Redesign authentication protocol

wpetit 2019-02-22 17:35:49 +01:00
parent 4a69555578
commit 19732daaf5
33 changed files with 791 additions and 413 deletions

.gitignore vendored

@ -1,2 +1,4 @@
/coverage
/vendor
/vendor
/bin
/testdata


@ -26,5 +26,7 @@ doc:
@echo "open your browser to http://localhost:6060/pkg/forge.cadoles.com/wpetit/go-http-peering to see the documentation"
godoc -http=:6060
bin/keygen:
go build -o bin/keygen ./cmd/keygen
.PHONY: test lint doc sequence-diagram
.PHONY: test lint doc sequence-diagram bin/keygen


@ -1,15 +1,17 @@
package chi
import (
"crypto/rsa"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/server"
"github.com/go-chi/chi"
)
func Mount(r chi.Router, store peering.Store, funcs ...server.OptionFunc) {
r.Post(peering.AdvertisePath, server.AdvertiseHandler(store, funcs...))
func Mount(r chi.Router, store peering.Store, key *rsa.PublicKey, funcs ...server.OptionFunc) {
r.Post(peering.AdvertisePath, server.AdvertiseHandler(store, key, funcs...))
r.Group(func(r chi.Router) {
r.Use(server.Authenticate(store, funcs...))
r.Use(server.Authenticate(store, key, funcs...))
r.Post(peering.UpdatePath, server.UpdateHandler(store, funcs...))
r.Post(peering.PingPath, server.PingHandler(store, funcs...))
})
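Review bot: `Mount` forwards the new `key *rsa.PublicKey` to `AdvertiseHandler` and `Authenticate` with no nil check and no doc comment, so a caller that wires a nil key finds out only when the first server token is verified. Rejecting it at mount time is cheap, `if key == nil { panic("chi: Mount called with a nil server public key") }`, and a doc comment such as `// Mount registers the peering routes on r. key is the public key used to verify the server token (X-Server-Token) presented by peers.` records what the parameter is for. Mount's closing brace is outside the hunk.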


@ -4,6 +4,7 @@ import (
"testing"
peering "forge.cadoles.com/wpetit/go-http-peering"
peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
"forge.cadoles.com/wpetit/go-http-peering/memory"
"github.com/go-chi/chi"
)
@ -13,7 +14,12 @@ func TestMount(t *testing.T) {
r := chi.NewRouter()
store := memory.NewStore()
Mount(r, store)
pk, err := peeringCrypto.CreateRSAKey(1024)
if err != nil {
t.Fatal(err)
}
Mount(r, store, &pk.PublicKey)
routes := r.Routes()


@ -2,10 +2,10 @@ package client
import (
"bytes"
"crypto/rsa"
"crypto/sha256"
"encoding/json"
"errors"
"fmt"
"net/http"
"time"
@ -25,6 +25,7 @@ var (
ErrUnexpectedResponse = errors.New("unexpected response")
ErrUnauthorized = errors.New("unauthorized")
ErrRejected = errors.New("rejected")
ErrInvalidServerToken = errors.New("invalid server token")
)
type Client struct {
@ -40,18 +41,15 @@ func (c *Client) Advertise(attrs peering.PeerAttributes) error {
}
data := &peering.AdvertisingRequest{
ID: c.options.PeerID,
Attributes: attrs,
PublicKey: publicKey,
}
req, _, err := c.createPostRequest(url, data)
res, err := c.Post(url, data)
if err != nil {
return err
}
res, err := c.options.HTTPClient.Do(req)
switch res.StatusCode {
case http.StatusCreated:
return nil
@ -111,7 +109,7 @@ func (c *Client) Get(url string) (*http.Response, error) {
if err != nil {
return nil, err
}
if err := c.signRequest(req, nil); err != nil {
if err := c.addClientToken(req, nil); err != nil {
return nil, err
}
return c.options.HTTPClient.Do(req)
@ -122,7 +120,7 @@ func (c *Client) Post(url string, data interface{}) (*http.Response, error) {
if err != nil {
return nil, err
}
if err := c.signRequest(req, body); err != nil {
if err := c.addClientToken(req, body); err != nil {
return nil, err
}
return c.options.HTTPClient.Do(req)
@ -144,16 +142,22 @@ func (c *Client) createPostRequest(url string, data interface{}) (*http.Request,
return req, body, nil
}
func (c *Client) signRequest(r *http.Request, body []byte) error {
func (c *Client) addServerToken(r *http.Request) {
r.Header.Set(
server.ServerTokenHeader,
c.options.ServerToken,
)
}
func (c *Client) addClientToken(r *http.Request, body []byte) error {
bodySum, err := c.createBodySum(body)
if err != nil {
return err
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.PeerClaims{
token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.ClientTokenClaims{
StandardClaims: jwt.StandardClaims{
NotBefore: time.Now().Unix(),
Issuer: string(c.options.PeerID),
ExpiresAt: time.Now().Add(time.Minute * 10).Unix(),
},
BodySum: bodySum,
@ -164,7 +168,9 @@ func (c *Client) signRequest(r *http.Request, body []byte) error {
return err
}
r.Header.Set("Authorization", fmt.Sprintf("%s %s", server.AuthorizationType, tokenStr))
r.Header.Set(server.ClientTokenHeader, tokenStr)
c.addServerToken(r)
return nil
}
@ -181,6 +187,27 @@ func (c *Client) createBodySum(body []byte) ([]byte, error) {
return sha.Sum(nil), nil
}
func (c *Client) PeerID(serverPublicKey *rsa.PublicKey) (peering.PeerID, error) {
token, err := jwt.ParseWithClaims(
c.options.ServerToken,
&peering.ServerTokenClaims{},
func(token *jwt.Token) (interface{}, error) {
return serverPublicKey, nil
},
)
if err != nil {
return "", err
}
if !token.Valid {
return "", ErrInvalidServerToken
}
serverClaims, ok := token.Claims.(*peering.ServerTokenClaims)
if !ok {
return "", ErrInvalidServerToken
}
return serverClaims.PeerID, nil
}
func New(funcs ...OptionFunc) *Client {
options := createOptions(funcs...)
return &Client{options}
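Review bot: The key function passed to `jwt.ParseWithClaims` in `PeerID` returns `serverPublicKey` without looking at `token.Method`, so the signing algorithm is dictated by the untrusted token header rather than pinned by the verifier. jwt-go v3 happens to reject an RSA key for its HMAC methods and disallows `none` unless explicitly opted in, but pinning the expected family is the standard defence-in-depth and is one line inside the callback: `if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, ErrInvalidServerToken }`. `assertServerToken` on the server side (not in this file) presumably parses the same token and deserves the same check. `PeerID` is exported and would benefit from a doc comment stating that it returns the peer ID carried by the configured server token after verifying its signature against serverPublicKey.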

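--- a/client/client_test.go
+++ b/client/client_test.go
@@ -0,0 +1,44 @@
+package client
+import (
+"crypto/rand"
+"crypto/rsa"
+"testing"
+peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+peering "forge.cadoles.com/wpetit/go-http-peering"
+)
+func TestClientPeerID(t *testing.T) {
+serverPK := mustGeneratePrivateKey()
+peerID := peering.NewPeerID()
+serverToken, err := peeringCrypto.CreateServerToken(serverPK, "test", peerID)
+if err != nil {
+t.Fatal(err)
+}
+client := New(
+WithServerToken(serverToken),
+)
+clientPeerID, err := client.PeerID(&serverPK.PublicKey)
+if err != nil {
+t.Fatal(err)
+}
+if g, e := clientPeerID, peerID; g != e {
+t.Errorf("client.PeerID(): got '%v', expected '%v'", g, e)
+}
+}
+func mustGeneratePrivateKey() *rsa.PrivateKey {
+privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+if err != nil {
+panic(err)
+}
+return privateKey
+}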


@ -3,22 +3,24 @@ package client
import (
"crypto/rsa"
"net/http"
peering "forge.cadoles.com/wpetit/go-http-peering"
)
type HTTPClient interface {
Do(*http.Request) (*http.Response, error)
}
type Options struct {
PeerID peering.PeerID
HTTPClient *http.Client
BaseURL string
PrivateKey *rsa.PrivateKey
HTTPClient HTTPClient
BaseURL string
PrivateKey *rsa.PrivateKey
ServerToken string
}
type OptionFunc func(*Options)
func WithPeerID(id peering.PeerID) OptionFunc {
func WithServerToken(token string) OptionFunc {
return func(opts *Options) {
opts.PeerID = id
opts.ServerToken = token
}
}
@ -28,7 +30,7 @@ func WithPrivateKey(pk *rsa.PrivateKey) OptionFunc {
}
}
func WithHTTPClient(client *http.Client) OptionFunc {
func WithHTTPClient(client HTTPClient) OptionFunc {
return func(opts *Options) {
opts.HTTPClient = client
}
@ -43,7 +45,6 @@ func WithBaseURL(url string) OptionFunc {
func defaultOptions() *Options {
return &Options{
HTTPClient: http.DefaultClient,
PeerID: peering.NewPeerID(),
}
}

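--- a/cmd/keygen/README.md
+++ b/cmd/keygen/README.md
@@ -0,0 +1,33 @@
+# keygen
+Utilitaire de génération de jetons d'authentifications.
+## Usage
+### Créer une nouvelle clé privée
+```
+bin/keygen -create-key
+```
+### Récupérer la clé publique associée à une clé privée précedemment créée
+```
+bin/keygen -get-public-key -key chemin/vers/clé/privée
+```
+### Générer un jeton d'authentification à partir d'une clé privée
+```
+bin/keygen -create-token -key chemin/vers/clé/privée
+```
+### Afficher l'aide
+```
+bin/keygen -help
+```
+## Mode sans interaction
+Les commandes nécessitant l'entrée d'une phrase de passe peuvent utiliser la variable d'environnement `KEY_PASSPHRASE` pour fonctionner sans interaction.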

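--- a/cmd/keygen/create_key.go
+++ b/cmd/keygen/create_key.go
@@ -0,0 +1,23 @@
+package main
+import (
+"fmt"
+"forge.cadoles.com/wpetit/go-http-peering/crypto"
+)
+func createKey() {
+passphrase, err := getPassphrase()
+if err != nil {
+handleError(err)
+}
+key, err := crypto.CreateRSAKey(keySize)
+if err != nil {
+handleError(err)
+}
+privatePEM, err := crypto.EncodePrivateKeyToEncryptedPEM(key, passphrase)
+if err != nil {
+handleError(err)
+}
+fmt.Print(string(privatePEM))
+}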


@ -0,0 +1,21 @@
package main
import (
"fmt"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
peering "forge.cadoles.com/wpetit/go-http-peering"
)
func createToken() {
privateKey, err := loadPrivateKey()
if err != nil {
handleError(err)
}
token, err := crypto.CreateServerToken(privateKey, tokenIssuer, peering.PeerID(tokenPeerID))
if err != nil {
handleError(err)
}
fmt.Println(token)
}


@ -0,0 +1,19 @@
package main
import (
"fmt"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
)
func getPublicKey() {
privateKey, err := loadPrivateKey()
if err != nil {
handleError(err)
}
publicPEM, err := crypto.EncodePublicKeyToPEM(privateKey.Public())
if err != nil {
handleError(err)
}
fmt.Print(string(publicPEM))
}

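--- a/cmd/keygen/main.go
+++ b/cmd/keygen/main.go
@@ -0,0 +1,54 @@
+package main
+import (
+"flag"
+"github.com/pborman/uuid"
+)
+// nolint:gochecknoglobals
+var (
+createKeyCmd = false
+getPublicKeyCmd = false
+createTokenCmd = false
+debug = false
+keyFile string
+tokenIssuer string
+tokenPeerID = uuid.New()
+keySize = 2048
+)
+// nolint:gochecknoinits
+func init() {
+flag.BoolVar(
+&createKeyCmd, "create-key", createKeyCmd,
+"Create a new encrypted PEM private key to sign authentication tokens",
+)
+flag.BoolVar(
+&createTokenCmd, "create-token", createTokenCmd,
+"Create a new signed authentication token",
+)
+flag.BoolVar(
+&getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
+"Get the PEM encoded public key associated with the private key",
+)
+flag.BoolVar(&debug, "debug", debug, "Debug mode")
+flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
+flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
+flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
+flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
+}
+func main() {
+flag.Parse()
+switch {
+case createKeyCmd:
+createKey()
+case getPublicKeyCmd:
+getPublicKey()
+case createTokenCmd:
+createToken()
+default:
+flag.Usage()
+}
+}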
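Review bot: `keySize` goes straight from the `-key-size` flag into `createKey`, so nothing stops the tool from emitting a signing key far smaller than the 2048-bit default it otherwise uses. A lower bound after `flag.Parse()`, e.g. `if createKeyCmd && keySize < 2048 { handleError(errors.New("key size must be at least 2048 bits")) }` (with `errors` imported), keeps the generator from producing weak keys by mistake. The command `switch` also runs only the first command flag that is set and silently ignores the others; either document that one command runs per invocation or reject combinations with `flag.Usage()`.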

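--- a/cmd/keygen/util.go
+++ b/cmd/keygen/util.go
@@ -0,0 +1,96 @@
+package main
+import (
+"bytes"
+"crypto/rand"
+"crypto/rsa"
+"crypto/x509"
+"encoding/pem"
+"errors"
+"fmt"
+"io/ioutil"
+"os"
+"syscall"
+"forge.cadoles.com/wpetit/go-http-peering/crypto"
+"golang.org/x/crypto/ssh/terminal"
+)
+func getPassphrase() ([]byte, error) {
+passphrase := os.Getenv("KEY_PASSPHRASE")
+if passphrase != "" {
+return []byte(passphrase), nil
+}
+return askPassphrase()
+}
+func askPassphrase() ([]byte, error) {
+fmt.Print("Passphrase: ")
+passphrase, err := terminal.ReadPassword(syscall.Stdin)
+if err != nil {
+return nil, err
+}
+fmt.Println()
+fmt.Print("Confirm passphrase: ")
+passphraseConfirmation, err := terminal.ReadPassword(syscall.Stdin)
+if err != nil {
+return nil, err
+}
+fmt.Println()
+if !bytes.Equal(passphrase, passphraseConfirmation) {
+return nil, errors.New("passphrases does not match")
+}
+return passphrase, nil
+}
+func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
+if passphrase == nil {
+return nil, errors.New("passphrase cannot be empty")
+}
+// Convert it to pem
+block := &pem.Block{
+Type: "RSA PRIVATE KEY",
+Bytes: x509.MarshalPKCS1PrivateKey(key),
+}
+block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
+if err != nil {
+return nil, err
+}
+return pem.EncodeToMemory(block), nil
+}
+func loadPrivateKey() (*rsa.PrivateKey, error) {
+if keyFile == "" {
+return nil, errors.New("you must specify a key file to load")
+}
+pem, err := ioutil.ReadFile(keyFile)
+if err != nil {
+return nil, err
+}
+passphrase, err := getPassphrase()
+if err != nil {
+return nil, err
+}
+privateKey, err := crypto.DecodePEMEncryptedPrivateKey(pem, passphrase)
+if err != nil {
+return nil, err
+}
+return privateKey, nil
+}
+func handleError(err error) {
+if !debug {
+fmt.Println(err)
+} else {
+panic(err)
+}
+os.Exit(1)
+}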
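Review bot: `privateKeyToEncryptedPEM` is a line-for-line copy of `crypto.EncodePrivateKeyToEncryptedPEM` and none of the keygen files in this commit calls it (`createKey` uses the `crypto` version), so it should go, together with the `crypto/rand`, `crypto/x509` and `encoding/pem` imports that exist only for it, rather than remain a second copy of the key-encryption logic that can drift. In `loadPrivateKey`, `pem, err := ioutil.ReadFile(keyFile)` shadows the imported `encoding/pem` package for the rest of the function; `keyPEM` would be clearer. The message in `errors.New("passphrases does not match")` should read `"passphrases do not match"`.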


@ -1,14 +1,17 @@
package crypto
import (
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"errors"
jwt "github.com/dgrijalva/jwt-go"
)
func EncodePublicKeyToPEM(key interface{}) ([]byte, error) {
func EncodePublicKeyToPEM(key crypto.PublicKey) ([]byte, error) {
pub, err := x509.MarshalPKIXPublicKey(key)
if err != nil {
return nil, err
@ -20,6 +23,55 @@ func EncodePublicKeyToPEM(key interface{}) ([]byte, error) {
return data, nil
}
func DecodePEMToPublicKey(pem []byte) (*rsa.PublicKey, error) {
func DecodePEMToPublicKey(pem []byte) (crypto.PublicKey, error) {
return jwt.ParseRSAPublicKeyFromPEM(pem)
}
func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKey, error) {
var err error
// Parse PEM block
var block *pem.Block
if block, _ = pem.Decode(key); block == nil {
return nil, errors.New("invalid PEM block")
}
decryptedBlock, err := x509.DecryptPEMBlock(block, passphrase)
if err != nil {
return nil, err
}
var parsedKey interface{}
if parsedKey, err = x509.ParsePKCS1PrivateKey(decryptedBlock); err != nil {
return nil, err
}
var privateKey *rsa.PrivateKey
var ok bool
if privateKey, ok = parsedKey.(*rsa.PrivateKey); !ok {
return nil, errors.New("invalid RSA private key")
}
return privateKey, nil
}
func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
if passphrase == nil {
return nil, errors.New("passphrase cannot be empty")
}
block := &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
}
block, err := x509.EncryptPEMBlock(
rand.Reader, block.Type,
block.Bytes, passphrase, x509.PEMCipherAES256,
)
if err != nil {
return nil, err
}
return pem.EncodeToMemory(block), nil
}
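Review bot: `EncodePrivateKeyToEncryptedPEM` rejects only a nil passphrase; `if len(passphrase) == 0 {` states the intent directly and also covers an empty non-nil slice, which the current check lets through to `x509.EncryptPEMBlock` (the duplicate `privateKeyToEncryptedPEM` in cmd/keygen/util.go has the same check). `x509.EncryptPEMBlock` is the legacy RFC 1423 PEM scheme, which later Go releases mark deprecated because it does not authenticate the ciphertext, so the passphrase is the only real protection of the key at rest and the doc comment should say so, e.g. `// EncodePrivateKeyToEncryptedPEM encodes key as a PKCS#1 PEM block encrypted with legacy PEM encryption (x509.EncryptPEMBlock, AES-256); its security rests on the passphrase.`. In `DecodePEMEncryptedPrivateKey`, `x509.ParsePKCS1PrivateKey` already returns `*rsa.PrivateKey`, so the `interface{}` variable and the `*rsa.PrivateKey` type assertion are dead weight. `DecodePEMToPublicKey` now advertises `crypto.PublicKey` although `jwt.ParseRSAPublicKeyFromPEM` returns `*rsa.PublicKey`, which forces callers to assert back to RSA; that widening is worth a sentence in its doc comment.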

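--- a/crypto/rsa.go
+++ b/crypto/rsa.go
@@ -0,0 +1,34 @@
+package crypto
+import (
+"crypto/rand"
+"crypto/rsa"
+"time"
+peering "forge.cadoles.com/wpetit/go-http-peering"
+jwt "github.com/dgrijalva/jwt-go"
+)
+func CreateRSAKey(bits int) (*rsa.PrivateKey, error) {
+key, err := rsa.GenerateKey(rand.Reader, bits)
+if err != nil {
+return nil, err
+}
+return key, nil
+}
+func CreateServerToken(privateKey *rsa.PrivateKey, issuer string, peerID peering.PeerID) (string, error) {
+token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.ServerTokenClaims{
+StandardClaims: jwt.StandardClaims{
+NotBefore: time.Now().Unix(),
+Issuer: issuer,
+},
+PeerID: peerID,
+})
+tokenStr, err := token.SignedString(privateKey)
+if err != nil {
+return "", err
+}
+return tokenStr, nil
+}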
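Review bot: `CreateServerToken` sets `NotBefore` but no `ExpiresAt`, so the token it mints, which `AdvertiseHandler` in server/advertise.go accepts as the credential for registering a peer, stays valid as long as the signing key does, whereas `addClientToken` in client/client.go bounds its token to ten minutes. If an unbounded lifetime is the intent, record it: `// CreateServerToken signs a ServerTokenClaims token binding peerID to issuer with privateKey. The token carries no expiry; its lifetime is bounded only by the signing key.`; otherwise an expiry argument, or a variant that sets `ExpiresAt` from a caller-supplied duration, keeps the contract explicit. `CreateRSAKey` is exported without a doc comment as well.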


@ -1,2 +1,2 @@
Client -> Server: POST /advertise\n\n{"ID": <PEER_ID>, "Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> }
Client -> Server: POST /advertise\nX-Server-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> }
Server -> Client: 201 Created


@ -1,6 +1,6 @@
<?xml version="1.0"?>
<!-- Generated by SVGo -->
<svg width="711" height="196"
<svg width="589" height="212"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
@ -13,23 +13,24 @@
}
</style>
</defs>
<line x1="45" y1="24" x2="45" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<line x1="45" y1="24" x2="45" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<rect x="8" y="156" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<line x1="661" y1="24" x2="661" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="619" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="635" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="619" y="156" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="635" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="61" y="56" width="584" height="46" style="fill:white;stroke:white;" />
<text x="298" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /advertise</text>
<text x="61" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{&#34;ID&#34;: &lt;PEER_ID&gt;, &#34;Attributes&#34;: &lt;PEER_ATTRIBUTES&gt;, &#34;PublicKey&#34;: &lt;PUBLIC_KEY&gt; }</text>
<line x1="45" y1="106" x2="661" y2="106" style="stroke:black;stroke-width:2px;" />
<polyline points="652,101 661,106 652,111" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="310" y="122" width="87" height="14" style="fill:white;stroke:white;" />
<text x="310" y="134" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >201 Created</text>
<line x1="661" y1="140" x2="45" y2="140" style="stroke:black;stroke-width:2px;" />
<polyline points="54,135 45,140 54,145" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="8" y="172" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<line x1="539" y1="24" x2="539" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="497" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="513" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="497" y="172" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="513" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="61" y="56" width="462" height="62" style="fill:white;stroke:white;" />
<text x="237" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /advertise</text>
<text x="184" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: &lt;JWT_TOKEN&gt;</text>
<text x="61" y="116" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{&#34;Attributes&#34;: &lt;PEER_ATTRIBUTES&gt;, &#34;PublicKey&#34;: &lt;PUBLIC_KEY&gt; }</text>
<line x1="45" y1="122" x2="539" y2="122" style="stroke:black;stroke-width:2px;" />
<polyline points="530,117 539,122 530,127" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="249" y="138" width="87" height="14" style="fill:white;stroke:white;" />
<text x="249" y="150" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >201 Created</text>
<line x1="539" y1="156" x2="45" y2="156" style="stroke:black;stroke-width:2px;" />
<polyline points="54,151 45,156 54,161" style="fill:black;stroke-width:2px;stroke:black;" />
</svg>



@ -1,2 +1,2 @@
Client -> Server: POST /ping\nAuthorization: Bearer <JWT_SIGNING_TOKEN>
Client -> Server: POST /ping\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>
Server -> Client: 204 No Content


@ -1,6 +1,6 @@
<?xml version="1.0"?>
<!-- Generated by SVGo -->
<svg width="446" height="180"
<svg width="343" height="196"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
@ -13,23 +13,24 @@
}
</style>
</defs>
<line x1="45" y1="24" x2="45" y2="156" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<line x1="45" y1="24" x2="45" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<rect x="8" y="140" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="161" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<line x1="396" y1="24" x2="396" y2="156" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="354" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="370" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="354" y="140" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="370" y="161" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="61" y="56" width="319" height="30" style="fill:white;stroke:white;" />
<text x="181" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /ping</text>
<text x="61" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >Authorization: Bearer &lt;JWT_SIGNING_TOKEN&gt;</text>
<line x1="45" y1="90" x2="396" y2="90" style="stroke:black;stroke-width:2px;" />
<polyline points="387,85 396,90 387,95" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="166" y="106" width="111" height="14" style="fill:white;stroke:white;" />
<text x="166" y="118" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text>
<line x1="396" y1="124" x2="45" y2="124" style="stroke:black;stroke-width:2px;" />
<polyline points="54,119 45,124 54,129" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="8" y="156" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<line x1="293" y1="24" x2="293" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="251" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="267" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="251" y="156" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="267" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="61" y="56" width="216" height="46" style="fill:white;stroke:white;" />
<text x="130" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /ping</text>
<text x="61" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: &lt;JWT_TOKEN&gt;</text>
<text x="63" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Client-Token: &lt;JWT_TOKEN&gt;</text>
<line x1="45" y1="106" x2="293" y2="106" style="stroke:black;stroke-width:2px;" />
<polyline points="284,101 293,106 284,111" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="114" y="122" width="111" height="14" style="fill:white;stroke:white;" />
<text x="114" y="134" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text>
<line x1="293" y1="140" x2="45" y2="140" style="stroke:black;stroke-width:2px;" />
<polyline points="54,135 45,140 54,145" style="fill:black;stroke-width:2px;stroke:black;" />
</svg>



@ -1,2 +1,2 @@
Client -> Server: POST /update\nAuthorization: Bearer <JWT_SIGNING_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>}
Client -> Server: POST /update\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>}
Server -> Client: 204 No Content


@ -1,6 +1,6 @@
<?xml version="1.0"?>
<!-- Generated by SVGo -->
<svg width="446" height="212"
<svg width="386" height="228"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
@ -13,24 +13,25 @@
}
</style>
</defs>
<line x1="45" y1="24" x2="45" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<line x1="45" y1="24" x2="45" y2="204" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<rect x="8" y="172" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<line x1="396" y1="24" x2="396" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="354" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="370" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="354" y="172" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="370" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="61" y="56" width="319" height="62" style="fill:white;stroke:white;" />
<text x="172" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /update</text>
<text x="61" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >Authorization: Bearer &lt;JWT_SIGNING_TOKEN&gt;</text>
<text x="91" y="116" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{&#34;Attributes&#34;: &lt;PEER_ATTRIBUTES&gt;}</text>
<line x1="45" y1="122" x2="396" y2="122" style="stroke:black;stroke-width:2px;" />
<polyline points="387,117 396,122 387,127" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="166" y="138" width="111" height="14" style="fill:white;stroke:white;" />
<text x="166" y="150" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text>
<line x1="396" y1="156" x2="45" y2="156" style="stroke:black;stroke-width:2px;" />
<polyline points="54,151 45,156 54,161" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="8" y="188" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="24" y="209" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
<line x1="336" y1="24" x2="336" y2="204" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
<rect x="294" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="310" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="294" y="188" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
<text x="310" y="209" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
<rect x="61" y="56" width="259" height="78" style="fill:white;stroke:white;" />
<text x="142" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /update</text>
<text x="82" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: &lt;JWT_TOKEN&gt;</text>
<text x="84" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Client-Token: &lt;JWT_TOKEN&gt;</text>
<text x="61" y="132" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{&#34;Attributes&#34;: &lt;PEER_ATTRIBUTES&gt;}</text>
<line x1="45" y1="138" x2="336" y2="138" style="stroke:black;stroke-width:2px;" />
<polyline points="327,133 336,138 327,143" style="fill:black;stroke-width:2px;stroke:black;" />
<rect x="136" y="154" width="111" height="14" style="fill:white;stroke:white;" />
<text x="136" y="166" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text>
<line x1="336" y1="172" x2="45" y2="172" style="stroke:black;stroke-width:2px;" />
<polyline points="54,167 45,172 54,177" style="fill:black;stroke-width:2px;stroke:black;" />
</svg>


go.mod

@ -1,7 +1,10 @@
module forge.cadoles.com/wpetit/go-http-peering
require (
github.com/davecgh/go-spew v1.1.1
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/go-chi/chi v3.3.3+incompatible
github.com/pborman/uuid v1.2.0
golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 // indirect
)

go.sum

@ -1,3 +1,5 @@
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/go-chi/chi v3.3.3+incompatible h1:KHkmBEMNkwKuK4FdQL7N2wOeB9jnIx7jR5wsuSBEFI8=
@ -6,3 +8,7 @@ github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 h1:NwxKRvbkH5MsNkvOtPZi3/3kmI8CAzs3mtv+GLQMkNo=
golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 h1:DH4skfRX4EBpamg7iV4ZlCpblAHI6s6TDM39bFZumv8=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=


@ -1,6 +1,7 @@
**/*.go
!vendor/**.go {
prep: make test
prep: make bin/keygen
}
doc/sequence-diagram/*.seq {


@ -9,7 +9,6 @@ const (
)
type AdvertisingRequest struct {
ID PeerID
Attributes PeerAttributes
PublicKey []byte
}
@ -18,7 +17,12 @@ type UpdateRequest struct {
Attributes PeerAttributes
}
type PeerClaims struct {
type ClientTokenClaims struct {
jwt.StandardClaims
BodySum []byte `json:"bodySum"`
}
type ServerTokenClaims struct {
jwt.StandardClaims
PeerID PeerID `json:"peerID"`
}
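Review bot: `ClientTokenClaims` and `ServerTokenClaims` are exported without doc comments, and the split between the two tokens is the core of this redesign, so it is worth recording here who signs what: elsewhere in the commit the server token is minted by `crypto.CreateServerToken` with the operator's RSA key and carries the `PeerID`, while the client token is built per request in `addClientToken`, presumably signed with the peer's `PrivateKey` option, and carries the `BodySum`. Suggested: `// ServerTokenClaims are the claims of the token issued to a peer by the holder of the server signing key; PeerID is the identity the server attributes to the bearer.` and `// ClientTokenClaims are the claims of the per-request token a peer signs with its own key; BodySum binds the token to the request body.`. Both struct types are fully inside the hunk.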


@ -1,158 +0,0 @@
package server
import (
"bytes"
"encoding/json"
"net/http"
"net/http/httptest"
"testing"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/memory"
)
func TestAdvertiseHandlerBadRequest(t *testing.T) {
store := memory.NewStore()
handler := AdvertiseHandler(store)
req := httptest.NewRequest("POST", peering.AdvertisePath, nil)
w := httptest.NewRecorder()
handler(w, req)
res := w.Result()
if g, e := res.StatusCode, http.StatusBadRequest; g != e {
t.Errorf("res.StatusCode: got '%v', expected '%v'", g, e)
}
peers, err := store.List()
if err != nil {
t.Fatal(err)
}
if g, e := len(peers), 0; g != e {
t.Errorf("len(peers): got '%v', expected '%v'", g, e)
}
}
func TestAdvertiseHandlerInvalidPublicKeyFormat(t *testing.T) {
store := memory.NewStore()
handler := AdvertiseHandler(store)
advertising := &peering.AdvertisingRequest{
ID: peering.NewPeerID(),
PublicKey: []byte("Test"),
}
body, err := json.Marshal(advertising)
if err != nil {
t.Fatal(err)
}
req := httptest.NewRequest("POST", peering.AdvertisePath, bytes.NewReader(body))
w := httptest.NewRecorder()
handler(w, req)
res := w.Result()
if g, e := res.StatusCode, http.StatusBadRequest; g != e {
t.Errorf("res.StatusCode: got '%v', expected '%v'", g, e)
}
peers, err := store.List()
if err != nil {
t.Fatal(err)
}
if g, e := len(peers), 0; g != e {
t.Errorf("len(peers): got '%v', expected '%v'", g, e)
}
}
func TestAdvertiseHandlerExistingPeer(t *testing.T) {
store := memory.NewStore()
handler := AdvertiseHandler(store)
pk := mustGeneratePrivateKey()
pem, err := crypto.EncodePublicKeyToPEM(pk.Public())
if err != nil {
t.Fatal(err)
}
peerID := peering.NewPeerID()
advertising := &peering.AdvertisingRequest{
ID: peerID,
PublicKey: pem,
}
body, err := json.Marshal(advertising)
if err != nil {
t.Fatal(err)
}
req := httptest.NewRequest("POST", peering.AdvertisePath, bytes.NewReader(body))
w := httptest.NewRecorder()
handler(w, req)
req = httptest.NewRequest("POST", peering.AdvertisePath, bytes.NewReader(body))
w = httptest.NewRecorder()
handler(w, req)
res := w.Result()
if g, e := res.StatusCode, http.StatusConflict; g != e {
t.Errorf("res.StatusCode: got '%v', expected '%v'", g, e)
}
}
func TestAdvertiseHandlerValidRequest(t *testing.T) {
store := memory.NewStore()
handler := AdvertiseHandler(store)
pk := mustGeneratePrivateKey()
pem, err := crypto.EncodePublicKeyToPEM(pk.Public())
if err != nil {
t.Fatal(err)
}
peerID := peering.NewPeerID()
advertising := &peering.AdvertisingRequest{
ID: peerID,
PublicKey: pem,
}
body, err := json.Marshal(advertising)
if err != nil {
t.Fatal(err)
}
req := httptest.NewRequest("POST", peering.AdvertisePath, bytes.NewReader(body))
w := httptest.NewRecorder()
handler(w, req)
res := w.Result()
if g, e := res.StatusCode, http.StatusCreated; g != e {
t.Errorf("res.StatusCode: got '%v', expected '%v'", g, e)
}
peer, err := store.Get(peerID)
if err != nil {
t.Fatal(err)
}
if g, e := peer.PublicKey, advertising.PublicKey; !bytes.Equal(peer.PublicKey, advertising.PublicKey) {
t.Errorf("peer.PublicKey: got '%v', expected '%v'", g, e)
}
}


@ -1,13 +1,14 @@
package server
import (
"crypto/rsa"
"encoding/json"
"errors"
"net/http"
"time"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
)
var (
@ -18,12 +19,26 @@ var (
ErrUnauthorized = errors.New("unauthorized")
)
func AdvertiseHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc) http.HandlerFunc {
options := createOptions(funcs...)
logger := options.Logger
handler := func(w http.ResponseWriter, r *http.Request) {
serverToken := r.Header.Get(ServerTokenHeader)
if serverToken == "" {
options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
return
}
serverClaims, err := assertServerToken(key, serverToken)
if err != nil {
logger.Printf("[ERROR] %s", err)
sendError(w, http.StatusUnauthorized)
return
}
advertising := &peering.AdvertisingRequest{}
decoder := json.NewDecoder(r.Body)
@ -33,19 +48,13 @@ func AdvertiseHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc
return
}
if !options.PeerIDValidator(advertising.ID) {
logger.Printf("[ERROR] %s", ErrInvalidAdvertisingRequest)
options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
return
}
if _, err := crypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil {
if _, err := peeringCrypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil {
logger.Printf("[ERROR] %s", err)
options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
return
}
peer, err := store.Get(advertising.ID)
peer, err := store.Get(serverClaims.PeerID)
if err == nil {
logger.Printf("[ERROR] %s", ErrPeerIDAlreadyInUse)
@ -61,7 +70,7 @@ func AdvertiseHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc
attrs := filterAttributes(options.PeerAttributes, advertising.Attributes)
peer, err = store.Create(advertising.ID, attrs)
peer, err = store.Create(serverClaims.PeerID, attrs)
if err != nil {
logger.Printf("[ERROR] %s", err)
options.ErrorHandler(w, r, err)
@ -74,6 +83,12 @@ func AdvertiseHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc
return
}
if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err)
options.ErrorHandler(w, r, err)
return
}
if err := store.UpdatePublicKey(peer.ID, advertising.PublicKey); err != nil {
logger.Printf("[ERROR] %s", err)
options.ErrorHandler(w, r, err)
@ -212,10 +227,6 @@ func DefaultErrorHandler(w http.ResponseWriter, r *http.Request, err error) {
}
}
func DefaultPeerIDValidator(id peering.PeerID) bool {
return string(id) != ""
}
func filterAttributes(filters []string, attrs peering.PeerAttributes) peering.PeerAttributes {
filtered := peering.PeerAttributes{}
for _, key := range filters {
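Review bot: `serverClaims.PeerID` is used for `store.Get` and `store.Create` without any check on its content, while the last hunk removes `PeerIDValidator` and `DefaultPeerIDValidator`, so a server token carrying an empty PeerID would create a peer with an empty ID where the old code rejected it. A guard right after `assertServerToken`, `if serverClaims.PeerID == "" { options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest); return }`, restores that check against the token-sourced value. The body's `advertising.ID` is still decoded but never compared with `serverClaims.PeerID`; either drop the field or reject a mismatch so the two identities cannot disagree. A missing `X-Server-Token` goes to `options.ErrorHandler` with ErrInvalidAdvertisingRequest and is not logged, whereas an invalid token is logged and answered with `sendError(w, http.StatusUnauthorized)`; treating both as 401 would make the handler's authentication responses consistent. AdvertiseHandler's body continues outside these hunks.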


@ -3,13 +3,14 @@ package server
import (
"bytes"
"context"
"crypto/rsa"
"crypto/sha256"
"errors"
"io"
"io/ioutil"
"strings"
"time"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
peering "forge.cadoles.com/wpetit/go-http-peering"
jwt "github.com/dgrijalva/jwt-go"
@ -18,8 +19,9 @@ import (
)
const (
AuthorizationType = "Bearer"
KeyPeerID ContextKey = "peerID"
ServerTokenHeader = "X-Server-Token" // nolint: gosec
ClientTokenHeader = "X-Client-Token"
KeyPeerID ContextKey = "PeerID"
)
var (
@ -30,100 +32,63 @@ var (
type ContextKey string
func Authenticate(store peering.Store, funcs ...OptionFunc) func(http.Handler) http.Handler {
func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc) func(http.Handler) http.Handler {
options := createOptions(funcs...)
logger := options.Logger
middleware := func(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) {
authorization := r.Header.Get("Authorization")
if authorization == "" {
serverToken := r.Header.Get(ServerTokenHeader)
if serverToken == "" {
sendError(w, http.StatusUnauthorized)
return
}
parts := strings.SplitN(authorization, " ", 2)
if len(parts) != 2 || parts[0] != AuthorizationType {
clientToken := r.Header.Get(ClientTokenHeader)
if clientToken == "" {
sendError(w, http.StatusUnauthorized)
return
}
token, err := jwt.ParseWithClaims(parts[1], &peering.PeerClaims{}, func(token *jwt.Token) (interface{}, error) {
claims, ok := token.Claims.(*peering.PeerClaims)
if !ok {
return nil, ErrInvalidClaims
}
peerID := peering.PeerID(claims.Issuer)
peer, err := store.Get(peerID)
if err != nil {
return nil, err
}
if peer.Status == peering.StatusRejected {
return nil, ErrPeerRejected
}
if peer.Status != peering.StatusPeered {
return nil, ErrNotPeered
}
publicKey, err := crypto.DecodePEMToPublicKey(peer.PublicKey)
if err != nil {
return nil, err
}
return publicKey, nil
})
if err != nil || !token.Valid {
serverClaims, err := assertServerToken(key, serverToken)
if err != nil {
logger.Printf("[ERROR] %s", err)
if err == ErrPeerRejected {
sendError(w, http.StatusForbidden)
} else {
sendError(w, http.StatusUnauthorized)
return
}
clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken)
if err != nil {
logger.Printf("[ERROR] %s", err)
if err == peering.ErrPeerNotFound {
sendError(w, http.StatusUnauthorized)
} else {
sendError(w, http.StatusInternalServerError)
}
return
}
claims, ok := token.Claims.(*peering.PeerClaims)
if !ok {
logger.Printf("[ERROR] %s", ErrInvalidClaims)
sendError(w, http.StatusUnauthorized)
return
}
body, err := ioutil.ReadAll(r.Body)
match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
if err != nil {
logger.Printf("[ERROR] %s", err)
sendError(w, http.StatusInternalServerError)
return
}
if err := r.Body.Close(); err != nil {
logger.Printf("[ERROR] %s", err)
sendError(w, http.StatusInternalServerError)
return
}
match, err := compareChecksum(body, claims.BodySum)
if err != nil {
logger.Printf("[ERROR] %s", err)
sendError(w, http.StatusUnauthorized)
return
}
if !match {
logger.Printf("[ERROR] %s", ErrInvalidChecksum)
sendError(w, http.StatusBadRequest)
return
}
peerID := peering.PeerID(claims.Issuer)
if err := store.UpdateLastContact(peerID, r.RemoteAddr, time.Now()); err != nil {
if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
logger.Printf("[ERROR] %s", err)
sendError(w, http.StatusInternalServerError)
return
}
ctx := context.WithValue(r.Context(), KeyPeerID, peerID)
ctx := context.WithValue(r.Context(), KeyPeerID, serverClaims.PeerID)
r = r.WithContext(ctx)
r.Body = ioutil.NopCloser(bytes.NewBuffer(body))
@ -143,6 +108,71 @@ func GetPeerID(r *http.Request) (peering.PeerID, error) {
return peerID, nil
}
func assertServerToken(key *rsa.PublicKey, serverToken string) (*peering.ServerTokenClaims, error) {
fn := func(token *jwt.Token) (interface{}, error) {
return key, nil
}
token, err := jwt.ParseWithClaims(serverToken, &peering.ServerTokenClaims{}, fn)
if err != nil {
return nil, err
}
if !token.Valid {
return nil, ErrInvalidClaims
}
claims, ok := token.Claims.(*peering.ServerTokenClaims)
if !ok {
return nil, ErrInvalidClaims
}
return claims, nil
}
func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) {
fn := func(token *jwt.Token) (interface{}, error) {
peer, err := store.Get(peerID)
if err != nil {
return nil, err
}
if peer.Status == peering.StatusRejected {
return nil, ErrPeerRejected
}
if peer.Status != peering.StatusPeered {
return nil, ErrNotPeered
}
publicKey, err := peeringCrypto.DecodePEMToPublicKey(peer.PublicKey)
if err != nil {
return nil, err
}
return publicKey, nil
}
token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
if err != nil {
return nil, err
}
if !token.Valid {
return nil, ErrInvalidClaims
}
claims, ok := token.Claims.(*peering.ClientTokenClaims)
if !ok {
return nil, ErrInvalidClaims
}
return claims, nil
}
func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) {
body, err := ioutil.ReadAll(rc)
if err != nil {
return false, nil, err
}
if err := rc.Close(); err != nil {
return false, nil, err
}
match, err := compareChecksum(body, bodySum)
if err != nil {
return false, nil, err
}
return match, body, nil
}
func sendError(w http.ResponseWriter, status int) {
http.Error(w, http.StatusText(status), status)
}
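Review bot: The error mapping after `assertClientToken` answers 500 for everything except ErrPeerNotFound, so a bad signature, ErrInvalidClaims, ErrPeerRejected and ErrNotPeered from the client token now surface as Internal Server Error where the removed code answered 403 or 401. The comparison `err == peering.ErrPeerNotFound` also looks unreachable, because jwt-go returns key-function errors wrapped in a *jwt.ValidationError (its Inner field holds the original), so assertClientToken should unwrap before the caller compares; the rewrite below does that and restores the previous mapping (rejected peer 403, anything else 401). The key function in assertServerToken returns the key without looking at `token.Method`; pinning it with `if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, ErrInvalidClaims }` keeps a token from selecting an algorithm other than the one the server key is meant for. The middleware closure continues past the hunk's last line.
```go
serverClaims, err := assertServerToken(key, serverToken)
// … unchanged: server token error handling …
clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken)
if err != nil {
	logger.Printf("[ERROR] %s", err)
	if err == ErrPeerRejected {
		sendError(w, http.StatusForbidden)
	} else {
		sendError(w, http.StatusUnauthorized)
	}
	return
}
// … unchanged: body checksum, last-contact update, context …

// … unchanged: assertServerToken …

func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) {
	// … unchanged: key function …
	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
	if err != nil {
		// jwt-go wraps key-function errors; surface the original so callers can compare it
		if ve, ok := err.(*jwt.ValidationError); ok && ve.Inner != nil {
			return nil, ve.Inner
		}
		return nil, err
	}
	// … unchanged: Valid and claims checks …
}
```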


@ -4,8 +4,6 @@ import (
"log"
"net/http"
"os"
peering "forge.cadoles.com/wpetit/go-http-peering"
)
type Logger interface {
@ -13,10 +11,9 @@ type Logger interface {
}
type Options struct {
PeerAttributes []string
ErrorHandler ErrorHandler
PeerIDValidator func(peering.PeerID) bool
Logger Logger
PeerAttributes []string
ErrorHandler ErrorHandler
Logger Logger
}
type OptionFunc func(*Options)
@ -44,10 +41,9 @@ func WithErrorHandler(handler ErrorHandler) OptionFunc {
func defaultOptions() *Options {
logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile)
return &Options{
PeerAttributes: []string{"Label"},
ErrorHandler: DefaultErrorHandler,
PeerIDValidator: DefaultPeerIDValidator,
Logger: logger,
PeerAttributes: []string{"Label"},
ErrorHandler: DefaultErrorHandler,
Logger: logger,
}
}


@ -5,6 +5,11 @@ import (
"testing"
"time"
"forge.cadoles.com/wpetit/go-http-peering/client"
peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
"forge.cadoles.com/wpetit/go-http-peering/memory"
"forge.cadoles.com/wpetit/go-http-peering/server"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
)
@ -15,19 +20,35 @@ func TestAdvertise(t *testing.T) {
t.SkipNow()
}
id, pk, client, store := setup(t)
store := memory.NewStore()
serverPK := mustGeneratePrivateKey()
clientPK := mustGeneratePrivateKey()
peerID := peering.NewPeerID()
serverToken, err := peeringCrypto.CreateServerToken(serverPK, "test", peerID)
if err != nil {
t.Fatal(err)
}
advertise := server.AdvertiseHandler(store, &serverPK.PublicKey)
client := client.New(
client.WithHTTPClient(NewHTTPClientMock(advertise)),
client.WithPrivateKey(clientPK),
client.WithServerToken(serverToken),
)
attrs := peering.PeerAttributes{}
if err := client.Advertise(attrs); err != nil {
t.Fatal(err)
}
peer, err := store.Get(id)
peer, err := store.Get(peerID)
if err != nil {
t.Error(err)
}
if g, e := peer.ID, id; g != e {
if g, e := peer.ID, peerID; g != e {
t.Errorf("peer.ID: got '%v', expected '%v'", g, e)
}
@ -40,11 +61,7 @@ func TestAdvertise(t *testing.T) {
t.Error("peer.LastContact should not be time.Time zero value")
}
if peer.LastAddress == "" {
t.Error("peer.LastAddress should not be empty")
}
pem, err := crypto.EncodePublicKeyToPEM(pk.Public())
pem, err := crypto.EncodePublicKeyToPEM(clientPK.Public())
if err != nil {
t.Fatal(err)
}
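Review bot: `peer, err := store.Get(peerID)` reports a failure with `t.Error(err)` and then goes on to read `peer.ID`, so if Get returns a nil peer on error the test panics instead of reporting the lookup failure; `t.Fatal(err)` is the right call there, as the other tests in this commit already do. The `peer.LastAddress` assertion is dropped rather than kept, presumably because the handler-backed mock client carries no RemoteAddr; if so, the assertion could stay once the mock sets one. TestAdvertise continues outside the hunks.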


@ -4,6 +4,10 @@ import (
"testing"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/client"
peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
"forge.cadoles.com/wpetit/go-http-peering/memory"
"forge.cadoles.com/wpetit/go-http-peering/server"
)
func TestPing(t *testing.T) {
@ -12,33 +16,67 @@ func TestPing(t *testing.T) {
t.SkipNow()
}
id, _, client, store := setup(t)
store := memory.NewStore()
serverPK := mustGeneratePrivateKey()
clientPK := mustGeneratePrivateKey()
peerID := peering.NewPeerID()
attrs := peering.PeerAttributes{}
if err := client.Advertise(attrs); err != nil {
t.Fatal(err)
}
peer, err := store.Get(id)
// Generate a server token for the peer client
serverToken, err := peeringCrypto.CreateServerToken(serverPK, "test", peerID)
if err != nil {
t.Fatal(err)
}
advertise := server.AdvertiseHandler(store, &serverPK.PublicKey)
// Create advertise client
c := client.New(
client.WithHTTPClient(NewHTTPClientMock(advertise)),
client.WithPrivateKey(clientPK),
client.WithServerToken(serverToken),
)
// Advertise client with empty peer attributes
attrs := peering.PeerAttributes{}
if err := c.Advertise(attrs); err != nil {
t.Fatal(err)
}
// Retrieve peer from store
peer, err := store.Get(peerID)
if err != nil {
t.Fatal(err)
}
// Store last contact after advertising
lastContact := peer.LastContact
if err := store.Accept(id); err != nil {
// Accept peer
if err := store.Accept(peerID); err != nil {
t.Error(err)
}
if err := client.Ping(); err != nil {
// Create ping authenticated handler
ping := server.Authenticate(store, &serverPK.PublicKey)(server.PingHandler(store))
// Create client
c = client.New(
client.WithHTTPClient(NewHTTPClientMock(ping)),
client.WithPrivateKey(clientPK),
client.WithServerToken(serverToken),
)
// Do ping
if err := c.Ping(); err != nil {
t.Fatal(err)
}
peer, err = store.Get(id)
// Retrieve peer
peer, err = store.Get(peerID)
if err != nil {
t.Fatal(err)
}
// Assert that last contact has changed after ping
if peer.LastContact == lastContact {
t.Error("peer.LastContact should have been updated")
}
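Review bot: `if err := store.Accept(peerID); err != nil { t.Error(err) }` lets the test continue with a peer that was never accepted, so the following `c.Ping()` fails through the authentication middleware with an error that hides the real cause; `t.Fatal(err)` stops at the failing step. The same pattern is in TestUpdate's Accept call in the next section. TestPing continues outside the hunk.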


@ -6,7 +6,11 @@ import (
"time"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/client"
"forge.cadoles.com/wpetit/go-http-peering/crypto"
peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
"forge.cadoles.com/wpetit/go-http-peering/memory"
"forge.cadoles.com/wpetit/go-http-peering/server"
)
func TestUpdate(t *testing.T) {
@ -15,42 +19,77 @@ func TestUpdate(t *testing.T) {
t.SkipNow()
}
id, pk, client, store := setup(t)
store := memory.NewStore()
serverPK := mustGeneratePrivateKey()
clientPK := mustGeneratePrivateKey()
peerID := peering.NewPeerID()
attrs := peering.PeerAttributes{}
if err := client.Advertise(attrs); err != nil {
t.Fatal(err)
}
if err := store.Accept(id); err != nil {
t.Error(err)
}
attrs["Label"] = "Foo Bar"
if err := client.UpdateAttributes(attrs); err != nil {
t.Fatal(err)
}
peer, err := store.Get(id)
// Generate a server token for the peer client
serverToken, err := peeringCrypto.CreateServerToken(serverPK, "test", peerID)
if err != nil {
t.Fatal(err)
}
if g, e := peer.ID, id; g != e {
advertise := server.AdvertiseHandler(store, &serverPK.PublicKey)
// Create advertise client
c := client.New(
client.WithHTTPClient(NewHTTPClientMock(advertise)),
client.WithPrivateKey(clientPK),
client.WithServerToken(serverToken),
)
// Advertise client with empty peer attributes
attrs := peering.PeerAttributes{}
if err := c.Advertise(attrs); err != nil {
t.Fatal(err)
}
// Accept peer
if err := store.Accept(peerID); err != nil {
t.Error(err)
}
// Create authenticated update handler
update := server.Authenticate(store, &serverPK.PublicKey)(server.UpdateHandler(store))
// Create update client
c = client.New(
client.WithHTTPClient(NewHTTPClientMock(update)),
client.WithPrivateKey(clientPK),
client.WithServerToken(serverToken),
)
// Update local attributes
attrs["Label"] = "Foo Bar"
// Update attributes
if err := c.UpdateAttributes(attrs); err != nil {
t.Fatal(err)
}
// Retrieve peer from store
peer, err := store.Get(peerID)
if err != nil {
t.Fatal(err)
}
// Assert that peer's ID did not change
if g, e := peer.ID, peerID; g != e {
t.Errorf("peer.ID: got '%v', expected '%v'", g, e)
}
// Assert that stored attributes are the same as the local ones
if g, e := peer.Attributes, attrs; !reflect.DeepEqual(g, e) {
t.Errorf("peer.Attributes: got '%v', expected '%v'", g, e)
}
// Assert that lastContact has changed
var defaultTime time.Time
if peer.LastContact == defaultTime {
t.Error("peer.LastContact should not be time.Time zero value")
}
pem, err := crypto.EncodePublicKeyToPEM(pk.Public())
pem, err := crypto.EncodePublicKeyToPEM(clientPK.Public())
if err != nil {
t.Fatal(err)
}


@ -3,15 +3,8 @@ package test
import (
"crypto/rand"
"crypto/rsa"
"fmt"
"net"
"net/http"
"testing"
peering "forge.cadoles.com/wpetit/go-http-peering"
"forge.cadoles.com/wpetit/go-http-peering/client"
"forge.cadoles.com/wpetit/go-http-peering/memory"
"forge.cadoles.com/wpetit/go-http-peering/server"
"net/http/httptest"
)
func mustGeneratePrivateKey() *rsa.PrivateKey {
@ -22,43 +15,22 @@ func mustGeneratePrivateKey() *rsa.PrivateKey {
return privateKey
}
func startServer(store peering.Store) (int, error) {
listener, err := net.Listen("tcp", ":0")
if err != nil {
return -1, err
}
mux := createServerMux(store)
go http.Serve(listener, mux)
port := listener.Addr().(*net.TCPAddr).Port
return port, nil
type HTTPClientMock struct {
handler http.Handler
recorder *httptest.ResponseRecorder
}
func createServerMux(store peering.Store) *http.ServeMux {
mux := http.NewServeMux()
mux.HandleFunc(peering.AdvertisePath, server.AdvertiseHandler(store))
update := server.Authenticate(store)(server.UpdateHandler(store))
mux.Handle(peering.UpdatePath, update)
ping := server.Authenticate(store)(server.PingHandler(store))
mux.Handle(peering.PingPath, ping)
return mux
func (c *HTTPClientMock) Do(r *http.Request) (*http.Response, error) {
w := httptest.NewRecorder()
c.recorder = w
c.handler.ServeHTTP(w, r)
return w.Result(), nil
}
func setup(t *testing.T) (peering.PeerID, *rsa.PrivateKey, *client.Client, peering.Store) {
store := memory.NewStore()
port, err := startServer(store)
if err != nil {
t.Fatal(err)
}
pk := mustGeneratePrivateKey()
id := peering.NewPeerID()
c := client.New(
client.WithBaseURL(fmt.Sprintf("http://127.0.0.1:%d", port)),
client.WithPrivateKey(pk),
client.WithPeerID(id),
)
return id, pk, c, store
func (c *HTTPClientMock) Recorder() *httptest.ResponseRecorder {
return c.recorder
}
func NewHTTPClientMock(h http.Handler) *HTTPClientMock {
return &HTTPClientMock{h, nil}
}
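Review bot: HTTPClientMock.Do hands the client's own request straight to the handler, so `r.RemoteAddr` is presumably empty, which is likely why the TestAdvertise section dropped its `peer.LastAddress` check; setting a constructed address in Do, e.g. `r.RemoteAddr = "192.0.2.1:1234"` (TEST-NET example value), would let the integration tests keep covering UpdateLastContact's address. `&HTTPClientMock{h, nil}` uses unkeyed fields, which breaks silently when a field is added; `&HTTPClientMock{handler: h}` is the conventional form. The `recorder` field is overwritten on every call, so Recorder only reflects the last request, which is worth a one-line comment on the type.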