607c65ed
Commit
607c65ed
authored
Aug 30, 2018
by
Sietse Ringers
Improve authentication configuration
parent
6ed6d237
Changes
2
server/irmaserver/auth.go
...
...
@@ -18,7 +18,7 @@ type Authenticator interface {
Authenticate
(
headers
http
.
Header
,
body
[]
byte
,
)
(
applies
bool
,
request
irma
.
SessionRequest
,
requestor
string
,
err
*
irma
.
RemoteError
)
Initialize
(
requestors
map
[
string
]
Requestor
)
error
Initialize
(
name
string
,
requestor
Requestor
)
error
}
type
AuthenticationMethod
string
...
...
@@ -37,7 +37,7 @@ type PresharedKeyAuthenticator struct {
}
type
NilAuthenticator
struct
{}
var
authenticators
map
[
string
]
Authenticator
var
authenticators
map
[
AuthenticationMethod
]
Authenticator
func
(
NilAuthenticator
)
Authenticate
(
headers
http
.
Header
,
body
[]
byte
,
...
...
@@ -52,7 +52,7 @@ func (NilAuthenticator) Authenticate(
return
true
,
request
,
""
,
nil
}
func
(
NilAuthenticator
)
Initialize
(
requestors
map
[
string
]
Requestor
)
error
{
func
(
NilAuthenticator
)
Initialize
(
name
string
,
requestor
Requestor
)
error
{
return
nil
}
...
...
@@ -86,32 +86,27 @@ func (pkauth *PublicKeyAuthenticator) Authenticate(
return
true
,
parsedJwt
.
SessionRequest
(),
requestor
,
nil
}
func
(
pkauth
*
PublicKeyAuthenticator
)
Initialize
(
requestors
map
[
string
]
Requestor
)
error
{
pkauth
.
publickeys
=
map
[
string
]
*
rsa
.
PublicKey
{}
for
name
,
requestor
:=
range
requestors
{
if
requestor
.
AuthenticationMethod
!=
AuthenticationMethodPublicKey
{
continue
}
var
bts
[]
byte
var
err
error
if
strings
.
HasPrefix
(
requestor
.
AuthenticationKey
,
"-----BEGIN"
)
{
bts
=
[]
byte
(
requestor
.
AuthenticationKey
)
}
if
_
,
err
:=
os
.
Stat
(
requestor
.
AuthenticationKey
);
err
==
nil
{
bts
,
err
=
ioutil
.
ReadFile
(
requestor
.
AuthenticationKey
)
if
err
!=
nil
{
return
err
}
}
if
len
(
bts
)
==
0
{
return
errors
.
Errorf
(
"Requestor %s has invalid public key"
,
name
)
}
pk
,
err
:=
jwt
.
ParseRSAPublicKeyFromPEM
(
bts
)
func
(
pkauth
*
PublicKeyAuthenticator
)
Initialize
(
name
string
,
requestor
Requestor
)
error
{
var
bts
[]
byte
var
err
error
if
strings
.
HasPrefix
(
requestor
.
AuthenticationKey
,
"-----BEGIN"
)
{
bts
=
[]
byte
(
requestor
.
AuthenticationKey
)
}
if
_
,
err
:=
os
.
Stat
(
requestor
.
AuthenticationKey
);
err
==
nil
{
bts
,
err
=
ioutil
.
ReadFile
(
requestor
.
AuthenticationKey
)
if
err
!=
nil
{
return
err
}
pkauth
.
publickeys
[
name
]
=
pk
}
if
len
(
bts
)
==
0
{
return
errors
.
Errorf
(
"Requestor %s has invalid public key"
,
name
)
}
pk
,
err
:=
jwt
.
ParseRSAPublicKeyFromPEM
(
bts
)
if
err
!=
nil
{
return
err
}
pkauth
.
publickeys
[
name
]
=
pk
return
nil
}
...
...
@@ -133,17 +128,11 @@ func (pskauth *PresharedKeyAuthenticator) Authenticate(
return
true
,
request
,
requestor
,
nil
}
func
(
pskauth
*
PresharedKeyAuthenticator
)
Initialize
(
requestors
map
[
string
]
Requestor
)
error
{
pskauth
.
presharedkeys
=
map
[
string
]
string
{}
for
name
,
requestor
:=
range
requestors
{
if
requestor
.
AuthenticationMethod
!=
AuthenticationMethodPSK
{
continue
}
if
requestor
.
AuthenticationKey
==
""
{
return
errors
.
Errorf
(
"Requestor %s had no authentication key"
)
}
pskauth
.
presharedkeys
[
requestor
.
AuthenticationKey
]
=
name
func
(
pskauth
*
PresharedKeyAuthenticator
)
Initialize
(
name
string
,
requestor
Requestor
)
error
{
if
requestor
.
AuthenticationKey
==
""
{
return
errors
.
Errorf
(
"Requestor %s had no authentication key"
)
}
pskauth
.
presharedkeys
[
requestor
.
AuthenticationKey
]
=
name
return
nil
}
...
...
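Review bot: In PresharedKeyAuthenticator.Initialize the entry `pskauth.presharedkeys[requestor.AuthenticationKey] = name` is keyed by the secret itself, so two requestors configured with the same key silently overwrite each other and the earlier one presumably ends up being identified under the later one's name in Authenticate; a duplicate check before the assignment, `if _, dup := pskauth.presharedkeys[requestor.AuthenticationKey]; dup { return errors.Errorf("Requestor %s shares its authentication key with another requestor", name) }`, turns this into a configuration error instead. The error a few lines earlier, `errors.Errorf("Requestor %s had no authentication key")`, carries a %s verb but no argument and should pass `name`; the new loop in conf.go has the same omission in "Requestor %s has unsupported authentication type". Both new Initialize methods also write into `pkauth.publickeys` / `pskauth.presharedkeys` without a nil check, so they now depend on the caller having allocated those maps the way conf.go does; a guard such as `if pskauth.presharedkeys == nil { pskauth.presharedkeys = map[string]string{} }` (and its rsa.PublicKey counterpart) would keep the types usable from their zero value.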
server/irmaserver/conf.go
...
...
@@ -6,6 +6,7 @@ import (
"strings"
"github.com/dgrijalva/jwt-go"
"github.com/go-errors/errors"
"github.com/privacybydesign/irmago"
"github.com/privacybydesign/irmago/internal/fs"
"github.com/privacybydesign/irmago/server"
...
...
@@ -104,7 +105,7 @@ func (conf *Configuration) initialize() error {
if
!
conf
.
AuthenticateRequestors
{
conf
.
Logger
.
Warn
(
"Requestor authentication disabled"
)
authenticators
=
map
[
string
]
Authenticator
{
AuthenticationMethodNone
:
NilAuthenticator
{}}
authenticators
=
map
[
AuthenticationMethod
]
Authenticator
{
AuthenticationMethodNone
:
NilAuthenticator
{}}
// Leaving the global permission whitelists empty in this mode means enabling it for everyone
if
len
(
conf
.
GlobalPermissions
.
Disclosing
)
==
0
{
...
...
@@ -123,13 +124,17 @@ func (conf *Configuration) initialize() error {
return
nil
}
authenticators
=
map
[
string
]
Authenticator
{
AuthenticationMethodPublicKey
:
&
PublicKeyAuthenticator
{},
AuthenticationMethodPSK
:
&
PresharedKeyAuthenticator
{},
authenticators
=
map
[
AuthenticationMethod
]
Authenticator
{
AuthenticationMethodPublicKey
:
&
PublicKeyAuthenticator
{
publickeys
:
map
[
string
]
*
rsa
.
PublicKey
{}
},
AuthenticationMethodPSK
:
&
PresharedKeyAuthenticator
{
presharedkeys
:
map
[
string
]
string
{}
},
}
for
_
,
authenticator
:=
range
authenticators
{
if
err
:=
authenticator
.
Initialize
(
conf
.
Requestors
);
err
!=
nil
{
for
name
,
requestor
:=
range
conf
.
Requestors
{
authenticator
,
ok
:=
authenticators
[
requestor
.
AuthenticationMethod
]
if
!
ok
{
return
errors
.
Errorf
(
"Requestor %s has unsupported authentication type"
)
}
if
err
:=
authenticator
.
Initialize
(
name
,
requestor
);
err
!=
nil
{
return
err
}
}
...
...
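Review bot: The lookup `authenticator, ok := authenticators[requestor.AuthenticationMethod]` in the new per-requestor loop of initialize() is now the only place that decides which authentication methods a configured requestor may use, and since the map built just above registers only AuthenticationMethodPublicKey and AuthenticationMethodPSK, a requestor left at AuthenticationMethodNone is rejected whenever AuthenticateRequestors is enabled. That fail-closed behaviour is worth stating, because the same constant is accepted in the early-return branch above; a comment before the loop such as `// Only methods registered above are accepted; any other value (including AuthenticationMethodNone) is a configuration error once requestor authentication is enabled.` would make the intent explicit. The rejection message would also be more actionable if it named the offending value, e.g. `"Requestor %s has unsupported authentication type %q", name, requestor.AuthenticationMethod`. The enclosing function starts before the hunk.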