Merge branch 'master' of ssh://forge.cadoles.com:4242/Cadoles/go-http-peering

server/middleware.go

@@ -58,7 +58,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 				return
 			}
 
-			clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken)
+			clientClaims, err := assertClientToken(
+				serverClaims.PeerID,
+				store,
+				clientToken,
+				logger,
+				options.IgnoredClientTokenErrors...,
+			)
 			if err != nil {
 				logger.Printf("[ERROR] %s", err)
 				switch err {
@@ -78,11 +84,12 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 						return
 					}
 					sendError(w, http.StatusForbidden)
+					return
 				default:
 					sendError(w, http.StatusInternalServerError)
-				}
 					return
 				}
+			}
 
 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
 			if err != nil {
@@ -145,7 +152,7 @@ func assertServerToken(key *rsa.PublicKey, serverToken string) (*peering.ServerT
 	return claims, nil
 }
 
-func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) {
+func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string, logger Logger, ignoredValidationErrors ...uint32) (*peering.ClientTokenClaims, error) {
 	fn := func(token *jwt.Token) (interface{}, error) {
 		peer, err := store.Get(peerID)
 		if err != nil {
@@ -163,22 +170,35 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s
 		}
 		return publicKey, nil
 	}
-	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
-	if err != nil {
-		validationError, ok := err.(*jwt.ValidationError)
-		if ok {
-			return nil, validationError.Inner
-		}
-		return nil, err
-	}
-	if !token.Valid {
-		return nil, ErrInvalidClaims
-	}
+
+	getPeeringClaims := func(token *jwt.Token) (*peering.ClientTokenClaims, error) {
 		claims, ok := token.Claims.(*peering.ClientTokenClaims)
 		if !ok {
 			return nil, ErrInvalidClaims
 		}
 		return claims, nil
+	}
+
+	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
+	if err != nil {
+		validationError, ok := err.(*jwt.ValidationError)
+		if ok {
+			for _, c := range ignoredValidationErrors {
+				if validationError.Errors&c != 0 {
+					logger.Printf("ignoring token validation error: '%s'", validationError.Inner)
+					return getPeeringClaims(token)
+				}
+			}
+			return nil, validationError.Inner
+		}
+		return nil, err
+	}
+
+	if !token.Valid {
+		return nil, ErrInvalidClaims
+	}
+
+	return getPeeringClaims(token)
 }
 
 func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) {
@@ -200,6 +220,15 @@ func sendError(w http.ResponseWriter, status int) {
 	http.Error(w, http.StatusText(status), status)
 }
 
+func filterIgnoredValidationError(err *jwt.ValidationError, ignored ...uint32) error {
+	for _, c := range ignored {
+		if err.Errors&c != 0 {
+			return nil
+		}
+	}
+	return err
+}
+
 func compareChecksum(body []byte, sum []byte) (bool, error) {
 	sha := sha256.New()
 	_, err := sha.Write(body)

server/option.go

@@ -14,6 +14,7 @@ type Options struct {
 	PeerAttributes           []string
 	ErrorHandler             ErrorHandler
 	Logger                   Logger
+	IgnoredClientTokenErrors []uint32
 }
 
 type OptionFunc func(*Options)
@@ -38,12 +39,19 @@ func WithErrorHandler(handler ErrorHandler) OptionFunc {
 	}
 }
 
+func WithIgnoredClientTokenErrors(codes ...uint32) OptionFunc {
+	return func(options *Options) {
+		options.IgnoredClientTokenErrors = codes
+	}
+}
+
 func defaultOptions() *Options {
 	logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile)
 	return &Options{
 		PeerAttributes:           []string{"Label"},
 		ErrorHandler:             DefaultErrorHandler,
 		Logger:                   logger,
+		IgnoredClientTokenErrors: make([]uint32, 0),
 	}
 }