Added authentication helpers

ewoutp · ewoutp · commit 0c69695d6e1c · 2018-06-29T08:02:25.000+02:00
diff --git a/auth.go b/auth.go
@@ -0,0 +1,95 @@
+//
+// DISCLAIMER
+//
+// Copyright 2018 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Ewout Prangsma
+//
+
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	service "github.com/arangodb-helper/arangodb/service"
+)
+
+var (
+	cmdAuth = &cobra.Command{
+		Use:   "auth",
+		Short: "ArangoDB authentication helper commands",
+		Run:   cmdShowUsage,
+	}
+	cmdAuthHeader = &cobra.Command{
+		Use:   "header",
+		Short: "Create a full HTTP Authorization header for accessing an ArangoDB server",
+		Run:   cmdAuthHeaderRun,
+	}
+	cmdAuthToken = &cobra.Command{
+		Use:   "token",
+		Short: "Create a JWT authentication token for accessing an ArangoDB server",
+		Run:   cmdAuthTokenRun,
+	}
+	authOptions struct {
+		jwtSecretFile string
+	}
+)
+
+func init() {
+	cmdMain.AddCommand(cmdAuth)
+	cmdAuth.AddCommand(cmdAuthHeader)
+	cmdAuth.AddCommand(cmdAuthToken)
+
+	pf := cmdAuth.PersistentFlags()
+	pf.StringVar(&authOptions.jwtSecretFile, "auth.jwt-secret", "", "name of a plain text file containing a JWT secret used for server authentication")
+}
+
+// mustAuthCreateJWTToken creates a the JWT token based on authentication options.
+// On error the process is exited with a non-zero exit code.
+func mustAuthCreateJWTToken() string {
+	authOptions.jwtSecretFile = mustExpand(authOptions.jwtSecretFile)
+
+	if authOptions.jwtSecretFile == "" {
+		log.Fatal().Msg("A JWT secret file is required. Set --auth.jwt-secret option.")
+	}
+	content, err := ioutil.ReadFile(authOptions.jwtSecretFile)
+	if err != nil {
+		log.Fatal().Err(err).Msgf("Failed to read JWT secret file '%s'", authOptions.jwtSecretFile)
+	}
+	jwtSecret := strings.TrimSpace(string(content))
+	token, err := service.CreateJwtToken(jwtSecret)
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to create JWT token")
+	}
+	return token
+}
+
+// cmdAuthHeaderRun prints a JWT authorization header on stdout and exits.
+func cmdAuthHeaderRun(cmd *cobra.Command, args []string) {
+	token := mustAuthCreateJWTToken()
+	fmt.Printf("%s: %s%s\n", service.AuthorizationHeader, service.BearerPrefix, token)
+}
+
+// cmdAuthTokenRun prints a JWT authorization token on stdout and exits.
+func cmdAuthTokenRun(cmd *cobra.Command, args []string) {
+	token := mustAuthCreateJWTToken()
+	fmt.Println(token)
+}
diff --git a/service/authentication.go b/service/authentication.go
@@ -28,12 +28,16 @@ import (
 	jwt "github.com/dgrijalva/jwt-go"
 )
 
-// addJwtHeader calculates a JWT authorization header based on the given secret
-// and adds it to the given request.
-// If the secret is empty, nothing is done.
-func addJwtHeader(req *http.Request, jwtSecret string) error {
+const (
+	AuthorizationHeader = "Authorization"
+	BearerPrefix        = "bearer "
+)
+
+// CreateJwtToken calculates a JWT authorization token based on the given secret.
+// If the secret is empty, an empty token is returned.
+func CreateJwtToken(jwtSecret string) (string, error) {
 	if jwtSecret == "" {
-		return nil
+		return "", nil
 	}
 	// Create a new token object, specifying signing method and the claims
 	// you would like it to contain.
@@ -44,11 +48,26 @@ func addJwtHeader(req *http.Request, jwtSecret string) error {
 
 	// Sign and get the complete encoded token as a string using the secret
 	signedToken, err := token.SignedString([]byte(jwtSecret))
+	if err != nil {
+		return "", maskAny(err)
+	}
+
+	return signedToken, nil
+}
+
+// addJwtHeader calculates a JWT authorization header based on the given secret
+// and adds it to the given request.
+// If the secret is empty, nothing is done.
+func addJwtHeader(req *http.Request, jwtSecret string) error {
+	if jwtSecret == "" {
+		return nil
+	}
+	signedToken, err := CreateJwtToken(jwtSecret)
 	if err != nil {
 		return maskAny(err)
 	}
 
-	req.Header.Set("Authorization", "bearer "+signedToken)
+	req.Header.Set(AuthorizationHeader, BearerPrefix+signedToken)
 	return nil
 }
 
@@ -60,6 +79,6 @@ func addBearerTokenHeader(req *http.Request, bearerToken string) error {
 		return nil
 	}
 
-	req.Header.Set("Authorization", "bearer "+bearerToken)
+	req.Header.Set(AuthorizationHeader, BearerPrefix+bearerToken)
 	return nil
 }
