141 lines
3.5 KiB
Go
141 lines
3.5 KiB
Go
package jsonweb
|
|
|
|
import (
|
|
"errors"
|
|
|
|
"github.com/dgrijalva/jwt-go"
|
|
"github.com/influxdata/influxdb"
|
|
)
|
|
|
|
const kind = "jwt"
|
|
|
|
var (
|
|
// ErrKeyNotFound should be returned by a KeyStore when
|
|
// a key cannot be located for the provided key ID
|
|
ErrKeyNotFound = errors.New("key not found")
|
|
|
|
// EmptyKeyStore is a KeyStore implementation which contains no keys
|
|
EmptyKeyStore = KeyStoreFunc(func(string) ([]byte, error) {
|
|
return nil, ErrKeyNotFound
|
|
})
|
|
)
|
|
|
|
// KeyStore is a type which holds a set of keys accessed
|
|
// via an id
|
|
type KeyStore interface {
|
|
Key(string) ([]byte, error)
|
|
}
|
|
|
|
// KeyStoreFunc is a function which can be used as a KeyStore
|
|
type KeyStoreFunc func(string) ([]byte, error)
|
|
|
|
// Key delegates to the receiver KeyStoreFunc
|
|
func (k KeyStoreFunc) Key(v string) ([]byte, error) { return k(v) }
|
|
|
|
// TokenParser is a type which can parse and validate tokens
|
|
type TokenParser struct {
|
|
keyStore KeyStore
|
|
parser *jwt.Parser
|
|
}
|
|
|
|
// NewTokenParser returns a configured token parser used to
|
|
// parse Token types from strings
|
|
func NewTokenParser(keyStore KeyStore) *TokenParser {
|
|
return &TokenParser{
|
|
keyStore: keyStore,
|
|
parser: &jwt.Parser{
|
|
ValidMethods: []string{jwt.SigningMethodHS256.Alg()},
|
|
},
|
|
}
|
|
}
|
|
|
|
// Parse takes a string then parses and validates it as a jwt based on
|
|
// the key described within the token
|
|
func (t *TokenParser) Parse(v string) (*Token, error) {
|
|
jwt, err := t.parser.ParseWithClaims(v, &Token{}, func(jwt *jwt.Token) (interface{}, error) {
|
|
token, ok := jwt.Claims.(*Token)
|
|
if !ok {
|
|
return nil, errors.New("missing kid in token claims")
|
|
}
|
|
|
|
// fetch key for "kid" from key store
|
|
return t.keyStore.Key(token.KeyID)
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
token, ok := jwt.Claims.(*Token)
|
|
if !ok {
|
|
return nil, errors.New("token is unexpected type")
|
|
}
|
|
|
|
return token, nil
|
|
}
|
|
|
|
// IsMalformedError returns true if the error returned represents
|
|
// a jwt malformed token error
|
|
func IsMalformedError(err error) bool {
|
|
verr, ok := err.(*jwt.ValidationError)
|
|
return ok && verr.Errors&jwt.ValidationErrorMalformed > 0
|
|
}
|
|
|
|
// Token is a structure which is serialized as a json web token
|
|
// It contains the necessary claims required to authorize
|
|
type Token struct {
|
|
jwt.StandardClaims
|
|
// KeyID is the identifier of the key used to sign the token
|
|
KeyID string `json:"kid"`
|
|
// Permissions is the set of authorized permissions for the token
|
|
Permissions []influxdb.Permission `json:"permissions"`
|
|
}
|
|
|
|
// Allowed returns whether or not a permission is allowed based
|
|
// on the set of permissions within the Token
|
|
func (t *Token) Allowed(p influxdb.Permission) bool {
|
|
if err := p.Valid(); err != nil {
|
|
return false
|
|
}
|
|
|
|
for _, perm := range t.Permissions {
|
|
if perm.Matches(p) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// Identifier returns the identifier for this Token
|
|
// as found in the standard claims
|
|
func (t *Token) Identifier() influxdb.ID {
|
|
id, err := influxdb.IDFromString(t.Id)
|
|
if err != nil || id == nil {
|
|
return influxdb.ID(1)
|
|
}
|
|
|
|
return *id
|
|
}
|
|
|
|
// GetUserID returns an invalid id as tokens are generated
|
|
// with permissions rather than for or by a particular user
|
|
func (t *Token) GetUserID() influxdb.ID {
|
|
return influxdb.InvalidID()
|
|
}
|
|
|
|
// Kind returns the string "jwt" which is used for auditing
|
|
func (t *Token) Kind() string {
|
|
return kind
|
|
}
|
|
|
|
// EphemeralAuth creates a influxdb Auth form a jwt token
|
|
func (t *Token) EphemeralAuth(orgID influxdb.ID) *influxdb.Authorization {
|
|
return &influxdb.Authorization{
|
|
ID: t.Identifier(),
|
|
OrgID: orgID,
|
|
Status: influxdb.Active,
|
|
Permissions: t.Permissions,
|
|
}
|
|
}
|