fix(keygen): correctly load token for validation

- Use PlantUML
- Update README

.env.dist

@@ -0,0 +1,2 @@
+GPG_SIGNING_KEY=
+ARCH_TARGETS='amd64 arm arm64 386'

.gitignore

@@ -3,3 +3,7 @@
 /bin
 /testdata
 /release
+/out
+/.mktools
+/tools
+/.env

Jenkinsfile

@@ -0,0 +1,37 @@
+@Library('cadoles') _
+
+pipeline {
+    agent {
+        dockerfile {
+            filename 'Dockerfile'
+            dir 'misc/ci'
+        }
+    }
+
+    stages {
+        stage('Lint') {
+            steps {
+                script {
+                    catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                        sh 'make lint'
+                    }
+                }
+            }
+        }
+        stage('Test') {
+            steps {
+                script {
+                    sh 'make test'
+                }
+            }
+        }
+    }
+
+    post {
+        always {
+            script {
+                cleanWs()
+            }
+        }
+    }
+}

Makefile

@@ -1,35 +1,56 @@
-test:
+SHELL := /bin/bash
+
+test: go-test keygen-test
+
+go-test:
 	go clean -testcache
 	go test -cover -v ./...
 
 watch:
-	modd	
+	go run -mod=readonly github.com/cortesi/modd/cmd/modd@latest
 
-release:
+release: tidy .env
-	script/release
+	( set -o allexport && source .env && set +o allexport && script/release )
 
-deps:
+.env:
-	GO111MODULE=off go get -u golang.org/x/tools/cmd/godoc
+	cp .env.dist .env
-	GO111MODULE=off go get -u github.com/cortesi/modd/cmd/modd
-	GO111MODULE=off go get -u github.com/golangci/golangci-lint/cmd/golangci-lint
-	GO111MODULE=off go get -u github.com/lmika/goseq
 
 tidy:
 	go mod tidy
 
 lint:
-	golangci-lint run --tests=false --enable-all
+	go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.49.0 run --tests=false --enable-all
-
-sequence-diagram: sd-advertise sd-update sd-ping
-
-sd-%:
-	goseq doc/sequence-diagram/$*.seq > doc/sequence-diagram/$*.svg
-
-doc:
-	@echo "open your browser to http://localhost:6060/pkg/forge.cadoles.com/wpetit/go-http-peering to see the documentation"
-	godoc -http=:6060
 
 bin/keygen:
-	go build -o bin/keygen ./cmd/keygen
+	CGO_ENABLED=0 go build -o bin/keygen ./cmd/keygen
 
 .PHONY: test lint doc sequence-diagram bin/keygen release
+
+gitea-release: .mktools tools/gitea-release/bin/gitea-release.sh release
+	GITEA_RELEASE_PROJECT="go-http-peering" \
+		GITEA_RELEASE_ORG="Cadoles" \
+		GITEA_RELEASE_BASE_URL="https://forge.cadoles.com" \
+		GITEA_RELEASE_VERSION="$(MKT_PROJECT_VERSION)" \
+		GITEA_RELEASE_NAME="$(MKT_PROJECT_VERSION)" \
+		GITEA_RELEASE_COMMITISH_TARGET="$(GIT_VERSION)" \
+		GITEA_RELEASE_IS_DRAFT="false" \
+		GITEA_RELEASE_BODY="" \
+		GITEA_RELEASE_ATTACHMENTS="$$(find release -type f -name '*.tar.gz')" \
+		tools/gitea-release/bin/gitea-release.sh
+
+keygen-test: tools/bash_unit/bin/bash_unit
+	tools/bash_unit/bin/bash_unit misc/bash_unit/keygen_test.sh
+
+tools/bash_unit/bin/bash_unit:
+	mkdir -p tools/bash_unit/bin
+	cd tools/bash_unit/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
+
+.PHONY: mktools
+mktools:
+	rm -rf .mktools
+	curl -k -q https://forge.cadoles.com/Cadoles/mktools/raw/branch/master/install.sh | $(SHELL)
+
+.mktools:
+	$(MAKE) mktools
+
+-include .mktools/*.mk

README.md

@@ -2,23 +2,21 @@
 
 Librairie implémentant un protocole d'authentification par "appairage" d'un serveur et client HTTP basé sur [JWT](https://jwt.io/).
 
-[Documentation](https://godoc.org/forge.cadoles.com/wpetit/go-http-peering)
+[Documentation](https://godoc.org/forge.cadoles.com/Cadoles/go-http-peering)
 
 ## Séquences
 
 ### Annonce du client
 
-![advertise](./doc/sequence-diagram/advertise.svg)
+![advertise](./doc/sequence-diagram/advertising.png)
 
 ### Mise à jour des attributs
 
-![update](./doc/sequence-diagram/update.svg)
+![update](./doc/sequence-diagram/update.png)
 
 ### Ping
 
-![ping](./doc/sequence-diagram/ping.svg)
+![ping](./doc/sequence-diagram/ping.png)
-
-**Statut** Instable
 
 ## Licence
 

chi/mount.go

@@ -3,8 +3,8 @@ package chi
 import (
 	"crypto/rsa"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 	"github.com/go-chi/chi"
 )
 

chi/mount_test.go

@@ -3,9 +3,9 @@ package chi
 import (
 	"testing"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
 	"github.com/go-chi/chi"
 )
 

client/client.go

@@ -9,11 +9,11 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	jwt "github.com/dgrijalva/jwt-go"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 )
 
 var (
@@ -153,8 +153,8 @@ func (c *Client) addClientToken(r *http.Request, body []byte) error {
 
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, peering.ClientTokenClaims{
 		StandardClaims: jwt.StandardClaims{
-			NotBefore: time.Now().Unix(),
+			NotBefore: time.Now().Add(time.Minute * -1).Unix(),
-			ExpiresAt: time.Now().Add(time.Minute * 10).Unix(),
+			ExpiresAt: time.Now().Add(time.Minute * 5).Unix(),
 		},
 		BodySum: bodySum,
 	})

client/client_test.go

@@ -5,9 +5,9 @@ import (
 	"crypto/rsa"
 	"testing"
 
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
 
 func TestClientPeerID(t *testing.T) {

cmd/keygen/create_key.go

@@ -3,21 +3,22 @@ package main
 import (
 	"fmt"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 )
 
 func createKey() {
 	passphrase, err := getPassphrase()
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	key, err := crypto.CreateRSAKey(keySize)
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	privatePEM, err := crypto.EncodePrivateKeyToEncryptedPEM(key, passphrase)
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	fmt.Print(string(privatePEM))
 }

cmd/keygen/create_token.go

@@ -3,19 +3,20 @@ package main
 import (
 	"fmt"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
 
 func createToken() {
 	privateKey, err := loadPrivateKey()
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	token, err := crypto.CreateServerToken(privateKey, tokenIssuer, peering.PeerID(tokenPeerID))
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	fmt.Println(token)
 }

cmd/keygen/get_public_key.go

@@ -3,17 +3,18 @@ package main
 import (
 	"fmt"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 )
 
 func getPublicKey() {
 	privateKey, err := loadPrivateKey()
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	publicPEM, err := crypto.EncodePublicKeyToPEM(privateKey.Public())
 	if err != nil {
-		handleError(err)
+		handleError(errors.WithStack(err))
 	}
 	fmt.Print(string(publicPEM))
 }

cmd/keygen/main.go

@@ -11,8 +11,10 @@ var (
 	createKeyCmd    = false
 	getPublicKeyCmd = false
 	createTokenCmd  = false
+	verifyTokenCmd  = false
 	debug           = false
 	keyFile         string
+	tokenFile       string
 	tokenIssuer     string
 	tokenPeerID     = uuid.New()
 	keySize         = 2048
@@ -28,12 +30,17 @@ func init() {
 		&createTokenCmd, "create-token", createTokenCmd,
 		"Create a new signed authentication token",
 	)
+	flag.BoolVar(
+		&verifyTokenCmd, "verify-token", verifyTokenCmd,
+		"Verify a token generated with the given key",
+	)
 	flag.BoolVar(
 		&getPublicKeyCmd, "get-public-key", getPublicKeyCmd,
 		"Get the PEM encoded public key associated with the private key",
 	)
 	flag.BoolVar(&debug, "debug", debug, "Debug mode")
 	flag.StringVar(&keyFile, "key", keyFile, "Path to the encrypted PEM encoded key")
+	flag.StringVar(&tokenFile, "token", tokenFile, "Path to the token to verify")
 	flag.StringVar(&tokenIssuer, "token-issuer", tokenIssuer, "Token issuer")
 	flag.StringVar(&tokenPeerID, "token-peer-id", tokenPeerID, "Token peer ID")
 	flag.IntVar(&keySize, "key-size", keySize, "Size of the private key")
@@ -48,6 +55,8 @@ func main() {
 		getPublicKey()
 	case createTokenCmd:
 		createToken()
+	case verifyTokenCmd:
+		verifyToken()
 	default:
 		flag.Usage()
 	}

cmd/keygen/util.go

@@ -2,17 +2,15 @@ package main
 
 import (
 	"bytes"
-	"crypto/rand"
 	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
+	"strings"
 	"syscall"
 
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 
 	"golang.org/x/crypto/ssh/terminal"
 )
@@ -29,14 +27,14 @@ func askPassphrase() ([]byte, error) {
 	fmt.Print("Passphrase: ")
 	passphrase, err := terminal.ReadPassword(syscall.Stdin)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	fmt.Println()
 
 	fmt.Print("Confirm passphrase: ")
 	passphraseConfirmation, err := terminal.ReadPassword(syscall.Stdin)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	fmt.Println()
 
@@ -47,50 +45,43 @@ func askPassphrase() ([]byte, error) {
 	return passphrase, nil
 }
 
-func privateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
-
-	if passphrase == nil {
-		return nil, errors.New("passphrase cannot be empty")
-	}
-
-	// Convert it to pem
-	block := &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
-	}
-
-	block, err := x509.EncryptPEMBlock(rand.Reader, block.Type, block.Bytes, passphrase, x509.PEMCipherAES256)
-	if err != nil {
-		return nil, err
-	}
-
-	return pem.EncodeToMemory(block), nil
-}
-
 func loadPrivateKey() (*rsa.PrivateKey, error) {
 	if keyFile == "" {
 		return nil, errors.New("you must specify a key file to load")
 	}
 	pem, err := ioutil.ReadFile(keyFile)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	passphrase, err := getPassphrase()
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	privateKey, err := crypto.DecodePEMEncryptedPrivateKey(pem, passphrase)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	return privateKey, nil
 }
 
+func loadToken() (string, error) {
+	if tokenFile == "" {
+		return "", errors.New("you must specify a token file to load")
+	}
+
+	token, err := os.ReadFile(tokenFile)
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	return strings.TrimSpace(string(token)), nil
+}
+
 func handleError(err error) {
 	if !debug {
-		fmt.Println(err)
+		fmt.Printf("%+v\n", errors.WithStack(err))
 	} else {
-		panic(err)
+		panic(fmt.Sprintf("%+v", errors.WithStack(err)))
 	}
 	os.Exit(1)
 }

cmd/keygen/verify_token.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
+	"github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
+)
+
+func verifyToken() {
+	rawToken, err := loadToken()
+	if err != nil {
+		handleError(errors.WithStack(err))
+	}
+
+	privateKey, err := loadPrivateKey()
+	if err != nil {
+		handleError(errors.WithStack(err))
+	}
+
+	fn := func(token *jwt.Token) (interface{}, error) {
+		return &privateKey.PublicKey, nil
+	}
+
+	token, err := jwt.ParseWithClaims(rawToken, &peering.ServerTokenClaims{}, fn)
+	if err != nil {
+		validationError, ok := err.(*jwt.ValidationError)
+		if ok {
+			handleError(errors.WithStack(validationError.Inner))
+		}
+
+		handleError(errors.WithStack(err))
+	}
+
+	if !token.Valid {
+		handleError(errors.New("token is invalid"))
+	}
+
+	claims, ok := token.Claims.(*peering.ServerTokenClaims)
+	if !ok {
+		handleError(errors.New("unexpected token claims"))
+	}
+
+	data, err := json.MarshalIndent(claims, "", "  ")
+	if err != nil {
+		handleError(errors.WithStack(err))
+	}
+
+	fmt.Println("Token OK.")
+	fmt.Println("Claims:")
+	fmt.Println(string(data))
+
+}

crypto/pem.go

@@ -6,15 +6,16 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
 
 	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
 )
 
 func EncodePublicKeyToPEM(key crypto.PublicKey) ([]byte, error) {
 	pub, err := x509.MarshalPKIXPublicKey(key)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	data := pem.EncodeToMemory(&pem.Block{
 		Type:  "PUBLIC KEY",
@@ -28,27 +29,23 @@ func DecodePEMToPublicKey(pem []byte) (crypto.PublicKey, error) {
 }
 
 func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKey, error) {
-	var err error
+	var (
+		rawKey interface{}
+		err    error
+	)
 
-	// Parse PEM block
+	if len(passphrase) == 0 {
-	var block *pem.Block
+		rawKey, err = ssh.ParseRawPrivateKey(key)
-	if block, _ = pem.Decode(key); block == nil {
+	} else {
-		return nil, errors.New("invalid PEM block")
+		rawKey, err = ssh.ParseRawPrivateKeyWithPassphrase(key, passphrase)
 	}
-
-	decryptedBlock, err := x509.DecryptPEMBlock(block, passphrase)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
-	}
-
-	var parsedKey interface{}
-	if parsedKey, err = x509.ParsePKCS1PrivateKey(decryptedBlock); err != nil {
-		return nil, err
 	}
 
 	var privateKey *rsa.PrivateKey
 	var ok bool
-	if privateKey, ok = parsedKey.(*rsa.PrivateKey); !ok {
+	if privateKey, ok = rawKey.(*rsa.PrivateKey); !ok {
 		return nil, errors.New("invalid RSA private key")
 	}
 
@@ -56,21 +53,21 @@ func DecodePEMEncryptedPrivateKey(key []byte, passphrase []byte) (*rsa.PrivateKe
 }
 
 func EncodePrivateKeyToEncryptedPEM(key *rsa.PrivateKey, passphrase []byte) ([]byte, error) {
-	if passphrase == nil {
-		return nil, errors.New("passphrase cannot be empty")
-	}
-
 	block := &pem.Block{
 		Type:  "RSA PRIVATE KEY",
 		Bytes: x509.MarshalPKCS1PrivateKey(key),
 	}
 
-	block, err := x509.EncryptPEMBlock(
+	if len(passphrase) != 0 {
+		encryptedBlock, err := x509.EncryptPEMBlock(
 			rand.Reader, block.Type,
 			block.Bytes, passphrase, x509.PEMCipherAES256,
 		)
 		if err != nil {
-		return nil, err
+			return nil, errors.WithStack(err)
+		}
+
+		block = encryptedBlock
 	}
 
 	return pem.EncodeToMemory(block), nil

crypto/rsa.go

@@ -5,15 +5,16 @@ import (
 	"crypto/rsa"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 
 	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/pkg/errors"
 )
 
