-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathpath_verify.go
114 lines (101 loc) · 3.23 KB
/
path_verify.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
// Copyright © 2018 Immutability, LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"context"
"crypto/ecdsa"
"fmt"
"regexp"
"strings"
jwt "github.com/dgrijalva/jwt-go"
"github.com/ethereum/go-ethereum/common/hexutil"
"github.com/ethereum/go-ethereum/crypto"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
func verifyPaths(b *PluginBackend) []*framework.Path {
return []*framework.Path{
&framework.Path{
Pattern: "verify",
HelpSynopsis: "Verify that this claim (JWT) is good.",
HelpDescription: `
Validate that this trustee made a claim.
`,
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "The JWT to verify.",
},
},
ExistenceCheck: b.pathExistenceCheck,
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.CreateOperation: b.pathVerifyClaim,
},
},
}
}
func (b *PluginBackend) pathVerifyClaim(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
_, err := b.configured(ctx, req)
if err != nil {
return nil, err
}
rawToken := data.Get("token").(string)
claims, _, err := b.verifyClaim(ctx, rawToken)
if err == nil {
return &logical.Response{
Data: claims,
}, nil
}
return nil, fmt.Errorf("Error verifying token")
}
func (b *PluginBackend) verifyClaim(ctx context.Context, rawToken string) (jwt.MapClaims, *ecdsa.PublicKey, error) {
tokenWithoutWhitespace := regexp.MustCompile(`\s*$`).ReplaceAll([]byte(rawToken), []byte{})
token := string(tokenWithoutWhitespace)
jwtToken, _, err := new(jwt.Parser).ParseUnverified(token, jwt.MapClaims{})
if err != nil || jwtToken == nil {
return nil, nil, fmt.Errorf("cannot parse token")
}
unverifiedJwt := jwtToken.Claims.(jwt.MapClaims)
if unverifiedJwt == nil {
return nil, nil, fmt.Errorf("cannot get claims")
}
ethereumAddress := unverifiedJwt["iss"].(string)
jti := unverifiedJwt["jti"].(string)
signatureRaw := unverifiedJwt["eth"].(string)
hash := hashKeccak256(jti)
signature, err := hexutil.Decode(signatureRaw)
if err != nil {
return nil, nil, err
}
pubkey, err := crypto.SigToPub(hash, signature)
if err != nil {
return nil, nil, err
}
address := crypto.PubkeyToAddress(*pubkey)
if strings.ToLower(ethereumAddress) == strings.ToLower(address.Hex()) {
validateJwt, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
return pubkey, nil
})
if err != nil {
return nil, nil, fmt.Errorf(err.Error())
}
claims := validateJwt.Claims.(jwt.MapClaims)
err = claims.Valid()
if err != nil {
return nil, nil, err
}
return claims, pubkey, nil
}
return nil, nil, fmt.Errorf("Error verifying token")
}