mirror of
https://github.com/strukturag/nextcloud-spreed-signaling
synced 2024-05-18 13:36:34 +02:00
Merge pull request #212 from strukturag/token-in-future
Return dedicated error if proxy receives token that is not valid yet
This commit is contained in:
commit
7bfba499ba
7
Makefile
7
Makefile
|
@ -9,6 +9,7 @@ GOVERSION := $(shell "$(GO)" env GOVERSION | sed "s|go||" )
|
||||||
BINDIR := "$(CURDIR)/bin"
|
BINDIR := "$(CURDIR)/bin"
|
||||||
VERSION := $(shell "$(CURDIR)/scripts/get-version.sh")
|
VERSION := $(shell "$(CURDIR)/scripts/get-version.sh")
|
||||||
TARVERSION := $(shell "$(CURDIR)/scripts/get-version.sh" --tar)
|
TARVERSION := $(shell "$(CURDIR)/scripts/get-version.sh" --tar)
|
||||||
|
PACKAGENAME := github.com/strukturag/nextcloud-spreed-signaling
|
||||||
ifneq ($(VERSION),)
|
ifneq ($(VERSION),)
|
||||||
INTERNALLDFLAGS := -X main.version=$(VERSION)
|
INTERNALLDFLAGS := -X main.version=$(VERSION)
|
||||||
else
|
else
|
||||||
|
@ -73,9 +74,15 @@ fmt: hook
|
||||||
|
|
||||||
vet: common
|
vet: common
|
||||||
$(GO) vet .
|
$(GO) vet .
|
||||||
|
$(GO) vet $(PACKAGENAME)/client
|
||||||
|
$(GO) vet $(PACKAGENAME)/proxy
|
||||||
|
$(GO) vet $(PACKAGENAME)/server
|
||||||
|
|
||||||
test: vet common
|
test: vet common
|
||||||
$(GO) test -v -timeout $(TIMEOUT) $(TESTARGS) .
|
$(GO) test -v -timeout $(TIMEOUT) $(TESTARGS) .
|
||||||
|
$(GO) test -v -timeout $(TIMEOUT) $(TESTARGS) $(PACKAGENAME)/client
|
||||||
|
$(GO) test -v -timeout $(TIMEOUT) $(TESTARGS) $(PACKAGENAME)/proxy
|
||||||
|
$(GO) test -v -timeout $(TIMEOUT) $(TESTARGS) $(PACKAGENAME)/server
|
||||||
|
|
||||||
cover: vet common
|
cover: vet common
|
||||||
rm -f cover.out && \
|
rm -f cover.out && \
|
||||||
|
|
|
@ -73,6 +73,7 @@ var (
|
||||||
TimeoutCreatingSubscriber = signaling.NewError("timeout", "Timeout creating subscriber.")
|
TimeoutCreatingSubscriber = signaling.NewError("timeout", "Timeout creating subscriber.")
|
||||||
TokenAuthFailed = signaling.NewError("auth_failed", "The token could not be authenticated.")
|
TokenAuthFailed = signaling.NewError("auth_failed", "The token could not be authenticated.")
|
||||||
TokenExpired = signaling.NewError("token_expired", "The token is expired.")
|
TokenExpired = signaling.NewError("token_expired", "The token is expired.")
|
||||||
|
TokenNotValidYet = signaling.NewError("token_not_valid_yet", "The token is not valid yet.")
|
||||||
UnknownClient = signaling.NewError("unknown_client", "Unknown client id given.")
|
UnknownClient = signaling.NewError("unknown_client", "Unknown client id given.")
|
||||||
UnsupportedCommand = signaling.NewError("bad_request", "Unsupported command received.")
|
UnsupportedCommand = signaling.NewError("bad_request", "Unsupported command received.")
|
||||||
UnsupportedMessage = signaling.NewError("bad_request", "Unsupported message received.")
|
UnsupportedMessage = signaling.NewError("bad_request", "Unsupported message received.")
|
||||||
|
@ -357,7 +358,9 @@ func (s *ProxyServer) Stop() {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
s.mcu.Stop()
|
if s.mcu != nil {
|
||||||
|
s.mcu.Stop()
|
||||||
|
}
|
||||||
s.tokens.Close()
|
s.tokens.Close()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -863,8 +866,15 @@ func (s *ProxyServer) NewSession(hello *signaling.HelloProxyClientMessage) (*Pro
|
||||||
reason = "unsupported-issuer"
|
reason = "unsupported-issuer"
|
||||||
return nil, fmt.Errorf("No key found for issuer")
|
return nil, fmt.Errorf("No key found for issuer")
|
||||||
}
|
}
|
||||||
|
|
||||||
return tokenKey.key, nil
|
return tokenKey.key, nil
|
||||||
})
|
})
|
||||||
|
if err, ok := err.(*jwt.ValidationError); ok {
|
||||||
|
if err.Errors&jwt.ValidationErrorIssuedAt == jwt.ValidationErrorIssuedAt {
|
||||||
|
statsTokenErrorsTotal.WithLabelValues("not-valid-yet").Inc()
|
||||||
|
return nil, TokenNotValidYet
|
||||||
|
}
|
||||||
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
statsTokenErrorsTotal.WithLabelValues(reason).Inc()
|
statsTokenErrorsTotal.WithLabelValues(reason).Inc()
|
||||||
return nil, TokenAuthFailed
|
return nil, TokenAuthFailed
|
||||||
|
|
127
proxy/proxy_server_test.go
Normal file
127
proxy/proxy_server_test.go
Normal file
|
@ -0,0 +1,127 @@
|
||||||
|
/**
|
||||||
|
* Standalone signaling server for the Nextcloud Spreed app.
