mirror of
https://github.com/jech/galene.git
synced 2024-12-26 09:15:46 +01:00
Don't verify token issuer.
This makes it possible to use token authentication without an authentication server.
This commit is contained in:
parent
7784a2ac96
commit
1d583e5367
3 changed files with 8 additions and 35 deletions
|
@ -1097,10 +1097,9 @@ func (desc *Description) GetPermission(group string, creds ClientCredentials) (C
|
|||
return p, ErrNotAuthorised
|
||||
}
|
||||
|
||||
if desc.AuthServer != "" && creds.Token != "" {
|
||||
if creds.Token != "" {
|
||||
aud, perms, err := token.Valid(
|
||||
creds.Username, creds.Token,
|
||||
desc.AuthKeys, desc.AuthServer,
|
||||
creds.Username, creds.Token, desc.AuthKeys,
|
||||
)
|
||||
if err != nil {
|
||||
log.Printf("Token authentication: %v", err)
|
||||
|
|
|
@ -11,7 +11,6 @@ import (
|
|||
)
|
||||
|
||||
var ErrUnexpectedSub = errors.New("unexpected 'sub' field")
|
||||
var ErrUnexpectedIss = errors.New("unexpected 'iss' field")
|
||||
|
||||
func parseBase64(k string, d map[string]interface{}) ([]byte, error) {
|
||||
v, ok := d[k].(string)
|
||||
|
@ -106,7 +105,7 @@ func getKey(header map[string]interface{}, keys []map[string]interface{}) (inter
|
|||
return nil, errors.New("key not found")
|
||||
}
|
||||
|
||||
func Valid(username, token string, keys []map[string]interface{}, issuer string) ([]string, map[string]interface{}, error) {
|
||||
func Valid(username, token string, keys []map[string]interface{}) ([]string, map[string]interface{}, error) {
|
||||
tok, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
|
||||
return getKey(t.Header, keys)
|
||||
})
|
||||
|
@ -119,10 +118,6 @@ func Valid(username, token string, keys []map[string]interface{}, issuer string)
|
|||
if !ok || sub != username {
|
||||
return nil, nil, ErrUnexpectedSub
|
||||
}
|
||||
iss, ok := claims["iss"].(string)
|
||||
if !ok || iss != issuer {
|
||||
return nil, nil, ErrUnexpectedIss
|
||||
}
|
||||
aud, ok := claims["aud"]
|
||||
var res []string
|
||||
if ok {
|
||||
|
|
|
@ -75,9 +75,7 @@ func TestValid(t *testing.T) {
|
|||
|
||||
goodToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1MzkxLCJleHAiOjIyNzU5MTUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.PMgfwYwSLSFIfcNJdOEfHEZ41HM2CzbATuS1fTxncbaGyX-xXq7d9V04enXpLOMGnAlsZpOJvd7eJN2mngJMAg"
|
||||
|
||||
aud, perms, err := Valid(
|
||||
"john", goodToken, keys, "http://localhost:1234/",
|
||||
)
|
||||
aud, perms, err := Valid("john", goodToken, keys)
|
||||
|
||||
if err != nil {
|
||||
t.Errorf("Token invalid: %v", err)
|
||||
|
@ -92,26 +90,14 @@ func TestValid(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
aud, perms, err = Valid(
|
||||
"jack", goodToken, keys, "http://localhost:1234/",
|
||||
)
|
||||
aud, perms, err = Valid("jack", goodToken, keys)
|
||||
if err != ErrUnexpectedSub {
|
||||
t.Errorf("Token should have bad username")
|
||||
}
|
||||
|
||||
aud, perms, err = Valid(
|
||||
"john", goodToken, keys, "http://localhost:4567/",
|
||||
)
|
||||
if err != ErrUnexpectedIss {
|
||||
t.Errorf("Token should have bad issuer")
|
||||
}
|
||||
|
||||
badToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk2MDE5LCJleHAiOjIyNjAzNjQwMTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.4TN5zxzuKeNIw0rX0yirEkVYF1d0FHI_Lezmsa27ayi0R4ocSgTZ3q2bmlACXvyuoBqEEbuP4e77BUbGCHmpSg"
|
||||
|
||||
_, _, err = Valid(
|
||||
"john", badToken, keys,
|
||||
"https://localhost:1234/group/auth/",
|
||||
)
|
||||
_, _, err = Valid("john", badToken, keys)
|
||||
|
||||
var verr *jwt.ValidationError
|
||||
if !errors.As(err, &verr) {
|
||||
|
@ -120,10 +106,7 @@ func TestValid(t *testing.T) {
|
|||
|
||||
expiredToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NTY3LCJleHAiOjE2NDUxOTU1OTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.GXcLeyNVr5cnZjIECENyjMLH1HyNKWKkHMc9onvqA_RVYMyDLeeR_3NKH9Y7eKSXWC8jhatDWtH7Ed3KdsSxAA"
|
||||
|
||||
_, _, err = Valid(
|
||||
"john", expiredToken, keys,
|
||||
"https://localhost:1234/group/auth/",
|
||||
)
|
||||
_, _, err = Valid("john", expiredToken, keys)
|
||||
|
||||
if !errors.As(err, &verr) {
|
||||
t.Errorf("Token should be expired")
|
||||
|
@ -131,11 +114,7 @@ func TestValid(t *testing.T) {
|
|||
|
||||
noneToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NzgyLCJleHAiOjIyNjAzNjM3ODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ."
|
||||
|
||||
_, _, err = Valid(
|
||||
"john", noneToken, keys,
|
||||
"https://localhost:1234/group/auth/",
|
||||
)
|
||||
|
||||
_, _, err = Valid("john", noneToken, keys)
|
||||
if err == nil {
|
||||
t.Errorf("Unsigned token should fail")
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue