Blame view
auth_utility.go
5.98 KB
ea858b8a7 refactoring |
1 |
package webutility |
90fd36e9b resolved some dep... |
2 3 |
import ( |
90fd36e9b resolved some dep... |
4 |
"crypto/rand" |
d2ddf82ef started on new rbac |
5 |
"crypto/sha256" |
90fd36e9b resolved some dep... |
6 |
"encoding/hex" |
d2ddf82ef started on new rbac |
7 |
"errors" |
33d137a67 Functional role c... |
8 |
"net/http" |
d2ddf82ef started on new rbac |
9 10 |
"strings" "time" |
33d137a67 Functional role c... |
11 |
|
90fd36e9b resolved some dep... |
12 |
"github.com/dgrijalva/jwt-go" |
90fd36e9b resolved some dep... |
13 |
) |
d2ddf82ef started on new rbac |
14 15 |
const OneDay = time.Hour * 24 const OneWeek = OneDay * 7 |
90fd36e9b resolved some dep... |
16 |
const saltSize = 32 |
d2ddf82ef started on new rbac |
17 18 |
const appName = "korisnicki-centar" const secret = "korisnicki-centar-api" |
90fd36e9b resolved some dep... |
19 |
|
d2ddf82ef started on new rbac |
20 |
type Role struct { |
077dae33c removed role cons... |
21 22 |
Name string `json:"name"` ID uint32 `json:"id"` |
d2ddf82ef started on new rbac |
23 |
} |
6ec91280b working on docume... |
24 |
// TokenClaims are JWT token claims. |
90fd36e9b resolved some dep... |
25 |
type TokenClaims struct { |
6620591d8 moved DeliverPayl... |
26 27 28 29 30 31 32 33 34 |
Token string `json:"access_token"` TokenType string `json:"token_type"` Username string `json:"username"` Role string `json:"role"` RoleID uint32 `json:"role_id"` ExpiresIn int64 `json:"expires_in"` // extending a struct jwt.StandardClaims |
90fd36e9b resolved some dep... |
35 |
} |
1d0f61553 can't fetch clob |
36 |
// CredentialsStruct is an instace of username/password values. |
90fd36e9b resolved some dep... |
37 38 39 40 |
type CredentialsStruct struct { Username string `json:"username"` Password string `json:"password"` } |
bc3671b26 refactoring token... |
41 42 43 |
// ValidateCredentials hashes pass and salt and returns comparison result with resultHash func ValidateCredentials(pass, salt, resultHash string) bool { hash, _, err := CreateHash(pass, salt) |
90fd36e9b resolved some dep... |
44 |
if err != nil { |
bc3671b26 refactoring token... |
45 |
return false |
90fd36e9b resolved some dep... |
46 |
} |
bc3671b26 refactoring token... |
47 |
return hash == resultHash |
90fd36e9b resolved some dep... |
48 |
} |
bc3671b26 refactoring token... |
49 50 51 52 |
// CreateHash hashes str using SHA256. // If the presalt parameter is not provided CreateHash will generate new salt string. // Returns hash and salt strings or an error if it fails. func CreateHash(str, presalt string) (hash, salt string, err error) { |
90fd36e9b resolved some dep... |
53 54 |
// chech if message is presalted if presalt == "" { |
bc3671b26 refactoring token... |
55 |
salt, err = randomSalt() |
90fd36e9b resolved some dep... |
56 57 58 59 60 61 62 63 |
if err != nil { return "", "", err } } else { salt = presalt } // convert strings to raw byte slices |
33fd58161 minor changes, sh... |
64 |
rawstr := []byte(str) |
90fd36e9b resolved some dep... |
65 66 67 68 |
rawsalt, err := hex.DecodeString(salt) if err != nil { return "", "", err } |
33fd58161 minor changes, sh... |
69 |
|
d2ddf82ef started on new rbac |
70 |
rawdata := make([]byte, len(rawstr)+len(rawsalt)) |
33fd58161 minor changes, sh... |
71 |
rawdata = append(rawdata, rawstr...) |
90fd36e9b resolved some dep... |
72 73 74 75 76 77 |
rawdata = append(rawdata, rawsalt...) // hash message + salt hasher := sha256.New() hasher.Write(rawdata) rawhash := hasher.Sum(nil) |
