Switch to jwt tokens and allow some extra rdp settings
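--- /dev/null
+++ b/security/jwt.go
@@ -0,0 +1,70 @@
+package security
+
+import (
+"errors"
+"fmt"
+"github.com/bolkedebruin/rdpgw/protocol"
+"github.com/dgrijalva/jwt-go/v4"
+"log"
+"time"
+)
+
+var SigningKey []byte
+var ExpiryTime time.Duration = 5
+
+type customClaims struct {
+RemoteServer string `json:"remoteServer"`
+jwt.StandardClaims
+}
+
+func VerifyPAAToken(s *protocol.SessionInfo, tokenString string) (bool, error) {
+token, err := jwt.ParseWithClaims(tokenString, &customClaims{}, func(token *jwt.Token) (interface{}, error) {
+if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+}
+
+return SigningKey, nil
+})
+
+if err != nil {
+return false, err
+}
+
+if _, ok := token.Claims.(*customClaims); ok && token.Valid {
+return true, nil
+}
+
+log.Printf("token validation failed: %s", err)
+return false, err
+}
+
+func GeneratePAAToken(username string, server string) (string, error) {
+if len(SigningKey) < 32 {
+return "", errors.New("token signing key not long enough or not specified")
+}
+
+exp := &jwt.Time{
+Time: time.Now().Add(time.Minute * 5),
+}
+now := &jwt.Time{
+Time: time.Now(),
+}
+
+c := customClaims{
+RemoteServer: server,
+StandardClaims: jwt.StandardClaims{
+ExpiresAt: exp,
+IssuedAt: now,
+Issuer: "rdpgw",
+Subject: username,
+},
+}
+
+token := jwt.NewWithClaims(jwt.SigningMethodHS512, c)
+if ss, err := token.SignedString(SigningKey); err != nil {
+log.Printf("Cannot sign PAA token %s", err)
+return "", err
+} else {
+return ss, nil
+}
+}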
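Review bot: VerifyPAAToken never reads its `s *protocol.SessionInfo` parameter or the `RemoteServer` claim it parses, so the server binding that GeneratePAAToken writes into the token is not enforced at verification; bind the claims with `if claims, ok := token.Claims.(*customClaims); ok && token.Valid {` and compare `claims.RemoteServer` against the target host carried in the session (its field name is not visible here) before returning true. On the fall-through path `err` is already nil, so `log.Printf("token validation failed: %s", err)` prints `%!s(<nil>)` and the caller receives `false, nil` with no reason; return `false, errors.New("invalid token")` there instead. The exported `ExpiryTime time.Duration = 5` is five nanoseconds and is never used, while GeneratePAAToken hard-codes `time.Minute * 5`; either drop it or declare it as `5 * time.Minute` and use `time.Now().Add(ExpiryTime)`. The `len(SigningKey) < 32` guard runs only when signing; applying the same guard at the top of VerifyPAAToken ensures an unset or short key is rejected before it is ever handed to the HMAC key func.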
@@ -1,21 +0,0 @@
|
||||
package security
|
||||
|
||||
import (
|
||||
"github.com/bolkedebruin/rdpgw/protocol"
|
||||
"github.com/patrickmn/go-cache"
|
||||
"log"
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
Store *cache.Cache
|
||||
}
|
||||
|
||||
func (c *Config) VerifyPAAToken(s *protocol.SessionInfo, token string) (bool, error) {
|
||||
_, found := c.Store.Get(token)
|
||||
if !found {
|
||||
log.Printf("PAA Token %s not found", token)
|
||||
return false, nil
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||