auth.go 6.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230
  1. package apiclient
  2. import (
  3. "bytes"
  4. "encoding/json"
  5. "time"
  6. //"errors"
  7. "fmt"
  8. "io"
  9. "net/http"
  10. "net/http/httputil"
  11. "net/url"
  12. "github.com/crowdsecurity/crowdsec/pkg/models"
  13. "github.com/go-openapi/strfmt"
  14. "github.com/pkg/errors"
  15. log "github.com/sirupsen/logrus"
  16. //"google.golang.org/appengine/log"
  17. )
  18. type APIKeyTransport struct {
  19. APIKey string
  20. // Transport is the underlying HTTP transport to use when making requests.
  21. // It will default to http.DefaultTransport if nil.
  22. Transport http.RoundTripper
  23. URL *url.URL
  24. VersionPrefix string
  25. UserAgent string
  26. }
  27. // RoundTrip implements the RoundTripper interface.
  28. func (t *APIKeyTransport) RoundTrip(req *http.Request) (*http.Response, error) {
  29. if t.APIKey == "" {
  30. return nil, errors.New("APIKey is empty")
  31. }
  32. // We must make a copy of the Request so
  33. // that we don't modify the Request we were given. This is required by the
  34. // specification of http.RoundTripper.
  35. req = cloneRequest(req)
  36. req.Header.Add("X-Api-Key", t.APIKey)
  37. if t.UserAgent != "" {
  38. req.Header.Add("User-Agent", t.UserAgent)
  39. }
  40. log.Debugf("req-api: %s %s", req.Method, req.URL.String())
  41. if log.GetLevel() >= log.TraceLevel {
  42. dump, _ := httputil.DumpRequest(req, true)
  43. log.Tracef("auth-api request: %s", string(dump))
  44. }
  45. // Make the HTTP request.
  46. resp, err := t.transport().RoundTrip(req)
  47. if err != nil {
  48. log.Errorf("auth-api: auth with api key failed return nil response, error: %s", err)
  49. return resp, err
  50. }
  51. if log.GetLevel() >= log.TraceLevel {
  52. dump, _ := httputil.DumpResponse(resp, true)
  53. log.Tracef("auth-api response: %s", string(dump))
  54. }
  55. log.Debugf("resp-api: http %d", resp.StatusCode)
  56. return resp, err
  57. }
  58. func (t *APIKeyTransport) Client() *http.Client {
  59. return &http.Client{Transport: t}
  60. }
  61. func (t *APIKeyTransport) transport() http.RoundTripper {
  62. if t.Transport != nil {
  63. return t.Transport
  64. }
  65. return http.DefaultTransport
  66. }
  67. type JWTTransport struct {
  68. MachineID *string
  69. Password *strfmt.Password
  70. token string
  71. Expiration time.Time
  72. Scenarios []string
  73. URL *url.URL
  74. VersionPrefix string
  75. UserAgent string
  76. // Transport is the underlying HTTP transport to use when making requests.
  77. // It will default to http.DefaultTransport if nil.
