
Don't verify token issuer.

This makes it possible to use token authentication without
an authentication server.
This commit is contained in:
Juliusz Chroboczek 2022-02-18 19:21:02 +01:00
parent 7784a2ac96
commit 1d583e5367
3 changed files with 8 additions and 35 deletions


@ -1097,10 +1097,9 @@ func (desc *Description) GetPermission(group string, creds ClientCredentials) (C
return p, ErrNotAuthorised return p, ErrNotAuthorised
} }
if desc.AuthServer != "" && creds.Token != "" { if creds.Token != "" {
aud, perms, err := token.Valid( aud, perms, err := token.Valid(
creds.Username, creds.Token, creds.Username, creds.Token, desc.AuthKeys,
desc.AuthKeys, desc.AuthServer,
) )
if err != nil { if err != nil {
log.Printf("Token authentication: %v", err) log.Printf("Token authentication: %v", err)
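Review bot: With the `desc.AuthServer` guard and the issuer check gone, the `aud` value returned by `token.Valid` at line 1100 is the only claim left that ties a token to this server, and the comparison of `aud` against the group's URL happens after this hunk, so it cannot be confirmed here and must not be weakened. The trust boundary is now `desc.AuthKeys` alone: any token whose signature verifies under one of those keys and whose `sub` matches the username reaches the `aud` check, whatever its `iss` says. I would say so at the call site: `// Issuer is not verified: trust comes from desc.AuthKeys plus the aud check below.` Since token verification now runs for every group as soon as a client sends a token, groups without `AuthKeys` will presumably hit the "key not found" path in getKey and log "Token authentication: ..." on every such attempt; worth confirming that is acceptable noise. GetPermission's body continues outside the hunk.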


@ -11,7 +11,6 @@ import (
) )
var ErrUnexpectedSub = errors.New("unexpected 'sub' field") var ErrUnexpectedSub = errors.New("unexpected 'sub' field")
var ErrUnexpectedIss = errors.New("unexpected 'iss' field")
func parseBase64(k string, d map[string]interface{}) ([]byte, error) { func parseBase64(k string, d map[string]interface{}) ([]byte, error) {
v, ok := d[k].(string) v, ok := d[k].(string)
@ -106,7 +105,7 @@ func getKey(header map[string]interface{}, keys []map[string]interface{}) (inter
return nil, errors.New("key not found") return nil, errors.New("key not found")
} }
func Valid(username, token string, keys []map[string]interface{}, issuer string) ([]string, map[string]interface{}, error) { func Valid(username, token string, keys []map[string]interface{}) ([]string, map[string]interface{}, error) {
tok, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) { tok, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
return getKey(t.Header, keys) return getKey(t.Header, keys)
}) })
@ -119,10 +118,6 @@ func Valid(username, token string, keys []map[string]interface{}, issuer string)
if !ok || sub != username { if !ok || sub != username {
return nil, nil, ErrUnexpectedSub return nil, nil, ErrUnexpectedSub
} }
iss, ok := claims["iss"].(string)
if !ok || iss != issuer {
return nil, nil, ErrUnexpectedIss
}
aud, ok := claims["aud"] aud, ok := claims["aud"]
var res []string var res []string
if ok { if ok {
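Review bot: `Valid` (hunk at line 105) has no doc comment describing what it does and does not verify, and after this change the omission matters: it checks the signature against `keys` and `sub` against `username`, returns `aud` and the permissions map unchecked, and ignores `iss` entirely. I would add above the signature: `// Valid verifies token's signature against keys and that its "sub" claim equals username. The "iss" claim is not checked; callers must compare the returned audience against their own URL before trusting the permissions.` The same point applies to the test file: the removed `ErrUnexpectedIss` case in TestValid means no test now states that a token with an unrelated `iss` is accepted by design, so the intended contract is only implied. getKey's body, which decides how the header selects a key and presumably rejects the unsigned token the test still expects to fail, is outside this diff.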


@ -75,9 +75,7 @@ func TestValid(t *testing.T) {
goodToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1MzkxLCJleHAiOjIyNzU5MTUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.PMgfwYwSLSFIfcNJdOEfHEZ41HM2CzbATuS1fTxncbaGyX-xXq7d9V04enXpLOMGnAlsZpOJvd7eJN2mngJMAg" goodToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1MzkxLCJleHAiOjIyNzU5MTUzOTEsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.PMgfwYwSLSFIfcNJdOEfHEZ41HM2CzbATuS1fTxncbaGyX-xXq7d9V04enXpLOMGnAlsZpOJvd7eJN2mngJMAg"
aud, perms, err := Valid( aud, perms, err := Valid("john", goodToken, keys)
"john", goodToken, keys, "http://localhost:1234/",
)
if err != nil { if err != nil {
t.Errorf("Token invalid: %v", err) t.Errorf("Token invalid: %v", err)
@ -92,26 +90,14 @@ func TestValid(t *testing.T) {
} }
} }
aud, perms, err = Valid( aud, perms, err = Valid("jack", goodToken, keys)
"jack", goodToken, keys, "http://localhost:1234/",
)
if err != ErrUnexpectedSub { if err != ErrUnexpectedSub {
t.Errorf("Token should have bad username") t.Errorf("Token should have bad username")
} }
aud, perms, err = Valid(
"john", goodToken, keys, "http://localhost:4567/",
)
if err != ErrUnexpectedIss {
t.Errorf("Token should have bad issuer")
}
badToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk2MDE5LCJleHAiOjIyNjAzNjQwMTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.4TN5zxzuKeNIw0rX0yirEkVYF1d0FHI_Lezmsa27ayi0R4ocSgTZ3q2bmlACXvyuoBqEEbuP4e77BUbGCHmpSg" badToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk2MDE5LCJleHAiOjIyNjAzNjQwMTksImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.4TN5zxzuKeNIw0rX0yirEkVYF1d0FHI_Lezmsa27ayi0R4ocSgTZ3q2bmlACXvyuoBqEEbuP4e77BUbGCHmpSg"
_, _, err = Valid( _, _, err = Valid("john", badToken, keys)
"john", badToken, keys,
"https://localhost:1234/group/auth/",
)
var verr *jwt.ValidationError var verr *jwt.ValidationError
if !errors.As(err, &verr) { if !errors.As(err, &verr) {
@ -120,10 +106,7 @@ func TestValid(t *testing.T) {
expiredToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NTY3LCJleHAiOjE2NDUxOTU1OTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.GXcLeyNVr5cnZjIECENyjMLH1HyNKWKkHMc9onvqA_RVYMyDLeeR_3NKH9Y7eKSXWC8jhatDWtH7Ed3KdsSxAA" expiredToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NTY3LCJleHAiOjE2NDUxOTU1OTcsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ.GXcLeyNVr5cnZjIECENyjMLH1HyNKWKkHMc9onvqA_RVYMyDLeeR_3NKH9Y7eKSXWC8jhatDWtH7Ed3KdsSxAA"
_, _, err = Valid( _, _, err = Valid("john", expiredToken, keys)
"john", expiredToken, keys,
"https://localhost:1234/group/auth/",
)
if !errors.As(err, &verr) { if !errors.As(err, &verr) {
t.Errorf("Token should be expired") t.Errorf("Token should be expired")
@ -131,11 +114,7 @@ func TestValid(t *testing.T) {
noneToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NzgyLCJleHAiOjIyNjAzNjM3ODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ." noneToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJzdWIiOiJqb2huIiwiYXVkIjoiaHR0cHM6Ly9nYWxlbmUub3JnOjg0NDMvZ3JvdXAvYXV0aC8iLCJwZXJtaXNzaW9ucyI6eyJwcmVzZW50Ijp0cnVlfSwiaWF0IjoxNjQ1MTk1NzgyLCJleHAiOjIyNjAzNjM3ODIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTIzNC8ifQ."
_, _, err = Valid( _, _, err = Valid("john", noneToken, keys)
"john", noneToken, keys,
"https://localhost:1234/group/auth/",
)
if err == nil { if err == nil {
t.Errorf("Unsigned token should fail") t.Errorf("Unsigned token should fail")
} }