From fa4bf5178a3d7a7dbf0d4984e465091eb539ed08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=81ukasz=20Magiera?=
Date: Tue, 23 Jul 2019 17:33:25 +0200
Subject: [PATCH] auth: Restructure for getting tokens form keystore
---
 daemon/cmd.go | 5 ++++
 daemon/rpc.go | 12 ++++++++--
 lib/auth/handler.go | 55 +++++++++++++++++++++++++++++++++++++++++++
 lib/jsonrpc/auth.go | 19 ---------------
 lib/jsonrpc/server.go | 24 +------------------
 node/builder.go | 2 ++
 6 files changed, 73 insertions(+), 44 deletions(-)
 create mode 100644 lib/auth/handler.go
 delete mode 100644 lib/jsonrpc/auth.go
diff --git a/daemon/cmd.go b/daemon/cmd.go
index 4029f581e..bd92c30c1 100644
--- a/daemon/cmd.go
+++ b/daemon/cmd.go
@@ -6,6 +6,7 @@ import (
 "context"
 
 "github.com/multiformats/go-multiaddr"
+ "go.uber.org/fx"
 "gopkg.in/urfave/cli.v2"
 
 "github.com/filecoin-project/go-lotus/node"
@@ -44,6 +45,10 @@ var Cmd = &cli.Command{
 }
 return lr.SetAPIEndpoint(apima)
 }),
+
+ node.Override(node.ServeRPCKey, func(lc fx.Lifecycle) error {
+
+ }),
 )
 if err != nil {
 return err
diff --git a/daemon/rpc.go b/daemon/rpc.go
index fde85bc98..e06ac4532 100644
--- a/daemon/rpc.go
+++ b/daemon/rpc.go
@@ -1,15 +1,23 @@
 package daemon
 
 import (
+ "github.com/filecoin-project/go-lotus/lib/auth"
+ "github.com/gbrlsnchs/jwt/v3"
 "net/http"
 
 "github.com/filecoin-project/go-lotus/api"
 "github.com/filecoin-project/go-lotus/lib/jsonrpc"
 )
 
-func serveRPC(a api.API, addr string) error {
+func serveRPC(a api.API, addr string, authSecret []byte) error {
 rpcServer := jsonrpc.NewServer()
 rpcServer.Register("Filecoin", api.Permissioned(a))
- http.Handle("/rpc/v0", rpcServer)
+
+ authHandler := &auth.Handler{
+ Secret: jwt.NewHS256(authSecret),
+ Next: rpcServer.ServeHTTP,
+ }
+
+ http.Handle("/rpc/v0", authHandler)
 return http.ListenAndServe(addr, http.DefaultServeMux)
 }
diff --git a/lib/auth/handler.go b/lib/auth/handler.go
new file mode 100644
index 000000000..2c46a86f0
--- /dev/null
+++ b/lib/auth/handler.go
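Review bot: The `node.Override(node.ServeRPCKey, func(lc fx.Lifecycle) error { ... })` closure added at the end of the second daemon/cmd.go hunk has an empty body, so the file does not compile (a function returning `error` needs a return), and nothing in this patch calls `serveRPC` with its new `authSecret` argument, so the JWT-protected endpoint is never actually started. Even as a placeholder the hook should at least `return nil` and carry a comment such as `// TODO: load the RPC auth secret from the keystore and start serveRPC from an fx OnStart hook` so the unfinished wiring is visible to the next reader. The `lc` parameter is unused until that OnStart hook exists. The enclosing `var Cmd = &cli.Command{` literal starts and ends outside the hunk.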
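Review bot: `serveRPC` in the daemon/rpc.go hunk passes `authSecret` straight into `jwt.NewHS256` with no check that it is non-empty; whether the library rejects an empty key at Verify time is not visible here, so failing fast at startup is the safer contract, e.g. `if len(authSecret) == 0 { return errors.New("serveRPC: empty auth secret") }` as the first statement (with `errors` imported), plus a doc comment `// serveRPC serves the Filecoin JSON-RPC API on addr behind an HS256 JWT check; authSecret is the verification key and must be non-empty.`. The two new imports `lib/auth` and `gbrlsnchs/jwt/v3` sit in the stdlib group above `"net/http"` instead of with the other third-party imports, which goimports would reorder; the same misplacement appears in the lib/jsonrpc/server.go import hunk, where `"github.com/gorilla/websocket"` is inserted between `"encoding/json"` and `"io"`. The pre-existing `http.ListenAndServe` on the default mux with no server timeouts is untouched by this change.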
@@ -0,0 +1,55 @@
+package auth
+
+import (
+ "net/http"
+ "strings"
+
+ "github.com/filecoin-project/go-lotus/api"
+ "github.com/gbrlsnchs/jwt/v3"
+ logging "github.com/ipfs/go-log"
+)
+
+var log = logging.Logger("auth")
+
+type Handler struct {
+ Secret *jwt.HMACSHA
+ Next http.HandlerFunc
+}
+
+func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+
+ token := r.Header.Get("Authorization")
+ if token != "" {
+ if !strings.HasPrefix(token, "Bearer ") {
+ log.Warn("missing Bearer prefix in auth header")
+ w.WriteHeader(401)
+ return
+ }
+ token = token[len("Bearer "):]
+
+ var payload jwtPayload
+ if _, err := jwt.Verify([]byte(token), h.Secret, &payload); err != nil {
+ log.Warnf("JWT Verification failed: %s", err)
+ w.WriteHeader(401)
+ return
+ }
+
+ ctx = api.WithPerm(ctx, payload.Allow)
+ }
+
+ h.Next(w, r.WithContext(ctx))
+}
+
+type jwtPayload struct {
+ Allow []string
+}
+
+/*func init() {
+ p := jwtPayload{
+ Allow: []string{"read", "write"},
+ }
+ r, _ := jwt.Sign(&p, secret)
+ log.Infof("WRITE TOKEN: %s", string(r))
+}
+*/
\ No newline at end of file
diff --git a/lib/jsonrpc/auth.go b/lib/jsonrpc/auth.go
deleted file mode 100644
index 71536598d..000000000
--- a/lib/jsonrpc/auth.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package jsonrpc
-
-import (
- "github.com/gbrlsnchs/jwt/v3"
-)
-
-var secret = jwt.NewHS256([]byte("todo: get me from the repo"))
-
-type jwtPayload struct {
- Allow []string
-}
-
-func init() {
- p := jwtPayload{
- Allow: []string{"read", "write"},
- }
- r, _ := jwt.Sign(&p, secret)
- log.Infof("WRITE TOKEN: %s", string(r))
-}
diff --git a/lib/jsonrpc/server.go b/lib/jsonrpc/server.go
index 7a27ef3a1..009710f85 100644
--- a/lib/jsonrpc/server.go
+++ b/lib/jsonrpc/server.go
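Review bot: `Handler` and `ServeHTTP` in the new lib/auth/handler.go are exported without doc comments, and the contract that matters most — a request with no Authorization header is forwarded to `Next` with the context unchanged, so this handler never denies on its own and relies on `api.Permissioned` to reject calls without permissions — is stated nowhere; suggest `// Handler verifies an optional HS256 JWT from the Authorization header and attaches its Allow list to the request context via api.WithPerm. Requests that carry no token are forwarded without permissions; enforcing them is left to the wrapped handler.` above the type. Since `jwtPayload` carries only `Allow` and no expiry or not-before claim, `jwt.Verify` here presumably checks the signature alone, so a token stays valid until the secret is rotated — worth saying in that comment if it is intended. The commented-out `init()` at the bottom, which would sign a read/write token and log it at startup, should be deleted rather than carried into the new file, and the file is missing its trailing newline. Prefer `http.StatusUnauthorized` over the bare `401` in both reject branches.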
@@ -3,14 +3,9 @@ package jsonrpc
 import (
 "context"
 "encoding/json"
+ "github.com/gorilla/websocket"
 "io"
 "net/http"
- "strings"
-
- "github.com/gbrlsnchs/jwt/v3"
- "github.com/gorilla/websocket"
-
- "github.com/filecoin-project/go-lotus/api"
 )
 
 const (
@@ -56,23 +51,6 @@ func (s *RPCServer) handleWS(ctx context.Context, w http.ResponseWriter, r *http
 func (s *RPCServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
 
- token := r.Header.Get("Authorization")
- if token != "" {
- if !strings.HasPrefix(token, "Bearer ") {
- w.WriteHeader(401)
- return
- }
- token = token[len("Bearer "):]
-
- var payload jwtPayload
- if _, err := jwt.Verify([]byte(token), secret, &payload); err != nil {
- w.WriteHeader(401)
- return
- }
-
- ctx = api.WithPerm(ctx, payload.Allow)
- }
-
 if r.Header.Get("Connection") == "Upgrade" {
 s.handleWS(ctx, w, r)
 return
diff --git a/node/builder.go b/node/builder.go
index b9d98176b..c8aea9a3c 100644
--- a/node/builder.go
+++ b/node/builder.go
@@ -70,7 +70,9 @@ const (
 HandleIncomingBlocksKey
 HandleIncomingMessagesKey
 
+ // daemon
 SetApiEndpointKey
+ ServeRPCKey
 
 _nInvokes // keep this last
 )