Diffstat (limited to 'weed/security/jwt.go')
-rw-r--r--weed/security/jwt.go37
1 files changed, 34 insertions, 3 deletions
diff --git a/weed/security/jwt.go b/weed/security/jwt.go
index 7327f7b8b..82ba0df12 100644
--- a/weed/security/jwt.go
+++ b/weed/security/jwt.go
@@ -13,12 +13,21 @@ import (
type EncodedJwt string
type SigningKey []byte
+// SeaweedFileIdClaims is created by Master server(s) and consumed by Volume server(s),
+// restricting the access this JWT allows to only a single file.
type SeaweedFileIdClaims struct {
Fid string `json:"fid"`
jwt.StandardClaims
}
-func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
+// SeaweedFilerClaims is created e.g. by S3 proxy server and consumed by Filer server.
+// Right now, it only contains the standard claims; but this might be extended later
+// for more fine-grained permissions.
+type SeaweedFilerClaims struct {
+ jwt.StandardClaims
+}
+
+func GenJwtForVolumeServer(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
if len(signingKey) == 0 {
return ""
}
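Review bot: SeaweedFilerClaims, the new type at the top of this hunk, carries nothing that distinguishes a filer token from a SeaweedFileIdClaims token, so in a deployment where the filer and the volume servers are configured with the same signing key a token minted by GenJwtForVolumeServer will parse cleanly as SeaweedFilerClaims — the JSON decoder ignores the unknown `fid` field and the visible part of DecodeJwt only checks the HMAC method and exp/nbf; whether keys are actually shared in practice I cannot tell from this file. A cheap separator is to set a fixed standard claim at issue time and verify it at the consumer, e.g. `claims.Audience = "filer"` in GenJwtForFilerServer and a matching check after DecodeJwt on the filer side. GenJwtForVolumeServer is exported and renamed here but has no doc comment; `// GenJwtForVolumeServer creates a JWT that grants access to exactly fileId, signed with signingKey; an empty key yields an empty token.` would do. GenJwtForVolumeServer's body continues past the end of this hunk.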
@@ -39,6 +48,28 @@ func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJw
return EncodedJwt(encoded)
}
+// GenJwtForFilerServer creates a JSON-web-token for using the authenticated Filer API. Used f.e. inside
+// the S3 API
+func GenJwtForFilerServer(signingKey SigningKey, expiresAfterSec int) EncodedJwt {
+ if len(signingKey) == 0 {
+ return ""
+ }
+
+ claims := SeaweedFilerClaims{
+ jwt.StandardClaims{},
+ }
+ if expiresAfterSec > 0 {
+ claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
+ }
+ t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+ encoded, e := t.SignedString([]byte(signingKey))
+ if e != nil {
+ glog.V(0).Infof("Failed to sign claims %+v: %v", t.Claims, e)
+ return ""
+ }
+ return EncodedJwt(encoded)
+}
+
func GetJwt(r *http.Request) EncodedJwt {
// Get token from query params
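Review bot: GenJwtForFilerServer sets ExpiresAt only when expiresAfterSec > 0, so a caller passing 0 or a negative value gets a signed bearer token with no exp claim at all, which the standard-claims validation in DecodeJwt will presumably accept indefinitely — a sharp edge for a token the S3 proxy mints on behalf of clients, and the doc comment says nothing about it. Either document it — `// expiresAfterSec <= 0 produces a token without an exp claim, i.e. one that never expires; prefer a short positive value.` — or reject non-positive values with `return ""` the way an empty signingKey is handled. Setting `claims.IssuedAt = time.Now().Unix()` alongside ExpiresAt would also make such tokens auditable when one leaks. The `[]byte(signingKey)` conversion on the SignedString line is redundant since SigningKey is already a byte slice. Minor: `f.e.` in the doc comment should read `e.g.`.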
@@ -55,9 +86,9 @@ func GetJwt(r *http.Request) EncodedJwt {
return EncodedJwt(tokenStr)
}
-func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt) (token *jwt.Token, err error) {
+func DecodeJwt(signingKey SigningKey, tokenString EncodedJwt, claims jwt.Claims) (token *jwt.Token, err error) {
// check exp, nbf
- return jwt.ParseWithClaims(string(tokenString), &SeaweedFileIdClaims{}, func(token *jwt.Token) (interface{}, error) {
+ return jwt.ParseWithClaims(string(tokenString), claims, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unknown token method")
}