 func CreateRSAKey(bits int) (*rsa.PrivateKey, error) {
 	key, err := rsa.GenerateKey(rand.Reader, bits)
 	if err != nil {
-		return nil, err
+		return nil, errors.WithStack(err)
 	}
 	return key, nil
 }
@@ -28,7 +29,7 @@ func CreateServerToken(privateKey *rsa.PrivateKey, issuer string, peerID peering
 	})
 	tokenStr, err := token.SignedString(privateKey)
 	if err != nil {
-		return "", err
+		return "", errors.WithStack(err)
 	}
 	return tokenStr, nil
 }

doc/sequence-diagram/advertise.seq

@@ -1,2 +0,0 @@
-Client -> Server: POST /advertise\nX-Server-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> }
-Server -> Client: 201 Created

doc/sequence-diagram/advertise.svg

@@ -1,36 +0,0 @@
-<?xml version="1.0"?>
-<!-- Generated by SVGo -->
-<svg width="589" height="212"
-     xmlns="http://www.w3.org/2000/svg"
-     xmlns:xlink="http://www.w3.org/1999/xlink">
-<defs>
-<style>
-@font-face {
-  font-family: 'DejaVuSans';
-  src: url('https://fontlibrary.org/assets/fonts/dejavu-sans/f5ec8426554a3a67ebcdd39f9c3fee83/49c0f03ec2fa354df7002bcb6331e106/DejaVuSansBook.ttf') format('truetype');
-  font-weight: normal;
-  font-style: normal;
-}
-</style>
-</defs>
-<line x1="45" y1="24" x2="45" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
-<rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
-<rect x="8" y="172" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="24" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
-<line x1="539" y1="24" x2="539" y2="188" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
-<rect x="497" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="513" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
-<rect x="497" y="172" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="513" y="193" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
-<rect x="61" y="56" width="462" height="62" style="fill:white;stroke:white;" />
-<text x="237" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /advertise</text>
-<text x="184" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: &lt;JWT_TOKEN&gt;</text>
-<text x="61" y="116" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{&#34;Attributes&#34;: &lt;PEER_ATTRIBUTES&gt;, &#34;PublicKey&#34;: &lt;PUBLIC_KEY&gt; }</text>
-<line x1="45" y1="122" x2="539" y2="122" style="stroke:black;stroke-width:2px;" />
-<polyline points="530,117 539,122 530,127" style="fill:black;stroke-width:2px;stroke:black;" />
-<rect x="249" y="138" width="87" height="14" style="fill:white;stroke:white;" />
-<text x="249" y="150" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >201 Created</text>
-<line x1="539" y1="156" x2="45" y2="156" style="stroke:black;stroke-width:2px;" />
-<polyline points="54,151 45,156 54,161" style="fill:black;stroke-width:2px;stroke:black;" />
-</svg>

doc/sequence-diagram/advertising.plantuml

@@ -0,0 +1,15 @@
+@startuml
+Client -> Server: POST /advertise\nX-Server-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>, "PublicKey": <PUBLIC_KEY> }
+Server -> Server: Validate server token
+alt Success
+    Server -> Server: Create peer with public key and attributes
+    Server -> Server: Update last contact for peer ID
+    Server -> Client: 201 Created
+else Invalid server token
+    Server -> Client: 401 Unauthorized
+else Malformed advertising request
+    Server -> Client: 400 Bad request
+else Unexpected error
+    Server -> Client: 500 Server error
+end
+@enduml

doc/sequence-diagram/ping.plantuml

@@ -0,0 +1,17 @@
+@startuml
+Client -> Server: POST /ping\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>
+Server -> Server: Validate client/server tokens
+alt Success
+    Server -> Server: Update last contact for peer ID
+    Server -> Client: 204 No Content
+else Invalid client or server token
+    Server -> Client: 400 Bad request
+else Peer not found
+    Server -> Client: 401 Unauthorized
+else Peer rejected
+    Server -> Client: 403 Forbidden
+else Unexpected error
+    Server -> Client: 500 Server error
+end
+
+@enduml

doc/sequence-diagram/ping.seq

@@ -1,2 +0,0 @@
-Client -> Server: POST /ping\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>
-Server -> Client: 204 No Content

doc/sequence-diagram/ping.svg

@@ -1,36 +0,0 @@
-<?xml version="1.0"?>
-<!-- Generated by SVGo -->
-<svg width="343" height="196"
-     xmlns="http://www.w3.org/2000/svg"
-     xmlns:xlink="http://www.w3.org/1999/xlink">
-<defs>
-<style>
-@font-face {
-  font-family: 'DejaVuSans';
-  src: url('https://fontlibrary.org/assets/fonts/dejavu-sans/f5ec8426554a3a67ebcdd39f9c3fee83/49c0f03ec2fa354df7002bcb6331e106/DejaVuSansBook.ttf') format('truetype');
-  font-weight: normal;
-  font-style: normal;
-}
-</style>
-</defs>
-<line x1="45" y1="24" x2="45" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
-<rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
-<rect x="8" y="156" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="24" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
-<line x1="293" y1="24" x2="293" y2="172" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
-<rect x="251" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="267" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
-<rect x="251" y="156" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="267" y="177" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
-<rect x="61" y="56" width="216" height="46" style="fill:white;stroke:white;" />
-<text x="130" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /ping</text>
-<text x="61" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: &lt;JWT_TOKEN&gt;</text>
-<text x="63" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Client-Token: &lt;JWT_TOKEN&gt;</text>
-<line x1="45" y1="106" x2="293" y2="106" style="stroke:black;stroke-width:2px;" />
-<polyline points="284,101 293,106 284,111" style="fill:black;stroke-width:2px;stroke:black;" />
-<rect x="114" y="122" width="111" height="14" style="fill:white;stroke:white;" />
-<text x="114" y="134" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text>
-<line x1="293" y1="140" x2="45" y2="140" style="stroke:black;stroke-width:2px;" />
-<polyline points="54,135 45,140 54,145" style="fill:black;stroke-width:2px;stroke:black;" />
-</svg>

