Add config option for JWT token in config.jwt_cookie_name / config.jwt_secret_key (std base64 HS256) [#2]; Redirect config.jwt_login_url on failure [#3]

karmakaze · karmakaze · commit fe79d62596cd · 2018-11-10T21:31:43.000-05:00
diff --git a/config/config.go b/config/config.go
@@ -60,6 +60,9 @@ type Config struct {
 	HealthCheckURI        string           `json:"health-check-uri"`
 	FullCertFilename      string           `json:"full_cert_filename"`
 	PrivCertFilename      string           `json:"priv_cert_filename"`
+	JwtLoginURL           string           `json:"jwt_login_url"`
+	JwtCookieName         string           `json:"jwt_cookie_name"`
+	JwtSecretKey          string           `json:"jwt_secret_key"`
 }
 
 // SecretMessage is just like json.RawMessage but it will not
diff --git a/web/jwt.go b/web/jwt.go
@@ -0,0 +1,67 @@
+package web
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"net/http"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/gitgrep-com/hound/config"
+)
+
+func jwtCookieAuth(s *Server) *Server {
+	cfg := s.cfg
+	if cfg.JwtLoginURL == "" || cfg.JwtCookieName == "" || cfg.JwtSecretKey == "" {
+		if cfg.JwtLoginURL != "" || cfg.JwtCookieName != "" || cfg.JwtSecretKey != "" {
+			log.Printf("Ignoring incomplete configuration for JWT Auth")
+		}
+		return s
+	}
+	log.Printf("Using JWT auth with cookie name '%s' and login url: %s",
+		cfg.JwtCookieName, cfg.JwtLoginURL)
+
+	sMux := s.mux
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var jwtClaims jwt.MapClaims
+		cookie, err := r.Cookie(cfg.JwtCookieName)
+		if err == nil {
+			jwtClaims, err = validateTokenClaims(cfg, cookie.Value)
+			if err != nil {
+				log.Printf("error in validateToken: %v", err)
+			}
+		}
+		if err != nil || jwtClaims == nil {
+			http.Redirect(w, r, cfg.JwtLoginURL, http.StatusSeeOther)
+		} else {
+			ctx := context.WithValue(r.Context(), "jwt.claims", jwtClaims)
+			sMux.ServeHTTP(w, r.WithContext(ctx))
+		}
+	})
+	s.serveWith(h)
+	return s
+}
+
+func validateTokenClaims(cfg *config.Config, authToken string) (jwt.MapClaims, error) {
+	jwToken, err := jwt.Parse(authToken, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		if _, ok := token.Claims.(jwt.MapClaims); ok {
+			secretKey, err := base64.StdEncoding.DecodeString(cfg.JwtSecretKey)
+			return secretKey, err
+		} else {
+			return nil, fmt.Errorf("token is missing claims")
+		}
+	})
+	if err != nil {
+		log.Printf("Unauthorized: %v", err)
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if claims, ok := jwToken.Claims.(jwt.MapClaims); ok && jwToken.Valid {
+		return claims, nil
+	} else {
+		return nil, fmt.Errorf("unauthorized")
+	}
+}
diff --git a/web/web.go b/web/web.go
@@ -2,6 +2,7 @@ package web
 
 import (
 	"fmt"
+	"log"
 	"net/http"
 	"sync"
 
@@ -20,7 +21,7 @@ type Server struct {
 	dev bool
 	ch  chan error
 
-	mux *http.ServeMux
+	mux http.Handler
 	lck sync.RWMutex
 }
 
@@ -32,16 +33,16 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	s.lck.RLock()
 	defer s.lck.RUnlock()
-	if m := s.mux; m != nil {
-		m.ServeHTTP(w, r)
+	if s.mux != nil {
+		s.mux.ServeHTTP(w, r)
 	} else {
 		http.Error(w,
 			"Hound is not ready.",
 			http.StatusServiceUnavailable)
 	}
 }
 
-func (s *Server) serveWith(m *http.ServeMux) {
+func (s *Server) serveWith(m http.Handler) {
 	s.lck.Lock()
 	defer s.lck.Unlock()
 	s.mux = m
@@ -64,13 +65,13 @@ func Start(cfg *config.Config, addr string, dev bool) *Server {
 		if cfg.FullCertFilename != "" && cfg.PrivCertFilename != "" {
 			err := http.ListenAndServeTLS(addr, cfg.FullCertFilename, cfg.PrivCertFilename, s)
 			if err != nil {
-				fmt.Printf("ListenAndServeTLS %s: %v\n", addr, err)
+				log.Printf("ListenAndServeTLS %s: %v", addr, err)
 			}
 			ch <- err
 		} else {
 			err := http.ListenAndServe(addr, s)
 			if err != nil {
-				fmt.Printf("ListenAndServe %s: %v\n", addr, err)
+				log.Printf("ListenAndServe %s: %v", addr, err)
 			}
 			ch <- err
 		}
@@ -92,6 +93,7 @@ func (s *Server) ServeWithIndex(idx map[string]*searcher.Searcher) error {
 	api.Setup(m, idx)
 
 	s.serveWith(m)
+	s = jwtCookieAuth(s)
 
 	return <-s.ch
 }

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,9 @@ type Config struct {`
`60`	`60`	HealthCheckURI string `json:"health-check-uri"`
`61`	`61`	FullCertFilename string `json:"full_cert_filename"`
`62`	`62`	PrivCertFilename string `json:"priv_cert_filename"`
	`63`	+ JwtLoginURL string `json:"jwt_login_url"`
	`64`	+ JwtCookieName string `json:"jwt_cookie_name"`
	`65`	+ JwtSecretKey string `json:"jwt_secret_key"`
`63`	`66`	`}`
`64`	`67`
`65`	`68`	`// SecretMessage is just like json.RawMessage but it will not`