  78. Transport http.RoundTripper
  79. UpdateScenario func() ([]string, error)
  80. }
  81. func (t *JWTTransport) refreshJwtToken() error {
  82. var err error
  83. if t.UpdateScenario != nil {
  84. t.Scenarios, err = t.UpdateScenario()
  85. if err != nil {
  86. return fmt.Errorf("can't update scenario list: %s", err)
  87. }
  88. log.Debugf("scenarios list updated for '%s'", *t.MachineID)
  89. }
  90. var auth = models.WatcherAuthRequest{
  91. MachineID: t.MachineID,
  92. Password: t.Password,
  93. Scenarios: t.Scenarios,
  94. }
  95. var response models.WatcherAuthResponse
  96. /*
  97. we don't use the main client, so let's build the body
  98. */
  99. var buf io.ReadWriter
  100. buf = &bytes.Buffer{}
  101. enc := json.NewEncoder(buf)
  102. enc.SetEscapeHTML(false)
  103. err = enc.Encode(auth)
  104. if err != nil {
  105. return errors.Wrap(err, "could not encode jwt auth body")
  106. }
  107. req, err := http.NewRequest("POST", fmt.Sprintf("%s%s/watchers/login", t.URL, t.VersionPrefix), buf)
  108. if err != nil {
  109. return errors.Wrap(err, "could not create request")
  110. }
  111. req.Header.Add("Content-Type", "application/json")
  112. client := &http.Client{}
  113. if t.UserAgent != "" {
  114. req.Header.Add("User-Agent", t.UserAgent)
  115. }
  116. if log.GetLevel() >= log.TraceLevel {
  117. dump, _ := httputil.DumpRequest(req, true)
  118. log.Tracef("auth-jwt request: %s", string(dump))
  119. }
  120. log.Debugf("auth-jwt(auth): %s %s", req.Method, req.URL.String())
  121. resp, err := client.Do(req)
  122. if err != nil {
  123. return errors.Wrap(err, "could not get jwt token")
  124. }
  125. log.Debugf("auth-jwt : http %d", resp.StatusCode)
  126. if log.GetLevel() >= log.TraceLevel {
  127. dump, _ := httputil.DumpResponse(resp, true)
  128. log.Tracef("auth-jwt response: %s", string(dump))
  129. }
  130. defer resp.Body.Close()
  131. if resp.StatusCode < 200 || resp.StatusCode >= 300 {
  132. log.Debugf("received response status %q when fetching %v", resp.Status, req.URL)
  133. err = CheckResponse(resp)
  134. if err != nil {
  135. return err
  136. }
  137. }
  138. if err := json.NewDecoder(resp.Body).Decode(&response); err != nil {
  139. return errors.Wrap(err, "unable to decode response")
  140. }
  141. if err := t.Expiration.UnmarshalText([]byte(response.Expire)); err != nil {
  142. return errors.Wrap(err, "unable to parse jwt expiration")
  143. }
  144. t.token = response.Token
  145. log.Debugf("token %s will expire on %s", t.token, t.Expiration.String())
  146. return nil
  147. }
  148. // RoundTrip implements the RoundTripper interface.
  149. func (t *JWTTransport) RoundTrip(req *http.Request) (*http.Response, error) {
  150. if t.token == "" || t.Expiration.Add(-time.Minute).Before(time.Now().UTC()) {
  151. if err := t.refreshJwtToken(); err != nil {
  152. return nil, err
  153. }
  154. }
  155. // We must make a copy of the Request so
  156. // that we don't modify the Request we were given. This is required by the
  157. // specification of http.RoundTripper.
  158. req = cloneRequest(req)
  159. req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", t.token))
  160. log.Debugf("req-jwt: %s %s", req.Method, req.URL.String())
  161. if log.GetLevel() >= log.TraceLevel {
  162. dump, _ := httputil.DumpRequest(req, true)
  163. log.Tracef("req-jwt: %s", string(dump))
  164. }
  165. if t.UserAgent != "" {
  166. req.Header.Add("User-Agent", t.UserAgent)
  167. }
  168. // Make the HTTP request.
  169. resp, err := t.transport().RoundTrip(req)
  170. if log.GetLevel() >= log.TraceLevel {
  171. dump, _ := httputil.DumpResponse(resp, true)
  172. log.Tracef("resp-jwt: %s (err:%v)", string(dump), err)
  173. }
  174. if err != nil || resp.StatusCode == 401 {
  175. /*we had an error (network error for example, or 401 because token is refused), reset the token ?*/
  176. t.token = ""
  177. return resp, errors.Wrapf(err, "performing jwt auth")
  178. }
  179. log.Debugf("resp-jwt: %d", resp.StatusCode)
  180. return resp, nil
  181. }
  182. func (t *JWTTransport) Client() *http.Client {
  183. return &http.Client{Transport: t}
  184. }
  185. func (t *JWTTransport) transport() http.RoundTripper {
  186. if t.Transport != nil {
  187. return t.Transport
  188. }
  189. return http.DefaultTransport
  190. }
  191. // cloneRequest returns a clone of the provided *http.Request. The clone is a
  192. // shallow copy of the struct and its Header map.
  193. func cloneRequest(r *http.Request) *http.Request {
  194. // shallow copy of the struct
  195. r2 := new(http.Request)
  196. *r2 = *r
  197. // deep copy of the Header
  198. r2.Header = make(http.Header, len(r.Header))
  199. for k, s := range r.Header {
  200. r2.Header[k] = append([]string(nil), s...)
  201. }
  202. return r2
  203. }