doc/sequence-diagram/update.plantuml

@@ -0,0 +1,19 @@
+@startuml
+Client -> Server: POST /update\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>}
+Server -> Server: Validate client/server tokens
+alt Success
+    Server -> Server: Save attributes
+    Server -> Server: Update last contact for peer ID
+    Server -> Client: 200 OK {""}
+else Invalid client or server token
+    Server -> Client: 400 Bad request
+else Malformed update request
+    Server -> Client: 400 Bad request
+else Peer not found
+    Server -> Client: 401 Unauthorized
+else Peer rejected
+    Server -> Client: 403 Forbidden
+else Unexpected error
+    Server -> Client: 500 Server error
+end
+@enduml

doc/sequence-diagram/update.seq

@@ -1,2 +0,0 @@
-Client -> Server: POST /update\nX-Server-Token: <JWT_TOKEN>\nX-Client-Token: <JWT_TOKEN>\n\n{"Attributes": <PEER_ATTRIBUTES>}
-Server -> Client: 204 No Content

doc/sequence-diagram/update.svg

@@ -1,37 +0,0 @@
-<?xml version="1.0"?>
-<!-- Generated by SVGo -->
-<svg width="386" height="228"
-     xmlns="http://www.w3.org/2000/svg"
-     xmlns:xlink="http://www.w3.org/1999/xlink">
-<defs>
-<style>
-@font-face {
-  font-family: 'DejaVuSans';
-  src: url('https://fontlibrary.org/assets/fonts/dejavu-sans/f5ec8426554a3a67ebcdd39f9c3fee83/49c0f03ec2fa354df7002bcb6331e106/DejaVuSansBook.ttf') format('truetype');
-  font-weight: normal;
-  font-style: normal;
-}
-</style>
-</defs>
-<line x1="45" y1="24" x2="45" y2="204" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
-<rect x="8" y="8" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="24" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
-<rect x="8" y="188" width="75" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="24" y="209" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Client</text>
-<line x1="336" y1="24" x2="336" y2="204" style="stroke-dasharray:8,8;stroke-width:2px;stroke:black;" />
-<rect x="294" y="8" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="310" y="29" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
-<rect x="294" y="188" width="84" height="32" style="fill:white;stroke-width:2px;stroke:black;" />
-<text x="310" y="209" style="fill:black;font-family:DejaVuSans,sans-serif;font-size:16px;" >Server</text>
-<rect x="61" y="56" width="259" height="78" style="fill:white;stroke:white;" />
-<text x="142" y="68" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >POST /update</text>
-<text x="82" y="84" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Server-Token: &lt;JWT_TOKEN&gt;</text>
-<text x="84" y="100" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >X-Client-Token: &lt;JWT_TOKEN&gt;</text>
-<text x="61" y="132" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >{&#34;Attributes&#34;: &lt;PEER_ATTRIBUTES&gt;}</text>
-<line x1="45" y1="138" x2="336" y2="138" style="stroke:black;stroke-width:2px;" />
-<polyline points="327,133 336,138 327,143" style="fill:black;stroke-width:2px;stroke:black;" />
-<rect x="136" y="154" width="111" height="14" style="fill:white;stroke:white;" />
-<text x="136" y="166" style="font-family:DejaVuSans,sans-serif;font-size:14px;" >204 No Content</text>
-<line x1="336" y1="172" x2="45" y2="172" style="stroke:black;stroke-width:2px;" />
-<polyline points="54,167 45,172 54,177" style="fill:black;stroke-width:2px;stroke:black;" />
-</svg>

go.mod

@@ -1,10 +1,17 @@
-module forge.cadoles.com/wpetit/go-http-peering
+module forge.cadoles.com/Cadoles/go-http-peering
 
 require (
-	github.com/davecgh/go-spew v1.1.1
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/go-chi/chi v3.3.3+incompatible
 	github.com/pborman/uuid v1.2.0
-	golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2
+	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
-	golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 // indirect
 )
+
+require (
+	github.com/google/uuid v1.0.0 // indirect
+	github.com/pkg/errors v0.9.1
+	golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 // indirect
+	golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 // indirect
+)
+
+go 1.18

