netmaker/logic/jwts.go

package logic

import (
	"errors"
	"fmt"
	"time"

	"github.com/golang-jwt/jwt/v4"

	"github.com/gravitl/netmaker/logger"
	"github.com/gravitl/netmaker/models"
	"github.com/gravitl/netmaker/servercfg"
)

var jwtSecretKey []byte

// SetJWTSecret - sets the jwt secret on server startup
func SetJWTSecret() {
	currentSecret, jwtErr := FetchJWTSecret()
	if jwtErr != nil {
		newValue, err := GenerateCryptoString(64)
		if err != nil {
			logger.FatalLog("something went wrong when generating JWT signature")
		}
		jwtSecretKey = []byte(newValue) // 512 bit random password
		if err := StoreJWTSecret(string(jwtSecretKey)); err != nil {
			logger.FatalLog("something went wrong when configuring JWT authentication")
		}
	} else {
		jwtSecretKey = []byte(currentSecret)
	}
}

// CreateJWT func will used to create the JWT while signing in and signing out
func CreateJWT(uuid string, macAddress string, network string) (response string, err error) {
	expirationTime := time.Now().Add(5 * time.Minute)
	claims := &models.Claims{
		ID:         uuid,
		Network:    network,
		MacAddress: macAddress,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    "Netmaker",
			Subject:   fmt.Sprintf("node|%s", uuid),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			ExpiresAt: jwt.NewNumericDate(expirationTime),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString(jwtSecretKey)
	if err == nil {
		return tokenString, nil
	}
	return "", err
}

// CreateProUserJWT - creates a user jwt token
func CreateProUserJWT(username string, networks, groups []string, isadmin bool) (response string, err error) {
	expirationTime := time.Now().Add(60 * 12 * time.Minute)
	claims := &models.UserClaims{
		UserName: username,
		Networks: networks,
		IsAdmin:  isadmin,
		Groups:   groups,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    "Netmaker",
			Subject:   fmt.Sprintf("user|%s", username),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			ExpiresAt: jwt.NewNumericDate(expirationTime),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString(jwtSecretKey)
	if err == nil {
		return tokenString, nil
	}
	return "", err
}

// CreateUserJWT - creates a user jwt token
func CreateUserJWT(username string, networks []string, isadmin bool) (response string, err error) {
	expirationTime := time.Now().Add(60 * 12 * time.Minute)
	claims := &models.UserClaims{
		UserName: username,
		Networks: networks,
		IsAdmin:  isadmin,
		RegisteredClaims: jwt.RegisteredClaims{
			Issuer:    "Netmaker",
			Subject:   fmt.Sprintf("user|%s", username),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			ExpiresAt: jwt.NewNumericDate(expirationTime),
		},
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString(jwtSecretKey)
	if err == nil {
		return tokenString, nil
	}
	return "", err
}

// VerifyUserToken func will used to Verify the JWT Token while using APIS
func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {
	claims := &models.UserClaims{}

	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
		return "masteradministrator", nil, true, nil
	}

	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
		return jwtSecretKey, nil
	})

	if token != nil && token.Valid {
		var user *models.User
		// check that user exists
		user, err = GetUser(claims.UserName)
		if err != nil {
			return "", nil, false, err
		}

		if user.UserName != "" {
			return claims.UserName, claims.Networks, claims.IsAdmin, nil
		}
		err = errors.New("user does not exist")
	}
	return "", nil, false, err
}

// VerifyToken - [nodes] Only
func VerifyToken(tokenString string) (nodeID string, mac string, network string, err error) {
	claims := &models.Claims{}

	// this may be a stupid way of serving up a master key
	// TODO: look into a different method. Encryption?
	if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {
		return "mastermac", "", "", nil
	}

