feat(lib): Create Auth tokens using inst.Access()

qri-io · Mar 4, 2021 · 3be7af2 · 3be7af2
1 parent 12397c4
commit 3be7af2
Show file tree

Hide file tree

Showing 11 changed files with 285 additions and 23 deletions.
diff --git a/auth/key/key.go b/auth/key/key.go
@@ -6,7 +6,6 @@ import (
  logger "github.com/ipfs/go-log"
  "github.com/libp2p/go-libp2p-core/crypto"
  peer "github.com/libp2p/go-libp2p-core/peer"
- "github.com/multiformats/go-multihash"
 )
 
 var log = logger.Logger("key")
@@ -38,15 +37,9 @@ func IDFromPubKey(pubKey crypto.PubKey) (string, error) {
  return "", fmt.Errorf("identity: public key is required")
  }
 
- pubkeybytes, err := pubKey.Bytes()
+ id, err := peer.IDFromPublicKey(pubKey)
  if err != nil {
- return "", fmt.Errorf("getting pubkey bytes: %s", err.Error())
- }
-
- mh, err := multihash.Sum(pubkeybytes, multihash.SHA2_256, 32)
- if err != nil {
- return "", fmt.Errorf("summing pubkey: %s", err.Error())
+ return "", err
  }
-
- return mh.B58String(), nil
+ return id.Pretty(), err
 }
diff --git a/auth/token/token.go b/auth/token/token.go
@@ -13,7 +13,9 @@ import (
 
  jwt "github.com/dgrijalva/jwt-go"
  "github.com/libp2p/go-libp2p-core/crypto"
+ "github.com/libp2p/go-libp2p-core/peer"
  "github.com/qri-io/qfs"
+ "github.com/qri-io/qri/auth/key"
  "github.com/qri-io/qri/profile"
 )
 
@@ -36,6 +38,7 @@ type Token = jwt.Token
 // Claims is a JWT Claims object
 type Claims struct {
  *jwt.StandardClaims
+ // TODO(b5): this needs to be replaced with a profileID
  Username string `json:"username"`
 }
 
@@ -44,6 +47,83 @@ func Parse(tokenString string, tokens Source) (*Token, error) {
  return jwt.Parse(tokenString, tokens.VerificationKey)
 }
 
+// NewPrivKeyAuthToken creates a JWT token string suitable for making requests
+// authenticated as the given private key
+func NewPrivKeyAuthToken(pk crypto.PrivKey, ttl time.Duration) (string, error) {
+ signingMethod, err := jwtSigningMethod(pk)
+ if err != nil {
+ return "", err
+ }
+
+ t := jwt.New(signingMethod)
+
+ id, err := key.IDFromPrivKey(pk)
+ if err != nil {
+ return "", err
+ }
+
+ rawPrivBytes, err := pk.Raw()
+ if err != nil {
+ return "", err
+ }
+ signKey, err := x509.ParsePKCS1PrivateKey(rawPrivBytes)
+ if err != nil {
+ return "", err
+ }
+
+ var exp int64
+ if ttl != time.Duration(0) {
+ exp = Timestamp().Add(ttl).In(time.UTC).Unix()
+ }
+
+ // set our claims
+ t.Claims = &Claims{
+ StandardClaims: &jwt.StandardClaims{
+ Issuer: id,
+ Subject: id,
+ // set the expire time
+ // see http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-4.1.4
+ ExpiresAt: exp,
+ },
+ }
+
+ // Creat token string
+ return t.SignedString(signKey)
+}
+
+// ParseAuthToken will parse, validate and return a token
+func ParseAuthToken(tokenString string, keystore key.Store) (*Token, error) {
+ claims := &Claims{}
+ return jwt.ParseWithClaims(tokenString, claims, func(t *Token) (interface{}, error) {
+ pid, err := peer.Decode(claims.Issuer)
+ if err != nil {
+ return nil, err
+ }
+ pubKey := keystore.PubKey(pid)
+ if pubKey == nil {
+ for _, pid := range keystore.IDsWithKeys() {
+ fmt.Printf("key %s has a pid\n", pid)
+ }
+ return nil, fmt.Errorf("cannot verify key. missing public key for id %s", claims.Issuer)
+ }
+ rawPubBytes, err := pubKey.Raw()
+ if err != nil {
+ return nil, err
+ }
+
+ verifyKeyiface, err := x509.ParsePKIXPublicKey(rawPubBytes)
+ if err != nil {
+ return nil, err
+ }
+
+ verifyKey, ok := verifyKeyiface.(*rsa.PublicKey)
+ if !ok {
+ return nil, fmt.Errorf("public key is not an RSA key. got type: %T", verifyKeyiface)
+ }
+ return verifyKey, nil
+ })
+}
+
 // Source creates tokens, and provides a verification key for all tokens
 // it creates
 //
@@ -69,17 +149,11 @@ var _ Source = (*pkSource)(nil)
 // NewPrivKeySource creates an authentication interface backed by a single
 // private key. Intended for a node running as remote, or providing a public API
 func NewPrivKeySource(privKey crypto.PrivKey) (Source, error) {
- methodStr := ""
- keyType := privKey.Type().String()
- switch keyType {
- case "RSA":
- methodStr = "RS256"
- default:
- return nil, fmt.Errorf("unsupported key type for token creation: %q", keyType)
+ signingMethod, err := jwtSigningMethod(privKey)
+ if err != nil {
+ return nil, err
  }
 
