Merge branch 'master' of ssh://forge.cadoles.com:4242/Cadoles/go-http-peering

- Set NotBefore timestamp one minute in the past to prevent false
negative checks
- Set NotAfter timestamp 5 minutes to the future

Makefile

@@ -26,7 +26,7 @@ sd-%:
 	goseq doc/sequence-diagram/$*.seq > doc/sequence-diagram/$*.svg
 
 doc:
-	@echo "open your browser to http://localhost:6060/pkg/forge.cadoles.com/wpetit/go-http-peering to see the documentation"
+	@echo "open your browser to http://localhost:6060/pkg/forge.cadoles.com/Cadoles/go-http-peering to see the documentation"
 	godoc -http=:6060
 
 bin/keygen:

README.md

@@ -2,7 +2,7 @@
 
 Librairie implémentant un protocole d'authentification par "appairage" d'un serveur et client HTTP basé sur [JWT](https://jwt.io/).
 
-[Documentation](https://godoc.org/forge.cadoles.com/wpetit/go-http-peering)
+[Documentation](https://godoc.org/forge.cadoles.com/Cadoles/go-http-peering)
 
 ## Séquences
 

chi/mount.go

@@ -3,8 +3,8 @@ package chi
 import (
 	"crypto/rsa"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 	"github.com/go-chi/chi"
 )
 

chi/mount_test.go

@@ -3,9 +3,9 @@ package chi
 import (
 	"testing"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
 	"github.com/go-chi/chi"
 )
 

client/client.go

@@ -9,11 +9,11 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	jwt "github.com/dgrijalva/jwt-go"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 )
 
 var (
@@ -153,8 +153,8 @@ func (c *Client) addClientToken(r *http.Request, body []byte) error {
 
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.ClientTokenClaims{
 		StandardClaims: jwt.StandardClaims{
-			NotBefore: time.Now().Unix(),
-			ExpiresAt: time.Now().Add(time.Minute * 10).Unix(),
+			NotBefore: time.Now().Add(time.Minute * -1).Unix(),
+			ExpiresAt: time.Now().Add(time.Minute * 5).Unix(),
 		},
 		BodySum: bodySum,
 	})

client/client_test.go

@@ -5,9 +5,9 @@ import (
 	"crypto/rsa"
 	"testing"
 
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
 
 func TestClientPeerID(t *testing.T) {

cmd/keygen/create_key.go

@@ -3,7 +3,7 @@ package main
 import (
 	"fmt"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
 )
 
 func createKey() {

cmd/keygen/create_token.go

@@ -3,9 +3,9 @@ package main
 import (
 	"fmt"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
 
 func createToken() {

cmd/keygen/get_public_key.go

@@ -3,7 +3,7 @@ package main
 import (
 	"fmt"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
 )
 
 func getPublicKey() {

cmd/keygen/util.go

@@ -12,7 +12,7 @@ import (
 	"os"
 	"syscall"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
 
 	"golang.org/x/crypto/ssh/terminal"
 )

crypto/rsa.go

@@ -5,7 +5,7 @@ import (
 	"crypto/rsa"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 
 	jwt "github.com/dgrijalva/jwt-go"
 )

go.mod

@@ -1,4 +1,4 @@
-module forge.cadoles.com/wpetit/go-http-peering
+module forge.cadoles.com/Cadoles/go-http-peering
 
 require (
 	github.com/davecgh/go-spew v1.1.1
@@ -8,3 +8,5 @@ require (
 	golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2
 	golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 // indirect
 )
+
+go 1.13

memory/store.go

@@ -4,7 +4,7 @@ import (
 	"sync"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
 
 type Store struct {

server/handler.go

@@ -7,8 +7,8 @@ import (
 	"net/http"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
 )
 
 var (

server/middleware.go

@@ -10,9 +10,9 @@ import (
 	"io/ioutil"
 	"time"
 
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	jwt "github.com/dgrijalva/jwt-go"
 
 	"net/http"
@@ -58,7 +58,13 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 				return
 			}
 
-			clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken)
+			clientClaims, err := assertClientToken(
+				serverClaims.PeerID,
+				store,
+				clientToken,
+				logger,
+				options.IgnoredClientTokenErrors...,
+			)
 			if err != nil {
 				logger.Printf("[ERROR] %s", err)
 				switch err {
@@ -78,10 +84,11 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 						return
 					}
 					sendError(w, http.StatusForbidden)
+					return
 				default:
 					sendError(w, http.StatusInternalServerError)
+					return
 				}
-				return
 			}
 
