simon987/task_tracker
1
0
Fork 0
mirror of https://github.com/simon987/task_tracker.git synced 2025-04-19 18:16:45 +00:00
Code Issues Projects Releases Wiki Activity

Rework auth

Browse Source
This commit is contained in:
simon987 2019-03-30 10:16:46 -04:00
parent ae32cb43d1
commit 26dee89672
5 changed files with 25 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/log.go
View File

@ -47,7 +47,7 @@ func (api *WebAPI) SetupLogger() {
func (api *WebAPI) parseLogEntry(r *Request) (*LogRequest, error) { func (api *WebAPI) parseLogEntry(r *Request) (*LogRequest, error) {
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err != nil { if err != nil {
return nil, err return nil, err
} }

4
api/project.go
View File

@ -380,7 +380,7 @@ func (api *WebAPI) CreateWorkerAccess(r *Request) {
return return
} }
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err != nil { if err != nil {
r.Json(JsonResponse{ r.Json(JsonResponse{
Ok: false, Ok: false,
@ -578,7 +578,7 @@ func (api *WebAPI) GetSecret(r *Request) {
var secret string var secret string
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err == nil { if err == nil {
secret, err = api.Database.GetSecret(pid, worker.Id) secret, err = api.Database.GetSecret(pid, worker.Id)
if err != nil { if err != nil {

62
api/task.go
View File

@ -2,22 +2,19 @@ package api
import ( import (
"bytes" "bytes"
"crypto" "encoding/base64"
"crypto/hmac"
"encoding/hex"
"encoding/json" "encoding/json"
"errors" "errors"
"github.com/dchest/siphash" "github.com/dchest/siphash"
"github.com/simon987/task_tracker/storage" "github.com/simon987/task_tracker/storage"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"math"
"strconv" "strconv"
"time" "time"
) )
func (api *WebAPI) SubmitTask(r *Request) { func (api *WebAPI) SubmitTask(r *Request) {
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err != nil { if err != nil {
r.Json(JsonResponse{ r.Json(JsonResponse{
Ok: false, Ok: false,
@ -96,7 +93,7 @@ func (api *WebAPI) SubmitTask(r *Request) {
func (api *WebAPI) GetTaskFromProject(r *Request) { func (api *WebAPI) GetTaskFromProject(r *Request) {
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err != nil { if err != nil {
r.Json(JsonResponse{ r.Json(JsonResponse{
Ok: false, Ok: false,
@ -152,34 +149,16 @@ func (api *WebAPI) GetTaskFromProject(r *Request) {
}) })
} }
func (api *WebAPI) validateSignature(r *Request) (*storage.Worker, error) { func (api *WebAPI) validateSecret(r *Request) (*storage.Worker, error) {
widStr := string(r.Ctx.Request.Header.Peek("X-Worker-Id")) widStr := string(r.Ctx.Request.Header.Peek("X-Worker-Id"))
timeStampStr := string(r.Ctx.Request.Header.Peek("Timestamp")) secretHeader := r.Ctx.Request.Header.Peek("X-Secret")
signature := r.Ctx.Request.Header.Peek("X-Signature")
if widStr == "" { if widStr == "" {
return nil, errors.New("worker id not specified") return nil, errors.New("worker id not specified")
} }
if timeStampStr == "" { if bytes.Equal(secretHeader, []byte("")) {
return nil, errors.New("date is not specified") return nil, errors.New("secret is not specified")
}
timestamp, err := time.Parse(time.RFC1123, timeStampStr)
if err != nil {
logrus.WithError(err).WithFields(logrus.Fields{
"date": timeStampStr,
}).Warn("Can't parse Timestamp")
return nil, err
}
if math.Abs(float64(timestamp.Unix()-time.Now().Unix())) > 60 {
logrus.WithError(err).WithFields(logrus.Fields{
"date": timeStampStr,
}).Warn("Invalid Timestamp")
return nil, errors.New("invalid Timestamp")
} }
wid, err := strconv.ParseInt(widStr, 10, 64) wid, err := strconv.ParseInt(widStr, 10, 64)
@ -201,29 +180,18 @@ func (api *WebAPI) validateSignature(r *Request) (*storage.Worker, error) {
return nil, errors.New("worker id does not match any valid worker") return nil, errors.New("worker id does not match any valid worker")
} }
var body []byte secret := make([]byte, base64.StdEncoding.EncodedLen(len(worker.Secret)))
if r.Ctx.Request.Header.IsGet() { secretLen, _ := base64.StdEncoding.Decode(secret, secretHeader)
body = r.Ctx.Request.RequestURI() matches := bytes.Equal(worker.Secret, secret[:secretLen])
} else {
body = r.Ctx.Request.Body()
}
mac := hmac.New(crypto.SHA256.New, worker.Secret)
mac.Write(body)
mac.Write([]byte(timeStampStr))
expectedMac := make([]byte, 64)
hex.Encode(expectedMac, mac.Sum(nil))
matches := bytes.Compare(expectedMac, signature) == 0
logrus.WithFields(logrus.Fields{ logrus.WithFields(logrus.Fields{
"expected": string(expectedMac), "expected": string(worker.Secret),
"signature": string(signature), "header": string(secretHeader),
"matches": matches, "matches": matches,
}).Trace("Validating Worker signature") }).Trace("Validating Worker secret")
if !matches { if !matches {
return nil, errors.New("invalid signature") return nil, errors.New("invalid secret")
} }
return worker, nil return worker, nil
@ -231,7 +199,7 @@ func (api *WebAPI) validateSignature(r *Request) (*storage.Worker, error) {
func (api *WebAPI) ReleaseTask(r *Request) { func (api *WebAPI) ReleaseTask(r *Request) {
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err != nil { if err != nil {
r.Json(JsonResponse{ r.Json(JsonResponse{
Ok: false, Ok: false,

2
api/worker.go
View File

@ -92,7 +92,7 @@ func (api *WebAPI) GetWorker(r *Request) {
func (api *WebAPI) UpdateWorker(r *Request) { func (api *WebAPI) UpdateWorker(r *Request) {
worker, err := api.validateSignature(r) worker, err := api.validateSecret(r)
if err != nil { if err != nil {
r.Json(JsonResponse{ r.Json(JsonResponse{
Ok: false, Ok: false,

29
test/common.go
View File

@ -2,9 +2,7 @@ package test
import ( import (
"bytes" "bytes"
"crypto" "encoding/base64"
"crypto/hmac"
"encoding/hex"
"encoding/json" "encoding/json"
"fmt" "fmt"
"github.com/simon987/task_tracker/api" "github.com/simon987/task_tracker/api"
@ -14,7 +12,6 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"strconv" "strconv"
"time"
) )
type SessionContext struct { type SessionContext struct {
@ -40,17 +37,9 @@ func Post(path string, x interface{}, worker *storage.Worker, s *http.Client) *h
handleErr(err) handleErr(err)
if worker != nil { if worker != nil {
ts := time.Now().Format(time.RFC1123)
mac := hmac.New(crypto.SHA256.New, worker.Secret)
mac.Write(body)
mac.Write([]byte(ts))
sig := hex.EncodeToString(mac.Sum(nil))
req.Header.Add("X-Worker-Id", strconv.FormatInt(worker.Id, 10)) req.Header.Add("X-Worker-Id", strconv.FormatInt(worker.Id, 10))
req.Header.Add("X-Signature", sig) secretHeader := base64.StdEncoding.EncodeToString(worker.Secret)
req.Header.Add("Timestamp", ts) req.Header.Add("X-Secret", string(secretHeader))
} }
r, err := s.Do(req) r, err := s.Do(req)
@ -69,17 +58,9 @@ func Get(path string, worker *storage.Worker, s *http.Client) *http.Response {
req, err := http.NewRequest("GET", url, nil) req, err := http.NewRequest("GET", url, nil)
if worker != nil { if worker != nil {
ts := time.Now().Format(time.RFC1123)
mac := hmac.New(crypto.SHA256.New, worker.Secret)
mac.Write([]byte(path))
mac.Write([]byte(ts))
sig := hex.EncodeToString(mac.Sum(nil))
req.Header.Add("X-Worker-Id", strconv.FormatInt(worker.Id, 10)) req.Header.Add("X-Worker-Id", strconv.FormatInt(worker.Id, 10))
req.Header.Add("X-Signature", sig) secretHeader := base64.StdEncoding.EncodeToString(worker.Secret)
req.Header.Add("Timestamp", ts) req.Header.Add("X-Secret", string(secretHeader))
} }
r, err := s.Do(req) r, err := s.Do(req)