Moving JWT keys to ENVVARS
parent
9a48e8ef3a
commit
25f08a8eda
4 changed files with 55 additions and 31 deletions
32
api/auth.go
32
api/auth.go
|
@ -2,10 +2,8 @@ package api
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
|
||||||
"io/ioutil"
|
|
||||||
"log"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/dgrijalva/jwt-go"
|
"github.com/dgrijalva/jwt-go"
|
||||||
|
@ -26,27 +24,19 @@ var (
|
||||||
errAccessDenied = errors.New("insufficient privileges")
|
errAccessDenied = errors.New("insufficient privileges")
|
||||||
)
|
)
|
||||||
|
|
||||||
func SetupCerts(p string) error {
|
func SetupCerts() error {
|
||||||
var err error
|
signkey := os.Getenv("PRIVATE_KEY")
|
||||||
if err != nil {
|
if signkey == "" {
|
||||||
log.Fatalf("Path error: ", err)
|
return errors.New("please set PRIVATE_KEY")
|
||||||
}
|
}
|
||||||
|
signKey = []byte(signkey)
|
||||||
|
|
||||||
// openssl genrsa -out app.rsa keysize
|
verifykey := os.Getenv("PUBLIC_KEY")
|
||||||
privKeyPath := fmt.Sprintf("%vapp.rsa", p)
|
if verifykey == "" {
|
||||||
signKey, err = ioutil.ReadFile(privKeyPath)
|
return errors.New("please set PUBLIC_KEY")
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Error reading private key: ", err)
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
|
verifyKey = []byte(verifykey)
|
||||||
|
|
||||||
// openssl rsa -in app.rsa -pubout > app.rsa.pub
|
|
||||||
pubKeyPath := fmt.Sprintf("%vapp.rsa.pub", p)
|
|
||||||
verifyKey, err = ioutil.ReadFile(pubKeyPath)
|
|
||||||
if err != nil {
|
|
||||||
log.Fatalf("Error reading public key: ", err)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -68,7 +58,7 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
// Validate the token
|
// Validate the token
|
||||||
token, err := jwt.Parse(s[1], func(token *jwt.Token) (interface{}, error) {
|
token, err := jwt.Parse(s[1], func(token *jwt.Token) (interface{}, error) {
|
||||||
return verifyKey, nil
|
return []byte(verifyKey), nil
|
||||||
})
|
})
|
||||||
|
|
||||||
// Branch out into the possible error from signing
|
// Branch out into the possible error from signing
|
||||||
|
|
|
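Review bot: The key callback passed to jwt.Parse in the `@ -68,7 +58,7 @@` hunk returns verifyKey without inspecting `token.Method`, so whatever algorithm the token header names is accepted for verification against this key; the commit rewrites that line but leaves the check missing. Since the key material is RSA (the removed `openssl genrsa` comment, and the PEM headers elsewhere in this commit), the callback should refuse any other method before handing back the key, e.g. `if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok { return nil, errors.New("unexpected signing method") }` (errors stays imported; fmt is dropped by this commit). The `[]byte(verifyKey)` conversion on the new side is also redundant, because SetupCerts assigns verifyKey from `[]byte(verifykey)` earlier in the file, so `return verifyKey, nil` as before is sufficient. SetupCerts now treats the PRIVATE_KEY and PUBLIC_KEY values as the raw PEM, which presumably must keep its line breaks to decode; that expectation belongs in a doc comment, e.g. `// SetupCerts loads the PEM-encoded RSA signing and verification keys from the PRIVATE_KEY and PUBLIC_KEY environment variables; each value must hold the complete PEM block, newlines included.` ServeHTTP's body begins and ends outside the hunk.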
@ -15,6 +15,44 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
signKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEowIBAAKCAQEAyXi+Q3rVv+NkBi3UWBXyylUN5SyHxQUtZvhbA6TwcF2fk3Io
|
||||||
|
Di3kipVWbfYAYijIxczACieCnadSynJpH4zNVJsRxp8DTG67Nx/K5n3TJyg5hLpa
|
||||||
|
PE+46lOS7E0O9JPT119zKCGHtHldpgjsPCXGHRXKZdFafSv8ktFhwvK5ZQO1NjH2
|
||||||
|
+NOsfhp2ubuQXL7O/45fC5wTCj0lLatdXtlTcIxJb7FUj3AsAC7TlKhtkKe+Syox
|
||||||
|
n1xNMQiYK1R24+goW44JO5uZDYP85ufgRn+DdOQF9DskmiQN9/REhH/5VQjEIYZ3
|
||||||
|
kjmKlNnjz3Jd1eOdtGALxTq3+neVawWMPBXOcQIDAQABAoIBAHMAYhKgrhxPTwwb
|
||||||
|
4ua4+JK4BCt5xLIYp3bscv9cigaJ2onOksCtP5Q/dEtmLYfaYehOXJwvO2aEWUTI
|
||||||
|
E+t3cslFjtsCb16UonbvxeDVl871LgfuW42rsBDJzcbmoY/IRhbdHB2fLhg9YtBg
|
||||||
|
rYATy8dUZejCnNVwY0bnD9e4t0zJ0lXUVy+dMvl69uNyP8f12LwvLGgCmAOWXh5p
|
||||||
|
NpGmT8/jRF9BrQvr9bhwxpV2JGsGEEyGvu+ayVR01AiyQ04kh9gZOJOVtsGa1fjx
|
||||||
|
AvgxzhkfLyAbCAgFTTUuhEbZoxXyCNBdOM0V3PXSbIbW+7gwLwXi71Czo08V050z
|
||||||
|
5SK9p2UCgYEA8JW+xIaAzYT+ZwPaJ/Ir1+WcisEI+AyCD1c5gblHrCmSwYHdKSX4
|
||||||
|
ZcX0QAcj+dzuF6SyQStoy1pIooUzadDZxXeyBoeOjGdyobqJpmaEHb9g594w2inS
|
||||||
|
AsEb4waxvrKlTuhFXnI2JbJrbMyjRBTKWZw4K/FT73IE8hQL9ivXYN8CgYEA1mFu
|
||||||
|
uLD95N/KOFtQ0JcLUelPZK7gYSdq21YHSbABeeesvabnn3hFEzDl5cXqKFJ/4Ltf
|
||||||
|
2QhpO4JGgHYNlrsfCvvivV5dRxFKfleoojL/0qlJxOqQVfulscT0XB3wUpoyP+Qr
|
||||||
|
8AdyvZwUfLWpSaYxDUB7w77U1VayP5JLuULKKq8CgYBOge8QnnullUKXRzCHXIVm
|
||||||
|
HG1q8fcFSr+eVe5UIKv8yEw1jTUoWlWmkGRWCH566NdhK8NndMzrnviY4DKY0yhd
|
||||||
|
QeP8MXwY4SENGZwVitqOAoeS4nS6nG8FqxJ4kRSrkAxVpYINgeOdhY18oYKdktM9
|
||||||
|
Trcdz9B+EI0Amf4VRNUxrQKBgQCTBXTagr9MhFF5vt44fy3LOhcxtGC7ID4/N8t9
|
||||||
|
tI/+m2yzD9DPY7rzg1hW8Rk6GAINDFOaUxNgNWLGXK/LDH8omEASoLGVuHz/Enza
|
||||||
|
5+DcBy9JNZhQ72jd9nWi6wFSlN8bRA8B6Qm+kVjXgfocQTZooS1/u9LYkEFkKZ92
|
||||||
|
6SAejwKBgH6V+dLUefC9w6N99VWpOAom9gE96imo1itTKxIB1WPdFsSDDe/CGXDG
|
||||||
|
W+l7ZiSjXaAfNF5UtuhO6yY0ob++Aa/d+l+Zo7CWn4SrmwTAp1CdRHxX3KxkqHNi
|
||||||
|
BsuYClbQh5Z9lOKn8FCNW3NyahJdYeWGhb/ZdeS0n+F6Ov4V+grc
|
||||||
|
-----END RSA PRIVATE KEY-----`)
|
||||||
|
|
||||||
|
verifyKey = []byte(`-----BEGIN PUBLIC KEY-----
|
||||||
|
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyXi+Q3rVv+NkBi3UWBXy
|
||||||
|
ylUN5SyHxQUtZvhbA6TwcF2fk3IoDi3kipVWbfYAYijIxczACieCnadSynJpH4zN
|
||||||
|
VJsRxp8DTG67Nx/K5n3TJyg5hLpaPE+46lOS7E0O9JPT119zKCGHtHldpgjsPCXG
|
||||||
|
HRXKZdFafSv8ktFhwvK5ZQO1NjH2+NOsfhp2ubuQXL7O/45fC5wTCj0lLatdXtlT
|
||||||
|
cIxJb7FUj3AsAC7TlKhtkKe+Syoxn1xNMQiYK1R24+goW44JO5uZDYP85ufgRn+D
|
||||||
|
dOQF9DskmiQN9/REhH/5VQjEIYZ3kjmKlNnjz3Jd1eOdtGALxTq3+neVawWMPBXO
|
||||||
|
cQIDAQAB
|
||||||
|
-----END PUBLIC KEY-----`)
|
||||||
|
|
||||||
serveMux.Handle("/", http.StripPrefix("/api", Handler()))
|
serveMux.Handle("/", http.StripPrefix("/api", Handler()))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -29,7 +67,6 @@ var (
|
||||||
|
|
||||||
func setup() {
|
func setup() {
|
||||||
store = datastore.NewMockDatastore()
|
store = datastore.NewMockDatastore()
|
||||||
SetupCerts("../keys/")
|
|
||||||
u, _ := apiClient.URL(router.GetToken, nil, nil)
|
u, _ := apiClient.URL(router.GetToken, nil, nil)
|
||||||
resp, _ := httpClient.PostForm(u.String(),
|
resp, _ := httpClient.PostForm(u.String(),
|
||||||
url.Values{"username": {"test_user"}, "password": {"password"}})
|
url.Values{"username": {"test_user"}, "password": {"password"}})
|
||||||
|
|
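Review bot: The new `init()` embeds a complete RSA private key as a string literal, so key material is now checked into source history; the file header for this section is not shown on the page, but `serveMux`, `apiClient` and `datastore.NewMockDatastore()` suggest a test file, and even a test-only key should not be committed, given that the same commit removes the keys/.gitignore that previously kept key files out of the repository and that any key present in the history has to be treated as public. Generate the pair when the tests start instead, so nothing static is stored: `rsa.GenerateKey` with `x509.MarshalPKCS1PrivateKey`/`x509.MarshalPKIXPublicKey` and `pem.EncodeToMemory` yields the same `RSA PRIVATE KEY` and `PUBLIC KEY` PEM blocks the literal uses (crypto/rand, crypto/rsa, crypto/x509 and encoding/pem must be added to the file's imports). If this key was ever used outside tests it should be rotated. The `setup()` hunk at `@ -29,7 +67,6 @@` only drops the `SetupCerts("../keys/")` call and needs nothing further.
```go
func init() {
	// Fresh key pair per test run; no static key material is committed.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	signKey = pem.EncodeToMemory(&pem.Block{
		Type:  "RSA PRIVATE KEY",
		Bytes: x509.MarshalPKCS1PrivateKey(priv),
	})
	pub, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	verifyKey = pem.EncodeToMemory(&pem.Block{
		Type:  "PUBLIC KEY",
		Bytes: pub,
	})

	serveMux.Handle("/", http.StripPrefix("/api", Handler()))
}
```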
13
bactdb.go
13
bactdb.go
|
@ -27,11 +27,6 @@ func main() {
|
||||||
Usage: "HTTP service port",
|
Usage: "HTTP service port",
|
||||||
Value: 8901,
|
Value: 8901,
|
||||||
},
|
},
|
||||||
cli.StringFlag{
|
|
||||||
Name: "keys",
|
|
||||||
Usage: "path to keys",
|
|
||||||
Value: "keys/",
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
Action: cmdServe,
|
Action: cmdServe,
|
||||||
},
|
},
|
||||||
|
@ -58,15 +53,19 @@ func main() {
|
||||||
}
|
}
|
||||||
|
|
||||||
func cmdServe(c *cli.Context) {
|
func cmdServe(c *cli.Context) {
|
||||||
|
var err error
|
||||||
httpAddr := fmt.Sprintf(":%v", c.Int("port"))
|
httpAddr := fmt.Sprintf(":%v", c.Int("port"))
|
||||||
|
|
||||||
datastore.Connect()
|
datastore.Connect()
|
||||||
api.SetupCerts(c.String("keys"))
|
err = api.SetupCerts()
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal("SetupCerts: ", err)
|
||||||
|
}
|
||||||
|
|
||||||
m := http.NewServeMux()
|
m := http.NewServeMux()
|
||||||
m.Handle("/api/", http.StripPrefix("/api", api.Handler()))
|
m.Handle("/api/", http.StripPrefix("/api", api.Handler()))
|
||||||
log.Print("Listening on ", httpAddr)
|
log.Print("Listening on ", httpAddr)
|
||||||
err := http.ListenAndServe(httpAddr, m)
|
err = http.ListenAndServe(httpAddr, m)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Fatal("ListenAndServe: ", err)
|
log.Fatal("ListenAndServe: ", err)
|
||||||
}
|
}
|
||||||
|
|
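Review bot: In cmdServe the new `var err error` at the top of the function exists only so that `err = api.SetupCerts()` and the later `err = http.ListenAndServe(httpAddr, m)` can share one variable; scoping each check to its own `if` keeps the happy path clear and avoids a function-wide `err`: `if err := api.SetupCerts(); err != nil { log.Fatal("SetupCerts: ", err) }` and `if err := http.ListenAndServe(httpAddr, m); err != nil { log.Fatal("ListenAndServe: ", err) }`, with the `var err error` line removed. The removal of the `keys` flag in the first hunk of this file matches the new SetupCerts signature and needs no change. cmdServe appears to end outside the hunk.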
2
keys/.gitignore
2
keys/.gitignore
|
@ -1,2 +0,0 @@
|
||||||
*
|
|
||||||
!.gitignore
|
|