-rw-r--r-- | exampleconfig.json | 10 | ||||
-rw-r--r-- | server/config/config.go | 1 | ||||
-rw-r--r-- | server/config/config_test.go | 1 | ||||
-rw-r--r-- | server/main.go | 49 | ||||
-rw-r--r-- | testdata/config.go | 3 |
5 files changed, 27 insertions, 37 deletions
diff --git a/exampleconfig.json b/exampleconfig.json index 0007ffe..2d65365 100644 --- a/exampleconfig.json +++ b/exampleconfig.json @@ -6,6 +6,13 @@ "port": 443, "cookie_secret": "supersecret" }, + "database": { + "host": "localhost", + "user": "user", + "password": "supersecret", + "database": "dbname", + "dbtype": "mysql" + }, "auth": { "provider": "google", "oauth_client_id": "nnnnnnnnnnnnnnnn.apps.googleusercontent.com", @@ -13,8 +20,7 @@ "oauth_callback_url": "https://sshca.example.com/auth/callback", "google_opts": { "domain": "example.com" - }, - "jwt_signing_key": "supersecret" + } }, "ssh": { "signing_key": "signing_key", diff --git a/server/config/config.go b/server/config/config.go index 3d12665..bf5bfc7 100644 --- a/server/config/config.go +++ b/server/config/config.go @@ -39,7 +39,6 @@ type Auth struct { OauthCallbackURL string `mapstructure:"oauth_callback_url"` Provider string `mapstructure:"provider"` ProviderOpts map[string]string `mapstructure:"provider_opts"` - JWTSigningKey string `mapstructure:"jwt_signing_key"` } // SSH holds the configuration specific to signing ssh keys. diff --git a/server/config/config_test.go b/server/config/config_test.go index f97961a..067b0dc 100644 --- a/server/config/config_test.go +++ b/server/config/config_test.go @@ -37,7 +37,6 @@ func TestAuthConfig(t *testing.T) { a.Equal(auth.OauthClientID, "client_id") a.Equal(auth.OauthClientSecret, "secret") a.Equal(auth.OauthCallbackURL, "https://sshca.example.com/auth/callback") - a.Equal(auth.JWTSigningKey, "supersecret") } func TestSSHConfig(t *testing.T) { diff --git a/server/main.go b/server/main.go index 786fc9f..402b321 100644 --- a/server/main.go +++ b/server/main.go @@ -13,11 +13,11 @@ import ( "log" "net/http" "os" + "strings" "time" "golang.org/x/oauth2" - "github.com/dgrijalva/jwt-go" "github.com/gorilla/mux" "github.com/gorilla/sessions" "github.com/nsheridan/cashier/lib" 
@@ -34,12 +34,11 @@ var ( // appContext contains local context - cookiestore, authprovider, authsession, templates etc. type appContext struct { - cookiestore *sessions.CookieStore - authprovider auth.Provider - authsession *auth.Session - views *template.Template - sshKeySigner *signer.KeySigner - jwtSigningKey []byte + cookiestore *sessions.CookieStore + authprovider auth.Provider + authsession *auth.Session + views *template.Template + sshKeySigner *signer.KeySigner } // getAuthCookie retrieves a cookie from the request and validates it. @@ -83,21 +82,17 @@ func parseKey(r *http.Request) (*lib.SignRequest, error) { // signHandler handles the "/sign" path. // It unmarshals the client token to an oauth token, validates it and signs the provided public ssh key. func signHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, error) { - // Retrieve the client token and verify it. - jwtoken, err := jwt.ParseFromRequest(r, func(t *jwt.Token) (interface{}, error) { - return a.jwtSigningKey, nil - }) - if err != nil { - return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized)) + var t string + if ah := r.Header.Get("Authorization"); ah != "" { + if len(ah) > 6 && strings.ToUpper(ah[0:7]) == "BEARER " { + t = ah[7:] + } } - if !jwtoken.Valid { - log.Printf("Token %v not valid", jwtoken) + if t == "" { return http.StatusUnauthorized, errors.New(http.StatusText(http.StatusUnauthorized)) } - expiry := int64(jwtoken.Claims["exp"].(float64)) token := &oauth2.Token{ - AccessToken: jwtoken.Claims["token"].(string), - Expiry: time.Unix(expiry, 0), + AccessToken: t, } ok := a.authprovider.Valid(token) if !ok { 
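Review bot: The server-side expiry check that the removed jwtoken.Valid call provided has no replacement in signHandler: the new oauth2.Token carries only AccessToken, so whether an expired token is rejected now depends entirely on a.authprovider.Valid, which is defined outside this hunk and is worth confirming before merging. The comment above the signature still says the handler unmarshals a client token to an oauth token; `// It reads the bearer token from the Authorization header, validates it with the auth provider and signs the provided public ssh key.` describes what the new code does. The prefix test can be written as `if len(ah) >= 7 && strings.EqualFold(ah[:7], "Bearer ") { t = ah[7:] }`, which keeps the length bound and the case-insensitive scheme match in one expression instead of upper-casing a sub-slice. The rootHandler hunk that follows drops tok.Expiry from what the client is shown in the same way, so the client has no way to know when the token it received stops being valid; signHandler's body continues past the end of this hunk.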
@@ -156,16 +151,9 @@ func rootHandler(a *appContext, w http.ResponseWriter, r *http.Request) (int, er http.Redirect(w, r, "/auth/login", http.StatusSeeOther) return http.StatusSeeOther, nil } - j := jwt.New(jwt.SigningMethodHS256) - j.Claims["token"] = tok.AccessToken - j.Claims["exp"] = tok.Expiry.Unix() - t, err := j.SignedString(a.jwtSigningKey) - if err != nil { - return http.StatusInternalServerError, err - } page := struct { Token string - }{t} + }{tok.AccessToken} a.views.ExecuteTemplate(w, "token.html", page) return http.StatusOK, nil } @@ -232,11 +220,10 @@ func main() { } ctx := &appContext{ - cookiestore: sessions.NewCookieStore([]byte(config.Server.CookieSecret)), - authprovider: authprovider, - views: template.Must(template.ParseGlob("templates/*")), - sshKeySigner: signer, - jwtSigningKey: []byte(config.Auth.JWTSigningKey), + cookiestore: sessions.NewCookieStore([]byte(config.Server.CookieSecret)), + authprovider: authprovider, + views: template.Must(template.ParseGlob("templates/*")), + sshKeySigner: signer, } ctx.cookiestore.Options = &sessions.Options{ MaxAge: 900, diff --git a/testdata/config.go b/testdata/config.go index ca856a8..8b38fa6 100644 --- a/testdata/config.go +++ b/testdata/config.go @@ -18,8 +18,7 @@ var AuthConfig = []byte(`{ "oauth_callback_url": "https://sshca.example.com/auth/callback", "provider_opts": { "domain": "example.com" - }, - "jwt_signing_key": "supersecret" + } } }`) |