33fd58161 minor changes, sh... |
78 |
|
90fd36e9b resolved some dep... |
79 80 81 |
hash = hex.EncodeToString(rawhash) return hash, salt, nil } |
bc3671b26 refactoring token... |
82 |
// CreateAuthToken returns JWT token with encoded username, role, expiration date and issuer claims. |
6ec91280b working on docume... |
83 |
// It returns an error if it fails. |
bc3671b26 refactoring token... |
84 85 86 |
func CreateAuthToken(username string, role Role) (TokenClaims, error) { t0 := (time.Now()).Unix() t1 := (time.Now().Add(OneWeek)).Unix() |
90fd36e9b resolved some dep... |
87 |
claims := TokenClaims{ |
bc3671b26 refactoring token... |
88 89 90 91 92 |
TokenType: "Bearer", Username: username, Role: role.Name, RoleID: role.ID, ExpiresIn: t1 - t0, |
90fd36e9b resolved some dep... |
93 |
} |
bc3671b26 refactoring token... |
94 95 96 97 |
// initialize jwt.StandardClaims fields (anonymous struct) claims.IssuedAt = t0 claims.ExpiresAt = t1 claims.Issuer = appName |
90fd36e9b resolved some dep... |
98 99 |
jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) |
bc3671b26 refactoring token... |
100 |
token, err := jwtToken.SignedString([]byte(secret)) |
90fd36e9b resolved some dep... |
101 |
if err != nil { |
bc3671b26 refactoring token... |
102 |
return TokenClaims{}, err |
90fd36e9b resolved some dep... |
103 |
} |
bc3671b26 refactoring token... |
104 105 |
claims.Token = token return claims, nil |
90fd36e9b resolved some dep... |
106 |
} |
bc3671b26 refactoring token... |
107 |
// RefreshAuthToken prolongs JWT token's expiration date for one week. |
6ec91280b working on docume... |
108 |
// It returns new JWT token or an error if it fails. |
bc3671b26 refactoring token... |
109 110 111 112 |
func RefreshAuthToken(req *http.Request) (TokenClaims, error) { authHead := req.Header.Get("Authorization") tokenstr := strings.TrimPrefix(authHead, "Bearer ") token, err := jwt.ParseWithClaims(tokenstr, &TokenClaims{}, secretFunc) |
90fd36e9b resolved some dep... |
113 |
if err != nil { |
bc3671b26 refactoring token... |
114 |
return TokenClaims{}, err |
90fd36e9b resolved some dep... |
115 116 117 118 119 |
} // type assertion claims, ok := token.Claims.(*TokenClaims) if !ok || !token.Valid { |
bc3671b26 refactoring token... |
120 |
return TokenClaims{}, errors.New("token is not valid") |
90fd36e9b resolved some dep... |
121 |
} |
bc3671b26 refactoring token... |
122 123 |
// extend token expiration date return CreateAuthToken(claims.Username, Role{claims.Role, claims.RoleID}) |
90fd36e9b resolved some dep... |
124 |
} |
bc3671b26 refactoring token... |
125 126 127 128 129 130 |
// RbacCheck returns true if role that made HTTP request is authorized to // access the resource it is targeting. // It exctracts user's role from the JWT token located in Authorization header of // http.Request and then compares it with the list of supplied roles and returns // true if there's a match, if "*" is provided or if the authRoles is nil. // Otherwise it returns false. |
2d79a4120 Responses contain... |
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
func RbacCheck(req *http.Request, authRoles []string) bool { if authRoles == nil { return true } // validate token and check expiration date claims, err := GetTokenClaims(req) if err != nil { return false } // check if token has expired if claims.ExpiresAt < (time.Now()).Unix() { return false } // check if role extracted from token matches // any of the provided (allowed) ones for _, r := range authRoles { if claims.Role == r || r == "*" { return true } } return false } // TODO func AuthCheck(req *http.Request, authRoles []string) (*TokenClaims, error) { |
