|
@@ -19,8 +19,12 @@ var (
|
19
|
19
|
|
20
|
20
|
// JWTAuthConfig is the config for Ergo to accept JWTs via draft/bearer
|
21
|
21
|
type JWTAuthConfig struct {
|
22
|
|
- Enabled bool `yaml:"enabled"`
|
23
|
|
- Autocreate bool `yaml:"autocreate"`
|
|
22
|
+ Enabled bool `yaml:"enabled"`
|
|
23
|
+ Autocreate bool `yaml:"autocreate"`
|
|
24
|
+ Tokens []JWTAuthTokenConfig `yaml:"tokens"`
|
|
25
|
+}
|
|
26
|
+
|
|
27
|
+type JWTAuthTokenConfig struct {
|
24
|
28
|
Algorithm string `yaml:"algorithm"`
|
25
|
29
|
KeyString string `yaml:"key"`
|
26
|
30
|
KeyFile string `yaml:"key-file"`
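Review bot: The newly exported type `JWTAuthTokenConfig` (new line 27) has no doc comment, while its sibling `JWTAuthConfig` keeps the one on line 20; exported names are expected to carry one. Suggested text: `// JWTAuthTokenConfig describes one JWT signing key, given inline or via a file, together with the algorithm it is configured for.` The struct's closing brace is outside this hunk.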
|
|
@@ -35,6 +39,20 @@ func (j *JWTAuthConfig) Postprocess() error {
|
35
|
39
|
return nil
|
36
|
40
|
}
|
37
|
41
|
|
|
42
|
+ if len(j.Tokens) == 0 {
|
|
43
|
+ return fmt.Errorf("JWT authentication enabled, but no valid tokens defined")
|
|
44
|
+ }
|
|
45
|
+
|
|
46
|
+ for i := range j.Tokens {
|
|
47
|
+ if err := j.Tokens[i].Postprocess(); err != nil {
|
|
48
|
+ return err
|
|
49
|
+ }
|
|
50
|
+ }
|
|
51
|
+
|
|
52
|
+ return nil
|
|
53
|
+}
|
|
54
|
+
|
|
55
|
+func (j *JWTAuthTokenConfig) Postprocess() error {
|
38
|
56
|
keyBytes, err := j.keyBytes()
|
39
|
57
|
if err != nil {
|
40
|
58
|
return err
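Review bot: When a token entry fails its own Postprocess (new lines 47-48), the error is returned bare, so with several entries under `tokens` the operator cannot tell which one is misconfigured. Wrapping it as `return fmt.Errorf("JWT token %d: %w", i, err)` names the offending entry and keeps `errors.Is`/`errors.As` working; `fmt` is already used on line 43 of the same hunk. The `JWTAuthConfig.Postprocess` body begins above this hunk, and `JWTAuthTokenConfig.Postprocess` (line 55) continues past it.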
|
|
@@ -74,7 +92,21 @@ func (j *JWTAuthConfig) Postprocess() error {
|
74
|
92
|
return nil
|
75
|
93
|
}
|
76
|
94
|
|
77
|
|
-func (j *JWTAuthConfig) keyBytes() (result []byte, err error) {
|
|
95
|
+func (j *JWTAuthConfig) Validate(t string) (accountName string, err error) {
|
|
96
|
+ if !j.Enabled || len(j.Tokens) == 0 {
|
|
97
|
+ return "", ErrAuthDisabled
|
|
98
|
+ }
|
|
99
|
+
|
|
100
|
+ for i := range j.Tokens {
|
|
101
|
+ accountName, err = j.Tokens[i].Validate(t)
|
|
102
|
+ if err == nil {
|
|
103
|
+ return
|
|
104
|
+ }
|
|
105
|
+ }
|
|
106
|
+ return
|
|
107
|
+}
|
|
108
|
+
|
|
109
|
+func (j *JWTAuthTokenConfig) keyBytes() (result []byte, err error) {
|
78
|
110
|
if j.KeyFile != "" {
|
79
|
111
|
o, err := os.Open(j.KeyFile)
|
80
|
112
|
if err != nil {
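Review bot: When every configured token rejects the JWT, `JWTAuthConfig.Validate` (new lines 100-106) returns only the error from the last entry and discards the earlier failures, which makes it hard to see which key or algorithm was actually tried. Either collect them (`errs = append(errs, err)` inside the loop and `return "", errors.Join(errs...)` after it; Go 1.20+, and the module's Go version is not visible here) or return one fixed invalid-token error so that per-key detail stays out of the caller-facing result. The bare `return` on line 106 also hands back whatever `accountName` the last failing `Validate` produced; an explicit `return "", err` would not depend on the callee zeroing it. `JWTAuthTokenConfig.keyBytes` (line 109) continues past the end of this hunk.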
|
|
@@ -89,15 +121,11 @@ func (j *JWTAuthConfig) keyBytes() (result []byte, err error) {
|
89
|
121
|
}
|
90
|
122
|
|
91
|
123
|
// implements jwt.Keyfunc
|
92
|
|
-func (j *JWTAuthConfig) keyFunc(_ *jwt.Token) (interface{}, error) {
|
|
124
|
+func (j *JWTAuthTokenConfig) keyFunc(_ *jwt.Token) (interface{}, error) {
|
93
|
125
|
return j.key, nil
|
94
|
126
|
}
|
95
|
127
|
|
96
|
|
-func (j *JWTAuthConfig) Validate(t string) (accountName string, err error) {
|
97
|
|
- if !j.Enabled {
|
98
|
|
- return "", ErrAuthDisabled
|
99
|
|
- }
|
100
|
|
-
|
|
128
|
+func (j *JWTAuthTokenConfig) Validate(t string) (accountName string, err error) {
|
101
|
129
|
token, err := j.parser.Parse(t, j.keyFunc)
|
102
|
130
|
if err != nil {
|
103
|
131
|
return "", err
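Review bot: `keyFunc` (new lines 124-125) returns the configured key without inspecting the token it is handed, so the header's `alg` is only constrained if `j.parser` is built with a valid-methods restriction; that construction is in Postprocess, outside this hunk, and cannot be confirmed from here. If it is not, the check belongs in keyFunc, e.g. rename the `_` parameter to `tok` and add `if tok.Method.Alg() != j.Algorithm { return nil, fmt.Errorf("unexpected signing method %q", tok.Method.Alg()) }`, so a key is never used with an algorithm other than the one it was configured for. `JWTAuthTokenConfig.Validate` (line 128) also no longer carries the `Enabled` gate that the removed version had; a doc comment such as `// Validate verifies t against this single key; JWTAuthConfig.Validate applies the Enabled check.` would record that contract. The Validate body continues past the hunk.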
|