 +80,48 @@ func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w ht
 	}
 }

-func (g *Guard) NewToken() (tokenString string, err error) {
-	m := make(map[string]interface{})
-	m["exp"] = time.Now().Unix() + 10
-	return g.Encode(m)
-}
-
-func (g *Guard) Encode(claims map[string]interface{}) (tokenString string, err error) {
-	if !g.isActive {
-		return "", nil
+func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error {
+	if len(g.whiteList) == 0 {
+		return nil
 	}

-	t := jwt.New(jwt.GetSigningMethod("HS256"))
-	t.Claims = claims
-	return t.SignedString(g.secretKey)
-}
-
-func (g *Guard) Decode(tokenString string) (token *jwt.Token, err error) {
-	return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-		return g.secretKey, nil
-	})
-}
-
-func (g *Guard) doCheck(w http.ResponseWriter, r *http.Request) error {
-	if len(g.whiteList) != 0 {
-		host, _, err := net.SplitHostPort(r.RemoteAddr)
-		if err == nil {
-			for _, ip := range g.whiteList {
-				if ip == host {
-					return nil
-				}
+	host, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err == nil {
+		for _, ip := range g.whiteList {
+			if ip == host {
+				return nil
 			}
 		}
 	}

-	if len(g.secretKey) != 0 {
+	glog.V(1).Infof("Not in whitelist: %s", r.RemoteAddr)
+	return fmt.Errorf("Not in whitelis: %s", r.RemoteAddr)
+}

-		// Get token from query params
-		tokenStr := r.URL.Query().Get("jwt")
+func (g *Guard) checkJwt(w http.ResponseWriter, r *http.Request) error {
+	if g.checkWhiteList(w, r) == nil {
+		return nil
+	}

-		// Get token from authorization header
-		if tokenStr == "" {
-			bearer := r.Header.Get("Authorization")
-			if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
-				tokenStr = bearer[7:]
-			}
-		}
+	if len(g.SecretKey) == 0 {
+		return nil
+	}

-		// Get token from cookie
-		if tokenStr == "" {
-			cookie, err := r.Cookie("jwt")
-			if err == nil {
-				tokenStr = cookie.Value
-			}
-		}
+	tokenStr := GetJwt(r)

-		if tokenStr == "" {
-			return ErrUnauthorized
-		}
-
-		// Verify the token
-		token, err := g.Decode(tokenStr)
-		if err != nil {
-			glog.V(1).Infof("Token verification error from %s: %v", r.RemoteAddr, err)
-			return ErrUnauthorized
-		}
-		if !token.Valid {
-			glog.V(1).Infof("Token invliad from %s: %v", r.RemoteAddr, tokenStr)
-			return ErrUnauthorized
-		}
+	if tokenStr == "" {
+		return ErrUnauthorized
+	}

+	// Verify the token
+	token, err := DecodeJwt(g.SecretKey, tokenStr)
+	if err != nil {
+		glog.V(1).Infof("Token verification error from %s: %v", r.RemoteAddr, err)
+		return ErrUnauthorized
+	}
+	if !token.Valid {
+		glog.V(1).Infof("Token invliad from %s: %v", r.RemoteAddr, tokenStr)
+		return ErrUnauthorized
 	}

 	glog.V(1).Infof("No permission from %s", r.RemoteAddr)
--- a/go/security/jwt.go
+++ b/go/security/jwt.go
@@ -0,0 +1,72 @@
+package security
+
+import (
+	"net/http"
+	"strings"
+
+	"time"
+
+	"github.com/chrislusf/weed-fs/go/glog"
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+type EncodedJwt string
+type Secret string
+
+func GenJwt(secret Secret, fileId string) EncodedJwt {
+	if secret == "" {
+		return ""
+	}
+
+	t := jwt.New(jwt.GetSigningMethod("HS256"))
+	t.Claims["exp"] = time.Now().Unix() + 10
+	t.Claims["sub"] = fileId
+	encoded, e := t.SignedString(secret)
+	if e != nil {
+		glog.V(0).Infof("Failed to sign claims: %v", t.Claims)
+		return ""
+	}
+	return EncodedJwt(encoded)
+}
+
+func GetJwt(r *http.Request) EncodedJwt {
+
+	// Get token from query params
+	tokenStr := r.URL.Query().Get("jwt")
+
+	// Get token from authorization header
+	if tokenStr == "" {
+		bearer := r.Header.Get("Authorization")
+		if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
+			tokenStr = bearer[7:]
+		}
+	}
+
+	// Get token from cookie
+	if tokenStr == "" {
+		cookie, err := r.Cookie("jwt")
+		if err == nil {
+			tokenStr = cookie.Value
+		}
+	}
+
+	return EncodedJwt(tokenStr)
+}
+
+func EncodeJwt(secret Secret, claims map[string]interface{}) (EncodedJwt, error) {
+	if secret == "" {
+		return "", nil
+	}
+
+	t := jwt.New(jwt.GetSigningMethod("HS256"))
+	t.Claims = claims
+	encoded, e := t.SignedString(secret)
+	return EncodedJwt(encoded), e
+}
+
+func DecodeJwt(secret Secret, tokenString EncodedJwt) (token *jwt.Token, err error) {
+	// check exp, nbf
+	return jwt.Parse(string(tokenString), func(token *jwt.Token) (interface{}, error) {
+		return secret, nil
+	})
+}