jwt.go 2.6 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697
  1. package security
  2. import (
  3. "fmt"
  4. "net/http"
  5. "strings"
  6. "time"
  7. "github.com/chrislusf/seaweedfs/weed/glog"
  8. "github.com/golang-jwt/jwt"
  9. )
  10. type EncodedJwt string
  11. type SigningKey []byte
  12. // SeaweedFileIdClaims is created by Master server(s) and consumed by Volume server(s),
  13. // restricting the access this JWT allows to only a single file.
  14. type SeaweedFileIdClaims struct {
  15. Fid string `json:"fid"`
  16. jwt.StandardClaims
  17. }
  18. // SeaweedFilerClaims is created e.g. by S3 proxy server and consumed by Filer server.
  19. // Right now, it only contains the standard claims; but this might be extended later
  20. // for more fine-grained permissions.
  21. type SeaweedFilerClaims struct {
  22. jwt.StandardClaims
  23. }
  24. func GenJwtForVolumeServer(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
  25. if len(signingKey) == 0 {
  26. return ""
  27. }
  28. claims := SeaweedFileIdClaims{
  29. fileId,
  30. jwt.StandardClaims{},
  31. }
  32. if expiresAfterSec > 0 {
  33. claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
  34. }
  35. t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
  36. encoded, e := t.SignedString([]byte(signingKey))
  37. if e != nil {
  38. glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
  39. return ""
  40. }
  41. return EncodedJwt(encoded)
  42. }
  43. // GenJwtForFilerServer creates a JSON-web-token for using the authenticated Filer API. Used f.e. inside
  44. // the S3 API
  45. func GenJwtForFilerServer(signingKey SigningKey, expiresAfterSec int) EncodedJwt {
  46. if len(signingKey) == 0 {
  47. return ""
  48. }
  49. claims := SeaweedFilerClaims{
  50. jwt.StandardClaims{},
  51. }
  52. if expiresAfterSec > 0 {
  53. claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
  54. }
  55. t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
  56. encoded, e := t.SignedString([]byte(signingKey))
  57. if e != nil {
  58. glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
  59. return ""
  60. }
  61. return EncodedJwt(encoded)
  62. }
  63. func GetJwt(r *http.Request) EncodedJwt {
  64. // Get token from query params
  65. tokenStr := r.URL.Query().Get("jwt")
  66. // Get token from authorization header
  67. if tokenStr == "" {
  68. bearer := r.Header.Get("Authorization")
  69. if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
  70. tokenStr = bearer[7:]
  71. }
  72. }
  73. return EncodedJwt(tokenStr)
  74. }
  75. func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt, claims jwt.Claims) (token *jwt.Token, err error) {
  76. // check exp, nbf
  77. return jwt.ParseWithClaims(string(tokenString), claims, func(token *jwt.Token) (interface{}, error) {
  78. if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
  79. return nil, fmt.Errorf("unknown token method")
  80. }
  81. return []byte(signingKey), nil
  82. })
  83. }