package jwt
import (
"crypto/rsa"
"crypto/sha256"
"encoding/hex"
"time"
"code.tjo.space/mentos1386/zdravko/database/models"
"github.com/golang-jwt/jwt/v5"
"github.com/pkg/errors"
)
// JwtPublicKeyID derives a stable identifier for an RSA public key: the
// lowercase hex encoding of SHA-256 over the big-endian bytes of the
// modulus N. NewToken places it in the JWT "kid" header.
//
// NOTE(review): this is not an RFC 7638 JWK thumbprint (the exponent E is
// not part of the hash), so it will not match thumbprints produced by other
// tooling; it is only meaningful to consumers of this package. A nil key
// panics, as the callers only ever pass keys that have already been parsed.
func JwtPublicKeyID(key *rsa.PublicKey) string {
	modulus := key.N.Bytes()
	digest := sha256.Sum256(modulus)
	return hex.EncodeToString(digest[:])
}
// JwtPrivateKey decodes a PEM-encoded RSA private key (in whichever PEM
// forms jwt.ParseRSAPrivateKeyFromPEM accepts) into an *rsa.PrivateKey.
//
// A parse failure is returned wrapped with context. It indicates a
// misconfigured signing key, not a bad token, and should be treated as a
// startup/configuration error by callers.
func JwtPrivateKey(privateKey string) (*rsa.PrivateKey, error) {
	parsed, parseErr := jwt.ParseRSAPrivateKeyFromPEM([]byte(privateKey))
	if parseErr != nil {
		return nil, errors.Wrap(parseErr, "failed to parse private key")
	}
	return parsed, nil
}
// JwtPublicKey decodes a PEM-encoded RSA public key (in whichever PEM forms
// jwt.ParseRSAPublicKeyFromPEM accepts) into an *rsa.PublicKey.
//
// A parse failure is returned wrapped with context; it points at a
// misconfigured verification key rather than at an invalid token.
func JwtPublicKey(publicKey string) (*rsa.PublicKey, error) {
	parsed, parseErr := jwt.ParseRSAPublicKeyFromPEM([]byte(publicKey))
	if parseErr != nil {
		return nil, errors.Wrap(parseErr, "failed to parse public key")
	}
	return parsed, nil
}
// Claims is the payload of every token issued by this package: the standard
// registered claims (iss, sub, exp, nbf, iat) plus a custom "permissions"
// array. The constructors below build it with unkeyed fields, so the field
// order here is part of the contract.
type Claims struct {
	jwt.RegisteredClaims
	// Permissions is serialised as the "permissions" claim. The NewTokenFor*
	// constructors fill it with "namespace:role" strings such as
	// "default:admin"; presumably this is the shape consumed by Temporal's
	// default claim mapper (see the Ref link in those constructors) —
	// verify against the deployment's Temporal authorizer configuration.
	Permissions []string `json:"permissions"`
}
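// NewTokenForUser issues a signed JWT for a human user identified by email.
//
// The token is signed with privateKey (PEM), carries a "kid" derived from
// publicKey (PEM), and has subject "user:<email>". Its permissions claim
// grants admin on the "temporal-system" and "default" namespaces (see the
// Ref below) — every user token is therefore a full Temporal administrator.
//
// An empty email is rejected: it would otherwise mint an admin token with the
// anonymous subject "user:", which no audit log could attribute to anyone.
//
// iat, nbf and exp are derived from a single time.Now() so the three claims
// are mutually consistent.
//
// NOTE(review): the token lives ~360 days (12*30*24h) and carries admin
// rights, and this package offers no revocation; a leaked token stays valid
// for up to a year unless the signing key is rotated. A much shorter lifetime
// with refresh, or a server-side denylist, is worth considering.
func NewTokenForUser(privateKey string, publicKey string, email string) (string, error) {
	if email == "" {
		return "", errors.New("email must not be empty")
	}

	now := time.Now()
	claims := Claims{
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(now.Add(12 * 30 * 24 * time.Hour)),
			IssuedAt:  jwt.NewNumericDate(now),
			NotBefore: jwt.NewNumericDate(now),
			Issuer:    "zdravko",
			Subject:   "user:" + email,
		},
		// Ref: https://docs.temporal.io/self-hosted-guide/security#authorization
		Permissions: []string{"temporal-system:admin", "default:admin"},
	}

	return NewToken(privateKey, publicKey, claims)
}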
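// NewTokenForServer issues the JWT the zdravko server itself presents to
// Temporal. The subject is the fixed string "server" and the permissions
// claim grants admin on the "temporal-system" and "default" namespaces (see
// the Ref below).
//
// iat, nbf and exp are derived from a single time.Now() so the three claims
// are mutually consistent rather than drifting by a few nanoseconds.
//
// NOTE(review): this is a ~360-day (12*30*24h) admin bearer token with no
// revocation mechanism in this package; rotating the signing key is the only
// way to invalidate it early. Consider a shorter lifetime and re-issuing on
// startup.
func NewTokenForServer(privateKey string, publicKey string) (string, error) {
	now := time.Now()
	claims := Claims{
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(now.Add(12 * 30 * 24 * time.Hour)),
			IssuedAt:  jwt.NewNumericDate(now),
			NotBefore: jwt.NewNumericDate(now),
			Issuer:    "zdravko",
			Subject:   "server",
		},
		// Ref: https://docs.temporal.io/self-hosted-guide/security#authorization
		Permissions: []string{"temporal-system:admin", "default:admin"},
	}

	return NewToken(privateKey, publicKey, claims)
}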
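// NewTokenForWorker issues a signed JWT for a worker group.
//
// The subject is "worker-group:<Id>" and the permissions claim grants only
// the read/write/worker roles on the "default" namespace (see the Ref below)
// — deliberately narrower than the admin grants in NewTokenForUser and
// NewTokenForServer; keep it that way.
//
// A nil workerGroup is rejected with an error instead of being dereferenced
// (which would panic inside the issuing path).
//
// iat, nbf and exp are derived from a single time.Now() so the three claims
// are mutually consistent.
//
// NOTE(review): like the other constructors this mints a ~360-day
// (12*30*24h) token with no revocation; worker credentials tend to end up in
// config files and CI secrets, so a shorter lifetime or a rotation story is
// worth considering.
func NewTokenForWorker(privateKey string, publicKey string, workerGroup *models.WorkerGroup) (string, error) {
	if workerGroup == nil {
		return "", errors.New("worker group must not be nil")
	}

	now := time.Now()
	claims := Claims{
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(now.Add(12 * 30 * 24 * time.Hour)),
			IssuedAt:  jwt.NewNumericDate(now),
			NotBefore: jwt.NewNumericDate(now),
			Issuer:    "zdravko",
			Subject:   "worker-group:" + workerGroup.Id,
		},
		// Ref: https://docs.temporal.io/self-hosted-guide/security#authorization
		Permissions: []string{"default:read", "default:write", "default:worker"},
	}

	return NewToken(privateKey, publicKey, claims)
}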
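// NewToken signs claims with the PEM-encoded RSA privateKey using RS256 and
// returns the compact serialised token. The "kid" header is set to
// JwtPublicKeyID(publicKey) so a verifier holding several keys can select
// the right one.
//
// Both PEMs are parsed on every call; parse failures are returned wrapped
// (see JwtPrivateKey / JwtPublicKey). The two keys are additionally checked
// to be the same pair: the kid is derived from publicKey while the signature
// is produced with privateKey, so a mismatch would mint a token that
// advertises a kid under which it can never verify. That is a configuration
// error and is reported as one rather than discovered at verification time.
func NewToken(privateKey string, publicKey string, claims Claims) (string, error) {
	privKey, err := JwtPrivateKey(privateKey)
	if err != nil {
		return "", err
	}

	pubKey, err := JwtPublicKey(publicKey)
	if err != nil {
		return "", err
	}

	// Modulus and exponent together identify an RSA public key.
	if privKey.PublicKey.N.Cmp(pubKey.N) != 0 || privKey.PublicKey.E != pubKey.E {
		return "", errors.New("public key does not match private key")
	}

	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
	token.Header["kid"] = JwtPublicKeyID(pubKey)

	signed, err := token.SignedString(privKey)
	if err != nil {
		return "", errors.Wrap(err, "failed to sign token")
	}

	return signed, nil
}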
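// ParseToken verifies tokenString against the PEM-encoded RSA publicKey and
// decodes its Claims. Verification enforces:
//
//   - an RSA PKCS#1 v1.5 signature (RS256/RS384/RS512): the keyfunc rejects
//     every other method, so "alg":"none" or an HMAC token keyed with the
//     public-key bytes cannot pass (algorithm-confusion defence);
//   - a present and unexpired "exp" (WithExpirationRequired) — every token
//     minted by NewToken carries one, so a token without it is not ours;
//   - issuer "zdravko", which all NewTokenFor* constructors set; a caller of
//     NewToken that sets a different issuer must be reflected here;
//   - "nbf", when present (library default).
//
// The public key is parsed once up front so a malformed key surfaces as a
// configuration error instead of being folded into an unverifiable-token
// error. On any failure both token and claims are nil; callers must not read
// claims unless err is nil.
func ParseToken(tokenString string, publicKey string) (*jwt.Token, *Claims, error) {
	pubKey, err := JwtPublicKey(publicKey)
	if err != nil {
		return nil, nil, err
	}

	keyFunc := func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
			return nil, errors.New("unexpected signing method")
		}
		return pubKey, nil
	}

	claims := &Claims{}
	token, err := jwt.ParseWithClaims(tokenString, claims, keyFunc,
		jwt.WithExpirationRequired(),
		jwt.WithIssuer("zdravko"),
	)
	if err != nil {
		return nil, nil, err
	}

	return token, claims, nil
}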