auth_utility.go 6.3 KB
edit raw blame history



1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245


package webutility

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/http"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
)

const OneDay = time.Hour * 24
const OneWeek = OneDay * 7
const saltSize = 32

var appName = "webutility"
var secret = "webutility"

type Role struct {
	Name string `json:"name"`
	ID   int32  `json:"id"`
}

// TokenClaims are JWT token claims.
type TokenClaims struct {
	Token     string `json:"access_token"`
	TokenType string `json:"token_type"`
	Username  string `json:"username"`
	Role      string `json:"role"`
	RoleID    int32  `json:"role_id"`
	ExpiresIn int64  `json:"expires_in"`

	// extending a struct
	jwt.StandardClaims
}

func InitJWT(appName, secret string) {
	appName = appName
	secret = secret
}

// ValidateCredentials hashes pass and salt and returns comparison result with resultHash
func ValidateCredentials(pass, salt, resultHash string) (bool, error) {
	hash, _, err := CreateHash(pass, salt)
	if err != nil {
		return false, err
	}
	res := hash == resultHash
	return res, nil
}

// CreateHash hashes str using SHA256.
// If the presalt parameter is not provided CreateHash will generate new salt string.
// Returns hash and salt strings or an error if it fails.
func CreateHash(str, presalt string) (hash, salt string, err error) {
	// chech if message is presalted
	if presalt == "" {
		salt, err = randomSalt()
		if err != nil {
			return "", "", err
		}
	} else {
		salt = presalt
	}

	// convert strings to raw byte slices
	rawstr := []byte(str)
	rawsalt, err := hex.DecodeString(salt)
	if err != nil {
		return "", "", err
	}

	rawdata := make([]byte, len(rawstr)+len(rawsalt))
	rawdata = append(rawdata, rawstr...)
	rawdata = append(rawdata, rawsalt...)

	// hash message + salt
	hasher := sha256.New()
	hasher.Write(rawdata)
	rawhash := hasher.Sum(nil)

	hash = hex.EncodeToString(rawhash)
	return hash, salt, nil
}

// CreateAuthToken returns JWT token with encoded username, role, expiration date and issuer claims.
// It returns an error if it fails.
func CreateAuthToken(username string, role Role) (TokenClaims, error) {
	t0 := (time.Now()).Unix()
	t1 := (time.Now().Add(OneWeek)).Unix()
	claims := TokenClaims{
		TokenType: "Bearer",
		Username:  username,
		Role:      role.Name,
		RoleID:    role.ID,
		ExpiresIn: t1 - t0,
	}
	// initialize jwt.StandardClaims fields (anonymous struct)
	claims.IssuedAt = t0
	claims.ExpiresAt = t1
	claims.Issuer = appName

	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	token, err := jwtToken.SignedString([]byte(secret))
	if err != nil {
		return TokenClaims{}, err
	}
	claims.Token = token
	return claims, nil
}

// RefreshAuthToken returns new JWT token with sprolongs JWT token's expiration date for one week.
// It returns new JWT token or an error if it fails.
func RefreshAuthToken(tok string) (TokenClaims, error) {
	token, err := jwt.ParseWithClaims(tok, &TokenClaims{}, secretFunc)
	if err != nil {
		if validation, ok := err.(*jwt.ValidationError); ok {
			// don't return error if token is expired
			// just extend it
			if !(validation.Errors&jwt.ValidationErrorExpired != 0) {
				return TokenClaims{}, err
			}
		} else {
			return TokenClaims{}, err
		}
	}

	// type assertion
	claims, ok := token.Claims.(*TokenClaims)
	if !ok {
		return TokenClaims{}, errors.New("token is not valid")
	}

	// extend token expiration date
	return CreateAuthToken(claims.Username, Role{claims.Role, claims.RoleID})
}

// RbacCheck returns true if user that made HTTP request is authorized to
// access the resource it is targeting.
// It exctracts user's role from the JWT token located in Authorization header of
// http.Request and then compares it with the list of supplied roles and returns
// true if there's a match, if "*" is provided or if the authRoles is nil.
// Otherwise it returns false.
func RbacCheck(req *http.Request, authRoles []string) bool {
	if authRoles == nil {
		return true
	}

	// validate token and check expiration date
	claims, err := GetTokenClaims(req)
	if err != nil {
		return false
	}
	// check if token has expired
	if claims.ExpiresAt < (time.Now()).Unix() {
		return false
	}

	// check if role extracted from token matches
	// any of the provided (allowed) ones
	for _, r := range authRoles {
		if claims.Role == r || r == "*" {
			return true
		}
	}

	return false
}

// ProcessRBAC returns token claims and boolean value based on user's rights to access resource specified in req.
// It exctracts user's role from the JWT token located in Authorization header of
// HTTP request and then compares it with the list of supplied (authorized);
// it returns true if there's a match, if "*" is provided or if the authRoles is nil.
func ProcessRBAC(req *http.Request, authRoles []string) (*TokenClaims, bool) {
	if authRoles == nil {
		return nil, true
	}

	// validate token and check expiration date
	claims, err := GetTokenClaims(req)
	if err != nil {
		return claims, false
	}
	// check if token has expired
	if claims.ExpiresAt < (time.Now()).Unix() {
		return claims, false
	}

	// check if role extracted from token matches
	// any of the provided (allowed) ones
	for _, r := range authRoles {
		if claims.Role == r || r == "*" {
			return claims, true
		}
	}

	return claims, false
}

// GetTokenClaims extracts JWT claims from Authorization header of the request.
// Returns token claims or an error.
func GetTokenClaims(req *http.Request) (*TokenClaims, error) {
	// check for and strip 'Bearer' prefix
	var tokstr string
	authHead := req.Header.Get("Authorization")
	if ok := strings.HasPrefix(authHead, "Bearer "); ok {
		tokstr = strings.TrimPrefix(authHead, "Bearer ")
	} else {
		return &TokenClaims{}, errors.New("authorization header in incomplete")
	}

	token, err := jwt.ParseWithClaims(tokstr, &TokenClaims{}, secretFunc)
	if err != nil {
		return &TokenClaims{}, err
	}

	// type assertion
	claims, ok := token.Claims.(*TokenClaims)
	if !ok || !token.Valid {
		return &TokenClaims{}, errors.New("token is not valid")
	}

	return claims, nil
}

// randomSalt returns a string of random characters of 'saltSize' length.
func randomSalt() (s string, err error) {
	rawsalt := make([]byte, saltSize)

	_, err = rand.Read(rawsalt)
	if err != nil {
		return "", err
	}

	s = hex.EncodeToString(rawsalt)
	return s, nil
}

// secretFunc returns byte slice of API secret keyword.
func secretFunc(token *jwt.Token) (interface{}, error) {
	return []byte(secret), nil
}