From 25941e0500de02f539cc6629e549e7e0096cc2eb Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sat, 4 May 2019 08:42:25 -0700
Subject: [PATCH] master: add jwt expires_after_seconds

---
 weed/command/scaffold.go | 5 +++--
 weed/security/guard.go | 9 +++++----
 weed/security/jwt.go | 9 +++++----
 weed/server/master_grpc_server_volume.go | 2 +-
 weed/server/master_server.go | 4 +++-
 weed/server/master_server_handlers.go | 2 +-
 weed/server/volume_server.go | 4 +++-
 7 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/weed/command/scaffold.go b/weed/command/scaffold.go
index 7655ab893..1f1d09ff0 100644
--- a/weed/command/scaffold.go
+++ b/weed/command/scaffold.go
@@ -262,10 +262,11 @@ directory = "/" # destination directory
 # /etc/seaweedfs/security.toml
 # this file is read by master, volume server, and filer
-# the jwt signing key is read by master and volume server
-# a jwt expires in 10 seconds
+# the jwt signing key is read by master and volume server.
+# a jwt defaults to expire after 10 seconds.
 [jwt.signing]
 key = ""
+expires_after_seconds = 10 # seconds
 # all grpc tls authentications are mutual
 # the values for the following ca, cert, and key are paths to the PERM files.
diff --git a/weed/security/guard.go b/weed/security/guard.go
index 84a415253..d8427997e 100644
--- a/weed/security/guard.go
+++ b/weed/security/guard.go
@@ -41,14 +41,15 @@ https://github.com/pkieltyka/jwtauth/blob/master/jwtauth.go
 */
 type Guard struct {
- whiteList []string
- SigningKey SigningKey
+ whiteList []string
+ SigningKey SigningKey
+ ExpiresAfterSec int
 isActive bool
 }
-func NewGuard(whiteList []string, signingKey string) *Guard {
- g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey)}
+func NewGuard(whiteList []string, signingKey string, expiresAfterSec int) *Guard {
+ g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey), ExpiresAfterSec:expiresAfterSec}
 g.isActive = len(g.whiteList) != 0 || len(g.SigningKey) != 0
 return g
 }
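Review bot: The new template comment documents the default but not what a non-positive value does, and the accompanying jwt.go change sets the `exp` claim only when the value is greater than zero, so `expires_after_seconds = 0` yields tokens that never expire. Operators reading this template need that stated, since the short TTL is the only thing bounding replay of a leaked Assign token. I would extend the second comment line to `# a jwt defaults to expire after 10 seconds; a value <= 0 produces tokens with no expiry (not recommended).` The TOML template string this hunk edits starts and ends outside the hunk.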
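Review bot: The composite literal in NewGuard is not gofmt-clean: `ExpiresAfterSec:expiresAfterSec` lacks the space after the colon, which suggests the file was not formatted before commit. The new exported field also has no doc comment, although the meaning of zero matters to every caller; I would add `// ExpiresAfterSec is the lifetime, in seconds, of JWTs generated with this guard; values <= 0 produce tokens without an exp claim (see GenJwt).` above the field and write the literal as `g := &Guard{whiteList: whiteList, SigningKey: SigningKey(signingKey), ExpiresAfterSec: expiresAfterSec}`. NewGuard accepts the value without any range check; if unbounded token lifetimes are not intended, this constructor is the single place where both servers could reject or clamp them.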
diff --git a/weed/security/jwt.go b/weed/security/jwt.go
index 45a77f093..0bd7fa974 100644
--- a/weed/security/jwt.go
+++ b/weed/security/jwt.go
@@ -18,16 +18,17 @@ type SeaweedFileIdClaims struct {
 jwt.StandardClaims
 }
-func GenJwt(signingKey SigningKey, fileId string) EncodedJwt {
+func GenJwt(signingKey SigningKey, expiresAfterSec int, fileId string) EncodedJwt {
 if len(signingKey) == 0 {
 return ""
 }
 claims := SeaweedFileIdClaims{
 fileId,
- jwt.StandardClaims{
- ExpiresAt: time.Now().Add(time.Second * 10).Unix(),
- },
+ jwt.StandardClaims{},
+ }
+ if expiresAfterSec > 0 {
+ claims.ExpiresAt = time.Now().Add(time.Second * time.Duration(expiresAfterSec)).Unix()
 }
 t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 encoded, e := t.SignedString([]byte(signingKey))
diff --git a/weed/server/master_grpc_server_volume.go b/weed/server/master_grpc_server_volume.go
index 2265cee3b..1d53b0367 100644
--- a/weed/server/master_grpc_server_volume.go
+++ b/weed/server/master_grpc_server_volume.go
@@ -94,7 +94,7 @@ func (ms *MasterServer) Assign(ctx context.Context, req *master_pb.AssignRequest
 Url: dn.Url(),
 PublicUrl: dn.PublicUrl,
 Count: count,
- Auth: string(security.GenJwt(ms.guard.SigningKey, fid)),
+ Auth: string(security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fid)),
 }, nil
 }
diff --git a/weed/server/master_server.go b/weed/server/master_server.go
index ef32809b0..e78bd58dc 100644
--- a/weed/server/master_server.go
+++ b/weed/server/master_server.go
@@ -54,6 +54,8 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 v := viper.GetViper()
 signingKey := v.GetString("jwt.signing.key")
+ v.SetDefault("jwt.signing.expires_after_seconds", 10)
+ expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
 var preallocateSize int64
 if preallocate {
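Review bot: The new `if expiresAfterSec > 0` guard means any non-positive value produces a token with no `exp` claim at all, and as far as I recall the jwt-go StandardClaims validator accepts a missing exp, so such a token stays usable until the signing key is rotated instead of for the previous hard-coded 10 seconds. That is a behavioural change from the removed lines and nothing in the hunk documents it. At minimum GenJwt should carry a doc comment: `// GenJwt signs a HS256 token authorizing writes to fileId. expiresAfterSec bounds its lifetime; a value <= 0 omits the exp claim and the token never expires.` If unbounded tokens are not intended, a safer fallback is `if expiresAfterSec <= 0 { expiresAfterSec = 10 }` before building the claims, keeping the old default as the floor. GenJwt's body continues past the end of the hunk.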
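Review bot: The value read from `jwt.signing.expires_after_seconds` is handed to the guard without any range check, so a zero or negative setting (or a non-numeric one, which I believe viper's GetInt reports as 0) silently turns the short-lived Assign tokens into ones with no expiry under the new GenJwt logic, with no log line to show it. A startup check makes the misconfiguration visible: `if expiresAfterSec <= 0 { glog.Fatalf("jwt.signing.expires_after_seconds must be positive, got %d", expiresAfterSec) }`, or a Warningf if the no-expiry mode is meant to be supported. NewMasterServer continues outside the hunk.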
@@ -75,7 +77,7 @@ func NewMasterServer(r *mux.Router, port int, metaFolder string,
 ms.vg = topology.NewDefaultVolumeGrowth()
 glog.V(0).Infoln("Volume Size Limit is", volumeSizeLimitMB, "MB")
- ms.guard = security.NewGuard(whiteList, signingKey)
+ ms.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
 if !disableHttp {
 handleStaticResources2(r)
diff --git a/weed/server/master_server_handlers.go b/weed/server/master_server_handlers.go
index 60b593013..1c5b11565 100644
--- a/weed/server/master_server_handlers.go
+++ b/weed/server/master_server_handlers.go
@@ -110,7 +110,7 @@ func (ms *MasterServer) dirAssignHandler(w http.ResponseWriter, r *http.Request)
 }
 func (ms *MasterServer) maybeAddJwtAuthorization(w http.ResponseWriter, fileId string) {
- encodedJwt := security.GenJwt(ms.guard.SigningKey, fileId)
+ encodedJwt := security.GenJwt(ms.guard.SigningKey, ms.guard.ExpiresAfterSec, fileId)
 if encodedJwt == "" {
 return
 }
diff --git a/weed/server/volume_server.go b/weed/server/volume_server.go
index a4905c5c5..ff9f6c21f 100644
--- a/weed/server/volume_server.go
+++ b/weed/server/volume_server.go
@@ -40,6 +40,8 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 v := viper.GetViper()
 signingKey := v.GetString("jwt.signing.key")
+ v.SetDefault("jwt.signing.expires_after_seconds", 10)
+ expiresAfterSec := v.GetInt("jwt.signing.expires_after_seconds")
 enableUiAccess := v.GetBool("access.ui")
 vs := &VolumeServer{
@@ -55,7 +57,7 @@ func NewVolumeServer(adminMux, publicMux *http.ServeMux, ip string,
 vs.MasterNodes = masterNodes
 vs.store = storage.NewStore(port, ip, publicUrl, folders, maxCounts, vs.needleMapKind)
- vs.guard = security.NewGuard(whiteList, signingKey)
+ vs.guard = security.NewGuard(whiteList, signingKey, expiresAfterSec)
 handleStaticResources(adminMux)
 if signingKey == "" || enableUiAccess {
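Review bot: The default of 10 is now a bare literal in three places — the SetDefault call here, the identical one in master_server.go, and the scaffold template — so they can drift independently and a later change to one would leave the others silently stale. A single exported constant in the security package, e.g. `const DefaultJwtExpiresAfterSec = 10`, used by both SetDefault calls would remove that risk. In the visible hunks only the master calls GenJwt with the guard's ExpiresAfterSec; if the volume server only verifies tokens, reading the setting here has no effect and deserves at least a comment saying why it is read. NewVolumeServer continues outside the hunk.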