	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
		return jwtSecretKey, nil
	})

	if token != nil {
		return claims.ID, claims.MacAddress, claims.Network, nil
	}
	return "", "", "", err
}
refactored logic 2021-10-27 00:27:29 +08:00			`package logic`
first commit 2021-03-26 00:17:52 +08:00
			`import (`
user security bug fixed 2021-08-10 04:18:24 +08:00			`"errors"`
added jwt fix 2022-02-15 22:51:21 +08:00			`"fmt"`
user security bug fixed 2021-08-10 04:18:24 +08:00			`"time"`
code linting 2021-10-09 03:07:12 +08:00
removing vulnerability 2021-08-10 05:57:40 +08:00			`"github.com/golang-jwt/jwt/v4"`
Fixes+Chores: avoid de-referencing nil ptrs + lint - Avoid referencing conditions we know are false/true - Avoid using name of imported package as variable - Avoid broken (see list item 1) if else statement in `ipservice.go` by refactoring to switch statement - When assigning a pointer value to a variable along with an error, check that error before referencing that pointer. Thus avoiding de-referencing a nil and causing a panic. * This item is the most important * - Standard gofmt package sorting + linting; This includes fixing comment starts for go doc - Explicit non-handling of unhandled errors where appropriate (assigning errs to _ to reduce linter screaming) - Export ErrExpired in `netcache` package so that we can properly reference it using `errors.Is` instead of using `strings.Contains` against an `error.Error()` value 2022-12-07 12:11:20 +08:00
added jwt fix 2022-02-15 22:51:21 +08:00			`"github.com/gravitl/netmaker/logger"`
user security bug fixed 2021-08-10 04:18:24 +08:00			`"github.com/gravitl/netmaker/models"`
			`"github.com/gravitl/netmaker/servercfg"`
first commit 2021-03-26 00:17:52 +08:00			`)`

added jwt fix 2022-02-15 22:51:21 +08:00			`var jwtSecretKey []byte`

			`// SetJWTSecret - sets the jwt secret on server startup`
			`func SetJWTSecret() {`
			`currentSecret, jwtErr := FetchJWTSecret()`
			`if jwtErr != nil {`
hotfix 2 2022-02-16 10:50:47 +08:00			`newValue, err := GenerateCryptoString(64)`
			`if err != nil {`
			`logger.FatalLog("something went wrong when generating JWT signature")`
			`}`
			`jwtSecretKey = []byte(newValue) // 512 bit random password`
added jwt fix 2022-02-15 22:51:21 +08:00			`if err := StoreJWTSecret(string(jwtSecretKey)); err != nil {`
			`logger.FatalLog("something went wrong when configuring JWT authentication")`
			`}`
			`} else {`
			`jwtSecretKey = []byte(currentSecret)`
			`}`
			`}`
first commit 2021-03-26 00:17:52 +08:00
			`// CreateJWT func will used to create the JWT while signing in and signing out`
restructuring continued 2022-01-11 06:52:21 +08:00			`func CreateJWT(uuid string, macAddress string, network string) (response string, err error) {`
user security bug fixed 2021-08-10 04:18:24 +08:00			`expirationTime := time.Now().Add(5 * time.Minute)`
			`claims := &models.Claims{`
restructuring continued 2022-01-11 06:52:21 +08:00			`ID: uuid,`
user security bug fixed 2021-08-10 04:18:24 +08:00			`Network: network,`
restructuring continued 2022-01-11 06:52:21 +08:00			`MacAddress: macAddress,`
switch to jwt.RegisterdClaims 2022-06-27 22:47:28 +08:00			`RegisteredClaims: jwt.RegisteredClaims{`
added jwt fix 2022-02-15 22:51:21 +08:00			`Issuer: "Netmaker",`
			`Subject: fmt.Sprintf("node\|%s", uuid),`
switch to jwt.RegisterdClaims 2022-06-27 22:47:28 +08:00			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`ExpiresAt: jwt.NewNumericDate(expirationTime),`
user security bug fixed 2021-08-10 04:18:24 +08:00			`},`
			`}`
first commit 2021-03-26 00:17:52 +08:00
user security bug fixed 2021-08-10 04:18:24 +08:00			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString(jwtSecretKey)`
			`if err == nil {`
			`return tokenString, nil`
			`}`
			`return "", err`
first commit 2021-03-26 00:17:52 +08:00			`}`

initial commit 2022-09-14 03:25:56 +08:00			`// CreateProUserJWT - creates a user jwt token`
			`func CreateProUserJWT(username string, networks, groups []string, isadmin bool) (response string, err error) {`
			`expirationTime := time.Now().Add(60 * 12 * time.Minute)`
			`claims := &models.UserClaims{`
			`UserName: username,`
			`Networks: networks,`
			`IsAdmin: isadmin,`
			`Groups: groups,`
			`RegisteredClaims: jwt.RegisteredClaims{`
			`Issuer: "Netmaker",`
			`Subject: fmt.Sprintf("user\|%s", username),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`ExpiresAt: jwt.NewNumericDate(expirationTime),`
			`},`
			`}`

