Merge pull request #27 from rmb938/jwtflag

use rsa key for jwt

Author: michelvocks

cmd/gaia/main.go

@@ -1,11 +1,15 @@
 package main
 
 import (
+	"crypto/rand"
 	"flag"
 	"fmt"
 	"os"
 	"path/filepath"
 
+	"io/ioutil"
+
+	"github.com/dgrijalva/jwt-go"
 	"github.com/gaia-pipeline/gaia"
 	"github.com/gaia-pipeline/gaia/handlers"
 	"github.com/gaia-pipeline/gaia/pipeline"
@@ -35,6 +39,7 @@ func init() {
 	flag.StringVar(&gaia.Cfg.ListenPort, "port", "8080", "Listen port for gaia")
 	flag.StringVar(&gaia.Cfg.HomePath, "homepath", "", "Path to the gaia home folder")
 	flag.StringVar(&gaia.Cfg.Worker, "worker", "2", "Number of worker gaia will use to execute pipelines in parallel")
+	flag.StringVar(&gaia.Cfg.JwtPrivateKeyPath, "jwtPrivateKeyPath", "", "A RSA private key used to sign JWT tokens")
 	flag.BoolVar(&gaia.Cfg.DevMode, "dev", false, "If true, gaia will be started in development mode. Don't use this in production!")
 	flag.BoolVar(&gaia.Cfg.VersionSwitch, "version", false, "If true, will print the version and immediately exit")
 
@@ -59,6 +64,30 @@ func main() {
 		Name:   "Gaia",
 	})
 
+	var jwtKey interface{}
+	// Check JWT key is set
+	if gaia.Cfg.JwtPrivateKeyPath == "" {
+		gaia.Cfg.Logger.Warn("using auto-generated key to sign jwt tokens, do not use in production")
+		jwtKey = make([]byte, 64)
+		_, err := rand.Read(jwtKey.([]byte))
+		if err != nil {
+			gaia.Cfg.Logger.Error("error auto-generating jwt key", "error", err.Error())
+			os.Exit(1)
+		}
+	} else {
+		keyData, err := ioutil.ReadFile(gaia.Cfg.JwtPrivateKeyPath)
+		if err != nil {
+			gaia.Cfg.Logger.Error("could not read jwt key file", "error", err.Error())
+			os.Exit(1)
+		}
+		jwtKey, err = jwt.ParseRSAPrivateKeyFromPEM(keyData)
+		if err != nil {
+			gaia.Cfg.Logger.Error("could not parse jwt key file", "error", err.Error())
+			os.Exit(1)
+		}
+	}
+	gaia.Cfg.JWTKey = jwtKey
+
 	// Find path for gaia home folder if not given by parameter
 	if gaia.Cfg.HomePath == "" {
 		// Find executeable path

gaia.go

@@ -145,15 +145,17 @@ var Cfg *Config
 
 // Config holds all config options
 type Config struct {
-	DevMode       bool
-	VersionSwitch bool
-	ListenPort    string
-	HomePath      string
-	DataPath      string
-	PipelinePath  string
-	WorkspacePath string
-	Worker        string
-	Logger        hclog.Logger
+	DevMode           bool
+	VersionSwitch     bool
+	ListenPort        string
+	HomePath          string
+	DataPath          string
+	PipelinePath      string
+	WorkspacePath     string
+	Worker            string
+	JwtPrivateKeyPath string
+	JWTKey            interface{}
+	Logger            hclog.Logger
 
 	Bolt struct {
 		Mode os.FileMode

handlers/User.go

@@ -6,7 +6,9 @@ import (
 
 	"github.com/labstack/echo"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	"crypto/rsa"
+
+	"github.com/dgrijalva/jwt-go"
 	"github.com/gaia-pipeline/gaia"
 )
 
@@ -45,11 +47,20 @@ func UserLogin(c echo.Context) error {
 		},
 	}
 
+	var token *jwt.Token
 	// Generate JWT token
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	switch t := gaia.Cfg.JWTKey.(type) {
+	case []byte:
+		token = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	case *rsa.PrivateKey:
+		token = jwt.NewWithClaims(jwt.SigningMethodRS512, claims)
+	default:
+		gaia.Cfg.Logger.Error("invalid jwt key type", "type", t)
+		return c.String(http.StatusInternalServerError, "error creating jwt token: invalid jwt key type")
+	}
 
 	// Sign and get encoded token
-	tokenstring, err := token.SignedString(jwtKey)
+	tokenstring, err := token.SignedString(gaia.Cfg.JWTKey)
 	if err != nil {
 		gaia.Cfg.Logger.Error("error signing jwt token", "error", err.Error())
 		return c.String(http.StatusInternalServerError, err.Error())