 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
@@ -145,7 +152,7 @@ func assertServerToken(key *rsa.PublicKey, serverToken string) (*peering.ServerT
 	return claims, nil
 }
 
-func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) {
+func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string, logger Logger, ignoredValidationErrors ...uint32) (*peering.ClientTokenClaims, error) {
 	fn := func(token *jwt.Token) (interface{}, error) {
 		peer, err := store.Get(peerID)
 		if err != nil {
@@ -163,22 +170,35 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s
 		}
 		return publicKey, nil
 	}
+
+	getPeeringClaims := func(token *jwt.Token) (*peering.ClientTokenClaims, error) {
+		claims, ok := token.Claims.(*peering.ClientTokenClaims)
+		if !ok {
+			return nil, ErrInvalidClaims
+		}
+		return claims, nil
+	}
+
 	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
 	if err != nil {
 		validationError, ok := err.(*jwt.ValidationError)
 		if ok {
+			for _, c := range ignoredValidationErrors {
+				if validationError.Errors&c != 0 {
+					logger.Printf("ignoring token validation error: '%s'", validationError.Inner)
+					return getPeeringClaims(token)
+				}
+			}
 			return nil, validationError.Inner
 		}
 		return nil, err
 	}
+
 	if !token.Valid {
 		return nil, ErrInvalidClaims
 	}
-	claims, ok := token.Claims.(*peering.ClientTokenClaims)
-	if !ok {
-		return nil, ErrInvalidClaims
-	}
-	return claims, nil
+
+	return getPeeringClaims(token)
 }
 
 func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) {
@@ -200,6 +220,15 @@ func sendError(w http.ResponseWriter, status int) {
 	http.Error(w, http.StatusText(status), status)
 }
 
+func filterIgnoredValidationError(err *jwt.ValidationError, ignored ...uint32) error {
+	for _, c := range ignored {
+		if err.Errors&c != 0 {
+			return nil
+		}
+	}
+	return err
+}
+
 func compareChecksum(body []byte, sum []byte) (bool, error) {
 	sha := sha256.New()
 	_, err := sha.Write(body)

server/option.go

@@ -11,9 +11,10 @@ type Logger interface {
 }
 
 type Options struct {
-	PeerAttributes []string
-	ErrorHandler   ErrorHandler
-	Logger         Logger
+	PeerAttributes           []string
+	ErrorHandler             ErrorHandler
+	Logger                   Logger
+	IgnoredClientTokenErrors []uint32
 }
 
 type OptionFunc func(*Options)
@@ -38,12 +39,19 @@ func WithErrorHandler(handler ErrorHandler) OptionFunc {
 	}
 }
 
+func WithIgnoredClientTokenErrors(codes ...uint32) OptionFunc {
+	return func(options *Options) {
+		options.IgnoredClientTokenErrors = codes
+	}
+}
+
 func defaultOptions() *Options {
 	logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile)
 	return &Options{
-		PeerAttributes: []string{"Label"},
-		ErrorHandler:   DefaultErrorHandler,
-		Logger:         logger,
+		PeerAttributes:           []string{"Label"},
+		ErrorHandler:             DefaultErrorHandler,
+		Logger:                   logger,
+		IgnoredClientTokenErrors: make([]uint32, 0),
 	}
 }
 

test/advertise_test.go

@@ -5,13 +5,13 @@ import (
 	"testing"
 	"time"
 
-	"forge.cadoles.com/wpetit/go-http-peering/client"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	"forge.cadoles.com/Cadoles/go-http-peering/client"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
 )
 
 func TestAdvertise(t *testing.T) {

test/ping_test.go

@@ -3,11 +3,11 @@ package test
 import (
 	"testing"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/client"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"forge.cadoles.com/Cadoles/go-http-peering/client"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 )
 
 func TestPing(t *testing.T) {

test/update_test.go

@@ -5,12 +5,12 @@ import (
 	"testing"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/client"
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"forge.cadoles.com/Cadoles/go-http-peering/client"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 )
 
 func TestUpdate(t *testing.T) {