|
||||||
|
* Copyright (C) 2022 struktur AG
|
||||||
|
*
|
||||||
|
* @author Joachim Bauch <bauch@struktur.de>
|
||||||
|
*
|
||||||
|
* @license GNU AGPL version 3 or any later version
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
package main
|
||||||
|
|
||||||
|
import (
|
||||||
|
"crypto/rand"
|
||||||
|
"crypto/rsa"
|
||||||
|
"crypto/x509"
|
||||||
|
"encoding/pem"
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/dlintw/goconf"
|
||||||
|
"github.com/golang-jwt/jwt"
|
||||||
|
"github.com/gorilla/mux"
|
||||||
|
signaling "github.com/strukturag/nextcloud-spreed-signaling"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
KeypairSizeForTest = 2048
|
||||||
|
TokenIdForTest = "foo"
|
||||||
|
)
|
||||||
|
|
||||||
|
func newProxyServerForTest(t *testing.T) (*ProxyServer, *rsa.PrivateKey, func()) {
|
||||||
|
tempdir, err := ioutil.TempDir("", "test")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("could not create temporary folder: %s", err)
|
||||||
|
}
|
||||||
|
var server *ProxyServer
|
||||||
|
shutdown := func() {
|
||||||
|
if server != nil {
|
||||||
|
server.Stop()
|
||||||
|
}
|
||||||
|
os.RemoveAll(tempdir)
|
||||||
|
}
|
||||||
|
|
||||||
|
r := mux.NewRouter()
|
||||||
|
key, err := rsa.GenerateKey(rand.Reader, KeypairSizeForTest)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("could not generate key: %s", err)
|
||||||
|
}
|
||||||
|
priv := &pem.Block{
|
||||||
|
Type: "RSA PRIVATE KEY",
|
||||||
|
Bytes: x509.MarshalPKCS1PrivateKey(key),
|
||||||
|
}
|
||||||
|
privkey, err := ioutil.TempFile(tempdir, "privkey*.pem")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("could not create temporary file for private key: %s", err)
|
||||||
|
}
|
||||||
|
if err := pem.Encode(privkey, priv); err != nil {
|
||||||
|
t.Fatalf("could not encode private key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
pubData, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("could not marshal public key: %s", err)
|
||||||
|
}
|
||||||
|
pub := &pem.Block{
|
||||||
|
Type: "RSA PUBLIC KEY",
|
||||||
|
Bytes: pubData,
|
||||||
|
}
|
||||||
|
pubkey, err := ioutil.TempFile(tempdir, "pubkey*.pem")
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("could not create temporary file for public key: %s", err)
|
||||||
|
}
|
||||||
|
if err := pem.Encode(pubkey, pub); err != nil {
|
||||||
|
t.Fatalf("could not encode public key: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
config := goconf.NewConfigFile()
|
||||||
|
config.AddOption("tokens", TokenIdForTest, pubkey.Name())
|
||||||
|
|
||||||
|
if server, err = NewProxyServer(r, "0.0", config); err != nil {
|
||||||
|
t.Fatalf("could not create server: %s", err)
|
||||||
|
}
|
||||||
|
return server, key, shutdown
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestTokenInFuture(t *testing.T) {
|
||||||
|
server, key, shutdown := newProxyServerForTest(t)
|
||||||
|
defer shutdown()
|
||||||
|
|
||||||
|
claims := &signaling.TokenClaims{
|
||||||
|
StandardClaims: jwt.StandardClaims{
|
||||||
|
IssuedAt: time.Now().Add(time.Hour).Unix(),
|
||||||
|
Issuer: TokenIdForTest,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
|
||||||
|
tokenString, err := token.SignedString(key)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("could not create token: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
hello := &signaling.HelloProxyClientMessage{
|
||||||
|
Version: "1.0",
|
||||||
|
Token: tokenString,
|
||||||
|
}
|
||||||
|
session, err := server.NewSession(hello)
|
||||||
|
if session != nil {
|
||||||
|
defer session.Close()
|
||||||
|
t.Errorf("should not have created session")
|
||||||
|
} else if err != TokenNotValidYet {
|
||||||
|
t.Errorf("could have failed with TokenNotValidYet, got %s", err)
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue