jwt: Add JWT support for minio server.

Please read JWT.md before using this feature.
2025-11-20 01:50:24 -05:00 · 2016-01-21 16:28:15 -08:00
parent 9cb590d800
commit 0a9496462a
39 changed files with 3629 additions and 6 deletions
--- a/jwt.go
+++ b/jwt.go
@@ -0,0 +1,108 @@
+package main
+
+import (
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"io/ioutil"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// JWTAuthBackend - jwt auth backend
+type JWTAuthBackend struct {
+	privateKey *rsa.PrivateKey
+	PublicKey  *rsa.PublicKey
+}
+
+const (
+	jwtExpirationDelta = 10
+	expireOffset       = 3600
+)
+
+// InitJWT - init.
+func InitJWT() *JWTAuthBackend {
+	authBackendInstance := &JWTAuthBackend{
+		privateKey: getPrivateKey(),
+		PublicKey:  getPublicKey(),
+	}
+	return authBackendInstance
+}
+
+// GenerateToken -
+func (b *JWTAuthBackend) GenerateToken(userName string) (string, error) {
+	token := jwt.New(jwt.SigningMethodRS512)
+	token.Claims["exp"] = time.Now().Add(time.Hour * time.Duration(jwtExpirationDelta)).Unix()
+	token.Claims["iat"] = time.Now().Unix()
+	token.Claims["sub"] = userName
+	tokenString, err := token.SignedString(b.privateKey)
+	if err != nil {
+		return "", err
+	}
+	return tokenString, nil
+}
+
+// Authenticate -
+func (b *JWTAuthBackend) Authenticate(user *User) bool {
+	hashedPassword, _ := bcrypt.GenerateFromPassword([]byte("BYvgJM101sHngl2uzjXS/OBF/aMxAN06JrJ3qJlF"), 10)
+	testUser := User{
+		Username: "WLGDGYAQYIGI833EV05A",
+		Password: string(hashedPassword),
+	}
+	if user.Username == testUser.Username {
+		return bcrypt.CompareHashAndPassword([]byte(testUser.Password), []byte(user.Password)) == nil
+	}
+	return false
+}
+
+//
+func (b *JWTAuthBackend) getTokenRemainingValidity(timestamp interface{}) int {
+	if validity, ok := timestamp.(float64); ok {
+		tm := time.Unix(int64(validity), 0)
+		remainer := tm.Sub(time.Now())
+		if remainer > 0 {
+			return int(remainer.Seconds() + expireOffset)
+		}
+	}
+	return expireOffset
+}
+
+// Logout - logout
+func (b *JWTAuthBackend) Logout(tokenString string, token *jwt.Token) error {
+	b.getTokenRemainingValidity(token.Claims["exp"])
+	return nil
+}
+
+func getPrivateKey() *rsa.PrivateKey {
+	pemBytes, err := ioutil.ReadFile(mustGetPrivateKeyPath())
+	if err != nil {
+		panic(err)
+	}
+	data, _ := pem.Decode([]byte(pemBytes))
+	privateKeyImported, err := x509.ParsePKCS1PrivateKey(data.Bytes)
+	if err != nil {
+		panic(err)
+	}
+	return privateKeyImported
+}
+
+func getPublicKey() *rsa.PublicKey {
+	pemBytes, err := ioutil.ReadFile(mustGetPublicKeyPath())
+	if err != nil {
+		panic(err)
+	}
+	data, _ := pem.Decode([]byte(pemBytes))
+	publicKeyImported, err := x509.ParsePKIXPublicKey(data.Bytes)
+	if err != nil {
+		panic(err)
+	}
+
+	rsaPub, ok := publicKeyImported.(*rsa.PublicKey)
+	if !ok {
+		panic(err)
+	}
+
+	return rsaPub
+}