handlers/User_test.go

@@ -0,0 +1,145 @@
+package handlers
+
+import (
+	"testing"
+
+	"bytes"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+
+	"io/ioutil"
+	"os"
+
+	"crypto/rand"
+	"crypto/rsa"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/gaia-pipeline/gaia"
+	"github.com/gaia-pipeline/gaia/store"
+	"github.com/hashicorp/go-hclog"
+	"github.com/labstack/echo"
+)
+
+func TestUserLoginHMACKey(t *testing.T) {
+
+	dataDir, err := ioutil.TempDir("", "hmac")
+	if err != nil {
+		t.Fatalf("error creating data dir %v", err.Error())
+	}
+
+	defer func() {
+		gaia.Cfg = nil
+		os.RemoveAll(dataDir)
+	}()
+
+	gaia.Cfg = &gaia.Config{
+		JWTKey: []byte("hmac-jwt-key"),
+		Logger: hclog.New(&hclog.LoggerOptions{
+			Level:  hclog.Trace,
+			Output: hclog.DefaultOutput,
+			Name:   "Gaia",
+		}),
+		DataPath: dataDir,
+	}
+
+	dataStore := store.NewStore()
+	err = dataStore.Init()
+	if err != nil {
+		t.Fatalf("cannot initialize store: %v", err.Error())
+	}
+
+	e := echo.New()
+	InitHandlers(e, dataStore, nil)
+
+	body := map[string]string{
+		"username": "admin",
+		"password": "admin",
+	}
+	bodyBytes, _ := json.Marshal(body)
+	req := httptest.NewRequest(echo.POST, "/api/"+apiVersion+"/login", bytes.NewBuffer(bodyBytes))
+	req.Header.Set("Content-Type", "application/json")
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected response code %v got %v", http.StatusOK, rec.Code)
+	}
+
+	data, err := ioutil.ReadAll(rec.Body)
+	user := &gaia.User{}
+	err = json.Unmarshal(data, user)
+	if err != nil {
+		t.Fatalf("error unmarshaling responce %v", err.Error())
+	}
+	token, _, err := new(jwt.Parser).ParseUnverified(user.Tokenstring, jwt.MapClaims{})
+	if err != nil {
+		t.Fatalf("error parsing the token %v", err.Error())
+	}
+	alg := "HS256"
+	if token.Header["alg"] != alg {
+		t.Fatalf("expected token alg %v got %v", alg, token.Header["alg"])
+	}
+
+}
+
+func TestUserLoginRSAKey(t *testing.T) {
+	dataDir, err := ioutil.TempDir("", "rsa")
+	if err != nil {
+		t.Fatalf("error creating data dir %v", err.Error())
+	}
+
+	defer func() {
+		gaia.Cfg = nil
+		os.RemoveAll(dataDir)
+	}()
+
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
+	gaia.Cfg = &gaia.Config{
+		JWTKey: key,
+		Logger: hclog.New(&hclog.LoggerOptions{
+			Level:  hclog.Trace,
+			Output: hclog.DefaultOutput,
+			Name:   "Gaia",
+		}),
+		DataPath: dataDir,
+	}
+
+	dataStore := store.NewStore()
+	err = dataStore.Init()
+	if err != nil {
+		t.Fatalf("cannot initialize store: %v", err.Error())
+	}
+
+	e := echo.New()
+	InitHandlers(e, dataStore, nil)
+
+	body := map[string]string{
+		"username": "admin",
+		"password": "admin",
+	}
+	bodyBytes, _ := json.Marshal(body)
+	req := httptest.NewRequest(echo.POST, "/api/"+apiVersion+"/login", bytes.NewBuffer(bodyBytes))
+	req.Header.Set("Content-Type", "application/json")
+	rec := httptest.NewRecorder()
+	e.ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected response code %v got %v", http.StatusOK, rec.Code)
+	}
+
+	data, err := ioutil.ReadAll(rec.Body)
+	user := &gaia.User{}
+	err = json.Unmarshal(data, user)
+	if err != nil {
+		t.Fatalf("error unmarshaling responce %v", err.Error())
+	}
+	token, _, err := new(jwt.Parser).ParseUnverified(user.Tokenstring, jwt.MapClaims{})
+	if err != nil {
+		t.Fatalf("error parsing the token %v", err.Error())
+	}
+	alg := "RS512"
+	if token.Header["alg"] != alg {
+		t.Fatalf("expected token alg %v got %v", alg, token.Header["alg"])
+	}
+}

handlers/handler.go

@@ -1,14 +1,15 @@
 package handlers
 
 import (
-	"crypto/rand"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
 
 	"github.com/GeertJohan/go.rice"
 
+	"crypto/rsa"
+
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/gaia-pipeline/gaia"
 	scheduler "github.com/gaia-pipeline/gaia/scheduler"
@@ -48,22 +49,12 @@ var storeService *store.Store
 
 var schedulerService *scheduler.Scheduler
 
-// jwtKey is a random generated key for jwt signing
-var jwtKey []byte
-
 // InitHandlers initializes(registers) all handlers
 func InitHandlers(e *echo.Echo, store *store.Store, scheduler *scheduler.Scheduler) error {
 	// Set instances
 	storeService = store
 	schedulerService = scheduler
 
-	// Generate signing key for jwt
-	jwtKey = make([]byte, 64)
-	_, err := rand.Read(jwtKey)
-	if err != nil {
-		return err
-	}
-
 	// Define prefix
 	p := "/api/" + apiVersion + "/"
 
@@ -142,13 +133,21 @@ func authBarrier(next echo.HandlerFunc) echo.HandlerFunc {
 
 		// Parse token
 		token, err := jwt.Parse(jwtString, func(token *jwt.Token) (interface{}, error) {
-			// Validate signing method
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+			signingMethodError := fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+			switch token.Method.(type) {
+			case *jwt.SigningMethodHMAC:
+				if _, ok := gaia.Cfg.JWTKey.([]byte); !ok {
+					return nil, signingMethodError
+				}
+				return gaia.Cfg.JWTKey, nil
+			case *jwt.SigningMethodRSA:
+				if _, ok := gaia.Cfg.JWTKey.(*rsa.PrivateKey); !ok {
+					return nil, signingMethodError
+				}
+				return gaia.Cfg.JWTKey.(*rsa.PrivateKey).Public(), nil
+			default:
+				return nil, signingMethodError
 			}
-
-			// return secret
-			return jwtKey, nil
 		})
 		if err != nil {
 			return c.String(http.StatusForbidden, err.Error())