-rw-r--r--exampleconfig.json10
-rw-r--r--server/config/config.go1
-rw-r--r--server/config/config_test.go1
-rw-r--r--server/main.go49
-rw-r--r--testdata/config.go3
5 files changed, 27 insertions, 37 deletions
diff --git a/exampleconfig.json b/exampleconfig.json
index 0007ffe..2d65365 100644
--- a/exampleconfig.json
+++ b/exampleconfig.json
@@ -6,6 +6,13 @@
"port": 443,
"cookie_secret": "supersecret"
},
+ "database": {
+ "host": "localhost",
+ "user": "user",
+ "password": "supersecret",
+ "database": "dbname",
+ "dbtype": "mysql"
+ },
"auth": {
"provider": "google",
"oauth_client_id": "nnnnnnnnnnnnnnnn.apps.googleusercontent.com",
@@ -13,8 +20,7 @@
"oauth_callback_url": "https://sshca.example.com/auth/callback",
"google_opts": {
"domain": "example.com"
- },
- "jwt_signing_key": "supersecret"
+ }
},
"ssh": {
"signing_key": "signing_key",
diff --git a/server/config/config.go b/server/config/config.go
index 3d12665..bf5bfc7 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -39,7 +39,6 @@ type Auth struct {
OauthCallbackURL string `mapstructure:"oauth_callback_url"`
Provider string `mapstructure:"provider"`
ProviderOpts map[string]string `mapstructure:"provider_opts"`
- JWTSigningKey string `mapstructure:"jwt_signing_key"`
}
// SSH holds the configuration specific to signing ssh keys.
diff --git a/server/config/config_test.go b/server/config/config_test.go
index f97961a..067b0dc 100644
--- a/server/config/config_test.go
+++ b/server/config/config_test.go
@@ -37,7 +37,6 @@ func TestAuthConfig(t *testing.T) {
a.Equal(auth.OauthClientID, "client_id")
a.Equal(auth.OauthClientSecret, "secret")
a.Equal(auth.OauthCallbackURL, "https://sshca.example.com/auth/callback")
- a.Equal(auth.JWTSigningKey, "supersecret")
}
func TestSSHConfig(t *testing.T) {
diff --git a/server/main.go b/server/main.go
index 786fc9f..402b321 100644
--- a/server/main.go
+++ b/server/main.go
@@ -13,11 +13,11 @@ import (
"log"
"net/http"
"os"
+ "strings"
"time"
"golang.org/x/oauth2"
- "github.com/dgrijalva/jwt-go"
"github.com/gorilla/mux"
"github.com/gorilla/sessions"
"github.com/nsheridan/cashier/lib"
@@ -34,12 +34,11 @@ var (
// appContext contains local context - cookiestore, authprovider, authsession, templates etc.
type appContext struct {
- cookiestore *sessions.CookieStore
- authprovider auth.Provider
- authsession *auth.Session
- views *template.Template
- sshKeySigner *signer.KeySigner
- jwtSigningKey []byte
+ cookiestore *sessions.CookieStore
+ authprovider auth.Provider
+ authsession *auth.Session
+ views *template.Template
+ sshKeySigner *signer.KeySigner
}
// getAuthCookie retrieves a cookie from the request and validates it.
@@ -83,21 +82,17 @@ func parseKey(r *http.Request) (*lib.SignRequest, error) {
// signHandler handles the "/sign" path.
// It unmarshals the client token to an oauth token, validates it and signs the provided public ssh key.
func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) {
- // Retrieve the client token and verify it.
- jwtoken, err := jwt.ParseFromRequest(r, func(t *jwt.Token) (interface{}, error) {
- return a.jwtSigningKey, nil
- })
- if err != nil {
- return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
+ var t string
+ if ah := r.Header.Get("Authorization"); ah != "" {
+ if len(ah) > 6 && strings.ToUpper(ah[0:7]) == "BEARER " {
+ t = ah[7:]
+ }
}
- if !jwtoken.Valid {
- log.Printf("Token %v not valid", jwtoken)
+ if t == "" {
return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized))
}
- expiry := int64(jwtoken.Claims["exp"].(float64))
token := &oauth2.Token{
- AccessToken: jwtoken.Claims["token"].(string),
- Expiry: time.Unix(expiry, 0),
+ AccessToken: t,
}
ok := a.authprovider.Valid(token)
if !ok {
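Review bot: With the JWT wrapper gone, the `oauth2.Token` literal built after the bearer check carries no `Expiry`, so the local expiry the old `exp` claim provided is lost and validity of the presented token now rests entirely on `a.authprovider.Valid`, whose behaviour is outside this hunk; the literal deserves a comment such as `// Expiry is unknown here; the provider check below is the only validation this token gets.` The prefix test `len(ah) > 6 && strings.ToUpper(ah[0:7]) == "BEARER "` reads more directly as `if len(ah) > 7 && strings.EqualFold(ah[:7], "Bearer ") { t = ah[7:] }`, which compares case-insensitively without upper-casing an arbitrary slice of the header. A header with any other scheme is silently treated as absent and reaches the same 401 as a missing header, which is reasonable but worth stating in a comment on the `if t == ""` line. signHandler's body continues past the end of this hunk.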
@@ -156,16 +151,9 @@ func rootHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er
http.Redirect(w, r, "/auth/login", http.StatusSeeOther)
return http.StatusSeeOther, nil
}
- j := jwt.New(jwt.SigningMethodHS256)
- j.Claims["token"] = tok.AccessToken
- j.Claims["exp"] = tok.Expiry.Unix()
- t, err := j.SignedString(a.jwtSigningKey)
- if err != nil {
- return http.StatusInternalServerError, err
- }
page := struct {
Token string
- }{t}
+ }{tok.AccessToken}
a.views.ExecuteTemplate(w, "token.html", page)
return http.StatusOK, nil
}
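Review bot: The page struct now carries `tok.AccessToken` itself rather than a server-signed wrapper, so the raw OAuth access token is rendered into token.html and later presented by clients as the Bearer token to /sign; the literal on the `}{tok.AccessToken}` line should say so, e.g. `// Token is the raw OAuth access token; the client presents it as a Bearer token to /sign.` The expiry the old JWT carried in its `exp` claim is no longer conveyed to the client, so if the template or the client relied on it, `tok.Expiry` would need to be passed as a second field of the page struct. rootHandler starts before this hunk.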
@@ -232,11 +220,10 @@ func main() {
}
ctx := &appContext{
- cookiestore: sessions.NewCookieStore([]byte(config.Server.CookieSecret)),
- authprovider: authprovider,
- views: template.Must(template.ParseGlob("templates/*")),
- sshKeySigner: signer,
- jwtSigningKey: []byte(config.Auth.JWTSigningKey),
+ cookiestore: sessions.NewCookieStore([]byte(config.Server.CookieSecret)),
+ authprovider: authprovider,
+ views: template.Must(template.ParseGlob("templates/*")),
+ sshKeySigner: signer,
}
ctx.cookiestore.Options = &sessions.Options{
MaxAge: 900,
diff --git a/testdata/config.go b/testdata/config.go
index ca856a8..8b38fa6 100644
--- a/testdata/config.go
+++ b/testdata/config.go
@@ -18,8 +18,7 @@ var AuthConfig = []byte(`{
"oauth_callback_url": "https://sshca.example.com/auth/callback",
"provider_opts": {
"domain": "example.com"
- },
- "jwt_signing_key": "supersecret"
+ }
}
}`)