bc3671b26 refactoring token... |
159 160 |
if authRoles == nil { return &TokenClaims{}, nil |
90fd36e9b resolved some dep... |
161 |
} |
bc3671b26 refactoring token... |
162 163 |
// validate token and check expiration date claims, err := GetTokenClaims(req) |
90fd36e9b resolved some dep... |
164 165 166 |
if err != nil { return &TokenClaims{}, err } |
bc3671b26 refactoring token... |
167 168 169 170 |
// check if token has expired if claims.ExpiresAt < (time.Now()).Unix() { return &TokenClaims{}, errors.New("token has expired") } |
90fd36e9b resolved some dep... |
171 |
|
bc3671b26 refactoring token... |
172 173 174 175 176 177 |
// check if role extracted from token matches // any of the provided (allowed) ones for _, r := range authRoles { if claims.Role == r || r == "*" { return claims, nil } |
90fd36e9b resolved some dep... |
178 |
} |
bc3671b26 refactoring token... |
179 |
|
2d79a4120 Responses contain... |
180 |
return claims, errors.New("role is not authorized") |
90fd36e9b resolved some dep... |
181 |
} |
bc3671b26 refactoring token... |
182 183 184 185 186 187 188 |
// GetTokenClaims extracts JWT claims from Authorization header of the request. // Returns token claims or an error. func GetTokenClaims(req *http.Request) (*TokenClaims, error) { // check for and strip 'Bearer' prefix var tokstr string authHead := req.Header.Get("Authorization") if ok := strings.HasPrefix(authHead, "Bearer "); ok { |
2d79a4120 Responses contain... |
189 |
tokstr = strings.TrimPrefix(authHead, "Bearer ") |
33d137a67 Functional role c... |
190 |
} else { |
bc3671b26 refactoring token... |
191 |
return &TokenClaims{}, errors.New("authorization header in incomplete") |
33d137a67 Functional role c... |
192 |
} |
bc3671b26 refactoring token... |
193 |
token, err := jwt.ParseWithClaims(tokstr, &TokenClaims{}, secretFunc) |
33d137a67 Functional role c... |
194 195 196 197 198 |
if err != nil { return &TokenClaims{}, err } // type assertion |
bc3671b26 refactoring token... |
199 200 |
claims, ok := token.Claims.(*TokenClaims) if !ok || !token.Valid { |
33d137a67 Functional role c... |
201 202 |
return &TokenClaims{}, errors.New("token is not valid") } |
33d137a67 Functional role c... |
203 |
|
bc3671b26 refactoring token... |
204 |
return claims, nil |
90fd36e9b resolved some dep... |
205 |
} |
33d137a67 Functional role c... |
206 |
|
bc3671b26 refactoring token... |
207 208 209 |
// randomSalt returns a string of random characters of 'saltSize' length. func randomSalt() (s string, err error) { rawsalt := make([]byte, saltSize) |
d2ddf82ef started on new rbac |
210 |
|
bc3671b26 refactoring token... |
211 |
_, err = rand.Read(rawsalt) |
d2ddf82ef started on new rbac |
212 |
if err != nil { |
bc3671b26 refactoring token... |
213 |
return "", err |
33d137a67 Functional role c... |
214 |
} |
d2ddf82ef started on new rbac |
215 |
|
bc3671b26 refactoring token... |
216 217 |
s = hex.EncodeToString(rawsalt) return s, nil |
33d137a67 Functional role c... |
218 |
} |
d2ddf82ef started on new rbac |
219 |
|
bc3671b26 refactoring token... |
220 221 222 |
// secretFunc returns byte slice of API secret keyword. func secretFunc(token *jwt.Token) (interface{}, error) { return []byte(secret), nil |
d2ddf82ef started on new rbac |
223 |
} |