mirror of https://github.com/portainer/portainer
202 lines
5.6 KiB
Go
202 lines
5.6 KiB
Go
package jwt
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
portainer "github.com/portainer/portainer/api"
|
|
"github.com/portainer/portainer/api/dataservices"
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
|
"github.com/gorilla/securecookie"
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
// scope represents JWT scopes that are supported in JWT claims.
|
|
type scope string
|
|
|
|
// Service represents a service for managing JWT tokens.
|
|
type Service struct {
|
|
secrets map[scope][]byte
|
|
userSessionTimeout time.Duration
|
|
dataStore dataservices.DataStore
|
|
}
|
|
|
|
type claims struct {
|
|
UserID int `json:"id"`
|
|
Username string `json:"username"`
|
|
Role int `json:"role"`
|
|
Scope scope `json:"scope"`
|
|
ForceChangePassword bool `json:"forceChangePassword"`
|
|
jwt.StandardClaims
|
|
}
|
|
|
|
var (
|
|
errSecretGeneration = errors.New("Unable to generate secret key")
|
|
errInvalidJWTToken = errors.New("Invalid JWT token")
|
|
)
|
|
|
|
const (
|
|
defaultScope = scope("default")
|
|
kubeConfigScope = scope("kubeconfig")
|
|
)
|
|
|
|
// NewService initializes a new service. It will generate a random key that will be used to sign JWT tokens.
|
|
func NewService(userSessionDuration string, dataStore dataservices.DataStore) (*Service, error) {
|
|
userSessionTimeout, err := time.ParseDuration(userSessionDuration)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
secret := securecookie.GenerateRandomKey(32)
|
|
if secret == nil {
|
|
return nil, errSecretGeneration
|
|
}
|
|
|
|
kubeSecret, err := getOrCreateKubeSecret(dataStore)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
service := &Service{
|
|
map[scope][]byte{
|
|
defaultScope: secret,
|
|
kubeConfigScope: kubeSecret,
|
|
},
|
|
userSessionTimeout,
|
|
dataStore,
|
|
}
|
|
return service, nil
|
|
}
|
|
|
|
func getOrCreateKubeSecret(dataStore dataservices.DataStore) ([]byte, error) {
|
|
settings, err := dataStore.Settings().Settings()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
kubeSecret := settings.OAuthSettings.KubeSecretKey
|
|
if kubeSecret == nil {
|
|
kubeSecret = securecookie.GenerateRandomKey(32)
|
|
if kubeSecret == nil {
|
|
return nil, errSecretGeneration
|
|
}
|
|
settings.OAuthSettings.KubeSecretKey = kubeSecret
|
|
err = dataStore.Settings().UpdateSettings(settings)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
return kubeSecret, nil
|
|
}
|
|
|
|
func (service *Service) defaultExpireAt() int64 {
|
|
return time.Now().Add(service.userSessionTimeout).Unix()
|
|
}
|
|
|
|
// GenerateToken generates a new JWT token.
|
|
func (service *Service) GenerateToken(data *portainer.TokenData) (string, error) {
|
|
return service.generateSignedToken(data, service.defaultExpireAt(), defaultScope)
|
|
}
|
|
|
|
// GenerateTokenForOAuth generates a new JWT token for OAuth login
|
|
// token expiry time response from OAuth provider is considered
|
|
func (service *Service) GenerateTokenForOAuth(data *portainer.TokenData, expiryTime *time.Time) (string, error) {
|
|
expireAt := service.defaultExpireAt()
|
|
if expiryTime != nil && !expiryTime.IsZero() {
|
|
expireAt = expiryTime.Unix()
|
|
}
|
|
return service.generateSignedToken(data, expireAt, defaultScope)
|
|
}
|
|
|
|
// ParseAndVerifyToken parses a JWT token and verify its validity. It returns an error if token is invalid.
|
|
func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData, error) {
|
|
scope := parseScope(token)
|
|
secret := service.secrets[scope]
|
|
parsedToken, err := jwt.ParseWithClaims(token, &claims{}, func(token *jwt.Token) (interface{}, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
msg := fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
|
return nil, msg
|
|
}
|
|
return secret, nil
|
|
})
|
|
|
|
if err == nil && parsedToken != nil {
|
|
if cl, ok := parsedToken.Claims.(*claims); ok && parsedToken.Valid {
|
|
|
|
user, err := service.dataStore.User().User(portainer.UserID(cl.UserID))
|
|
if err != nil {
|
|
return nil, errInvalidJWTToken
|
|
}
|
|
if user.TokenIssueAt > cl.StandardClaims.IssuedAt {
|
|
return nil, errInvalidJWTToken
|
|
}
|
|
|
|
return &portainer.TokenData{
|
|
ID: portainer.UserID(cl.UserID),
|
|
Username: cl.Username,
|
|
Role: portainer.UserRole(cl.Role),
|
|
}, nil
|
|
}
|
|
}
|
|
return nil, errInvalidJWTToken
|
|
}
|
|
|
|
// parse a JWT token, fallback to defaultScope if no scope is present in the JWT
|
|
func parseScope(token string) scope {
|
|
unverifiedToken, _, _ := new(jwt.Parser).ParseUnverified(token, &claims{})
|
|
if unverifiedToken != nil {
|
|
if cl, ok := unverifiedToken.Claims.(*claims); ok {
|
|
if cl.Scope == kubeConfigScope {
|
|
return kubeConfigScope
|
|
}
|
|
}
|
|
}
|
|
|
|
return defaultScope
|
|
}
|
|
|
|
// SetUserSessionDuration sets the user session duration
|
|
func (service *Service) SetUserSessionDuration(userSessionDuration time.Duration) {
|
|
service.userSessionTimeout = userSessionDuration
|
|
}
|
|
|
|
func (service *Service) generateSignedToken(data *portainer.TokenData, expiresAt int64, scope scope) (string, error) {
|
|
secret, found := service.secrets[scope]
|
|
if !found {
|
|
return "", fmt.Errorf("invalid scope: %v", scope)
|
|
}
|
|
|
|
settings, err := service.dataStore.Settings().Settings()
|
|
if err != nil {
|
|
return "", fmt.Errorf("failed fetching settings from db: %w", err)
|
|
}
|
|
|
|
if settings.IsDockerDesktopExtension {
|
|
// Set expiration to 99 years for docker desktop extension.
|
|
log.Info().Msg("detected docker desktop extension mode")
|
|
expiresAt = time.Now().Add(time.Hour * 8760 * 99).Unix()
|
|
}
|
|
|
|
cl := claims{
|
|
UserID: int(data.ID),
|
|
Username: data.Username,
|
|
Role: int(data.Role),
|
|
Scope: scope,
|
|
ForceChangePassword: data.ForceChangePassword,
|
|
StandardClaims: jwt.StandardClaims{
|
|
ExpiresAt: expiresAt,
|
|
IssuedAt: time.Now().Unix(),
|
|
},
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, cl)
|
|
signedToken, err := token.SignedString(secret)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return signedToken, nil
|
|
}
|