added user, exp, and allowed_paths

Author: fceller

auth.go

@@ -51,6 +51,8 @@ var (
 	authOptions struct {
 		jwtSecretFile string
 		user          string
+		paths         []string
+                exp           int64
 	}
 )
 
@@ -62,6 +64,8 @@ func init() {
 	pf := cmdAuth.PersistentFlags()
 	pf.StringVar(&authOptions.jwtSecretFile, "auth.jwt-secret", "", "name of a plain text file containing a JWT secret used for server authentication")
 	pf.StringVar(&authOptions.user, "auth.user", "", "name of a user to authenticate as. If empty, 'super-user' authentication is used")
+	pf.StringSliceVar(&authOptions.paths, "auth.paths", nil, "a list of allowed pathes. The path must not include the '_db/DBNAME' prefix.")
+	pf.Int64Var(&authOptions.exp, "auth.exp", 0, "an expiry date in seconds since epoche")
 }
 
 // mustAuthCreateJWTToken creates a the JWT token based on authentication options.
@@ -77,7 +81,7 @@ func mustAuthCreateJWTToken() string {
 		log.Fatal().Err(err).Msgf("Failed to read JWT secret file '%s'", authOptions.jwtSecretFile)
 	}
 	jwtSecret := strings.TrimSpace(string(content))
-	token, err := service.CreateJwtToken(jwtSecret, authOptions.user)
+	token, err := service.CreateJwtToken(jwtSecret, authOptions.user, "", authOptions.paths, authOptions.exp)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to create JWT token")
 	}

service/authentication.go

@@ -35,19 +35,29 @@ const (
 
 // CreateJwtToken calculates a JWT authorization token based on the given secret.
 // If the secret is empty, an empty token is returned.
-func CreateJwtToken(jwtSecret, user string) (string, error) {
+func CreateJwtToken(jwtSecret, user string, serverId string, paths []string, exp int64) (string, error) {
 	if jwtSecret == "" {
 		return "", nil
 	}
+        if serverId == "" {
+	        serverId = "foo"
+	}
+
 	// Create a new token object, specifying signing method and the claims
 	// you would like it to contain.
 	claims := jwt.MapClaims{
 		"iss":       "arangodb",
-		"server_id": "foo",
+		"server_id": serverId,
 	}
 	if user != "" {
 		claims["preferred_username"] = user
 	}
+	if paths != nil {
+		claims["allowed_paths"] = paths
+	}
+	if exp > 0 {
+		claims["exp"] = exp
+	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 
 	// Sign and get the complete encoded token as a string using the secret
@@ -66,7 +76,7 @@ func addJwtHeader(req *http.Request, jwtSecret string) error {
 	if jwtSecret == "" {
 		return nil
 	}
-	signedToken, err := CreateJwtToken(jwtSecret, "")
+	signedToken, err := CreateJwtToken(jwtSecret, "", "", nil, 0)
 	if err != nil {
 		return maskAny(err)
 	}