Improve authentication configuration

607c65ed · Sietse Ringers · 6ed6d237 · 607c65ed · 607c65ed
Commit 607c65ed authored Aug 30, 2018 by Sietse Ringers
--- a/server/irmaserver/auth.go
+++ b/server/irmaserver/auth.go
@@ -18,7 +18,7 @@ type Authenticator interface {
 	Authenticate(
 		headers http.Header, body []byte,
 	) (applies bool, request irma.SessionRequest, requestor string, err *irma.RemoteError)
-	Initialize(requestors map[string]Requestor) error
+	Initialize(name string, requestor Requestor) error
 }

 type AuthenticationMethod string
@@ -37,7 +37,7 @@ type PresharedKeyAuthenticator struct {
 }
 type NilAuthenticator struct{}

-var authenticators map[string]Authenticator
+var authenticators map[AuthenticationMethod]Authenticator

 func (NilAuthenticator) Authenticate(
 	headers http.Header, body []byte,
@@ -52,7 +52,7 @@ func (NilAuthenticator) Authenticate(
 	return true, request, "", nil
 }

-func (NilAuthenticator) Initialize(requestors map[string]Requestor) error {
+func (NilAuthenticator) Initialize(name string, requestor Requestor) error {
 	return nil
 }

@@ -86,32 +86,27 @@ func (pkauth *PublicKeyAuthenticator) Authenticate(
 	return true, parsedJwt.SessionRequest(), requestor, nil
 }

-func (pkauth *PublicKeyAuthenticator) Initialize(requestors map[string]Requestor) error {
-	pkauth.publickeys = map[string]*rsa.PublicKey{}
-	for name, requestor := range requestors {
-		if requestor.AuthenticationMethod != AuthenticationMethodPublicKey {
-			continue
-		}
-		var bts []byte
-		var err error
-		if strings.HasPrefix(requestor.AuthenticationKey, "-----BEGIN") {
-			bts = []byte(requestor.AuthenticationKey)
-		}
-		if _, err := os.Stat(requestor.AuthenticationKey); err == nil {
-			bts, err = ioutil.ReadFile(requestor.AuthenticationKey)
-			if err != nil {
-				return err
-			}
-		}
-		if len(bts) == 0 {
-			return errors.Errorf("Requestor %s has invalid public key", name)
-		}
-		pk, err := jwt.ParseRSAPublicKeyFromPEM(bts)
+func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error {
+	var bts []byte
+	var err error
+	if strings.HasPrefix(requestor.AuthenticationKey, "-----BEGIN") {
+		bts = []byte(requestor.AuthenticationKey)
+	}
+	if _, err := os.Stat(requestor.AuthenticationKey); err == nil {
+		bts, err = ioutil.ReadFile(requestor.AuthenticationKey)
 		if err != nil {
 			return err
 		}
-		pkauth.publickeys[name] = pk
 	}
+	if len(bts) == 0 {
+		return errors.Errorf("Requestor %s has invalid public key", name)
+	}
+	pk, err := jwt.ParseRSAPublicKeyFromPEM(bts)
+	if err != nil {
+		return err
+	}
+	pkauth.publickeys[name] = pk
+
 	return nil
 }

@@ -133,17 +128,11 @@ func (pskauth *PresharedKeyAuthenticator) Authenticate(
 	return true, request, requestor, nil
 }

-func (pskauth *PresharedKeyAuthenticator) Initialize(requestors map[string]Requestor) error {
-	pskauth.presharedkeys = map[string]string{}
-	for name, requestor := range requestors {
-		if requestor.AuthenticationMethod != AuthenticationMethodPSK {
-			continue
-		}
-		if requestor.AuthenticationKey == "" {
-			return errors.Errorf("Requestor %s had no authentication key")
-		}
-		pskauth.presharedkeys[requestor.AuthenticationKey] = name
+func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error {
+	if requestor.AuthenticationKey == "" {
+		return errors.Errorf("Requestor %s had no authentication key")
 	}
+	pskauth.presharedkeys[requestor.AuthenticationKey] = name
 	return nil
 }


--- a/server/irmaserver/conf.go
+++ b/server/irmaserver/conf.go
@@ -6,6 +6,7 @@ import (
 	"strings"

 	"github.com/dgrijalva/jwt-go"
+	"github.com/go-errors/errors"
 	"github.com/privacybydesign/irmago"
 	"github.com/privacybydesign/irmago/internal/fs"
 	"github.com/privacybydesign/irmago/server"
@@ -104,7 +105,7 @@ func (conf *Configuration) initialize() error {

 	if !conf.AuthenticateRequestors {
 		conf.Logger.Warn("Requestor authentication disabled")
-		authenticators = map[string]Authenticator{AuthenticationMethodNone: NilAuthenticator{}}
+		authenticators = map[AuthenticationMethod]Authenticator{AuthenticationMethodNone: NilAuthenticator{}}

 		// Leaving the global permission whitelists empty in this mode means enabling it for everyone
 		if len(conf.GlobalPermissions.Disclosing) == 0 {
@@ -123,13 +124,17 @@ func (conf *Configuration) initialize() error {
 		return nil
 	}

-	authenticators = map[string]Authenticator{
-		AuthenticationMethodPublicKey: &PublicKeyAuthenticator{},
-		AuthenticationMethodPSK:       &PresharedKeyAuthenticator{},
+	authenticators = map[AuthenticationMethod]Authenticator{
+		AuthenticationMethodPublicKey: &PublicKeyAuthenticator{publickeys: map[string]*rsa.PublicKey{}},
+		AuthenticationMethodPSK:       &PresharedKeyAuthenticator{presharedkeys: map[string]string{}},
 	}

-	for _, authenticator := range authenticators {
-		if err := authenticator.Initialize(conf.Requestors); err != nil {
+	for name, requestor := range conf.Requestors {
+		authenticator, ok := authenticators[requestor.AuthenticationMethod]
+		if !ok {
+			return errors.Errorf("Requestor %s has unsupported authentication type")
+		}
+		if err := authenticator.Initialize(name, requestor); err != nil {
 			return err
 		}
 	}