- signingMethod := jwt.GetSigningMethod(methodStr)
-
  rawPrivBytes, err := privKey.Raw()
  if err != nil {
  return nil, err
@@ -304,3 +378,13 @@ func (st *qfsStore) save(ctx context.Context) error {
  st.path = path
  return nil
 }
+
+func jwtSigningMethod(pk crypto.PrivKey) (jwt.SigningMethod, error) {
+ keyType := pk.Type().String()
+ switch keyType {
+ case "RSA":
+ return jwt.GetSigningMethod("RS256"), nil
+ default:
+ return nil, fmt.Errorf("unsupported key type for token creation: %q", keyType)
+ }
+}
diff --git a/auth/token/token_test.go b/auth/token/token_test.go
@@ -6,6 +6,7 @@ import (
  "time"
 
  "github.com/qri-io/qfs"
+ "github.com/qri-io/qri/auth/key"
  testkeys "github.com/qri-io/qri/auth/key/test"
  "github.com/qri-io/qri/auth/token"
  token_spec "github.com/qri-io/qri/auth/token/spec"
@@ -64,3 +65,26 @@ func TestTokenStore(t *testing.T) {
  return ts
  })
 }
+
+func TestNewPrivKeyAuthToken(t *testing.T) {
+ // create a token from a private key
+ kd := testkeys.GetKeyData(0)
+ str, err := token.NewPrivKeyAuthToken(kd.PrivKey, 0)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // prove we can parse a token with a store that only has a public key
+ ks, err := key.NewMemStore()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if err := ks.AddPubKey(kd.KeyID, kd.PrivKey.GetPublic()); err != nil {
+ t.Fatal(err)
+ }
+
+ _, err = token.ParseAuthToken(str, ks)
+ if err != nil {
+ t.Fatal(err)
+ }
+}
diff --git a/lib/access.go b/lib/access.go
@@ -0,0 +1,90 @@
+package lib
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ "github.com/qri-io/qri/auth/token"
+ "github.com/qri-io/qri/profile"
+)
+
+// AccessMethods is a group of methods for access control & user authentication
+type AccessMethods struct {
+ d dispatcher
+}
+
+// Name returns the name of this method group
+func (m AccessMethods) Name() string {
+ return "access"
+}
+
+// Access returns the authentication that Instance has registered
+func (inst *Instance) Access() AccessMethods {
+ return AccessMethods{d: inst}
+}
+
+// CreateAuthTokenParams are input parameters for Access().CreateAuthToken
+type CreateAuthTokenParams struct {
+ GranteeUsername string
+ GranteeProfileID string
+ TTL time.Duration
+}
+
+// SetNonZeroDefaults uses default token time-to-live if one isn't set
+func (p *CreateAuthTokenParams) SetNonZeroDefaults() {
+ if p.TTL == 0 {
+ p.TTL = token.DefaultTokenTTL
+ }
+}
+
+// Valid checks if the profile in question is valid
+func (p *CreateAuthTokenParams) Valid() error {
+ if p.GranteeUsername == "" && p.GranteeProfileID == "" {
+ return fmt.Errorf("either grantee username or profile is required")
+ }
+ return nil
+}
+
+// CreateAuthToken constructs a JWT string token suitable for making OAuth
+// requests as the grantee user. Creating an access token requires a stored
+// private key for the grantee.
+// Callers can provide either GranteeUsername OR GranteeProfileID
+func (m AccessMethods) CreateAuthToken(ctx context.Context, p *CreateAuthTokenParams) (string, error) {
+ res, err := m.d.Dispatch(ctx, dispatchMethodName(m, "createauthtoken"), p)
+ if s, ok := res.(string); ok {
+ return s, err
+ }
+ return "", err
+}
+
+// accessImpl is the backing implementation for AccessMethods
+type accessImpl struct{}
+
+func (accessImpl) CreateAuthToken(scp scope, p *CreateAuthTokenParams) (string, error) {
+ var (
+ grantee *profile.Profile
+ err error
+ )
+
+ if p.GranteeProfileID != "" {
+ id, err := profile.IDB58Decode(p.GranteeProfileID)
+ if err != nil {
+ return "", err
+ }
+ if grantee, err = scp.Profiles().GetProfile(id); err != nil {
+ return "", err
+ }
+ } else if p.GranteeUsername != "" {
+ if grantee, err = profile.ResolveUsername(scp.Profiles(), p.GranteeUsername); err != nil {
+ return "", err
+ }
+ }
+
+ pk := grantee.PrivKey
+ if pk == nil {
+ return "", fmt.Errorf("cannot create token for %q (id: %s), private key is required", grantee.Peername, grantee.ID.String())
+ }
+
+ return token.NewPrivKeyAuthToken(pk, p.TTL)
+}
diff --git a/lib/access_test.go b/lib/access_test.go
@@ -0,0 +1,30 @@
+package lib
+
+import (
+ "context"
+ "testing"
+
+ "github.com/qri-io/qri/auth/token"
+)
+
+func TestAccessCreateAuthToken(t *testing.T) {
+ ctx, cancel := context.WithCancel(context.Background())
+ defer cancel()
+ inst, cleanup := NewMemTestInstance(ctx, t)
+ defer cleanup()
+
+ // create an authentication token using the owner profile
+ p := &CreateAuthTokenParams{
+ GranteeUsername: inst.cfg.Profile.Peername,
+ }
+ s, err := inst.Access().CreateAuthToken(ctx, p)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ // prove we can parse & validate that token
+ _, err = token.ParseAuthToken(s, inst.keystore)
+ if err != nil {
+ t.Fatal(err)
+ }
+}
diff --git a/lib/dispatch.go b/lib/dispatch.go
@@ -134,6 +134,7 @@ func (inst *Instance) RegisterMethods() {
  // TODO(dustmop): Change registerOne to take both the MethodSet and the Impl, validate
  // that their signatures agree.
  inst.registerOne("fsi", &FSIImpl{}, reg)
+ inst.registerOne("access", accessImpl{}, reg)
  inst.regMethods = &regMethodSet{reg: reg}
 }
 

