switch to jwt admin token

590d18ef · Sergey Yakubov · 0ff767f7 · 590d18ef · 590d18ef · 590d18ef
Commit 590d18ef authored 4 years ago by Sergey Yakubov
--- a/authorizer/src/asapo_authorizer/authorization/authorization.go
+++ b/authorizer/src/asapo_authorizer/authorization/authorization.go
@@ -8,9 +8,9 @@ import (
 )
 type Auth struct {
-	authHMAC utils.Auth
+	authHMAC  utils.Auth
-	authHMACAdmin utils.Auth
+	authAdmin utils.Auth
-	authJWT utils.Auth
+	authJWT   utils.Auth
 }
 func NewAuth(authHMAC,authHMACAdmin,authJWT utils.Auth) *Auth {
@@ -18,7 +18,7 @@ func NewAuth(authHMAC,authHMACAdmin,authJWT utils.Auth) *Auth {
 }
 func (auth *Auth) AdminAuth() utils.Auth {
-	return auth.authHMACAdmin
+	return auth.authAdmin
 }
 func (auth *Auth) HmacAuth() utils.Auth {
@@ -43,7 +43,7 @@ func subjectFromRequest(request TokenRequest) string {
 	return ""
 }
-func (auth *Auth) PrepareUserJWTToken(request TokenRequest) (string, error) {
+func (auth *Auth) PrepareAccessToken(request TokenRequest) (string, error) {
 	var claims utils.CustomClaims
 	var extraClaim utils.AccessTokenExtraClaim
@@ -55,7 +55,7 @@ func (auth *Auth) PrepareUserJWTToken(request TokenRequest) (string, error) {
 	uid := xid.New()
 	claims.Id = uid.String()
-	return auth.authJWT.GenerateToken(&claims)
+	return auth.authAdmin.GenerateToken(&claims)
 }

--- a/authorizer/src/asapo_authorizer/cli/command_test.go
+++ b/authorizer/src/asapo_authorizer/cli/command_test.go
@@ -20,7 +20,7 @@ var CommandTests = []struct {
 func TestCommand(t *testing.T) {
 	outBuf = new(bytes.Buffer)
-	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret"))
+	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 	for _, test := range CommandTests {
 		outBuf.(*bytes.Buffer).Reset()

--- a/authorizer/src/asapo_authorizer/cli/create_token.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token.go
@@ -72,7 +72,7 @@ func (cmd *command) CommandCreate_token() (err error) {
 		return err
 	}
-	token, err := server.Auth.PrepareUserJWTToken(request)
+	token, err := server.Auth.PrepareAccessToken(request)
 	if err != nil {
 		return err
 	}

--- a/authorizer/src/asapo_authorizer/cli/create_token_test.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token_test.go
@@ -38,7 +38,7 @@ var tokenTests = []struct {
 }
 func TestGenerateToken(t *testing.T) {
-	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret"))
+	server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 	for _, test := range tokenTests {
 		outBuf = new(bytes.Buffer)
 		err := test.cmd.CommandCreate_token()

--- a/authorizer/src/asapo_authorizer/server/authorize_test.go
+++ b/authorizer/src/asapo_authorizer/server/authorize_test.go
@@ -22,8 +22,14 @@ func prepareToken(payload string) string{
 }
 func prepareAdminToken(payload string) string{
-	Auth = authorization.NewAuth(nil,utils.NewHMACAuth("secret_admin"),nil)
+	Auth = authorization.NewAuth(nil,utils.NewJWTAuth("secret_admin"),nil)
-	token, _ := Auth.AdminAuth().GenerateToken(&payload)
+	var claims utils.CustomClaims
+	var extraClaim utils.AccessTokenExtraClaim
+	claims.Subject = payload
+	extraClaim.AccessType = "create"
+	claims.ExtraClaims = &extraClaim
+	token, _ := Auth.AdminAuth().GenerateToken(&claims)
 	return token
 }

--- a/authorizer/src/asapo_authorizer/server/issue_token.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token.go
@@ -32,7 +32,36 @@ func extractUserTokenrequest(r *http.Request) (request authorization.TokenReques
 func routeAuthorisedTokenIssue(w http.ResponseWriter, r *http.Request) {
-	Auth.AdminAuth().ProcessAuth(issueUserToken, "admin")(w, r)
+	Auth.AdminAuth().ProcessAuth(checkAccessToken, "admin")(w, r)
+}
+func checkAccessToken(w http.ResponseWriter, r *http.Request) {
+	c := r.Context().Value("TokenClaims")
+	if c == nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte("Empty context"))
+	}
+	claim := c.(*utils.CustomClaims)
+	if claim.Subject != "admin" {
+		err_txt := "wrong token subject type "+claim.Subject
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(err_txt))
+	}
+	var extraClaim utils.AccessTokenExtraClaim
+	if err := utils.JobClaimFromContext(r, &extraClaim); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte(err.Error()))
+	}
+	if extraClaim.AccessType!="create" {
+		err_txt := "wrong access type "+extraClaim.AccessType
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(err_txt))
+	}
+	issueUserToken(w, r)
 }
 func issueUserToken(w http.ResponseWriter, r *http.Request) {
@@ -42,7 +71,7 @@ func issueUserToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	token, err := Auth.PrepareUserJWTToken(request)
+	token, err := Auth.PrepareAccessToken(request)
 	if err != nil {
 		utils.WriteServerError(w, err, http.StatusInternalServerError)
 		return

