mirror of
https://github.com/documize/community.git
synced 2025-07-20 21:59:42 +02:00
224 lines
5.3 KiB
Go
224 lines
5.3 KiB
Go
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
|
|
//
|
|
// This software (Documize Community Edition) is licensed under
|
|
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
|
|
//
|
|
// You can operate outside the AGPL restrictions by purchasing
|
|
// Documize Enterprise Edition and obtaining a commercial license
|
|
// by contacting <sales@documize.com>.
|
|
//
|
|
// https://documize.com
|
|
|
|
package endpoint
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
jwt "github.com/dgrijalva/jwt-go"
|
|
|
|
"github.com/documize/community/core/api/request"
|
|
"github.com/documize/community/core/environment"
|
|
"github.com/documize/community/core/log"
|
|
)
|
|
|
|
var jwtKey string
|
|
|
|
func init() {
|
|
environment.GetString(&jwtKey, "salt", false, "the salt string used to encode JWT tokens, if not set a random value will be generated",
|
|
func(t *string, n string) bool {
|
|
if jwtKey == "" {
|
|
b := make([]byte, 17)
|
|
_, err := rand.Read(b)
|
|
if err != nil {
|
|
jwtKey = err.Error()
|
|
log.Error("problem using crypto/rand", err)
|
|
return false
|
|
}
|
|
for k, v := range b {
|
|
if (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z') || (v >= '0' && v <= '0') {
|
|
b[k] = v
|
|
} else {
|
|
s := fmt.Sprintf("%x", v)
|
|
b[k] = s[0]
|
|
}
|
|
}
|
|
jwtKey = string(b)
|
|
log.Info("Please set DOCUMIZESALT or use -salt with this value: " + jwtKey)
|
|
}
|
|
return true
|
|
})
|
|
}
|
|
|
|
// Generates JSON Web Token (http://jwt.io)
|
|
func generateJWT(user, org, domain string) string {
|
|
token := jwt.New(jwt.SigningMethodHS256)
|
|
|
|
// issuer
|
|
token.Claims["iss"] = "Documize"
|
|
// subject
|
|
token.Claims["sub"] = "webapp"
|
|
// expiry
|
|
token.Claims["exp"] = time.Now().Add(time.Hour * 168).Unix()
|
|
// data
|
|
token.Claims["user"] = user
|
|
token.Claims["org"] = org
|
|
token.Claims["domain"] = domain
|
|
|
|
tokenString, _ := token.SignedString([]byte(jwtKey))
|
|
|
|
return tokenString
|
|
}
|
|
|
|
// Check for authorization token.
|
|
// We look for 'Authorization' request header OR query string "?token=XXX".
|
|
func findJWT(r *http.Request) (token string) {
|
|
header := r.Header.Get("Authorization")
|
|
|
|
if header != "" {
|
|
header = strings.Replace(header, "Bearer ", "", 1)
|
|
}
|
|
|
|
if len(header) > 1 {
|
|
token = header
|
|
} else {
|
|
query := r.URL.Query()
|
|
token = query.Get("token")
|
|
}
|
|
|
|
if token == "null" {
|
|
token = ""
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// We take in raw token string and decode it.
|
|
func decodeJWT(tokenString string) (c request.Context, claims map[string]interface{}, err error) {
|
|
method := "decodeJWT"
|
|
|
|
// sensible defaults
|
|
c.UserID = ""
|
|
c.OrgID = ""
|
|
c.Authenticated = false
|
|
c.Guest = false
|
|
|
|
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
|
|
return []byte(jwtKey), nil
|
|
})
|
|
|
|
if err != nil {
|
|
err = fmt.Errorf("bad authorization token")
|
|
return
|
|
}
|
|
|
|
if !token.Valid {
|
|
if ve, ok := err.(*jwt.ValidationError); ok {
|
|
if ve.Errors&jwt.ValidationErrorMalformed != 0 {
|
|
log.Error("invalid token", err)
|
|
err = fmt.Errorf("bad token")
|
|
return
|
|
} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
|
|
log.Error("expired token", err)
|
|
err = fmt.Errorf("expired token")
|
|
return
|
|
} else {
|
|
log.Error("invalid token", err)
|
|
err = fmt.Errorf("bad token")
|
|
return
|
|
}
|
|
} else {
|
|
log.Error("invalid token", err)
|
|
err = fmt.Errorf("bad token")
|
|
return
|
|
}
|
|
}
|
|
|
|
c = request.NewContext()
|
|
c.UserID = token.Claims["user"].(string)
|
|
c.OrgID = token.Claims["org"].(string)
|
|
|
|
if len(c.UserID) == 0 || len(c.OrgID) == 0 {
|
|
err = fmt.Errorf("%s : unable parse token data", method)
|
|
return
|
|
}
|
|
|
|
c.Authenticated = true
|
|
c.Guest = false
|
|
|
|
return c, token.Claims, nil
|
|
}
|
|
|
|
// We take in Keycloak token string and decode it.
|
|
func decodeKeycloakJWT(t, pk string) (err error) {
|
|
// method := "decodeKeycloakJWT"
|
|
|
|
log.Info(t)
|
|
log.Info(pk)
|
|
|
|
var rsaPSSKey *rsa.PublicKey
|
|
if rsaPSSKey, err = jwt.ParseRSAPublicKeyFromPEM([]byte(pk)); err != nil {
|
|
log.Error("Unable to parse RSA public key", err)
|
|
return
|
|
}
|
|
|
|
parts := strings.Split(t, ".")
|
|
m := jwt.GetSigningMethod("RSA256")
|
|
|
|
err = m.Verify(strings.Join(parts[0:2], "."), parts[2], rsaPSSKey)
|
|
if err != nil {
|
|
log.Error("Error while verifying key", err)
|
|
return
|
|
}
|
|
|
|
// token, err := jwt.Parse(t, func(token *jwt.Token) (interface{}, error) {
|
|
// p, pe := jwt.ParseRSAPublicKeyFromPEM([]byte(pk))
|
|
// if pe != nil {
|
|
// log.Error("have jwt err", pe)
|
|
// }
|
|
// return p, pe
|
|
// // return []byte(jwtKey), nil
|
|
// })
|
|
|
|
// if err != nil {
|
|
// err = fmt.Errorf("bad authorization token")
|
|
// return
|
|
// }
|
|
|
|
// if !token.Valid {
|
|
// if ve, ok := err.(*jwt.ValidationError); ok {
|
|
// if ve.Errors&jwt.ValidationErrorMalformed != 0 {
|
|
// log.Error("invalid token", err)
|
|
// err = fmt.Errorf("bad token")
|
|
// return
|
|
// } else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
|
|
// log.Error("expired token", err)
|
|
// err = fmt.Errorf("expired token")
|
|
// return
|
|
// } else {
|
|
// log.Error("invalid token", err)
|
|
// err = fmt.Errorf("bad token")
|
|
// return
|
|
// }
|
|
// } else {
|
|
// log.Error("invalid token", err)
|
|
// err = fmt.Errorf("bad token")
|
|
// return
|
|
// }
|
|
// }
|
|
|
|
// email := token.Claims["user"].(string)
|
|
// exp := token.Claims["exp"].(string)
|
|
// sub := token.Claims["sub"].(string)
|
|
|
|
// if len(email) == 0 || len(exp) == 0 || len(sub) == 0 {
|
|
// err = fmt.Errorf("%s : unable parse Keycloak token data", method)
|
|
// return
|
|
// }
|
|
|
|
return nil
|
|
}
|