From b2188bbb007056263cd9899b851e86f88f11187a Mon Sep 17 00:00:00 2001
From: Sergey Yakubov <sergey.yakubov@desy.de>
Date: Tue, 9 Mar 2021 17:00:42 +0100
Subject: [PATCH] use separate secrets for user and admi tokens
---
 .../authorization/authorization.go | 19 ++++++++------
 .../src/asapo_authorizer/cli/command_test.go | 2 +-
 .../src/asapo_authorizer/cli/create_token.go | 14 +++++-----
 .../asapo_authorizer/cli/create_token_test.go | 26 ++++++++++++-------
 .../src/asapo_authorizer/server/authorize.go | 4 +--
 .../asapo_authorizer/server/authorize_test.go | 3 ++-
 .../asapo_authorizer/server/folder_token.go | 2 +-
 .../asapo_authorizer/server/issue_token.go | 2 +-
 .../server/issue_token_test.go | 5 ++--
 .../server/server_nottested.go | 2 +-
 10 files changed, 46 insertions(+), 33 deletions(-)
diff --git a/authorizer/src/asapo_authorizer/authorization/authorization.go b/authorizer/src/asapo_authorizer/authorization/authorization.go
index ba8e08114..89cb04564 100644
--- a/authorizer/src/asapo_authorizer/authorization/authorization.go
+++ b/authorizer/src/asapo_authorizer/authorization/authorization.go
@@ -8,21 +8,21 @@ import (
 )
 type Auth struct {
- authHMAC utils.Auth
+ authUser utils.Auth
 authAdmin utils.Auth
 authJWT utils.Auth
 }
-func NewAuth(authHMAC,authHMACAdmin,authJWT utils.Auth) *Auth {
- return &Auth{authHMAC,authHMACAdmin,authJWT}
+func NewAuth(authUser,authAdmin,authJWT utils.Auth) *Auth {
+ return &Auth{authUser,authAdmin,authJWT}
 }
 func (auth *Auth) AdminAuth() utils.Auth {
 return auth.authAdmin
 }
-func (auth *Auth) HmacAuth() utils.Auth {
- return auth.authHMAC
+func (auth *Auth) UserAuth() utils.Auth {
+ return auth.authUser
 }
 func (auth *Auth) JWTAuth() utils.Auth {
@@ -43,7 +43,7 @@ func subjectFromRequest(request TokenRequest) string {
 return ""
 }
-func (auth *Auth) PrepareAccessToken(request TokenRequest) (string, error) {
+func (auth *Auth) PrepareAccessToken(request TokenRequest, userToken bool) (string, error) {
 var claims utils.CustomClaims
 var extraClaim utils.AccessTokenExtraClaim
@@ -55,8 +55,11 @@ func (auth *Auth) PrepareAccessToken(request TokenRequest) (string, error) {
 uid := xid.New()
 claims.Id = uid.String()
- return auth.authAdmin.GenerateToken(&claims)
-
+ if userToken {
+ return auth.UserAuth().GenerateToken(&claims)
+ } else {
+ return auth.AdminAuth().GenerateToken(&claims)
+ }
 }
 func UserTokenResponce(request TokenRequest, token string) []byte {
diff --git a/authorizer/src/asapo_authorizer/cli/command_test.go b/authorizer/src/asapo_authorizer/cli/command_test.go
index 5fb4e423a..d1aad81b7 100644
--- a/authorizer/src/asapo_authorizer/cli/command_test.go
+++ b/authorizer/src/asapo_authorizer/cli/command_test.go
@@ -20,7 +20,7 @@ var CommandTests = []struct {
 func TestCommand(t *testing.T) {
 outBuf = new(bytes.Buffer)
- server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
+ server.Auth = authorization.NewAuth(utils.NewJWTAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 for _, test := range CommandTests {
 outBuf.(*bytes.Buffer).Reset()
diff --git a/authorizer/src/asapo_authorizer/cli/create_token.go b/authorizer/src/asapo_authorizer/cli/create_token.go
index 2dc031019..b1eba14c9 100644
--- a/authorizer/src/asapo_authorizer/cli/create_token.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token.go
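Review bot: The added `if userToken { … } else { … }` at the end of PrepareAccessToken keeps an `else` after a terminating return; returning early reads better: `if userToken {` / `return auth.UserAuth().GenerateToken(&claims)` / `}` followed by `return auth.AdminAuth().GenerateToken(&claims)`. The new bool parameter also deserves a doc comment on the signature in the hunk above, because nothing in the visible claims records which key signed the token and call sites such as `Auth.PrepareAccessToken(request,true)` give no hint which key is meant. Something like `// PrepareAccessToken signs the claims built from request with the user key when userToken is true and with the admin key otherwise; the verifier must use the matching key.` would do.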
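Review bot: In `server.Auth = authorization.NewAuth(utils.NewJWTAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))` the user slot and the JWT slot are built from the same `"secret"` string, so this test cannot distinguish a token signed with the user key from one signed with the JWT-slot key and would not notice the two being swapped in NewAuth. create_token_test.go in this same commit uses a distinct `"secret_user"` for the user slot; using `utils.NewJWTAuth("secret_user")` here as well keeps the fixtures consistent and makes the key separation the commit introduces observable.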
@@ -63,12 +63,12 @@ func (cmd *command) CommandCreate_token() (err error) {
 return err
 }
- request, err := getTokenRequest(flags)
+ request, userToken, err := getTokenRequest(flags)
 if err != nil {
 return err
 }
- token, err := server.Auth.PrepareAccessToken(request)
+ token, err := server.Auth.PrepareAccessToken(request,userToken)
 if err != nil {
 return err
 }
@@ -78,19 +78,21 @@ func (cmd *command) CommandCreate_token() (err error) {
 return nil
 }
-func getTokenRequest(flags tokenFlags) (request authorization.TokenRequest, err error) {
+func getTokenRequest(flags tokenFlags) (request authorization.TokenRequest, userToken bool, err error) {
 switch flags.Type {
 case "user-token":
 request, err = userTokenRequest(flags)
+ userToken = true
 case "admin-token":
 request, err = adminTokenRequest(flags)
+ userToken = false
 default:
- return authorization.TokenRequest{}, errors.New("wrong token type")
+ return authorization.TokenRequest{}, false, errors.New("wrong token type")
 }
 if err != nil {
- return authorization.TokenRequest{}, err
+ return authorization.TokenRequest{},false, err
 }
- return request, err
+ return request, userToken, err
 }
diff --git a/authorizer/src/asapo_authorizer/cli/create_token_test.go b/authorizer/src/asapo_authorizer/cli/create_token_test.go
index e12102017..3b26cc8d8 100644
--- a/authorizer/src/asapo_authorizer/cli/create_token_test.go
+++ b/authorizer/src/asapo_authorizer/cli/create_token_test.go
@@ -13,6 +13,7 @@ import (
 var tokenTests = []struct {
 cmd command
+ key string
 ok bool
 tokenAccessType string
 tokenSubject string
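Review bot: The final `return request, userToken, err` in getTokenRequest is only reached after the `if err != nil` block has returned, so `err` is always nil at that point; `return request, userToken, nil` states that explicitly. The new `return authorization.TokenRequest{},false, err` and, in the hunk above, `server.Auth.PrepareAccessToken(request,userToken)` are not gofmt-clean (missing space after the comma); a gofmt pass would settle both. `userToken = false` in the admin-token case restates the zero value of the named result and can be dropped, or kept with a short comment if the explicitness is the intent.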
@@ -21,24 +22,24 @@ var tokenTests = []struct {
 }{
 // good
 {command{args: []string{"-type", "user-token", "-beamtime","123","-access-type","read","-duration-days","10"}},
- true, "read", "bt_123", true,"user token beamtime ok"},
+ "secret_user",true, "read", "bt_123", true,"user token beamtime ok"},
 {command{args: []string{"-type", "user-token", "-beamline","123","-access-type","read","-duration-days","10"}},
- true, "read", "bl_123", true,"user token beamline ok"},
+ "secret_user", true, "read", "bl_123", true,"user token beamline ok"},
 {command{args: []string{"-type", "admin-token","-access-type","create"}},
- true, "create", "admin", false,"admin token ok"},
+ "secret_admin",true, "create", "admin", false,"admin token ok"},
 // bad
 {command{args: []string{"-type", "user-token", "-beamtime","123","-access-type","create","-duration-days","10"}},
- false, "", "", true,"user token wrong type"},
+ "secret_user",false, "", "", true,"user token wrong type"},
 {command{args: []string{"-type", "user-token", "-access-type","create","-duration-days","10"}},
- false, "", "", true,"user token no beamtime or beamline"},
+ "secret_user",false, "", "", true,"user token no beamtime or beamline"},
 {command{args: []string{"-type", "user-token", "-beamtime","123","-beamline","1234", "-access-type","create","-duration-days","10"}},
- false, "", "", true,"user token both beamtime and beamline"},
+ "secret_user",false, "", "", true,"user token both beamtime and beamline"},
 {command{args: []string{"-type", "admin-token","-access-type","bla"}},
- false, "", "", false,"admin token wrong type"},
+ "secret_admin",false, "", "", false,"admin token wrong type"},
 }
 func TestGenerateToken(t *testing.T) {
- server.Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
+ server.Auth = authorization.NewAuth(utils.NewJWTAuth("secret_user"),utils.NewJWTAuth("secret_admin"),utils.NewJWTAuth("secret"))
 for _, test := range tokenTests {
 outBuf = new(bytes.Buffer)
 err := test.cmd.CommandCreate_token()
@@ -49,8 +50,13 @@ func TestGenerateToken(t *testing.T) {
 assert.Nil(t, err, test.msg)
 var token authorization.TokenResponce
 json.Unmarshal(outBuf.(*bytes.Buffer).Bytes(), &token)
- assert.Equal(t, test.tokenSubject, token.Sub, test.msg)
- assert.Equal(t, test.tokenAccessType, token.AccessType, test.msg)
+
+ claims,_ := utils.CheckJWTToken(token.Token,test.key)
+ cclaims,_:= claims.(*utils.CustomClaims)
+ var extra_claim utils.AccessTokenExtraClaim
+ utils.MapToStruct(cclaims.ExtraClaims.(map[string]interface{}), &extra_claim)
+ assert.Equal(t, test.tokenSubject, cclaims.Subject, test.msg)
+ assert.Equal(t, test.tokenAccessType, extra_claim.AccessType, test.msg)
 if test.tokenExpires {
 assert.Equal(t, true, len(token.Expires)>0, test.msg)
 } else {
diff --git a/authorizer/src/asapo_authorizer/server/authorize.go b/authorizer/src/asapo_authorizer/server/authorize.go
index 89020bf12..160229223 100644
--- a/authorizer/src/asapo_authorizer/server/authorize.go
+++ b/authorizer/src/asapo_authorizer/server/authorize.go
@@ -155,10 +155,10 @@ func needHostAuthorization(creds SourceCredentials) bool {
 func authorizeByToken(creds SourceCredentials) error {
 var token_expect string
 if (creds.BeamtimeId != "auto") {
- token_expect, _ = Auth.HmacAuth().GenerateToken(&creds.BeamtimeId)
+ token_expect, _ = Auth.UserAuth().GenerateToken(&creds.BeamtimeId)
 } else {
 key := "bl_" + creds.Beamline
- token_expect, _ = Auth.HmacAuth().GenerateToken(&key)
+ token_expect, _ = Auth.UserAuth().GenerateToken(&key)
 }
 var err_string string
diff --git a/authorizer/src/asapo_authorizer/server/authorize_test.go b/authorizer/src/asapo_authorizer/server/authorize_test.go
index c813c38dc..185bf0d7a 100644
--- a/authorizer/src/asapo_authorizer/server/authorize_test.go
+++ b/authorizer/src/asapo_authorizer/server/authorize_test.go
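Review bot: Both results of the new verification block are discarded: `claims,_ := utils.CheckJWTToken(token.Token,test.key)` drops the verification error and `cclaims,_:= claims.(*utils.CustomClaims)` drops the type-assertion flag. A token signed with the wrong key — precisely the regression the new per-row `test.key` column is meant to catch — would then leave `cclaims` nil and the test would die with a nil-pointer panic at `cclaims.ExtraClaims` instead of a readable assertion naming `test.msg`. Check both before dereferencing, as sketched below; the same ignored pair appears in the issue_token_test.go hunk (`claims,_ := utils.CheckJWTToken(token.Token,"secret_user")`). TestGenerateToken's loop starts in the previous hunk, so `continue` targets that `for _, test := range tokenTests`.
```go
json.Unmarshal(outBuf.(*bytes.Buffer).Bytes(), &token)
claims, err := utils.CheckJWTToken(token.Token, test.key)
assert.Nil(t, err, test.msg)
cclaims, ok := claims.(*utils.CustomClaims)
if !assert.True(t, ok, test.msg) {
	continue
}
// … unchanged: MapToStruct and the Subject/AccessType/Expires assertions …
```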
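Review bot: The new `token_expect, _ = Auth.UserAuth().GenerateToken(&creds.BeamtimeId)` and `token_expect, _ = Auth.UserAuth().GenerateToken(&key)` still discard the error from GenerateToken, so a failed generation is never reported. Whatever GenerateToken returns alongside that error is then used as the expected token in the comparison that follows the hunk (the same shape is visible in folder_token.go as `if request.Token != token_expect`), and if that value is the empty string an empty client token would compare equal. Return the error instead — `token_expect, err = Auth.UserAuth().GenerateToken(&creds.BeamtimeId)` then `if err != nil { return err }` in both branches, declaring `err` next to `token_expect`. checkBeamtimeToken in the folder_token.go hunk has the identical ignored error at `token_expect, _ := Auth.UserAuth().GenerateToken(&request.BeamtimeId)`. Since the compared value is derived from the signing secret, `subtle.ConstantTimeCompare` is the usual replacement for `!=` there; authorizeByToken continues past the end of this hunk.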
@@ -15,9 +15,10 @@ import (
 "testing"
 )
+
 func prepareToken(payload string) string{
 Auth = authorization.NewAuth(utils.NewHMACAuth("secret"),nil,nil)
- token, _ := Auth.HmacAuth().GenerateToken(&payload)
+ token, _ := Auth.UserAuth().GenerateToken(&payload)
 return token
 }
diff --git a/authorizer/src/asapo_authorizer/server/folder_token.go b/authorizer/src/asapo_authorizer/server/folder_token.go
index be3d6b7ec..cd6dd8380 100644
--- a/authorizer/src/asapo_authorizer/server/folder_token.go
+++ b/authorizer/src/asapo_authorizer/server/folder_token.go
@@ -39,7 +39,7 @@ func folderTokenResponce(token string) []byte{
 }
 func checkBeamtimeToken(request folderTokenRequest) error {
- token_expect, _ := Auth.HmacAuth().GenerateToken(&request.BeamtimeId)
+ token_expect, _ := Auth.UserAuth().GenerateToken(&request.BeamtimeId)
 var err_string string
 if request.Token != token_expect {
 err_string = "wrong token for beamtime " + request.BeamtimeId
diff --git a/authorizer/src/asapo_authorizer/server/issue_token.go b/authorizer/src/asapo_authorizer/server/issue_token.go
index 0623bff1a..b86888446 100644
--- a/authorizer/src/asapo_authorizer/server/issue_token.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token.go
@@ -59,7 +59,7 @@ func issueUserToken(w http.ResponseWriter, r *http.Request) {
 return
 }
- token, err := Auth.PrepareAccessToken(request)
+ token, err := Auth.PrepareAccessToken(request,true)
 if err != nil {
 utils.WriteServerError(w, err, http.StatusInternalServerError)
 return
diff --git a/authorizer/src/asapo_authorizer/server/issue_token_test.go b/authorizer/src/asapo_authorizer/server/issue_token_test.go
index 2a49803d5..a6d86446b 100644
--- a/authorizer/src/asapo_authorizer/server/issue_token_test.go
+++ b/authorizer/src/asapo_authorizer/server/issue_token_test.go
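Review bot: `Auth.PrepareAccessToken(request,true)` passes a bare boolean literal, so a reader has to open PrepareAccessToken to learn that `true` selects the user signing key rather than the admin one. A named local such as `const signAsUser = true` used as `Auth.PrepareAccessToken(request, signAsUser)`, or a trailing `/* userToken */ true`, keeps the meaning at the call site, and gofmt would add the missing space after the comma. The enclosing issueUserToken starts before this hunk.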
@@ -35,7 +35,8 @@ var IssueTokenTests = [] struct {
 func TestIssueToken(t *testing.T) {
 authJWT := utils.NewJWTAuth("secret")
 authAdmin := utils.NewJWTAuth("secret_admin")
- Auth = authorization.NewAuth(nil,authAdmin,authJWT)
+ authUser := utils.NewJWTAuth("secret_user")
+ Auth = authorization.NewAuth(authUser,authAdmin,authJWT)
 for _, test := range IssueTokenTests {
 request := makeRequest(authorization.TokenRequest{test.requestSubject,test.validDays,test.role})
 w := doPostRequest("/admin/issue",request,authAdmin.Name()+" "+test.adminToken)
@@ -43,7 +44,7 @@ func TestIssueToken(t *testing.T) {
 body, _ := ioutil.ReadAll(w.Body)
 var token authorization.TokenResponce
 json.Unmarshal(body,&token)
- claims,_ := utils.CheckJWTToken(token.Token,"secret_admin")
+ claims,_ := utils.CheckJWTToken(token.Token,"secret_user")
 cclaims,_:= claims.(*utils.CustomClaims)
 var extra_claim utils.AccessTokenExtraClaim
 utils.MapToStruct(claims.(*utils.CustomClaims).ExtraClaims.(map[string]interface{}), &extra_claim)
diff --git a/authorizer/src/asapo_authorizer/server/server_nottested.go b/authorizer/src/asapo_authorizer/server/server_nottested.go
index 20b5da298..2f428370f 100644
--- a/authorizer/src/asapo_authorizer/server/server_nottested.go
+++ b/authorizer/src/asapo_authorizer/server/server_nottested.go
@@ -30,7 +30,7 @@ func createAuth() (*authorization.Auth,error) {
 if err != nil {
 return nil, err
 }
- return authorization.NewAuth(utils.NewHMACAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil
+ return authorization.NewAuth(utils.NewJWTAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret)),nil
 }
 func ReadConfig(fname string) (log.Level, error) {
--
GitLab
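Review bot: Switching the check to `utils.CheckJWTToken(token.Token,"secret_user")` only shows that the issued token validates under the user key; nothing in the test shows it no longer validates under the admin key, which is the property this commit introduces. A negative check next to it, `_, err := utils.CheckJWTToken(token.Token, "secret_admin")` followed by `assert.NotNil(t, err)`, would pin that. The error from CheckJWTToken and the flag from `cclaims,_:= claims.(*utils.CustomClaims)` on the next line are both discarded, so a wrong-key token surfaces as a nil-pointer panic in the MapToStruct line rather than an assertion failure. TestIssueToken starts in the previous hunk.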
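Review bot: In the new `authorization.NewAuth(utils.NewJWTAuth(secret), utils.NewJWTAuth(adminSecret), utils.NewJWTAuth(secret))` the user slot and the JWT slot are both built from `secret`, so user tokens still share a signing key with whatever the third auth is used for; if that is intended, a comment on this line saying so would stop the next reader from treating it as an oversight given the commit subject. The three arguments are positional and of one type, so swapping `secret` and `adminSecret` would compile and silently sign user tokens with the admin key — NewAuth (first hunk of authorization.go) should carry a doc comment naming the order, e.g. `// NewAuth wires the signing keys in the order user, admin, JWT.` Note also that prepareToken in the authorize_test.go hunk still builds the user slot as `utils.NewHMACAuth("secret")` while production now uses `utils.NewJWTAuth(secret)`, so the string-equality path in authorizeByToken (authorize.go hunk) is not exercised with the token type production will generate; whether a JWT produced by GenerateToken is deterministic enough for that equality check cannot be told from this diff. createAuth starts before this hunk.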