| author | Chris Lu <chris.lu@gmail.com> | 2015-02-07 15:35:28 -0800 |
|---|---|---|
| committer | Chris Lu <chris.lu@gmail.com> | 2015-02-07 15:35:28 -0800 |
| commit | f7998f86522ef04717e22bb094f00138bdf18748 (patch) | |
| tree | 5d8454179564d52feae0ad78caa2648518f63eb8 /go/security/guard.go | |
| parent | 714ccb6e2b709355bed617947ccaa6ad4b68b77b (diff) | |
| download | seaweedfs-f7998f86522ef04717e22bb094f00138bdf18748.tar.xz seaweedfs-f7998f86522ef04717e22bb094f00138bdf18748.zip | |
merge conflicts
Diffstat (limited to 'go/security/guard.go')
| -rw-r--r-- | go/security/guard.go | 111 |
1 files changed, 47 insertions, 64 deletions
diff --git a/go/security/guard.go b/go/security/guard.go index a2beb48f4..d39985034 100644 --- a/go/security/guard.go +++ b/go/security/guard.go @@ -5,11 +5,8 @@ import ( "fmt" "net" "net/http" - "strings" - "time" "github.com/chrislusf/weed-fs/go/glog" - "github.com/dgrijalva/jwt-go" ) var ( @@ -44,24 +41,24 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go */ type Guard struct { whiteList []string - secretKey string + SecretKey Secret isActive bool } func NewGuard(whiteList []string, secretKey string) *Guard { - g := &Guard{whiteList: whiteList, secretKey: secretKey} - g.isActive = len(g.whiteList) != 0 || len(g.secretKey) != 0 + g := &Guard{whiteList: whiteList, SecretKey: Secret(secretKey)} + g.isActive = len(g.whiteList) != 0 || len(g.SecretKey) != 0 return g } -func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) { +func (g *Guard) WhiteList(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) { if !g.isActive { //if no security needed, just skip all checkings return f } return func(w http.ResponseWriter, r *http.Request) { - if err := g.doCheck(w, r); err != nil { + if err := g.checkWhiteList(w, r); err != nil { w.WriteHeader(http.StatusUnauthorized) return } 
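Review bot: Renaming the field to the exported `SecretKey Secret` (the `type Guard struct` lines) makes the signing secret readable and writable from any importing package and lets `encoding/json` or other reflection-based encoders serialize it; the only readers visible in this commit (`NewGuard` here, `checkJwt` in the next hunk) are in-package, so `secretKey Secret` with the same `Secret(secretKey)` conversion in `NewGuard` keeps the type change without widening exposure. The new `WhiteList` wrapper is gated on `isActive`, which `NewGuard` derives from whitelist *or* secret, so a handler wrapped with `WhiteList` when only a secret is configured still reaches `checkWhiteList`, which per the next hunk answers `nil` for an empty list — correct here, but worth a comment on `WhiteList` such as `// An empty whiteList imposes no IP restriction; only the secret key activates the guard.` That same `nil` is what `checkJwt` in the next hunk treats as "authorized" before it looks at the token, so with no whitelist configured `Secure` admits every request; the condition there should be `if len(g.whiteList) != 0 && g.checkWhiteList(w, r) == nil {` so the JWT path is skipped only on an actual whitelist hit. `WhiteList`'s body continues past the end of this hunk.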
@@ -69,76 +66,62 @@ func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w ht } } -func (g *Guard) NewToken() (tokenString string, err error) { - m := make(map[string]interface{}) - m["exp"] = time.Now().Unix() + 10 - return g.Encode(m) -} - -func (g *Guard) Encode(claims map[string]interface{}) (tokenString string, err error) { +func (g *Guard) Secure(f func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) { if !g.isActive { - return "", nil + //if no security needed, just skip all checkings + return f + } + return func(w http.ResponseWriter, r *http.Request) { + if err := g.checkJwt(w, r); err != nil { + w.WriteHeader(http.StatusUnauthorized) + return + } + f(w, r) } - - t := jwt.New(jwt.GetSigningMethod("HS256")) - t.Claims = claims - return t.SignedString(g.secretKey) } -func (g *Guard) Decode(tokenString string) (token *jwt.Token, err error) { - return jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { - return g.secretKey, nil - }) -} +func (g *Guard) checkWhiteList(w http.ResponseWriter, r *http.Request) error { + if len(g.whiteList) == 0 { + return nil + } -func (g *Guard) doCheck(w http.ResponseWriter, r *http.Request) error { - if len(g.whiteList) != 0 { - host, _, err := net.SplitHostPort(r.RemoteAddr) - if err == nil { - for _, ip := range g.whiteList { - if ip == host { - return nil - } + host, _, err := net.SplitHostPort(r.RemoteAddr) + if err == nil { + for _, ip := range g.whiteList { + if ip == host { + return nil } } } - if len(g.secretKey) != 0 { - - // Get token from query params - tokenStr := r.URL.Query().Get("jwt") + glog.V(1).Infof("Not in whitelist: %s", r.RemoteAddr) + return fmt.Errorf("Not in whitelis: %s", r.RemoteAddr) +} - // Get token from authorization header - if tokenStr == "" { - bearer := r.Header.Get("Authorization") - if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" { - tokenStr = bearer[7:] - } - } +func (g *Guard) checkJwt(w 
http.ResponseWriter, r *http.Request) error { + if g.checkWhiteList(w, r) == nil { + return nil + } - // Get token from cookie - if tokenStr == "" { - cookie, err := r.Cookie("jwt") - if err == nil { - tokenStr = cookie.Value - } - } + if len(g.SecretKey) == 0 { + return nil + } - if tokenStr == "" { - return ErrUnauthorized - } + tokenStr := GetJwt(r) - // Verify the token - token, err := g.Decode(tokenStr) - if err != nil { - glog.V(1).Infof("Token verification error from %s: %v", r.RemoteAddr, err) - return ErrUnauthorized - } - if !token.Valid { - glog.V(1).Infof("Token invliad from %s: %v", r.RemoteAddr, tokenStr) - return ErrUnauthorized - } + if tokenStr == "" { + return ErrUnauthorized + } + // Verify the token + token, err := DecodeJwt(g.SecretKey, tokenStr) + if err != nil { + glog.V(1).Infof("Token verification error from %s: %v", r.RemoteAddr, err) + return ErrUnauthorized + } + if !token.Valid { + glog.V(1).Infof("Token invliad from %s: %v", r.RemoteAddr, tokenStr) + return ErrUnauthorized } glog.V(1).Infof("No permission from %s", r.RemoteAddr) |