			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString(jwtSecretKey)`
			`if err == nil {`
			`return tokenString, nil`
			`}`
			`return "", err`
			`}`

code linting 2021-10-09 03:07:12 +08:00			`// CreateUserJWT - creates a user jwt token`
multitenancy working 2021-07-02 12:03:46 +08:00			`func CreateUserJWT(username string, networks []string, isadmin bool) (response string, err error) {`
removing vulnerability 2021-08-10 05:57:40 +08:00			`expirationTime := time.Now().Add(60 * 12 * time.Minute)`
user security bug fixed 2021-08-10 04:18:24 +08:00			`claims := &models.UserClaims{`
			`UserName: username,`
			`Networks: networks,`
			`IsAdmin: isadmin,`
switch to jwt.RegisterdClaims 2022-06-27 22:47:28 +08:00			`RegisteredClaims: jwt.RegisteredClaims{`
added jwt fix 2022-02-15 22:51:21 +08:00			`Issuer: "Netmaker",`
			`Subject: fmt.Sprintf("user\|%s", username),`
switch to jwt.RegisterdClaims 2022-06-27 22:47:28 +08:00			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`ExpiresAt: jwt.NewNumericDate(expirationTime),`
user security bug fixed 2021-08-10 04:18:24 +08:00			`},`
			`}`
first commit 2021-03-26 00:17:52 +08:00
user security bug fixed 2021-08-10 04:18:24 +08:00			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString(jwtSecretKey)`
			`if err == nil {`
			`return tokenString, nil`
			`}`
			`return "", err`
first commit 2021-03-26 00:17:52 +08:00			`}`

Fixes+Chores: avoid de-referencing nil ptrs + lint - Avoid referencing conditions we know are false/true - Avoid using name of imported package as variable - Avoid broken (see list item 1) if else statement in `ipservice.go` by refactoring to switch statement - When assigning a pointer value to a variable along with an error, check that error before referencing that pointer. Thus avoiding de-referencing a nil and causing a panic. * This item is the most important * - Standard gofmt package sorting + linting; This includes fixing comment starts for go doc - Explicit non-handling of unhandled errors where appropriate (assigning errs to _ to reduce linter screaming) - Export ErrExpired in `netcache` package so that we can properly reference it using `errors.Is` instead of using `strings.Contains` against an `error.Error()` value 2022-12-07 12:11:20 +08:00			`// VerifyUserToken func will used to Verify the JWT Token while using APIS`
multitenancy working 2021-07-02 12:03:46 +08:00			`func VerifyUserToken(tokenString string) (username string, networks []string, isadmin bool, err error) {`
user security bug fixed 2021-08-10 04:18:24 +08:00			`claims := &models.UserClaims{}`
first commit 2021-03-26 00:17:52 +08:00
removed default master key and added warning log if not set 2022-02-14 22:58:50 +08:00			`if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {`
user security bug fixed 2021-08-10 04:18:24 +08:00			`return "masteradministrator", nil, true, nil`
			`}`
fixing runtime panic on user delete 2021-04-15 10:59:25 +08:00
user security bug fixed 2021-08-10 04:18:24 +08:00			`token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {`
			`return jwtSecretKey, nil`
			`})`
first commit 2021-03-26 00:17:52 +08:00
user security bug fixed 2021-08-10 04:18:24 +08:00			`if token != nil && token.Valid {`
Refactored user functions to use refrences rather than values 2022-12-21 04:10:40 +08:00			`var user *models.User`
user security bug fixed 2021-08-10 04:18:24 +08:00			`// check that user exists`
Fixes+Chores: avoid de-referencing nil ptrs + lint - Avoid referencing conditions we know are false/true - Avoid using name of imported package as variable - Avoid broken (see list item 1) if else statement in `ipservice.go` by refactoring to switch statement - When assigning a pointer value to a variable along with an error, check that error before referencing that pointer. Thus avoiding de-referencing a nil and causing a panic. * This item is the most important * - Standard gofmt package sorting + linting; This includes fixing comment starts for go doc - Explicit non-handling of unhandled errors where appropriate (assigning errs to _ to reduce linter screaming) - Export ErrExpired in `netcache` package so that we can properly reference it using `errors.Is` instead of using `strings.Contains` against an `error.Error()` value 2022-12-07 12:11:20 +08:00			`user, err = GetUser(claims.UserName)`
			`if err != nil {`
Fix: ignoring of returned error value 2022-12-07 16:28:06 +08:00			`return "", nil, false, err`
Fixes+Chores: avoid de-referencing nil ptrs + lint - Avoid referencing conditions we know are false/true - Avoid using name of imported package as variable - Avoid broken (see list item 1) if else statement in `ipservice.go` by refactoring to switch statement - When assigning a pointer value to a variable along with an error, check that error before referencing that pointer. Thus avoiding de-referencing a nil and causing a panic. * This item is the most important * - Standard gofmt package sorting + linting; This includes fixing comment starts for go doc - Explicit non-handling of unhandled errors where appropriate (assigning errs to _ to reduce linter screaming) - Export ErrExpired in `netcache` package so that we can properly reference it using `errors.Is` instead of using `strings.Contains` against an `error.Error()` value 2022-12-07 12:11:20 +08:00			`}`

