use a rsa private key to sign jwt

if not given will auto-generate a HMAC key

Author: rmb938

cmd/gaia/main.go

@@ -1,11 +1,15 @@
 package main
 
 import (
+	"crypto/rand"
 	"flag"
 	"fmt"
 	"os"
 	"path/filepath"
 
+	"io/ioutil"
+
+	"github.com/dgrijalva/jwt-go"
 	"github.com/gaia-pipeline/gaia"
 	"github.com/gaia-pipeline/gaia/handlers"
 	"github.com/gaia-pipeline/gaia/pipeline"
@@ -16,7 +20,8 @@ import (
 )
 
 var (
-	echoInstance *echo.Echo
+	echoInstance      *echo.Echo
+	jwtPrivateKeyPath string
 )
 
 const (
@@ -35,6 +40,7 @@ func init() {
 	flag.StringVar(&gaia.Cfg.ListenPort, "port", "8080", "Listen port for gaia")
 	flag.StringVar(&gaia.Cfg.HomePath, "homepath", "", "Path to the gaia home folder")
 	flag.StringVar(&gaia.Cfg.Worker, "worker", "2", "Number of worker gaia will use to execute pipelines in parallel")
+	flag.StringVar(&jwtPrivateKeyPath, "jwtPrivateKeyPath", "", "A RSA private key used to sign JWT tokens")
 	flag.BoolVar(&gaia.Cfg.DevMode, "dev", false, "If true, gaia will be started in development mode. Don't use this in production!")
 	flag.BoolVar(&gaia.Cfg.VersionSwitch, "version", false, "If true, will print the version and immediately exit")
 
@@ -59,6 +65,30 @@ func main() {
 		Name:   "Gaia",
 	})
 
+	var jwtKey interface{}
+	// Check JWT key is set
+	if jwtPrivateKeyPath == "" {
+		gaia.Cfg.Logger.Warn("using auto-generated key to sign jwt tokens, do not use in production")
+		jwtKey = make([]byte, 64)
+		_, err := rand.Read(jwtKey.([]byte))
+		if err != nil {
+			gaia.Cfg.Logger.Error("error auto-generating jwt key", "error", err.Error())
+			os.Exit(1)
+		}
+	} else {
+		keyData, err := ioutil.ReadFile(jwtPrivateKeyPath)
+		if err != nil {
+			gaia.Cfg.Logger.Error("could not read jwt key file", "error", err.Error())
+			os.Exit(1)
+		}
+		jwtKey, err = jwt.ParseRSAPrivateKeyFromPEM(keyData)
+		if err != nil {
+			gaia.Cfg.Logger.Error("could not parse jwt key file", "error", err.Error())
+			os.Exit(1)
+		}
+	}
+	gaia.Cfg.JWTKey = jwtKey
+
 	// Find path for gaia home folder if not given by parameter
 	if gaia.Cfg.HomePath == "" {
 		// Find executeable path

gaia.go

@@ -153,6 +153,7 @@ type Config struct {
 	PipelinePath  string
 	WorkspacePath string
 	Worker        string
+	JWTKey        interface{}
 	Logger        hclog.Logger
 
 	Bolt struct {

handlers/User.go

@@ -6,7 +6,9 @@ import (
 
 	"github.com/labstack/echo"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	"crypto/rsa"
+
+	"github.com/dgrijalva/jwt-go"
 	"github.com/gaia-pipeline/gaia"
 )
 
@@ -45,11 +47,20 @@ func UserLogin(c echo.Context) error {
 		},
 	}
 
+	var token *jwt.Token
 	// Generate JWT token
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	switch t := gaia.Cfg.JWTKey.(type) {
+	case []byte:
+		token = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	case *rsa.PrivateKey:
+		token = jwt.NewWithClaims(jwt.SigningMethodRS512, claims)
+	default:
+		gaia.Cfg.Logger.Error("invalid jwt key type", "type", t)
+		return c.String(http.StatusInternalServerError, "error creating jwt token: invalid jwt key type")
+	}
 
 	// Sign and get encoded token
-	tokenstring, err := token.SignedString(jwtKey)
+	tokenstring, err := token.SignedString(gaia.Cfg.JWTKey)
 	if err != nil {
 		gaia.Cfg.Logger.Error("error signing jwt token", "error", err.Error())
 		return c.String(http.StatusInternalServerError, err.Error())

handlers/handler.go

@@ -1,14 +1,15 @@
 package handlers
 
 import (
-	"crypto/rand"
 	"errors"
 	"fmt"
 	"net/http"
 	"strings"
 
 	"github.com/GeertJohan/go.rice"
 
+	"crypto/rsa"
+
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/gaia-pipeline/gaia"
 	scheduler "github.com/gaia-pipeline/gaia/scheduler"
@@ -48,22 +49,12 @@ var storeService *store.Store
 
 var schedulerService *scheduler.Scheduler
 
-// jwtKey is a random generated key for jwt signing
-var jwtKey []byte
-
 // InitHandlers initializes(registers) all handlers
 func InitHandlers(e *echo.Echo, store *store.Store, scheduler *scheduler.Scheduler) error {
 	// Set instances
 	storeService = store
 	schedulerService = scheduler
 
-	// Generate signing key for jwt
-	jwtKey = make([]byte, 64)
-	_, err := rand.Read(jwtKey)
-	if err != nil {
-		return err
-	}
-
 	// Define prefix
 	p := "/api/" + apiVersion + "/"
 
@@ -142,13 +133,21 @@ func authBarrier(next echo.HandlerFunc) echo.HandlerFunc {
 
 		// Parse token
 		token, err := jwt.Parse(jwtString, func(token *jwt.Token) (interface{}, error) {
-			// Validate signing method
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+			signingMethodError := fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+			switch token.Method.(type) {
+			case *jwt.SigningMethodHMAC:
+				if _, ok := gaia.Cfg.JWTKey.([]byte); !ok {
+					return nil, signingMethodError
+				}
+				return gaia.Cfg.JWTKey, nil
+			case *jwt.SigningMethodRSA:
+				if _, ok := gaia.Cfg.JWTKey.(*rsa.PrivateKey); !ok {
+					return nil, signingMethodError
+				}
+				return gaia.Cfg.JWTKey.(*rsa.PrivateKey).Public(), nil
+			default:
+				return nil, signingMethodError
 			}
-
-			// return secret
-			return jwtKey, nil
 		})
 		if err != nil {
 			return c.String(http.StatusForbidden, err.Error())