Move the jwt directory to signal.

ionorg · cloudwebrtc · Jun 18, 2021 · Apr 3, 2021 · Apr 11, 2021 · Apr 27, 2021
commit 7bacfbcadb71900570ce3bc69d24fc53f0016f1a
diff --git a/configs/sig.toml b/configs/sig.toml
@@ -22,7 +22,6 @@ allow_all_origins = true
 enabled = false 
 key_type = "HMAC"  # this selects the Signing method https://godoc.org/github.com/dgrijalva/jwt-go#SigningMethod
 key = "1q2dGu5pzikcrECJgW3ADfXX3EsmoD99SYvSVCpDsJrAqxou5tUNbHPvkEFI4bTS"
-allowed_services = ["sfu","biz"]
 
 [signal.svc]
 services = ["sfu","biz","avp"]
diff --git a/examples/webserver/main.go b/examples/webserver/main.go
@@ -18,8 +18,9 @@ type result struct {
 }
 
 type claims struct {
-	UID string `json:"uid"`
-	SID string `json:"sid"`
+	UID      string   `json:"uid"`
+	SID      string   `json:"sid"`
+	Services []string `json:"services"`
 	jwt.StandardClaims
 }
 
@@ -88,8 +89,9 @@ func sign(w http.ResponseWriter, r *http.Request) {
 	sid := values[0]
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims{
-		UID: uid,
-		SID: sid,
+		UID:      uid,
+		SID:      sid,
+		Services: []string{"sfu", "biz"},
 	})
 	tokenString, err := token.SignedString([]byte(key))
 	if err != nil {

diff --git a/pkg/jwt/jwt.go → pkg/node/signal/jwt.go b/pkg/jwt/jwt.go → pkg/node/signal/jwt.go
@@ -1,4 +1,4 @@
-package jwt
+package signal
 
 import (
 	"context"
@@ -11,10 +11,9 @@ import (
 
 // AuthConfig auth config
 type AuthConfig struct {
-	Enabled         bool     `mapstructure:"enabled"`
-	Key             string   `mapstructure:"key"`
-	KeyType         string   `mapstructure:"key_type"`
-	AllowedServices []string `mapstructure:"allowed_services"`
+	Enabled bool   `mapstructure:"enabled"`
+	Key     string `mapstructure:"key"`
+	KeyType string `mapstructure:"key_type"`
 }
 
 // KeyFunc auth key types
@@ -28,13 +27,14 @@ func (a AuthConfig) KeyFunc(t *jwt.Token) (interface{}, error) {
 }
 
 // claims custom claims type for jwt
-type CustomClaims struct {
-	UID string `json:"uid"`
-	SID string `json:"sid"`
-	*jwt.StandardClaims
+type claims struct {
+	UID      string   `json:"uid"`
+	SID      string   `json:"sid"`
+	Services []string `json:"services"`
+	jwt.StandardClaims
 }
 
-func GetClaim(ctx context.Context, ac *AuthConfig) (*CustomClaims, error) {
+func getClaim(ctx context.Context, ac *AuthConfig) (*claims, error) {
 	md, ok := metadata.FromIncomingContext(ctx)
 	if !ok {
 		return nil, status.Errorf(codes.Unauthenticated, "valid JWT token required")
@@ -45,9 +45,9 @@ func GetClaim(ctx context.Context, ac *AuthConfig) (*CustomClaims, error) {
 		return nil, status.Errorf(codes.Unauthenticated, "valid JWT token required")
 	}
 
-	jwtToken, err := jwt.ParseWithClaims(token[0], &CustomClaims{}, ac.KeyFunc)
+	jwtToken, err := jwt.ParseWithClaims(token[0], &claims{}, ac.KeyFunc)
 
-	if claims, ok := jwtToken.Claims.(*CustomClaims); ok && jwtToken.Valid {
+	if claims, ok := jwtToken.Claims.(*claims); ok && jwtToken.Valid {
 		return claims, nil
 	}
 

diff --git a/pkg/node/signal/signal.go b/pkg/node/signal/signal.go
@@ -11,7 +11,6 @@ import (
 	nrpc "github.com/cloudwebrtc/nats-grpc/pkg/rpc"
 	"github.com/nats-io/nats.go"
 	log "github.com/pion/ion-log"
-	"github.com/pion/ion/pkg/jwt"
 	"github.com/pion/ion/pkg/util"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@@ -24,9 +23,9 @@ type svcConf struct {
 }
 
 type signalConf struct {
-	GRPC grpcConf       `mapstructure:"grpc"`
-	JWT  jwt.AuthConfig `mapstructure:"jwt"`
-	SVC  svcConf        `mapstructure:"svc"`
+	GRPC grpcConf   `mapstructure:"grpc"`
+	JWT  AuthConfig `mapstructure:"jwt"`
+	SVC  svcConf    `mapstructure:"svc"`
 }
 
 // signalConf represents signal server configuration
@@ -139,17 +138,30 @@ func (s *Signal) Director(ctx context.Context, fullMethodName string) (context.C
 	//Authenticate here.
 	authConfig := &s.conf.Signal.JWT
 	if authConfig.Enabled {
-		claims, err := jwt.GetClaim(ctx, authConfig)
+		claims, err := getClaim(ctx, authConfig)
 		if err != nil {
 			return ctx, nil, status.Errorf(codes.Unauthenticated, fmt.Sprintf("Failed to Get Claims JWT : %v", err))
 		}
-		log.Infof("UID: %s, SID: %v", claims.UID, claims.SID)
+
+		log.Infof("claims: UID: %s, SID: %v, Services: %v", claims.UID, claims.SID, claims.Services)
+
+		allowed := false
+		for _, svc := range claims.Services {
+			if strings.Contains(fullMethodName, "/"+svc+".") {
+				allowed = true
+				break
+			}
+		}
+
+		if !allowed {
+			return ctx, nil, status.Errorf(codes.Unauthenticated, fmt.Sprintf("Service %v access denied!", fullMethodName))
+		}
 	}
 
 	//Find node id by existing node.
 	s.rwlock.RLock()
 	for svc, nid := range s.svc {
-		if strings.Contains(fullMethodName, svc) {
+		if strings.HasPrefix(fullMethodName, "/"+svc) {
 			cli := nrpc.NewClient(s.nc, nid)
 			return ctx, cli, nil
 		}
@@ -159,7 +171,7 @@ func (s *Signal) Director(ctx context.Context, fullMethodName string) (context.C
 	//Find service in neighbor nodes.
 	svcConf := s.conf.Signal.SVC
 	for _, svc := range svcConf.Services {
-		if strings.Contains(fullMethodName, svc) {
+		if strings.HasPrefix(fullMethodName, "/"+svc+".") {
 			resp, err := s.ndc.Get(svc, map[string]interface{}{})
 			if err != nil || len(resp.Nodes) == 0 {
 				log.Errorf("failed to Get service [%v]: %v", svc, err)