From 7fa384c47c7a97db7f667797bfc8e1ea78167f39 Mon Sep 17 00:00:00 2001 From: Greg Steuck Date: Wed, 28 Jul 2021 12:43:45 -0700 Subject: pkg/auth: move jwt to auth to be shared by syz-hub clients --- pkg/auth/auth.go | 4 +-- pkg/auth/auth_test.go | 6 ++-- pkg/auth/jwt.go | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 79 insertions(+), 7 deletions(-) create mode 100644 pkg/auth/jwt.go (limited to 'pkg') diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index bd542bc32..c662218ea 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go @@ -35,8 +35,6 @@ import ( "strconv" "strings" "time" - - "github.com/google/syzkaller/dashboard/dashapi" ) const ( @@ -117,7 +115,7 @@ func (auth *Endpoint) DetermineAuthSubj(now time.Time, authHeader []string) (str if err != nil { return "", err } - if claims.Audience != dashapi.DashboardAudience { + if claims.Audience != DashboardAudience { err := fmt.Errorf("unexpected audience %v %v", claims.Audience, claims) return "", err } diff --git a/pkg/auth/auth_test.go b/pkg/auth/auth_test.go index 13a9c5749..7e0a5184f 100644 --- a/pkg/auth/auth_test.go +++ b/pkg/auth/auth_test.go @@ -11,8 +11,6 @@ import ( "strings" "testing" "time" - - "github.com/google/syzkaller/dashboard/dashapi" ) func reponseFor(t *testing.T, claims jwtClaims) (*httptest.Server, Endpoint) { @@ -36,7 +34,7 @@ func TestBearerValid(t *testing.T) { magic := "ValidSubj" ts, dut := reponseFor(t, jwtClaims{ Subject: magic, - Audience: dashapi.DashboardAudience, + Audience: DashboardAudience, Expiration: tm.AddDate(0, 0, 1), }) defer ts.Close() @@ -70,7 +68,7 @@ func TestBearerExpired(t *testing.T) { ts, dut := reponseFor(t, jwtClaims{ Subject: "irrelevant", Expiration: tm.AddDate(0, 0, -1), - Audience: dashapi.DashboardAudience, + Audience: DashboardAudience, }) defer ts.Close() diff --git a/pkg/auth/jwt.go b/pkg/auth/jwt.go new file mode 100644 index 000000000..680c16281 --- /dev/null +++ b/pkg/auth/jwt.go 
@@ -0,0 +1,76 @@
+// Copyright 2021 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+package auth
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+)
+
+const (
+	DashboardAudience = "https://syzkaller.appspot.com/api"
+)
+
+type ExpiringToken struct {
+	Token      string
+	Expiration time.Time
+}
+
+// Returns the unverified expiration value from the given JWT token.
+func extractJwtExpiration(token string) (time.Time, error) {
+	// https://datatracker.ietf.org/doc/html/rfc7519#section-3
+	pieces := strings.Split(token, ".")
+	if len(pieces) != 3 {
+		return time.Time{}, fmt.Errorf("unexpected number of JWT components %v", len(pieces))
+	}
+	decoded, err := base64.RawURLEncoding.DecodeString(pieces[1])
+	if err != nil {
+		return time.Time{}, err
+	}
+	claims := struct {
+		Expiration int64 `json:"exp"`
+	}{-123456} // Hopefully a notably broken value.
+	if err = json.Unmarshal(decoded, &claims); err != nil {
+		return time.Time{}, err
+	}
+	return time.Unix(claims.Expiration, 0), nil
+}
+
+// Queries the metadata server and returns the bearer token of the
+// service account. The token is scoped for the official dashboard.
+// The types of ctor and doer are the same as in http.NewRequest and
+// http.DefaultClient.Do.
+func RetrieveJwtToken(ctor func(method, url string, body io.Reader) (*http.Request, error),
+	doer func(req *http.Request) (*http.Response, error)) (*ExpiringToken, error) {
+	const v1meta = "http://metadata.google.internal/computeMetadata/v1"
+	req, err := ctor("GET", v1meta+"/instance/service-accounts/default/identity?audience="+DashboardAudience, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Add("Metadata-Flavor", "Google")
+	resp, err := doer(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	data, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	token := string(data)
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed metadata get %v: %s", resp.Status, token)
+	}
+	expiration, err := extractJwtExpiration(token)
+	if err != nil {
+		return nil, err
+	}
+	return &ExpiringToken{token, expiration}, nil
+}
-- cgit mrf-deployment
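Review bot: A token whose payload carries no `exp` claim is not reported as an error by `extractJwtExpiration`: the `-123456` sentinel survives `json.Unmarshal` untouched and is returned as `time.Unix(-123456, 0)` with a nil error, so `RetrieveJwtToken` hands back an ExpiringToken that merely looks expired since 1969 instead of failing, and nothing in this file ever checks for the sentinel. Reject it explicitly after the Unmarshal check, e.g. `if claims.Expiration == -123456 {` / `return time.Time{}, fmt.Errorf("JWT payload has no exp claim")` / `}`, or decode into an `*int64` and test for nil. Separately, `ioutil.ReadAll(resp.Body)` reads the metadata response without any bound; the metadata server is link-local and presumably trusted, but wrapping the body in `io.LimitReader` keeps a misbehaving endpoint from consuming unbounded memory. Minor: Go doc comments should open with the identifier, e.g. `// RetrieveJwtToken queries the metadata server ...` and `// extractJwtExpiration returns the unverified ...`.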