Added initial jwt-secret support

Author: ewoutp

main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"io/ioutil"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -47,6 +48,7 @@ var (
 	verbose              bool
 	serverThreads        int
 	allPortOffsetsUnique bool
+	jwtSecretFile        string
 	dockerEndpoint       string
 	dockerImage          string
 	dockerUser           string
@@ -79,6 +81,7 @@ func init() {
 	f.BoolVar(&dockerNetHost, "dockerNetHost", false, "Run containers with --net=host")
 	f.BoolVar(&dockerPrivileged, "dockerPrivileged", false, "Run containers with --privileged")
 	f.BoolVar(&allPortOffsetsUnique, "uniquePortOffsets", false, "If set, all peers will get a unique port offset. If false (default) only portOffset+peerAddress pairs will be unique.")
+	f.StringVar(&jwtSecretFile, "jwtSecretFile", "", "name of a plain text file containing a JWT secret used for server authentication")
 }
 
 // handleSignal listens for termination signals and stops this process onup termination.
@@ -191,6 +194,16 @@ func cmdMainRun(cmd *cobra.Command, args []string) {
 		log.Fatalf("Cannot create data directory %s because %v, giving up.", dataDir, err)
 	}
 
+	// Read jwtSecret (if any)
+	var jwtSecret string
+	if jwtSecretFile != "" {
+		content, err := ioutil.ReadFile(jwtSecretFile)
+		if err != nil {
+			log.Fatalf("Failed to read JWT secret file '%s': %v", jwtSecretFile, err)
+		}
+		jwtSecret = strings.TrimSpace(string(content))
+	}
+
 	// Interrupt signal:
 	sigChannel := make(chan os.Signal)
 	rootCtx, cancel := context.WithCancel(context.Background())
@@ -213,6 +226,7 @@ func cmdMainRun(cmd *cobra.Command, args []string) {
 		Verbose:              verbose,
 		ServerThreads:        serverThreads,
 		AllPortOffsetsUnique: allPortOffsetsUnique,
+		JwtSecret:            jwtSecret,
 		RunningInDocker:      os.Getenv("RUNNING_IN_DOCKER") == "true",
 		DockerContainer:      dockerContainer,
 		DockerEndpoint:       dockerEndpoint,

service/arangodb.go

@@ -34,6 +34,7 @@ type ServiceConfig struct {
 	Verbose              bool
 	ServerThreads        int  // If set to something other than 0, this will be added to the commandline of each server with `--server.threads`...
 	AllPortOffsetsUnique bool // If set, all peers will get a unique port offset. If false (default) only portOffset+peerAddress pairs will be unique.
+	JwtSecret            string
 
 	DockerContainer  string // Name of the container running this process
 	DockerEndpoint   string // Where to reach the docker daemon
@@ -136,14 +137,32 @@ func slasher(s string) string {
 	return strings.Replace(s, "\\", "/", -1)
 }
 
-func testInstance(ctx context.Context, address string, port int) (up, cancelled bool) {
+func (s *Service) testInstance(ctx context.Context, address string, port int) (up, cancelled bool) {
 	instanceUp := make(chan bool)
 	go func() {
 		client := &http.Client{Timeout: time.Second * 10}
-		for i := 0; i < 300; i++ {
+
+		makeRequest := func() error {
 			url := fmt.Sprintf("http://%s:%d/_api/version", address, port)
-			r, e := client.Get(url)
-			if e == nil && r != nil && r.StatusCode == 200 {
+			req, err := http.NewRequest("GET", url, nil)
+			if err != nil {
+				return maskAny(err)
+			}
+			if err := addJwtHeader(req, s.JwtSecret); err != nil {
+				return maskAny(err)
+			}
+			resp, err := client.Do(req)
+			if err != nil {
+				return maskAny(err)
+			}
+			if resp.StatusCode != 200 {
+				return maskAny(fmt.Errorf("Invalid status %d", resp.StatusCode))
+			}
+			return nil
+		}
+
+		for i := 0; i < 300; i++ {
+			if err := makeRequest(); err == nil {
 				instanceUp <- true
 				break
 			}
@@ -204,15 +223,20 @@ func (s *Service) makeBaseArgs(myHostDir, myContainerDir string, myAddress strin
 			threads = "16"
 			v8Contexts = "4"
 		}
-		config := configFile{
-			&configSection{
-				Name: "server",
-				Settings: map[string]string{
-					"endpoint":       fmt.Sprintf("tcp://0.0.0.0:%s", myPort),
-					"threads":        threads,
-					"authentication": "false",
-				},
+		serverSection := &configSection{
+			Name: "server",
+			Settings: map[string]string{
+				"endpoint":       fmt.Sprintf("tcp://0.0.0.0:%s", myPort),
+				"threads":        threads,
+				"authentication": "false",
 			},
+		}
+		if s.JwtSecret != "" {
+			serverSection.Settings["authentication"] = "true"
+			serverSection.Settings["jwt-secret"] = s.JwtSecret
+		}
+		config := configFile{
+			serverSection,
 			&configSection{
 				Name: "log",
 				Settings: map[string]string{
@@ -226,6 +250,7 @@ func (s *Service) makeBaseArgs(myHostDir, myContainerDir string, myAddress strin
 				},
 			},
 		}
+
 		out, e := os.Create(hostConfFileName)
 		if e != nil {
 			s.log.Fatalf("Could not create configuration file %s, error: %#v", hostConfFileName, e)
@@ -354,7 +379,7 @@ func (s *Service) startRunning(runner Runner) {
 		if p != nil {
 			s.log.Infof("%s seems to be running already, checking port %d...", mode, myPort)
 			ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
-			up, _ := testInstance(ctx, myHost, myPort)
+			up, _ := s.testInstance(ctx, myHost, myPort)
 			cancel()
 			if up {
 				s.log.Infof("%s is already running on %d. No need to start anything.", mode, myPort)
@@ -395,7 +420,7 @@ func (s *Service) startRunning(runner Runner) {
 			*processVar = p
 			ctx, cancel := context.WithCancel(s.ctx)
 			go func() {
-				if up, cancelled := testInstance(ctx, myHost, s.MasterPort+portOffset+serverPortOffset); !cancelled {
+				if up, cancelled := s.testInstance(ctx, myHost, s.MasterPort+portOffset+serverPortOffset); !cancelled {
 					if up {
 						s.log.Infof("%s up and running.", mode)
 					} else {

service/jwt.go

@@ -0,0 +1,31 @@
+package service
+
+import (
+	"net/http"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+// addJwtHeader calculates a JWT authorization header based on the given secret
+// and adds it to the given request.
+// If the secret is empty, nothing is done.
+func addJwtHeader(req *http.Request, jwtSecret string) error {
+	if jwtSecret == "" {
+		return nil
+	}
+	// Create a new token object, specifying signing method and the claims
+	// you would like it to contain.
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"iss":       "arangodb",
+		"server_id": "foo",
+	})
+
+	// Sign and get the complete encoded token as a string using the secret
+	signedToken, err := token.SignedString([]byte(jwtSecret))
+	if err != nil {
+		return maskAny(err)
+	}
+
+	req.Header.Set("Authorization", "bearer "+signedToken)
+	return nil
+}