From 4b92e0024b0eb8d43b4c79cef1c56fabdb7b6bee Mon Sep 17 00:00:00 2001
From: Oleg Kovalov
Date: Wed, 27 Nov 2024 19:21:38 +0100
Subject: [PATCH] review suggestions

---
 api/rpc/perms/permissions.go | 21 ++++++++++++++++++++-
 api/rpc_test.go              | 14 +++++++-------
 cmd/rpc.go                   |  2 +-
 3 files changed, 28 insertions(+), 9 deletions(-)

diff --git a/api/rpc/perms/permissions.go b/api/rpc/perms/permissions.go
index 71ba05ec11..60ba33c534 100644
--- a/api/rpc/perms/permissions.go
+++ b/api/rpc/perms/permissions.go
@@ -32,7 +32,26 @@ func (j *JWTPayload) MarshalBinary() (data []byte, err error) {
 
 // NewTokenWithPerms generates and signs a new JWT token with the given secret
 // and given permissions.
-func NewTokenWithPerms(signer jwt.Signer, perms []auth.Permission, ttl time.Duration) ([]byte, error) {
+func NewTokenWithPerms(signer jwt.Signer, perms []auth.Permission) ([]byte, error) {
+	nonce := make([]byte, 32)
+	if _, err := rand.Read(nonce); err != nil {
+		return nil, err
+	}
+
+	p := &JWTPayload{
+		Allow: perms,
+		Nonce: nonce,
+	}
+	token, err := jwt.NewBuilder(signer).Build(p)
+	if err != nil {
+		return nil, err
+	}
+	return token.Bytes(), nil
+}
+
+// NewTokenWithTTL generates and signs a new JWT token with the given secret
+// and given permissions and TTL.
+func NewTokenWithTTL(signer jwt.Signer, perms []auth.Permission, ttl time.Duration) ([]byte, error) {
 	nonce := make([]byte, 32)
 	if _, err := rand.Read(nonce); err != nil {
 		return nil, err
diff --git a/api/rpc_test.go b/api/rpc_test.go
index a0f80ec2a3..343514632a 100644
--- a/api/rpc_test.go
+++ b/api/rpc_test.go
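Review bot: NewTokenWithPerms now issues a token that carries no expiry, but its doc comment does not say so and still speaks of "the given secret" although the parameter is a jwt.Signer; the comment should state the unbounded lifetime and point to the alternative, e.g. `// NewTokenWithPerms generates and signs a new JWT token with the given signer and permissions. The token carries no expiry; use NewTokenWithTTL when a bounded lifetime is required.` The new body also duplicates the nonce generation that opens NewTokenWithTTL, whose body continues outside the hunk; if NewTokenWithTTL only adds an expiry on top of the same payload, both could build the payload through one shared helper so the two cannot drift. The `rand` behind the 32-byte nonce is presumably crypto/rand (the import block is not in the hunk), which is worth confirming since the nonce is what keeps two tokens with identical permissions from being byte-identical.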
@@ -59,7 +59,7 @@ func TestRPCCallsUnderlyingNode(t *testing.T) {
 	nd, server := setupNodeWithAuthedRPC(t, signer, verifier)
 	url := nd.RPCServer.ListenAddr()
 
-	adminToken, err := perms.NewTokenWithPerms(signer, perms.AllPerms, time.Minute)
+	adminToken, err := perms.NewTokenWithPerms(signer, perms.AllPerms)
 	require.NoError(t, err)
 
 	// we need to run this a few times to prevent the race where the server is not yet started
@@ -105,7 +105,7 @@ func TestRPCCallsTokenExpired(t *testing.T) {
 	nd, _ := setupNodeWithAuthedRPC(t, signer, verifier)
 	url := nd.RPCServer.ListenAddr()
 
-	adminToken, err := perms.NewTokenWithPerms(signer, perms.AllPerms, time.Millisecond)
+	adminToken, err := perms.NewTokenWithTTL(signer, perms.AllPerms, time.Millisecond)
 	require.NoError(t, err)
 
 	// we need to run this a few times to prevent the race where the server is not yet started
@@ -122,7 +122,7 @@ func TestRPCCallsTokenExpired(t *testing.T) {
 	require.NoError(t, err)
 
 	_, err = rpcClient.State.Balance(ctx)
-	require.Error(t, err, err)
+	require.ErrorContains(t, err, "request failed, http status 401 Unauthorized")
 }
 
 // api contains all modules that are made available as the node's
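Review bot: The new assertion in the third hunk pins the RPC client's full error text, so any rewording in that library fails TestRPCCallsTokenExpired even though the 401 it is really checking for is still produced. Narrowing it to the part that matters, `require.ErrorContains(t, err, "http status 401")`, or to a status-code error type if the client exposes one, keeps the test focused on "an expired token is rejected as unauthorized" rather than on message wording. The replaced `require.Error(t, err, err)` only checked that some error came back, so the tighter check is the right direction. TestRPCCallsTokenExpired starts outside the hunk.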
@@ -179,13 +179,13 @@ func TestAuthedRPC(t *testing.T) {
 	url := nd.RPCServer.ListenAddr()
 
 	// create permissioned tokens
-	publicToken, err := perms.NewTokenWithPerms(signer, perms.DefaultPerms, time.Minute)
+	publicToken, err := perms.NewTokenWithPerms(signer, perms.DefaultPerms)
 	require.NoError(t, err)
-	readToken, err := perms.NewTokenWithPerms(signer, perms.ReadPerms, time.Minute)
+	readToken, err := perms.NewTokenWithPerms(signer, perms.ReadPerms)
 	require.NoError(t, err)
-	rwToken, err := perms.NewTokenWithPerms(signer, perms.ReadWritePerms, time.Minute)
+	rwToken, err := perms.NewTokenWithPerms(signer, perms.ReadWritePerms)
 	require.NoError(t, err)
-	adminToken, err := perms.NewTokenWithPerms(signer, perms.AllPerms, time.Minute)
+	adminToken, err := perms.NewTokenWithPerms(signer, perms.AllPerms)
 	require.NoError(t, err)
 
 	tests := []struct {
diff --git a/cmd/rpc.go b/cmd/rpc.go
index ec4991c916..66a3ee6df0 100644
--- a/cmd/rpc.go
+++ b/cmd/rpc.go
@@ -128,7 +128,7 @@ func getToken(path string) (string, error) {
 		fmt.Printf("error getting the JWT secret: %v", err)
 		return "", err
 	}
-	return buildJWTToken(key.Body, perms.AllPerms, time.Minute)
+	return buildJWTToken(key.Body, perms.AllPerms, 0)
 }
 
 type rpcClientKey struct{}
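Review bot: The literal `0` passed as the TTL to buildJWTToken in the cmd/rpc.go hunk is unexplained; buildJWTToken is outside the hunk, so whether 0 means "no expiry" or "expires immediately" is not visible here, while the rest of the patch splits the library into NewTokenWithPerms (no TTL) and NewTokenWithTTL. If 0 selects the no-expiry path, the admin token this CLI builds never expires, which deserves a comment at the call site, e.g. `return buildJWTToken(key.Body, perms.AllPerms, 0) // 0: no expiry claim, matching perms.NewTokenWithPerms`, or a direct call to perms.NewTokenWithPerms if buildJWTToken is only a thin wrapper around it. The enclosing getToken starts outside the hunk.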