--- a/authorizer/src/asapo_authorizer/server/issue_token_test.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token_test.go
@@ -32,16 +32,16 @@ var  IssueTokenTests = [] struct {
 func TestIssueToken(t *testing.T) {
 	authJWT := utils.NewJWTAuth("secret")
-	authHMACAdmin := utils.NewHMACAuth("secret_admin")
+	authAdmin := utils.NewJWTAuth("secret_admin")
-	Auth = authorization.NewAuth(nil,authHMACAdmin,authJWT)
+	Auth = authorization.NewAuth(nil,authAdmin,authJWT)
 	for _, test := range IssueTokenTests {
 		request :=  makeRequest(authorization.TokenRequest{test.requestSubject,test.validDays,test.role})
-		w := doPostRequest("/admin/issue",request,authHMACAdmin.Name()+" "+test.adminToken)
+		w := doPostRequest("/admin/issue",request,authAdmin.Name()+" "+test.adminToken)
 		if w.Code == http.StatusOK {
 			body, _ := ioutil.ReadAll(w.Body)
 			var token authorization.TokenResponce
 			json.Unmarshal(body,&token)
-			claims,_ := utils.CheckJWTToken(token.Token,"secret")
+			claims,_ := utils.CheckJWTToken(token.Token,"secret_admin")
 			cclaims,_:= claims.(*utils.CustomClaims)
 			var extra_claim utils.AccessTokenExtraClaim
 			utils.MapToStruct(claims.(*utils.CustomClaims).ExtraClaims.(map[string]interface{}), &extra_claim)

--- a/authorizer/src/asapo_authorizer/server/server_nottested.go
+++ b/authorizer/src/asapo_authorizer/server/server_nottested.go
@@ -30,8 +30,7 @@ func createAuth() (*authorization.Auth,error) {
 	if err != nil {
 		return nil, err
 	}
+	return authorization.NewAuth(utils.NewHMACAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil
-	return authorization.NewAuth(utils.NewHMACAuth(adminSecret), utils.NewHMACAuth(secret), utils.NewJWTAuth(secret)),nil
 }
 func ReadConfig(fname string) (log.Level, error) {

--- a/common/go/src/asapo_common/utils/authorization.go
+++ b/common/go/src/asapo_common/utils/authorization.go
@@ -139,7 +139,7 @@ func ProcessJWTAuth(fn http.HandlerFunc, key string) http.HandlerFunc {
 		if authType == "Bearer" {
 			if claims, ok := CheckJWTToken(token, key); !ok {
-				http.Error(w, "Authorization error - tocken does not match", http.StatusUnauthorized)
+				http.Error(w, "Authorization error - token does not match", http.StatusUnauthorized)
 				return
 			} else {
 				ctx = context.WithValue(ctx, "TokenClaims", claims)

--- a/tests/automatic/authorizer/check_authorize/check_linux.sh
+++ b/tests/automatic/authorizer/check_authorize/check_linux.sh
@@ -20,9 +20,9 @@ mkdir -p beamline/p07/current
 cp beamtime-metadata* beamline/p07/current/
 #tokens
-AdminToken=C5cwHN2hjWGo6A2Ca3YuumCwwm_SVqC962oqVa0y09k=
+AdminToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJjMTNvcGpyaXB0MzNlb2ZjbWJuZyIsInN1YiI6ImFkbWluIiwiRXh0cmFDbGFpbXMiOnsiQWNjZXNzVHlwZSI6ImNyZWF0ZSJ9fQ.uRjtGPaRpOlOfKroijHRgMDNaZHnXsVPf0JaJ1XMg7o
-curl -v --silent -H "Authorization: HMAC-SHA-256 $AdminToken" --data '{"BeamtimeId":"12345678","DaysValid":123,"Role":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "HTTP/1.1 200 OK"
+curl -v --silent -H "Authorization: Bearer $AdminToken" --data '{"Subject": {"beamtimeId":"12345678"},"DaysValid":123,"AccessType":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "bt_12345678"
-curl -v --silent -H "Authorization: HMAC-SHA-256 blabla" --data '{"BeamtimeId":"12345678","DaysValid":123,"Role":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "token does not match"
+curl -v --silent -H "Authorization: Bearer blabla" --data '{"Subject": {"beamtimeId":"12345678"},"DaysValid":123,"AccessType":"read"}' 127.0.0.1:5007/admin/issue --stderr -  | tee /dev/stderr | grep "token does not match"
 curl -v --silent --data '{"SourceCredentials":"processed%c20180508-000-COM20181%%detector%","OriginHost":"127.0.0.1:5555"}' 127.0.0.1:5007/authorize --stderr -  | tee /dev/stderr  | grep c20180508-000-COM20181
 curl -v --silent --data '{"SourceCredentials":"processed%c20180508-000-COM20181%%detector%","OriginHost":"127.0.0.1:5555"}' 127.0.0.1:5007/authorize --stderr -  | tee /dev/stderr  | grep p00

--- a/tests/automatic/settings/auth_secret_admin.key
+++ b/tests/automatic/settings/auth_secret_admin.key
 12c2ljwewezgnea
\ No newline at end of file