diff --git a/authorizer/src/asapo_authorizer/authorization/authorization.go b/authorizer/src/asapo_authorizer/authorization/authorization.go
index ba8e0811453dd42f6affe9ae3be6e17657592747..89cb04564244e16fa533333d389924f593ab7c0f 100644
--- a/authorizer/src/asapo_authorizer/authorization/authorization.go
+++ b/authorizer/src/asapo_authorizer/authorization/authorization.go
@@ -8,21 +8,21 @@ import (
 )
 type Auth struct {
- authHMAC utils.Auth
+ authUser utils.Auth
 authAdmin utils.Auth
 authJWT utils.Auth
 }
-func NewAuth(authHMAC,authHMACAdmin,authJWT utils.Auth) *Auth {
- return &Auth{authHMAC,authHMACAdmin,authJWT}
+func NewAuth(authUser,authAdmin,authJWT utils.Auth) *Auth {
+ return &Auth{authUser,authAdmin,authJWT}
 }
 func (auth *Auth) AdminAuth() utils.Auth {
 return auth.authAdmin
 }
-func (auth *Auth) HmacAuth() utils.Auth {
- return auth.authHMAC
+func (auth *Auth) UserAuth() utils.Auth {
+ return auth.authUser
 }
 func (auth *Auth) JWTAuth() utils.Auth {
@@ -43,7 +43,7 @@ func subjectFromRequest(request TokenRequest) string {
 return ""
 }
-func (auth *Auth) PrepareAccessToken(request TokenRequest) (string, error) {
+func (auth *Auth) PrepareAccessToken(request TokenRequest, userToken bool) (string, error) {
 var claims utils.CustomClaims
 var extraClaim utils.AccessTokenExtraClaim
@@ -55,8 +55,11 @@ func (auth *Auth) PrepareAccessToken(request TokenRequest) (string, error) {
 uid := xid.New()
 claims.Id = uid.String()
- return auth.authAdmin.GenerateToken(&claims)
-
+ if userToken {
+ return auth.UserAuth().GenerateToken(&claims)
+ } else {
+ return auth.AdminAuth().GenerateToken(&claims)
+ }
 }
 func UserTokenResponce(request TokenRequest, token string) []byte {
diff --git a/authorizer/src/asapo_authorizer/cli/command_test.go b/authorizer/src/asapo_authorizer/cli/command_test.go
index 5fb4e423a6ab73297bb0b1c962c2e19c9d59dbf7..d1aad81b78e2267b69d7593eb150292083ba12e1 100644
--- a/authorizer/src/asapo_authorizer/cli/command_test.go
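Review bot: The new `userToken` parameter on the exported `PrepareAccessToken` has no doc comment, so a reader of the `+func (auth *Auth) PrepareAccessToken(request TokenRequest, userToken bool)` line cannot tell which signer each value selects without reading the body in the next hunk. A one-line comment above the signature would do: `// PrepareAccessToken signs the claims built from request with the user signer when userToken is true and with the admin signer otherwise.` The function body continues past this hunk.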
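Review bot: The `} else {` after a terminating `return` in the added `if userToken {` block is the else-after-return shape gofmt-style Go avoids; the two branches collapse to `if userToken { return auth.UserAuth().GenerateToken(&claims) }` followed by `return auth.AdminAuth().GenerateToken(&claims)`. Since a wrong boolean here silently mints an admin-signed token, a short why-comment on the admin branch (`// admin tokens are only minted via the admin-token CLI path`) would help the next reader confirm the call sites; that claim is inferred from create_token.go and should be checked. The enclosing function starts in the previous hunk.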
+++ b/authorizer/src/asapo_authorizer/cli/command_test.go
@@ -20,7 +20,7 @@ var CommandTests = []struct {
 func TestCommand(t *testing.T) {
 outBuf = new(bytes.Buffer)
- server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
+ server.Auth = authorization.NewAuth(utils.NewJWTAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 for _, test := range CommandTests {
 outBuf.(*bytes.Buffer).Reset()
diff --git a/authorizer/src/asapo_authorizer/cli/create_token.go b/authorizer/src/asapo_authorizer/cli/create_token.go
index 2dc0310190e943f06a7ae834f89e49134a9e6172..b1eba14c9c0e2aa2b4614d223ef84708f658e222 100644
--- a/authorizer/src/asapo_authorizer/cli/create_token.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token.go
@@ -63,12 +63,12 @@ func (cmd *command) CommandCreate_token() (err error) {
 return err
 }
- request, err := getTokenRequest(flags)
+ request, userToken, err := getTokenRequest(flags)
 if err != nil {
 return err
 }
- token, err := server.Auth.PrepareAccessToken(request)
+ token, err := server.Auth.PrepareAccessToken(request,userToken)
 if err != nil {
 return err
 }
@@ -78,19 +78,21 @@ func (cmd *command) CommandCreate_token() (err error) {
 return nil
 }
-func getTokenRequest(flags tokenFlags) (request authorization.TokenRequest, err error) {
+func getTokenRequest(flags tokenFlags) (request authorization.TokenRequest, userToken bool, err error) {
 switch flags.Type {
 case "user-token":
 request, err = userTokenRequest(flags)
+ userToken = true
 case "admin-token":
 request, err = adminTokenRequest(flags)
+ userToken = false
 default:
- return authorization.TokenRequest{}, false, errors.New("wrong token type")
+ return authorization.TokenRequest{}, false, errors.New("wrong token type")
 }
 if err != nil {
- return authorization.TokenRequest{}, err
+ return authorization.TokenRequest{},false, err
 }
- return request, err
+ return request, userToken, err
 }
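Review bot: The added `return authorization.TokenRequest{},false, err` line is not gofmt-clean (missing space after the comma), and the same applies to `server.Auth.PrepareAccessToken(request,userToken)` in the first hunk of this file; running gofmt on the file before merging would fix both. With named results already declared, the error path could also read `return authorization.TokenRequest{}, false, err` and the `default` case could set `err` and fall through to it, keeping one exit for the failure shape. The `userToken = false` in the admin case is redundant with the zero value but harmless as an explicit statement of intent.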
diff --git a/authorizer/src/asapo_authorizer/cli/create_token_test.go b/authorizer/src/asapo_authorizer/cli/create_token_test.go
index e1210201719098fefafd482bf8723d2324717678..3b26cc8d8124cc161013a0b28a08715a719538df 100644
--- a/authorizer/src/asapo_authorizer/cli/create_token_test.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token_test.go
@@ -13,6 +13,7 @@ import (
 var tokenTests = []struct {
 cmd command
+ key string
 ok bool
 tokenAccessType string
 tokenSubject string
@@ -21,24 +22,24 @@ var tokenTests = []struct {
 }{
 // good
 {command{args: []string{"-type", "user-token", "-beamtime","123","-access-type","read","-duration-days","10"}},
- true, "read", "bt_123", true,"user token beamtime ok"},
+ "secret_user",true, "read", "bt_123", true,"user token beamtime ok"},
 {command{args: []string{"-type", "user-token", "-beamline","123","-access-type","read","-duration-days","10"}},
- true, "read", "bl_123", true,"user token beamline ok"},
+ "secret_user", true, "read", "bl_123", true,"user token beamline ok"},
 {command{args: []string{"-type", "admin-token","-access-type","create"}},
- true, "create", "admin", false,"admin token ok"},
+ "secret_admin",true, "create", "admin", false,"admin token ok"},
 // bad
 {command{args: []string{"-type", "user-token", "-beamtime","123","-access-type","create","-duration-days","10"}},
- false, "", "", true,"user token wrong type"},
+ "secret_user",false, "", "", true,"user token wrong type"},
 {command{args: []string{"-type", "user-token", "-access-type","create","-duration-days","10"}},
- false, "", "", true,"user token no beamtime or beamline"},
+ "secret_user",false, "", "", true,"user token no beamtime or beamline"},
 {command{args: []string{"-type", "user-token", "-beamtime","123","-beamline","1234", "-access-type","create","-duration-days","10"}},
- false, "", "", true,"user token both beamtime and beamline"},
+ "secret_user",false, "", "", true,"user token both beamtime and beamline"},
 {command{args: []string{"-type", "admin-token","-access-type","bla"}},
- false, "", "", false,"admin token wrong type"},
+ "secret_admin",false, "", "", false,"admin token wrong type"},
 }
 func TestGenerateToken(t *testing.T) {
- server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
+ server.Auth = authorization.NewAuth(utils.NewJWTAuth("secret_user"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 for _, test := range tokenTests {
outBuf = new(bytes.Buffer)
 err := test.cmd.CommandCreate_token()
@@ -49,8 +50,13 @@ func TestGenerateToken(t *testing.T) {
 assert.Nil(t, err, test.msg)
 var token authorization.TokenResponce
 json.Unmarshal(outBuf.(*bytes.Buffer).Bytes(), &token)
- assert.Equal(t, test.tokenSubject, token.Sub, test.msg)
- assert.Equal(t, test.tokenAccessType, token.AccessType, test.msg)
+
+ claims,_ := utils.CheckJWTToken(token.Token,test.key)
+ cclaims,_:= claims.(*utils.CustomClaims)
+ var extra_claim utils.AccessTokenExtraClaim
+ utils.MapToStruct(cclaims.ExtraClaims.(map[string]interface{}), &extra_claim)
+ assert.Equal(t, test.tokenSubject, cclaims.Subject, test.msg)
+ assert.Equal(t, test.tokenAccessType, extra_claim.AccessType, test.msg)
 if test.tokenExpires {
 assert.Equal(t, true, len(token.Expires)>0, test.msg)
 } else {
diff --git a/authorizer/src/asapo_authorizer/server/authorize.go b/authorizer/src/asapo_authorizer/server/authorize.go
index 89020bf127c793d08acfb010c759a6da98d3d444..160229223ab183e92f1c7a440f593e15a315e6d7 100644
--- a/authorizer/src/asapo_authorizer/server/authorize.go
+++ b/authorizer/src/asapo_authorizer/server/authorize.go
@@ -155,10 +155,10 @@ func needHostAuthorization(creds SourceCredentials) bool {
 func authorizeByToken(creds SourceCredentials) error {
 var token_expect string
 if (creds.BeamtimeId != "auto") {
- token_expect, _ = Auth.HmacAuth().GenerateToken(&creds.BeamtimeId)
+ token_expect, _ = Auth.UserAuth().GenerateToken(&creds.BeamtimeId)
 } else {
 key := "bl_" + creds.Beamline
- token_expect, _ = Auth.HmacAuth().GenerateToken(&key)
+ token_expect, _ = Auth.UserAuth().GenerateToken(&key)
 }
 var err_string string
diff --git a/authorizer/src/asapo_authorizer/server/authorize_test.go b/authorizer/src/asapo_authorizer/server/authorize_test.go
index c813c38dc80020172f413aa548825851d88351ea..185bf0d7aa96afc052f6d4dbea065b7c6fd3ac26 100644
--- a/authorizer/src/asapo_authorizer/server/authorize_test.go
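Review bot: The added `claims,_ := utils.CheckJWTToken(token.Token,test.key)` and `cclaims,_:= claims.(*utils.CustomClaims)` discard both the verification error and the type-assertion result, so a token that fails to verify under `test.key` surfaces as a nil-pointer panic at `cclaims.ExtraClaims` rather than as an assertion failure naming `test.msg`. Keep the error and check it, `claims, err := utils.CheckJWTToken(token.Token, test.key)` followed by `assert.Nil(t, err, test.msg)`, and assert the `ok` of the `*utils.CustomClaims` assertion before dereferencing. The same pattern appears in the second hunk of server/issue_token_test.go, where only the key string changes. Since the point of this commit is that user and admin tokens are signed with different keys, a negative check that the same token does not verify under the other fixture key would pin that separation in the test rather than leaving it implied.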
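Review bot: Both changed `token_expect, _ = Auth.UserAuth().GenerateToken(...)` lines still discard the signer's error, so if token generation fails `token_expect` stays `""` and the equality check later in `authorizeByToken` (outside this hunk) would accept a client token that is also empty. Assign the error and fail closed, e.g. `token_expect, err = Auth.UserAuth().GenerateToken(&creds.BeamtimeId)` with `if err != nil { return err }`, declaring `err` alongside `token_expect`. The same discarded error is in the `checkBeamtimeToken` hunk of server/folder_token.go, whose `if request.Token != token_expect {` context line also shows the comparison is a plain string compare; `subtle.ConstantTimeCompare` would be the usual choice for a secret comparison, though that is pre-existing and not part of this change. The enclosing function continues past the hunk.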
+++ b/authorizer/src/asapo_authorizer/server/authorize_test.go
@@ -15,9 +15,10 @@ import (
 "testing"
 )
+
 func prepareToken(payload string) string{
 Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),nil,nil)
- token, _ := Auth.HmacAuth().GenerateToken(&payload)
+ token, _ := Auth.UserAuth().GenerateToken(&payload)
 return token
 }
diff --git a/authorizer/src/asapo_authorizer/server/folder_token.go b/authorizer/src/asapo_authorizer/server/folder_token.go
index be3d6b7ec7e693f9c67b17913dd6d0ada394f5d7..cd6dd83803645361b805905b3e711bd48f1c4a7b 100644
--- a/authorizer/src/asapo_authorizer/server/folder_token.go
+++ b/authorizer/src/asapo_authorizer/server/folder_token.go
@@ -39,7 +39,7 @@ func folderTokenResponce(token string) []byte{
 }
 func checkBeamtimeToken(request folderTokenRequest) error {
- token_expect, _ := Auth.HmacAuth().GenerateToken(&request.BeamtimeId)
+ token_expect, _ := Auth.UserAuth().GenerateToken(&request.BeamtimeId)
 var err_string string
 if request.Token != token_expect {
 err_string = "wrong token for beamtime " + request.BeamtimeId
diff --git a/authorizer/src/asapo_authorizer/server/issue_token.go b/authorizer/src/asapo_authorizer/server/issue_token.go
index 0623bff1a5858b87b45e2cb293f7c57cce96506e..b86888446152b5ba6f72ca30a1c12abd046e82b2 100644
--- a/authorizer/src/asapo_authorizer/server/issue_token.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token.go
@@ -59,7 +59,7 @@ func issueUserToken(w http.ResponseWriter, r *http.Request) {
 return
 }
- token, err := Auth.PrepareAccessToken(request)
+ token, err := Auth.PrepareAccessToken(request,true)
 if err != nil {
 utils.WriteServerError(w, err, http.StatusInternalServerError)
 return
diff --git a/authorizer/src/asapo_authorizer/server/issue_token_test.go b/authorizer/src/asapo_authorizer/server/issue_token_test.go
index 2a49803d581b3d7fbc077e996468b2c0134476fb..a6d86446be85031193f5e96306e2ff525b3c4398 100644
--- a/authorizer/src/asapo_authorizer/server/issue_token_test.go
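Review bot: `prepareToken` still builds the user slot with `utils.NewHMACAuth("secret")` while `createAuth` in server/server_nottested.go now fills that slot with `utils.NewJWTAuth(secret)`, so the server-side authorization tests exercise a different signer than the one `authorizeByToken` and `checkBeamtimeToken` will see in production. If the JWT signer's output for a plain string payload is not byte-stable across calls (for example if it adds time-based claims — I cannot tell from this diff), the equality checks in those functions would not be covered by any test. Aligning the fixture with createAuth, `Auth = authorization.NewAuth(utils.NewJWTAuth("secret"),nil,nil)`, or documenting why the HMAC signer is intentionally kept here, would close that gap. The added blank line before `func prepareToken` is just whitespace.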
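Review bot: The bare `true` in `Auth.PrepareAccessToken(request,true)` is opaque at this call site, which sits on the admin-authenticated issue path where a reader might expect the admin signer. A trailing comment, `// issued tokens are for users: sign with the user key, not the caller's admin key`, would record the intent the commit introduces; the line also needs a space after the comma to be gofmt-clean. The enclosing handler continues outside the hunk.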
+++ b/authorizer/src/asapo_authorizer/server/issue_token_test.go
@@ -35,7 +35,8 @@ var IssueTokenTests = [] struct {
 func TestIssueToken(t *testing.T) {
 authJWT := utils.NewJWTAuth("secret")
 authAdmin := utils.NewJWTAuth("secret_admin")
- Auth = authorization.NewAuth(nil,authAdmin,authJWT)
+ authUser := utils.NewJWTAuth("secret_user")
+ Auth = authorization.NewAuth(authUser,authAdmin,authJWT)
 for _, test := range IssueTokenTests {
 request := makeRequest(authorization.TokenRequest{test.requestSubject,test.validDays,test.role})
 w := doPostRequest("/admin/issue",request,authAdmin.Name()+" "+test.adminToken)
@@ -43,7 +44,7 @@ func TestIssueToken(t *testing.T) {
 body, _ := ioutil.ReadAll(w.Body)
 var token authorization.TokenResponce
 json.Unmarshal(body,&token)
- claims,_ := utils.CheckJWTToken(token.Token,"secret_admin")
+ claims,_ := utils.CheckJWTToken(token.Token,"secret_user")
 cclaims,_:= claims.(*utils.CustomClaims)
 var extra_claim utils.AccessTokenExtraClaim
 utils.MapToStruct(claims.(*utils.CustomClaims).ExtraClaims.(map[string]interface{}), &extra_claim)
diff --git a/authorizer/src/asapo_authorizer/server/server_nottested.go b/authorizer/src/asapo_authorizer/server/server_nottested.go
index 20b5da29809048dfa23db28e59e60ea17cd3a1c0..2f428370f6955303d582f7bd22a551cb4dace88c 100644
--- a/authorizer/src/asapo_authorizer/server/server_nottested.go
+++ b/authorizer/src/asapo_authorizer/server/server_nottested.go
@@ -30,7 +30,7 @@ func createAuth() (*authorization.Auth,error) {
 if err != nil {
 return nil, err
 }
- return authorization.NewAuth(utils.NewHMACAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil
+ return authorization.NewAuth(utils.NewJWTAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil
 }
 func ReadConfig(fname string) (log.Level, error) {
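Review bot: The new `return authorization.NewAuth(utils.NewJWTAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil` constructs the user signer and the JWT signer from the same `secret`, so a token minted through `UserAuth()` verifies under `JWTAuth()` and vice versa; the commit separates user from admin keys but not user from the third slot. Whether that matters depends on what `JWTAuth()` guards, which this diff does not show, but the test fixtures already model them as distinct (`"secret"` versus `"secret_user"`), so production should probably read a separate config value for the user signer or carry a comment stating that sharing the key is intended. A short comment on this line either way, e.g. `// user and generic JWT signers intentionally share the same key — see <reference placeholder>`, would stop the next reader from treating the overlap as an accident.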