			`if user.UserName != "" {`
user security bug fixed 2021-08-10 04:18:24 +08:00			`return claims.UserName, claims.Networks, claims.IsAdmin, nil`
			`}`
			`err = errors.New("user does not exist")`
			`}`
			`return "", nil, false, err`
first commit 2021-03-26 00:17:52 +08:00			`}`

remove references to grpc/comms net 2022-04-22 03:53:44 +08:00			`// VerifyToken - [nodes] Only`
restructuring continued 2022-01-11 06:52:21 +08:00			`func VerifyToken(tokenString string) (nodeID string, mac string, network string, err error) {`
user security bug fixed 2021-08-10 04:18:24 +08:00			`claims := &models.Claims{}`
first commit 2021-03-26 00:17:52 +08:00
Fixes+Chores: avoid de-referencing nil ptrs + lint - Avoid referencing conditions we know are false/true - Avoid using name of imported package as variable - Avoid broken (see list item 1) if else statement in `ipservice.go` by refactoring to switch statement - When assigning a pointer value to a variable along with an error, check that error before referencing that pointer. Thus avoiding de-referencing a nil and causing a panic. * This item is the most important * - Standard gofmt package sorting + linting; This includes fixing comment starts for go doc - Explicit non-handling of unhandled errors where appropriate (assigning errs to _ to reduce linter screaming) - Export ErrExpired in `netcache` package so that we can properly reference it using `errors.Is` instead of using `strings.Contains` against an `error.Error()` value 2022-12-07 12:11:20 +08:00			`// this may be a stupid way of serving up a master key`
			`// TODO: look into a different method. Encryption?`
removed default master key and added warning log if not set 2022-02-14 22:58:50 +08:00			`if tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != "" {`
restructuring continued 2022-01-11 06:52:21 +08:00			`return "mastermac", "", "", nil`
user security bug fixed 2021-08-10 04:18:24 +08:00			`}`
first commit 2021-03-26 00:17:52 +08:00
user security bug fixed 2021-08-10 04:18:24 +08:00			`token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {`
			`return jwtSecretKey, nil`
			`})`
first commit 2021-03-26 00:17:52 +08:00
user security bug fixed 2021-08-10 04:18:24 +08:00			`if token != nil {`
restructuring continued 2022-01-11 06:52:21 +08:00			`return claims.ID, claims.MacAddress, claims.Network, nil`
user security bug fixed 2021-08-10 04:18:24 +08:00			`}`
restructuring continued 2022-01-11 06:52:21 +08:00			`return "", "", "", err`
first commit 2021-03-26 00:17:52 +08:00			`}`