go.sum

@@ -1,5 +1,3 @@
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/go-chi/chi v3.3.3+incompatible h1:KHkmBEMNkwKuK4FdQL7N2wOeB9jnIx7jR5wsuSBEFI8=
@@ -8,7 +6,11 @@ github.com/google/uuid v1.0.0 h1:b4Gk+7WdP/d3HZH8EJsZpvV7EtDOgaZLtnaNGIu1adA=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/pborman/uuid v1.2.0 h1:J7Q5mO4ysT1dv8hyrUGHb9+ooztCXu1D8MY8DZYsu3g=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 h1:NwxKRvbkH5MsNkvOtPZi3/3kmI8CAzs3mtv+GLQMkNo=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223 h1:DH4skfRX4EBpamg7iV4ZlCpblAHI6s6TDM39bFZumv8=
+golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90 h1:Y/gsMcFOcR+6S6f3YeMKl5g+dZMEWqcz5Czj/GWYbkM=
-golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/sys v0.0.0-20220829200755-d48e67d00261 h1:v6hYoSR9T5oet+pMXwUWkbiVqx/63mlHjefrHmxwfeY=
+golang.org/x/sys v0.0.0-20220829200755-d48e67d00261/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20220722155259-a9ba230a4035 h1:Q5284mrmYTpACcm+eAKjKJH48BBwSyfJqmmGDTtT8Vc=
+golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=

memory/store.go

@@ -4,7 +4,7 @@ import (
 	"sync"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 )
 
 type Store struct {

misc/bash_unit/keygen_test.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+KEYGEN_BIN=${KEYGEN_BIN:-go run ../../cmd/keygen}
+
+test_create_key_without_passphrase() {
+    local workspace=$(mktemp -d)
+
+    # Generate a new private key without passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE= $KEYGEN_BIN -create-key > "${key_path}"
+}
+
+test_create_key_with_passphrase() {
+    local workspace=$(mktemp -d)
+
+    # Generate a new private key with passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-key > "${key_path}"
+}
+
+test_verify_token_without_passphrase() {
+    local workspace=$(mktemp -d)
+    
+    # Generate a new private key without passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE= $KEYGEN_BIN -create-key > "${key_path}"
+
+    # Generate a new token
+    local token_path="${workspace}/token.jwt"
+    KEY_PASSPHRASE= $KEYGEN_BIN -create-token -key "${key_path}" > "${token_path}"
+
+    # Verify token
+    KEY_PASSPHRASE= $KEYGEN_BIN -verify-token -key "${key_path}" -token "${token_path}"  1>/dev/null
+}
+
+test_verify_token_with_passphrase() {
+    local workspace=$(mktemp -d)
+    
+    # Generate a new private key with passphrase
+    local key_path="${workspace}/private.key"
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-key > "${key_path}"
+
+    # Generate a new token
+    local token_path="${workspace}/token.jwt"
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -create-token -key "${key_path}" > "${token_path}"
+
+    # Verify token
+    KEY_PASSPHRASE=foobar $KEYGEN_BIN -verify-token -key "${key_path}" -token "${token_path}" 1>/dev/null
+}

misc/ci/Dockerfile

@@ -0,0 +1,5 @@
+FROM golang:1.19
+
+RUN apt-get update && apt-get install -y make upx-ucl curl ca-certificates bash jq
+
+RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash

modd.conf

@@ -3,7 +3,3 @@
     prep: make test
     prep: make bin/keygen
 }
-
-doc/sequence-diagram/*.seq {
-    prep: make sequence-diagram
-}

script/release

@@ -3,7 +3,9 @@
 set -eo pipefail
 
 OS_TARGETS=(linux)
-ARCH_TARGETS=${ARCH_TARGETS:-amd64}
+ARCH_TARGETS=${ARCH_TARGETS:-amd64 mipsle}
+
+export GOMIPS=softfloat
 
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
@@ -29,10 +31,16 @@ function build {
     -o "$destdir/$name" \
     "$srcdir"
 
-  if [ ! -z "$(which upx)" ]; then
+  # Disable UPX compression for MIPS archs
+  # See https://github.com/upx/upx/issues/339
+  if [ ! -z "$(which upx)" ] && [[ ! "$arch" =~ "mips" ]]; then
     upx --best "$destdir/$name"
   fi
 
+  if [ ! -z "${GPG_SIGNING_KEY}" ]; then
+    echo "signing '$destdir/$name' with gpg key '$GPG_SIGNING_KEY'..."
+    gpg --sign --default-key "${GPG_SIGNING_KEY}" --armor --detach-sign --output "$destdir/$name.sig" "$destdir/$name"
+  fi
 }
 
 function copy {

server/handler.go

@@ -3,12 +3,12 @@ package server
 import (
 	"crypto/rsa"
 	"encoding/json"
-	"errors"
 	"net/http"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
+	"github.com/pkg/errors"
 )
 
 var (
@@ -34,7 +34,7 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
 
 		serverClaims, err := assertServerToken(key, serverToken)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			sendError(w, http.StatusUnauthorized)
 			return
 		}
@@ -43,27 +43,26 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
 
 		decoder := json.NewDecoder(r.Body)
 		if err := decoder.Decode(advertising); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
 			return
 		}
 
 		if _, err := peeringCrypto.DecodePEMToPublicKey(advertising.PublicKey); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, ErrInvalidAdvertisingRequest)
 			return
 		}
 
 		peer, err := store.Get(serverClaims.PeerID)
-
 		if err == nil {
-			logger.Printf("[ERROR] %s", ErrPeerIDAlreadyInUse)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerIDAlreadyInUse))
 			options.ErrorHandler(w, r, ErrPeerIDAlreadyInUse)
 			return
 		}
 
