mirror of
https://github.com/bolkedebruin/rdpgw.git
synced 2025-08-18 06:23:49 +02:00
Add tokeninfo endpoint
This commit is contained in:
parent
188f077da1
commit
22d796c5cf
3 changed files with 113 additions and 0 deletions
|
@ -145,6 +145,69 @@ func GenerateUserToken(ctx context.Context, userName string) (string, error) {
|
|||
return token, err
|
||||
}
|
||||
|
||||
func UserInfo(ctx context.Context, token string) (jwt.Claims, error) {
|
||||
standard := jwt.Claims{}
|
||||
if len(UserEncryptionKey) > 0 && len(UserSigningKey) > 0 {
|
||||
enc, err := jwt.ParseSignedAndEncrypted(token)
|
||||
if err != nil {
|
||||
log.Printf("Cannot get token %s", err)
|
||||
return standard, errors.New("cannot get token")
|
||||
}
|
||||
token, err := enc.Decrypt(UserEncryptionKey)
|
||||
if err != nil {
|
||||
log.Printf("Cannot decrypt token %s", err)
|
||||
return standard, errors.New("cannot decrypt token")
|
||||
}
|
||||
if _, err := verifyAlg(token.Headers, string(jose.HS256)); err != nil {
|
||||
log.Printf("signature validation failure: %s", err)
|
||||
return standard, errors.New("signature validation failure")
|
||||
}
|
||||
if err = token.Claims(UserSigningKey, &standard); err != nil {
|
||||
log.Printf("cannot verify signature %s", err)
|
||||
return standard, errors.New("cannot verify signature")
|
||||
}
|
||||
} else if len(UserSigningKey) == 0 {
|
||||
token, err := jwt.ParseEncrypted(token)
|
||||
if err != nil {
|
||||
log.Printf("Cannot get token %s", err)
|
||||
return standard, errors.New("cannot get token")
|
||||
}
|
||||
err = token.Claims(UserEncryptionKey, &standard)
|
||||
if err != nil {
|
||||
log.Printf("Cannot decrypt token %s", err)
|
||||
return standard, errors.New("cannot decrypt token")
|
||||
}
|
||||
} else {
|
||||
token, err := jwt.ParseSigned(token)
|
||||
if err != nil {
|
||||
log.Printf("Cannot get token %s", err)
|
||||
return standard, errors.New("cannot get token")
|
||||
}
|
||||
if _, err := verifyAlg(token.Headers, string(jose.HS256)); err != nil {
|
||||
log.Printf("signature validation failure: %s", err)
|
||||
return standard, errors.New("signature validation failure")
|
||||
}
|
||||
err = token.Claims(UserSigningKey, &standard)
|
||||
if err = token.Claims(UserSigningKey, &standard); err != nil {
|
||||
log.Printf("cannot verify signature %s", err)
|
||||
return standard, errors.New("cannot verify signature")
|
||||
}
|
||||
}
|
||||
|
||||
// go-jose doesnt verify the expiry
|
||||
err := standard.Validate(jwt.Expected{
|
||||
Issuer: "rdpgw",
|
||||
Time: time.Now(),
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
log.Printf("token validation failed due to %s", err)
|
||||
return standard, fmt.Errorf("token validation failed due to %s", err)
|
||||
}
|
||||
|
||||
return standard, nil
|
||||
}
|
||||
|
||||
func getSessionInfo(ctx context.Context) *protocol.SessionInfo {
|
||||
s, ok := ctx.Value("SessionInfo").(*protocol.SessionInfo)
|
||||
if !ok {
|
||||
|
@ -153,3 +216,12 @@ func getSessionInfo(ctx context.Context) *protocol.SessionInfo {
|
|||
}
|
||||
return s
|
||||
}
|
||||
|
||||
func verifyAlg(headers []jose.Header, alg string) (bool, error) {
|
||||
for _, header := range headers {
|
||||
if header.Algorithm != alg {
|
||||
return false, fmt.Errorf("invalid signing method %s", header.Algorithm)
|
||||
}
|
||||
}
|
||||
return true, nil
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue