mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-01-24 05:51:33 -05:00
1ad0637254
Bumps [github.com/nats-io/nats-server/v2](https://github.com/nats-io/nats-server) from 2.9.4 to 2.9.17. - [Release notes](https://github.com/nats-io/nats-server/releases) - [Changelog](https://github.com/nats-io/nats-server/blob/main/.goreleaser.yml) - [Commits](https://github.com/nats-io/nats-server/compare/v2.9.4...v2.9.17) --- updated-dependencies: - dependency-name: github.com/nats-io/nats-server/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
165 lines
3.9 KiB
Go
165 lines
3.9 KiB
Go
/*
|
|
* Copyright 2020-2022 The NATS Authors
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package jwt
|
|
|
|
import (
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/nats-io/nkeys"
|
|
)
|
|
|
|
const libVersion = 2
|
|
|
|
type identifier struct {
|
|
Type ClaimType `json:"type,omitempty"`
|
|
GenericFields `json:"nats,omitempty"`
|
|
}
|
|
|
|
func (i *identifier) Kind() ClaimType {
|
|
if i.Type != "" {
|
|
return i.Type
|
|
}
|
|
return i.GenericFields.Type
|
|
}
|
|
|
|
func (i *identifier) Version() int {
|
|
if i.Type != "" {
|
|
return 1
|
|
}
|
|
return i.GenericFields.Version
|
|
}
|
|
|
|
type v1ClaimsDataDeletedFields struct {
|
|
Tags TagList `json:"tags,omitempty"`
|
|
Type ClaimType `json:"type,omitempty"`
|
|
IssuerAccount string `json:"issuer_account,omitempty"`
|
|
}
|
|
|
|
// Decode takes a JWT string decodes it and validates it
|
|
// and return the embedded Claims. If the token header
|
|
// doesn't match the expected algorithm, or the claim is
|
|
// not valid or verification fails an error is returned.
|
|
func Decode(token string) (Claims, error) {
|
|
// must have 3 chunks
|
|
chunks := strings.Split(token, ".")
|
|
if len(chunks) != 3 {
|
|
return nil, errors.New("expected 3 chunks")
|
|
}
|
|
|
|
// header
|
|
if _, err := parseHeaders(chunks[0]); err != nil {
|
|
return nil, err
|
|
}
|
|
// claim
|
|
data, err := decodeString(chunks[1])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
ver, claim, err := loadClaims(data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// sig
|
|
sig, err := decodeString(chunks[2])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if ver <= 1 {
|
|
if !claim.verify(chunks[1], sig) {
|
|
return nil, errors.New("claim failed V1 signature verification")
|
|
}
|
|
} else {
|
|
if !claim.verify(token[:len(chunks[0])+len(chunks[1])+1], sig) {
|
|
return nil, errors.New("claim failed V2 signature verification")
|
|
}
|
|
}
|
|
|
|
prefixes := claim.ExpectedPrefixes()
|
|
if prefixes != nil {
|
|
ok := false
|
|
issuer := claim.Claims().Issuer
|
|
for _, p := range prefixes {
|
|
switch p {
|
|
case nkeys.PrefixByteAccount:
|
|
if nkeys.IsValidPublicAccountKey(issuer) {
|
|
ok = true
|
|
}
|
|
case nkeys.PrefixByteOperator:
|
|
if nkeys.IsValidPublicOperatorKey(issuer) {
|
|
ok = true
|
|
}
|
|
case nkeys.PrefixByteUser:
|
|
if nkeys.IsValidPublicUserKey(issuer) {
|
|
ok = true
|
|
}
|
|
case nkeys.PrefixByteServer:
|
|
if nkeys.IsValidPublicServerKey(issuer) {
|
|
ok = true
|
|
}
|
|
}
|
|
}
|
|
if !ok {
|
|
return nil, fmt.Errorf("unable to validate expected prefixes - %v", prefixes)
|
|
}
|
|
}
|
|
return claim, nil
|
|
}
|
|
|
|
func loadClaims(data []byte) (int, Claims, error) {
|
|
var id identifier
|
|
if err := json.Unmarshal(data, &id); err != nil {
|
|
return -1, nil, err
|
|
}
|
|
|
|
if id.Version() > libVersion {
|
|
return -1, nil, errors.New("JWT was generated by a newer version ")
|
|
}
|
|
|
|
var claim Claims
|
|
var err error
|
|
switch id.Kind() {
|
|
case OperatorClaim:
|
|
claim, err = loadOperator(data, id.Version())
|
|
case AccountClaim:
|
|
claim, err = loadAccount(data, id.Version())
|
|
case UserClaim:
|
|
claim, err = loadUser(data, id.Version())
|
|
case ActivationClaim:
|
|
claim, err = loadActivation(data, id.Version())
|
|
case AuthorizationRequestClaim:
|
|
claim, err = loadAuthorizationRequest(data, id.Version())
|
|
case AuthorizationResponseClaim:
|
|
claim, err = loadAuthorizationResponse(data, id.Version())
|
|
case "cluster":
|
|
return -1, nil, errors.New("ClusterClaims are not supported")
|
|
case "server":
|
|
return -1, nil, errors.New("ServerClaims are not supported")
|
|
default:
|
|
var gc GenericClaims
|
|
if err := json.Unmarshal(data, &gc); err != nil {
|
|
return -1, nil, err
|
|
}
|
|
return -1, &gc, nil
|
|
}
|
|
|
|
return id.Version(), claim, err
|
|
}
|