 		if err != peering.ErrPeerNotFound {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
@@ -72,25 +71,25 @@ func AdvertiseHandler(store peering.Store, key *rsa.PublicKey, funcs ...OptionFu
 
 		peer, err = store.Create(serverClaims.PeerID, attrs)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if err := store.UpdatePublicKey(peer.ID, advertising.PublicKey); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
@@ -117,39 +116,39 @@ func UpdateHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
 
 		peerID, err := GetPeerID(r)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		peer, err := store.Get(peerID)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if peer == nil {
-			logger.Printf("[ERROR] %s", ErrUnauthorized)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized))
 			options.ErrorHandler(w, r, ErrUnauthorized)
 			return
 		}
 
 		if peer.Status == peering.StatusRejected {
-			logger.Printf("[ERROR] %s", ErrPeerRejected)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected))
 			options.ErrorHandler(w, r, ErrPeerRejected)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		attrs := filterAttributes(options.PeerAttributes, update.Attributes)
 		if err := store.UpdateAttributes(peer.ID, attrs); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
@@ -176,32 +175,32 @@ func PingHandler(store peering.Store, funcs ...OptionFunc) http.HandlerFunc {
 
 		peerID, err := GetPeerID(r)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		peer, err := store.Get(peerID)
 		if err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}
 
 		if peer == nil {
-			logger.Printf("[ERROR] %s", ErrUnauthorized)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrUnauthorized))
 			options.ErrorHandler(w, r, ErrUnauthorized)
 			return
 		}
 
 		if peer.Status == peering.StatusRejected {
-			logger.Printf("[ERROR] %s", ErrPeerRejected)
+			logger.Printf("[ERROR] %+v", errors.WithStack(ErrPeerRejected))
 			options.ErrorHandler(w, r, ErrPeerRejected)
 			return
 		}
 
 		if err := store.UpdateLastContact(peer.ID, r.RemoteAddr, time.Now()); err != nil {
-			logger.Printf("[ERROR] %s", err)
+			logger.Printf("[ERROR] %+v", errors.WithStack(err))
 			options.ErrorHandler(w, r, err)
 			return
 		}

server/middleware.go

@@ -5,17 +5,16 @@ import (
 	"context"
 	"crypto/rsa"
 	"crypto/sha256"
-	"errors"
 	"io"
 	"io/ioutil"
+	"net/http"
 	"time"
 
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
 	jwt "github.com/dgrijalva/jwt-go"
-
+	"github.com/pkg/errors"
-	"net/http"
 )
 
 const (
@@ -38,7 +37,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 
 	middleware := func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-
 			serverToken := r.Header.Get(ServerTokenHeader)
 			if serverToken == "" {
 				sendError(w, http.StatusUnauthorized)
@@ -53,52 +51,60 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 
 			serverClaims, err := assertServerToken(key, serverToken)
 			if err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				sendError(w, http.StatusUnauthorized)
 				return
 			}
 
-			clientClaims, err := assertClientToken(serverClaims.PeerID, store, clientToken)
+			clientClaims, err := assertClientToken(
+				serverClaims.PeerID,
+				store,
+				clientToken,
+				logger,
+				options.IgnoredClientTokenErrors...,
+			)
 			if err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				switch err {
 				case peering.ErrPeerNotFound:
 					sendError(w, http.StatusUnauthorized)
 				case ErrNotPeered:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-						logger.Printf("[ERROR] %s", err)
+						logger.Printf("[ERROR] %+v", errors.WithStack(err))
 						sendError(w, http.StatusInternalServerError)
 						return
 					}
 					sendError(w, http.StatusUnauthorized)
+					return
 				case ErrPeerRejected:
 					if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-						logger.Printf("[ERROR] %s", err)
+						logger.Printf("[ERROR] %+v", errors.WithStack(err))
 						sendError(w, http.StatusInternalServerError)
 						return
 					}
 					sendError(w, http.StatusForbidden)
+					return
 				default:
 					sendError(w, http.StatusInternalServerError)
-				}
 					return
 				}
+			}
 
 			match, body, err := assertBodySum(r.Body, clientClaims.BodySum)
 			if err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				sendError(w, http.StatusInternalServerError)
 				return
 			}
 
 			if !match {
-				logger.Printf("[ERROR] %s", ErrInvalidChecksum)
+				logger.Printf("[ERROR] %+v", errors.WithStack(ErrInvalidChecksum))
 				sendError(w, http.StatusBadRequest)
 				return
 			}
 
 			if err := store.UpdateLastContact(serverClaims.PeerID, r.RemoteAddr, time.Now()); err != nil {
-				logger.Printf("[ERROR] %s", err)
+				logger.Printf("[ERROR] %+v", errors.WithStack(err))
 				sendError(w, http.StatusInternalServerError)
 				return
 			}
@@ -108,7 +114,6 @@ func Authenticate(store peering.Store, key *rsa.PublicKey, funcs ...OptionFunc)
 			r.Body = ioutil.NopCloser(bytes.NewBuffer(body))
 
 			next.ServeHTTP(w, r)
-
 		}
 		return http.HandlerFunc(fn)
 	}
@@ -145,7 +150,7 @@ func assertServerToken(key *rsa.PublicKey, serverToken string) (*peering.ServerT
 	return claims, nil
 }
 
