Commit 607c65ed authored by Sietse Ringers's avatar Sietse Ringers
Browse files

Improve authentication configuration

parent 6ed6d237
......@@ -18,7 +18,7 @@ type Authenticator interface {
Authenticate(
headers http.Header, body []byte,
) (applies bool, request irma.SessionRequest, requestor string, err *irma.RemoteError)
Initialize(requestors map[string]Requestor) error
Initialize(name string, requestor Requestor) error
}
type AuthenticationMethod string
......@@ -37,7 +37,7 @@ type PresharedKeyAuthenticator struct {
}
type NilAuthenticator struct{}
var authenticators map[string]Authenticator
var authenticators map[AuthenticationMethod]Authenticator
func (NilAuthenticator) Authenticate(
headers http.Header, body []byte,
......@@ -52,7 +52,7 @@ func (NilAuthenticator) Authenticate(
return true, request, "", nil
}
func (NilAuthenticator) Initialize(requestors map[string]Requestor) error {
func (NilAuthenticator) Initialize(name string, requestor Requestor) error {
return nil
}
......@@ -86,32 +86,27 @@ func (pkauth *PublicKeyAuthenticator) Authenticate(
return true, parsedJwt.SessionRequest(), requestor, nil
}
func (pkauth *PublicKeyAuthenticator) Initialize(requestors map[string]Requestor) error {
pkauth.publickeys = map[string]*rsa.PublicKey{}
for name, requestor := range requestors {
if requestor.AuthenticationMethod != AuthenticationMethodPublicKey {
continue
}
var bts []byte
var err error
if strings.HasPrefix(requestor.AuthenticationKey, "-----BEGIN") {
bts = []byte(requestor.AuthenticationKey)
}
if _, err := os.Stat(requestor.AuthenticationKey); err == nil {
bts, err = ioutil.ReadFile(requestor.AuthenticationKey)
if err != nil {
return err
}
}
if len(bts) == 0 {
return errors.Errorf("Requestor %s has invalid public key", name)
}
pk, err := jwt.ParseRSAPublicKeyFromPEM(bts)
func (pkauth *PublicKeyAuthenticator) Initialize(name string, requestor Requestor) error {
var bts []byte
var err error
if strings.HasPrefix(requestor.AuthenticationKey, "-----BEGIN") {
bts = []byte(requestor.AuthenticationKey)
}
if _, err := os.Stat(requestor.AuthenticationKey); err == nil {
bts, err = ioutil.ReadFile(requestor.AuthenticationKey)
if err != nil {
return err
}
pkauth.publickeys[name] = pk
}
if len(bts) == 0 {
return errors.Errorf("Requestor %s has invalid public key", name)
}
pk, err := jwt.ParseRSAPublicKeyFromPEM(bts)
if err != nil {
return err
}
pkauth.publickeys[name] = pk
return nil
}
......@@ -133,17 +128,11 @@ func (pskauth *PresharedKeyAuthenticator) Authenticate(
return true, request, requestor, nil
}
func (pskauth *PresharedKeyAuthenticator) Initialize(requestors map[string]Requestor) error {
pskauth.presharedkeys = map[string]string{}
for name, requestor := range requestors {
if requestor.AuthenticationMethod != AuthenticationMethodPSK {
continue
}
if requestor.AuthenticationKey == "" {
return errors.Errorf("Requestor %s had no authentication key")
}
pskauth.presharedkeys[requestor.AuthenticationKey] = name
func (pskauth *PresharedKeyAuthenticator) Initialize(name string, requestor Requestor) error {
if requestor.AuthenticationKey == "" {
return errors.Errorf("Requestor %s had no authentication key")
}
pskauth.presharedkeys[requestor.AuthenticationKey] = name
return nil
}
......
......@@ -6,6 +6,7 @@ import (
"strings"
"github.com/dgrijalva/jwt-go"
"github.com/go-errors/errors"
"github.com/privacybydesign/irmago"
"github.com/privacybydesign/irmago/internal/fs"
"github.com/privacybydesign/irmago/server"
......@@ -104,7 +105,7 @@ func (conf *Configuration) initialize() error {
if !conf.AuthenticateRequestors {
conf.Logger.Warn("Requestor authentication disabled")
authenticators = map[string]Authenticator{AuthenticationMethodNone: NilAuthenticator{}}
authenticators = map[AuthenticationMethod]Authenticator{AuthenticationMethodNone: NilAuthenticator{}}
// Leaving the global permission whitelists empty in this mode means enabling it for everyone
if len(conf.GlobalPermissions.Disclosing) == 0 {
......@@ -123,13 +124,17 @@ func (conf *Configuration) initialize() error {
return nil
}
authenticators = map[string]Authenticator{
AuthenticationMethodPublicKey: &PublicKeyAuthenticator{},
AuthenticationMethodPSK: &PresharedKeyAuthenticator{},
authenticators = map[AuthenticationMethod]Authenticator{
AuthenticationMethodPublicKey: &PublicKeyAuthenticator{publickeys: map[string]*rsa.PublicKey{}},
AuthenticationMethodPSK: &PresharedKeyAuthenticator{presharedkeys: map[string]string{}},
}
for _, authenticator := range authenticators {
if err := authenticator.Initialize(conf.Requestors); err != nil {
for name, requestor := range conf.Requestors {
authenticator, ok := authenticators[requestor.AuthenticationMethod]
if !ok {
return errors.Errorf("Requestor %s has unsupported authentication type")
}
if err := authenticator.Initialize(name, requestor); err != nil {
return err
}
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment