Mercurial > gemma

annotate auth/session.go @ 408:ac23905e64b1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Improve WFS proxy a lot. It now generates signed re-writings.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Wed, 15 Aug 2018 15:55:41 +0200
parents 4c211ad5349e
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
1 package auth
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
2
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
3 import (
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
4 "encoding/base64"
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
5 "io"
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
6 "time"
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
7
408
ac23905e64b1 Improve WFS proxy a lot. It now generates signed re-writings.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 340
diff changeset
8 "gemma.intevation.de/gemma/common"
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
9 "gemma.intevation.de/gemma/misc"
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
10 )
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
11
326
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
12 type Roles []string
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
13
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
14 type Session struct {
326
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
15 ExpiresAt int64 `json:"expires"`
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
16 User string `json:"user"`
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
17 Password string `json:"password"`
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
18 Roles Roles `json:"roles"`
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
19 }
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
20
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
21 func (r Roles) Has(role string) bool {
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
22 for _, x := range r {
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
23 if x == role {
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
24 return true
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
25 }
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
26 }
a7b2db8b3d18 Added type for roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 215
diff changeset
27 return false
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
28 }
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
29
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
30 const (
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
31 sessionKeyLength = 20
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
32 maxTokenValid = time.Hour * 3
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
33 )
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
34
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
35 func NewSession(user, password string, roles []string) *Session {
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
36
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
37 // Create the Claims
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
38 return &Session{
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
39 ExpiresAt: time.Now().Add(maxTokenValid).Unix(),
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
40 User: user,
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
41 Password: password,
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
42 Roles: roles,
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
43 }
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
44 }
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
45
197
e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 193
diff changeset
46 func (s *Session) serialize(w io.Writer) error {
340
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 339
diff changeset
47 wr := misc.BinWriter{w, nil}
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 339
diff changeset
48 wr.WriteBin(s.ExpiresAt)
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
49 wr.WriteString(s.User)
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
50 wr.WriteString(s.Password)
340
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 339
diff changeset
51 wr.WriteBin(uint32(len(s.Roles)))
215
f345edb409b2 Made serialisation and deserialisation of sessions more robust (fixed a small bug on the way).
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 197
diff changeset
52 for _, role := range s.Roles {
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
53 wr.WriteString(role)
197
e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 193
diff changeset
54 }
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
55 return wr.Err
193
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
56 }
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
57
197
e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 193
diff changeset
58 func (s *Session) deserialize(r io.Reader) error {
193
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
59 var x Session
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
60 var n uint32
340
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 339
diff changeset
61 rd := misc.BinReader{r, nil}
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 339
diff changeset
62 rd.ReadBin(&x.ExpiresAt)
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
63 rd.ReadString(&x.User)
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
64 rd.ReadString(&x.Password)
340
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 339
diff changeset
65 rd.ReadBin(&n)
337
e48da6f427c8 Be a bit more type precise in deserialisation of roles in sessions.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 326
diff changeset
66 x.Roles = make(Roles, n)
193
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
67 for i := uint32(0); n > 0 && i < n; i++ {
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
68 rd.ReadString(&x.Roles[i])
193
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
69 }
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
70 if rd.Err == nil {
197
e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 193
diff changeset
71 *s = x
e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 193
diff changeset
72 }
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
73 return rd.Err
193
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
74 }
1585c334e8a7 More on persisting sessions.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 149
diff changeset
75
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
76 func GenerateSessionKey() string {
339
33b59c848771 Factored out some miscellaneous code into own package.
Sascha L. Teichmann <teichmann@intevation.de>
parents: 337
diff changeset
77 return base64.URLEncoding.EncodeToString(
408
ac23905e64b1 Improve WFS proxy a lot. It now generates signed re-writings.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 340
diff changeset
78 common.GenerateRandomKey(sessionKeyLength))
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
diff changeset
79 }
124
bb9120d28950 Generate JWT from database roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 119
diff changeset
80
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
81 func GenerateSession(user, password string) (string, *Session, error) {
124
bb9120d28950 Generate JWT from database roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 119
diff changeset
82 roles, err := AllOtherRoles(user, password)
bb9120d28950 Generate JWT from database roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 119
diff changeset
83 if err != nil {
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
84 return "", nil, err
124
bb9120d28950 Generate JWT from database roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 119
diff changeset
85 }
134
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
86 token := GenerateSessionKey()
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
87 session := NewSession(user, password, roles)
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
88 ConnPool.Add(token, session)
0c56c56a1c44 Removed the JWT layer from the session management.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 124
diff changeset
89 return token, session, nil
124
bb9120d28950 Generate JWT from database roles.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 119
diff changeset
90 }