diff --git a/lib/lib.go b/lib/lib.go
@@ -361,7 +361,7 @@ func NewInstance(ctx context.Context, repoPath string, opts ...Option) (qri *Ins
  // If configuration does not have a path assigned, but the repo has a path and
  // is stored on the filesystem, add that path to the configuration.
  if cfg.Repo.Type == "fs" && cfg.Path() == "" {
- cfg.SetPath(filepath.Join(repoPath, "config.yal"))
+ cfg.SetPath(filepath.Join(repoPath, "config.yaml"))
  }
 
  inst := &Instance{

diff --git a/lib/lib_test.go b/lib/lib_test.go
@@ -355,3 +355,34 @@ func TestNewInstanceWithAccessControlPolicy(t *testing.T) {
  t.Errorf("expected no policy enforce error, got: %s", err)
  }
 }
+
+// NewMemTestInstance creates an in-memory instance
+// TODO(b5): currently "NewInstance" hard-requires a repo-path, even if we can
+// provide a configuration that specifies entirely in-memory stores. We should
+// make it possible to create fully in-memory Instances using NewInstance,
+// but for now I'm working around it with a temp directory & cleanup function
+func NewMemTestInstance(ctx context.Context, t *testing.T) (inst *Instance, cleanup func()) {
+ t.Helper()
+ tmpPath, err := ioutil.TempDir("", "qri_test_mem_instance")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ cfg := testcfg.DefaultConfigForTesting()
+ cfg.Filesystems = []qfs.Config{
+ {Type: "mem"},
+ {Type: "local"},
+ }
+ cfg.Repo.Type = "mem"
+ if err := cfg.WriteToFile(filepath.Join(tmpPath, "config.yaml")); err != nil {
+ t.Fatal(err)
+ }
+
+ // TODO(b5): I'd like to be able to do this:
+ // if inst, err = NewInstance(ctx, "", OptConfig(cfg)); err != nil {
+ if inst, err = NewInstance(ctx, tmpPath); err != nil {
+ t.Fatal(err)
+ }
+
+ return inst, func() { os.RemoveAll(tmpPath) }
+}
diff --git a/lib/scope.go b/lib/scope.go
@@ -9,6 +9,7 @@ import (
  "github.com/qri-io/qri/dsref"
  "github.com/qri-io/qri/event"
  "github.com/qri-io/qri/fsi"
+ "github.com/qri-io/qri/profile"
  "github.com/qri-io/qri/repo"
 )
 
@@ -53,6 +54,11 @@ func (s *scope) Dscache() *dscache.Dscache {
  return s.inst.Dscache()
 }
 
+// Profiles accesses the profile store
+func (s *scope) Profiles() profile.Store {
+ return s.inst.profiles
+}
+
 // ParseAndResolveRef parses a reference and resolves it
 func (s *scope) ParseAndResolveRef(ctx context.Context, refStr, source string) (dsref.Ref, string, error) {
  return s.inst.ParseAndResolveRef(ctx, refStr, source)