frp/pkg/auth/token.go

// Copyright 2020 guylewin, guy@lewin.co.il
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package auth

import (
	"fmt"
	"slices"
	"time"

	v1 "github.com/fatedier/frp/pkg/config/v1"
	"github.com/fatedier/frp/pkg/msg"
	"github.com/fatedier/frp/pkg/util/util"
)

type TokenAuthSetterVerifier struct {
	additionalAuthScopes []v1.AuthScope
	token                string
}

func NewTokenAuth(additionalAuthScopes []v1.AuthScope, token string) *TokenAuthSetterVerifier {
	return &TokenAuthSetterVerifier{
		additionalAuthScopes: additionalAuthScopes,
		token:                token,
	}
}

func (auth *TokenAuthSetterVerifier) SetLogin(loginMsg *msg.Login) error {
	loginMsg.PrivilegeKey = util.GetAuthKey(auth.token, loginMsg.Timestamp)
	return nil
}

func (auth *TokenAuthSetterVerifier) SetPing(pingMsg *msg.Ping) error {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
		return nil
	}

	pingMsg.Timestamp = time.Now().Unix()
	pingMsg.PrivilegeKey = util.GetAuthKey(auth.token, pingMsg.Timestamp)
	return nil
}

func (auth *TokenAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) error {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
		return nil
	}

	newWorkConnMsg.Timestamp = time.Now().Unix()
	newWorkConnMsg.PrivilegeKey = util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp)
	return nil
}

func (auth *TokenAuthSetterVerifier) VerifyLogin(m *msg.Login) error {
	if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {
		return fmt.Errorf("token in login doesn't match token from configuration")
	}
	return nil
}

func (auth *TokenAuthSetterVerifier) VerifyPing(m *msg.Ping) error {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {
		return nil
	}

	if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {
		return fmt.Errorf("token in heartbeat doesn't match token from configuration")
	}
	return nil
}

func (auth *TokenAuthSetterVerifier) VerifyNewWorkConn(m *msg.NewWorkConn) error {
	if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {
		return nil
	}

	if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {
		return fmt.Errorf("token in NewWorkConn doesn't match token from configuration")
	}
	return nil
}
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`// Copyright 2020 guylewin, guy@lewin.co.il`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

			`package auth`

			`import (`
			`"fmt"`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`"slices"`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`"time"`

support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`v1 "github.com/fatedier/frp/pkg/config/v1"`
rename models to pkg (#2005) 2020-09-23 13:49:14 +08:00			`"github.com/fatedier/frp/pkg/msg"`
			`"github.com/fatedier/frp/pkg/util/util"`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`)`

			`type TokenAuthSetterVerifier struct {`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`additionalAuthScopes []v1.AuthScope`
			`token string`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`}`

support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`func NewTokenAuth(additionalAuthScopes []v1.AuthScope, token string) *TokenAuthSetterVerifier {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return &TokenAuthSetterVerifier{`
support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`additionalAuthScopes: additionalAuthScopes,`
			`token: token,`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`}`
			`}`

support yaml/json/toml configuration format, make ini deprecated (#3599) 2023-09-06 10:18:02 +08:00			`func (auth TokenAuthSetterVerifier) SetLogin(loginMsg msg.Login) error {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`loginMsg.PrivilegeKey = util.GetAuthKey(auth.token, loginMsg.Timestamp)`
			`return nil`
			`}`

			`func (auth TokenAuthSetterVerifier) SetPing(pingMsg msg.Ping) error {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

			`pingMsg.Timestamp = time.Now().Unix()`
			`pingMsg.PrivilegeKey = util.GetAuthKey(auth.token, pingMsg.Timestamp)`
			`return nil`
			`}`

			`func (auth TokenAuthSetterVerifier) SetNewWorkConn(newWorkConnMsg msg.NewWorkConn) error {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

			`newWorkConnMsg.Timestamp = time.Now().Unix()`
			`newWorkConnMsg.PrivilegeKey = util.GetAuthKey(auth.token, newWorkConnMsg.Timestamp)`
			`return nil`
			`}`

use constant time comparison (#3452) 2023-05-29 00:27:27 +08:00			`func (auth TokenAuthSetterVerifier) VerifyLogin(m msg.Login) error {`
			`if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return fmt.Errorf("token in login doesn't match token from configuration")`
			`}`
			`return nil`
			`}`

use constant time comparison (#3452) 2023-05-29 00:27:27 +08:00			`func (auth TokenAuthSetterVerifier) VerifyPing(m msg.Ping) error {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeHeartBeats) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

use constant time comparison (#3452) 2023-05-29 00:27:27 +08:00			`if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return fmt.Errorf("token in heartbeat doesn't match token from configuration")`
			`}`
			`return nil`
			`}`

use constant time comparison (#3452) 2023-05-29 00:27:27 +08:00			`func (auth TokenAuthSetterVerifier) VerifyNewWorkConn(m msg.NewWorkConn) error {`
use std slices package (#4008) 2024-02-20 12:01:41 +08:00			`if !slices.Contains(auth.additionalAuthScopes, v1.AuthScopeNewWorkConns) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return nil`
			`}`

use constant time comparison (#3452) 2023-05-29 00:27:27 +08:00			`if !util.ConstantTimeEqString(util.GetAuthKey(auth.token, m.Timestamp), m.PrivilegeKey) {`
feat: add multiple authentication methods, token and oidc. token is the current token comparison, and oidc generates oidc token using client-credentials flow. in addition - add ping verification using the same method 2020-03-01 10:57:01 +08:00			`return fmt.Errorf("token in NewWorkConn doesn't match token from configuration")`
			`}`
			`return nil`
			`}`