mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 67 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5259 Commits
19 Branches
Tree: 7afd6dbc74
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7afd6dbc74'
${ noResults }
oragono/irc/jwt/bearer.go

bearer.go 3.6KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158 
  1. // Copyright (c) 2024 Shivaram Lingamneni <slingamn@cs.stanford.edu>

  2. // released under the MIT license

  3. 

  4. package jwt

  5. 

  6. import (

  7. 	"fmt"

  8. 	"io"

  9. 	"os"

  10. 	"strings"

  11. 

  12. 	jwt "github.com/golang-jwt/jwt/v5"

  13. )

  14. 

  15. var (

  16. 	ErrAuthDisabled        = fmt.Errorf("JWT authentication is disabled")

  17. 	ErrNoValidAccountClaim = fmt.Errorf("JWT token did not contain an acceptable account name claim")

  18. )

  19. 

  20. // JWTAuthConfig is the config for Ergo to accept JWTs via draft/bearer

  21. type JWTAuthConfig struct {

  22. 	Enabled    bool                 `yaml:"enabled"`

  23. 	Autocreate bool                 `yaml:"autocreate"`

  24. 	Tokens     []JWTAuthTokenConfig `yaml:"tokens"`

  25. }

  26. 

  27. type JWTAuthTokenConfig struct {

  28. 	Algorithm     string `yaml:"algorithm"`

  29. 	KeyString     string `yaml:"key"`

  30. 	KeyFile       string `yaml:"key-file"`

  31. 	key           any

  32. 	parser        *jwt.Parser

  33. 	AccountClaims []string `yaml:"account-claims"`

  34. 	StripDomain   string   `yaml:"strip-domain"`

  35. }

  36. 

  37. func (j *JWTAuthConfig) Postprocess() error {

  38. 	if !j.Enabled {

  39. 		return nil

  40. 	}

  41. 

  42. 	if len(j.Tokens) == 0 {

  43. 		return fmt.Errorf("JWT authentication enabled, but no valid tokens defined")

  44. 	}

  45. 

  46. 	for i := range j.Tokens {

  47. 		if err := j.Tokens[i].Postprocess(); err != nil {

  48. 			return err

  49. 		}

  50. 	}

  51. 

  52. 	return nil

  53. }

  54. 

  55. func (j *JWTAuthTokenConfig) Postprocess() error {

  56. 	keyBytes, err := j.keyBytes()

  57. 	if err != nil {

  58. 		return err

  59. 	}

  60. 

  61. 	j.Algorithm = strings.ToLower(j.Algorithm)

  62. 

  63. 	var methods []string

  64. 	switch j.Algorithm {

  65. 	case "hmac":

  66. 		j.key = keyBytes

  67. 		methods = []string{"HS256", "HS384", "HS512"}

  68. 	case "rsa":

  69. 		rsaKey, err := jwt.ParseRSAPublicKeyFromPEM(keyBytes)

  70. 		if err != nil {

  71. 			return err

  72. 		}

  73. 		j.key = rsaKey

  74. 		methods = []string{"RS256", "RS384", "RS512"}

  75. 	case "eddsa":

  76. 		eddsaKey, err := jwt.ParseEdPublicKeyFromPEM(keyBytes)

  77. 		if err != nil {

  78. 			return err

  79. 		}

  80. 		j.key = eddsaKey

  81. 		methods = []string{"EdDSA"}

  82. 	default:

  83. 		return fmt.Errorf("invalid jwt algorithm: %s", j.Algorithm)

  84. 	}

  85. 	j.parser = jwt.NewParser(jwt.WithValidMethods(methods))

  86. 

  87. 	if len(j.AccountClaims) == 0 {

  88. 		return fmt.Errorf("JWT auth enabled, but no account-claims specified")

  89. 	}

  90. 

  91. 	j.StripDomain = strings.ToLower(j.StripDomain)

  92. 	return nil

  93. }

  94. 

  95. func (j *JWTAuthConfig) Validate(t string) (accountName string, err error) {

  96. 	if !j.Enabled || len(j.Tokens) == 0 {

  97. 		return "", ErrAuthDisabled

  98. 	}

  99. 

  100. 	for i := range j.Tokens {

  101. 		accountName, err = j.Tokens[i].Validate(t)

  102. 		if err == nil {

  103. 			return

  104. 		}

  105. 	}

  106. 	return

  107. }

  108. 

  109. func (j *JWTAuthTokenConfig) keyBytes() (result []byte, err error) {

  110. 	if j.KeyFile != "" {

  111. 		o, err := os.Open(j.KeyFile)

  112. 		if err != nil {

  113. 			return nil, err

  114. 		}

  115. 		defer o.Close()

  116. 		return io.ReadAll(o)

  117. 	}

  118. 	if j.KeyString != "" {

  119. 		return []byte(j.KeyString), nil

  120. 	}

  121. 	return nil, fmt.Errorf("JWT auth enabled, but no JWT key specified")

  122. }

  123. 

  124. // implements jwt.Keyfunc

  125. func (j *JWTAuthTokenConfig) keyFunc(_ *jwt.Token) (interface{}, error) {

  126. 	return j.key, nil

  127. }

  128. 

  129. func (j *JWTAuthTokenConfig) Validate(t string) (accountName string, err error) {

  130. 	token, err := j.parser.Parse(t, j.keyFunc)

  131. 	if err != nil {

  132. 		return "", err

  133. 	}

  134. 

  135. 	claims, ok := token.Claims.(jwt.MapClaims)

  136. 	if !ok {

  137. 		// impossible with Parse (as opposed to ParseWithClaims)

  138. 		return "", fmt.Errorf("unexpected type from parsed token claims: %T", claims)

  139. 	}

  140. 

  141. 	for _, c := range j.AccountClaims {

  142. 		if v, ok := claims[c]; ok {

  143. 			if vstr, ok := v.(string); ok {

  144. 				// validate and strip email addresses:

  145. 				if idx := strings.IndexByte(vstr, '@'); idx != -1 {

  146. 					suffix := vstr[idx+1:]

  147. 					vstr = vstr[:idx]

  148. 					if strings.ToLower(suffix) != j.StripDomain {

  149. 						continue

  150. 					}

  151. 				}

  152. 				return vstr, nil // success

  153. 			}

  154. 		}

  155. 	}

  156. 

  157. 	return "", ErrNoValidAccountClaim

  158. }