-func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string) (*peering.ClientTokenClaims, error) {
+func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken string, logger Logger, ignoredValidationErrors ...uint32) (*peering.ClientTokenClaims, error) {
 	fn := func(token *jwt.Token) (interface{}, error) {
 		peer, err := store.Get(peerID)
 		if err != nil {
@@ -163,22 +168,35 @@ func assertClientToken(peerID peering.PeerID, store peering.Store, clientToken s
 		}
 		return publicKey, nil
 	}
-	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
+
-	if err != nil {
+	getPeeringClaims := func(token *jwt.Token) (*peering.ClientTokenClaims, error) {
-		validationError, ok := err.(*jwt.ValidationError)
-		if ok {
-			return nil, validationError.Inner
-		}
-		return nil, err
-	}
-	if !token.Valid {
-		return nil, ErrInvalidClaims
-	}
 		claims, ok := token.Claims.(*peering.ClientTokenClaims)
 		if !ok {
 			return nil, ErrInvalidClaims
 		}
 		return claims, nil
+	}
+
+	token, err := jwt.ParseWithClaims(clientToken, &peering.ClientTokenClaims{}, fn)
+	if err != nil {
+		validationError, ok := err.(*jwt.ValidationError)
+		if ok {
+			for _, c := range ignoredValidationErrors {
+				if validationError.Errors&c != 0 {
+					logger.Printf("ignoring token validation error: '%+v'", errors.WithStack(validationError.Inner))
+					return getPeeringClaims(token)
+				}
+			}
+			return nil, validationError.Inner
+		}
+		return nil, err
+	}
+
+	if !token.Valid {
+		return nil, ErrInvalidClaims
+	}
+
+	return getPeeringClaims(token)
 }
 
 func assertBodySum(rc io.ReadCloser, bodySum []byte) (bool, []byte, error) {
@@ -200,6 +218,15 @@ func sendError(w http.ResponseWriter, status int) {
 	http.Error(w, http.StatusText(status), status)
 }
 
+func filterIgnoredValidationError(err *jwt.ValidationError, ignored ...uint32) error {
+	for _, c := range ignored {
+		if err.Errors&c != 0 {
+			return nil
+		}
+	}
+	return err
+}
+
 func compareChecksum(body []byte, sum []byte) (bool, error) {
 	sha := sha256.New()
 	_, err := sha.Write(body)

server/option.go

@@ -14,6 +14,7 @@ type Options struct {
 	PeerAttributes           []string
 	ErrorHandler             ErrorHandler
 	Logger                   Logger
+	IgnoredClientTokenErrors []uint32
 }
 
 type OptionFunc func(*Options)
@@ -38,12 +39,19 @@ func WithErrorHandler(handler ErrorHandler) OptionFunc {
 	}
 }
 
+func WithIgnoredClientTokenErrors(codes ...uint32) OptionFunc {
+	return func(options *Options) {
+		options.IgnoredClientTokenErrors = codes
+	}
+}
+
 func defaultOptions() *Options {
 	logger := log.New(os.Stdout, "[go-http-peering] ", log.LstdFlags|log.Lshortfile)
 	return &Options{
 		PeerAttributes:           []string{"Label"},
 		ErrorHandler:             DefaultErrorHandler,
 		Logger:                   logger,
+		IgnoredClientTokenErrors: make([]uint32, 0),
 	}
 }
 

test/advertise_test.go

@@ -5,13 +5,13 @@ import (
 	"testing"
 	"time"
 
-	"forge.cadoles.com/wpetit/go-http-peering/client"
+	"forge.cadoles.com/Cadoles/go-http-peering/client"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
 )
 
 func TestAdvertise(t *testing.T) {

test/ping_test.go

@@ -3,11 +3,11 @@ package test
 import (
 	"testing"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/client"
+	"forge.cadoles.com/Cadoles/go-http-peering/client"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 )
 
 func TestPing(t *testing.T) {

test/update_test.go

@@ -5,12 +5,12 @@ import (
 	"testing"
 	"time"
 
-	peering "forge.cadoles.com/wpetit/go-http-peering"
+	peering "forge.cadoles.com/Cadoles/go-http-peering"
-	"forge.cadoles.com/wpetit/go-http-peering/client"
+	"forge.cadoles.com/Cadoles/go-http-peering/client"
-	"forge.cadoles.com/wpetit/go-http-peering/crypto"
+	"forge.cadoles.com/Cadoles/go-http-peering/crypto"
-	peeringCrypto "forge.cadoles.com/wpetit/go-http-peering/crypto"
+	peeringCrypto "forge.cadoles.com/Cadoles/go-http-peering/crypto"
-	"forge.cadoles.com/wpetit/go-http-peering/memory"
+	"forge.cadoles.com/Cadoles/go-http-peering/memory"
-	"forge.cadoles.com/wpetit/go-http-peering/server"
+	"forge.cadoles.com/Cadoles/go-http-peering/server"
 )
 
 func TestUpdate(t *testing.T) {