seaweedfs/weed/security/jwt.go

package security

import (
	"fmt"
	"net/http"
	"strings"
	"time"

	"github.com/chrislusf/seaweedfs/weed/glog"
	jwt "github.com/dgrijalva/jwt-go"
)

type EncodedJwt string
type SigningKey []byte

type SeaweedFileIdClaims struct {
	Fid string `json:"fid"`
	jwt.StandardClaims
}

func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
	if len(signingKey) == 0 {
		return ""
	}

	claims := SeaweedFileIdClaims{
		fileId,
		jwt.StandardClaims{},
	}
	if expiresAfterSec > 0 {
		claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
	}
	t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	encoded, e := t.SignedString([]byte(signingKey))
	if e != nil {
		glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
		return ""
	}
	return EncodedJwt(encoded)
}

func GetJwt(r *http.Request) EncodedJwt {

	// Get token from query params
	tokenStr := r.URL.Query().Get("jwt")

	// Get token from authorization header
	if tokenStr == "" {
		bearer := r.Header.Get("Authorization")
		if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
			tokenStr = bearer[7:]
		}
	}

	return EncodedJwt(tokenStr)
}

func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt) (token *jwt.Token, err error) {
	// check exp, nbf
	return jwt.ParseWithClaims(string(tokenString), &SeaweedFileIdClaims{}, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unknown token method")
		}
		return []byte(signingKey), nil
	})
}
merge conflicts 2015-02-07 23:35:28 +00:00			`package security`

			`import (`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`"fmt"`
merge conflicts 2015-02-07 23:35:28 +00:00			`"net/http"`
			`"strings"`
			`"time"`

directory structure change to work with glide glide has its own requirements. My previous workaround caused me some code checkin errors. Need to fix this. 2016-06-03 01:09:14 +00:00			`"github.com/chrislusf/seaweedfs/weed/glog"`
merge conflicts 2015-02-07 23:35:28 +00:00			`jwt "github.com/dgrijalva/jwt-go"`
			`)`

			`type EncodedJwt string`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`type SigningKey []byte`

			`type SeaweedFileIdClaims struct {`
			Fid string `json:"fid"`
			`jwt.StandardClaims`
			`}`
merge conflicts 2015-02-07 23:35:28 +00:00
master: add jwt expires_after_seconds 2019-05-04 15:42:25 +00:00			`func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`if len(signingKey) == 0 {`
merge conflicts 2015-02-07 23:35:28 +00:00			`return ""`
			`}`

add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`claims := SeaweedFileIdClaims{`
			`fileId,`
master: add jwt expires_after_seconds 2019-05-04 15:42:25 +00:00			`jwt.StandardClaims{},`
			`}`
			`if expiresAfterSec > 0 {`
			`claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()`
fix compilation problem due to API changes 2016-06-19 01:57:33 +00:00			`}`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`encoded, e := t.SignedString([]byte(signingKey))`
merge conflicts 2015-02-07 23:35:28 +00:00			`if e != nil {`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)`
merge conflicts 2015-02-07 23:35:28 +00:00			`return ""`
			`}`
			`return EncodedJwt(encoded)`
			`}`

			`func GetJwt(r *http.Request) EncodedJwt {`

			`// Get token from query params`
			`tokenStr := r.URL.Query().Get("jwt")`

			`// Get token from authorization header`
			`if tokenStr == "" {`
			`bearer := r.Header.Get("Authorization")`
			`if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {`
			`tokenStr = bearer[7:]`
			`}`
			`}`

			`return EncodedJwt(tokenStr)`
			`}`

cleanup security.Secret 2019-02-10 05:56:32 +00:00			`func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt) (token *jwt.Token, err error) {`
merge conflicts 2015-02-07 23:35:28 +00:00			`// check exp, nbf`
benchmark can work in secure mode 2019-02-15 08:09:19 +00:00			`return jwt.ParseWithClaims(string(tokenString), &SeaweedFileIdClaims{}, func(token *jwt.Token) (interface{}, error) {`
add authorizing fileId write access need to secure upload/update/delete for benchmark/filer/mount need to add secure grpc 2019-02-14 08:08:20 +00:00			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("unknown token method")`
			`}`
benchmark can work in secure mode 2019-02-15 08:09:19 +00:00			`return []byte(signingKey), nil`
merge conflicts 2015-02-07 23:35:28 +00:00			`})`
			`}`