- package management
- import (
- "fmt"
- "github.com/go-jose/go-jose/v4"
- "github.com/go-jose/go-jose/v4/jwt"
- )
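// managementTokenClaims is the set of JWT claims cloudflared expects in a
// management token: the tunnel the token is scoped to ("tun") and the actor
// presenting it ("actor").
type managementTokenClaims struct {
	// Tunnel is the "tun" claim: the tunnel ID and account tag.
	Tunnel tunnel `json:"tun"`
	// Actor is the "actor" claim: who is presenting the token.
	Actor actor `json:"actor"`
}

// verify reports whether both the "tun" and "actor" claims are present and
// well-formed, delegating to tunnel.verify and actor.verify. A token whose
// claims decoded successfully but fail this check must be rejected; this
// method performs no signature or expiry checks of its own.
func (c *managementTokenClaims) verify() bool {
	if !c.Tunnel.verify() {
		return false
	}
	return c.Actor.verify()
}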
// tunnel is the "tun" claim of a management token.
type tunnel struct {
	// ID is the tunnel identifier.
	ID string `json:"id"`
	// AccountTag is the account tag associated with the tunnel.
	AccountTag string `json:"account_tag"`
}

// verify reports whether both ID and AccountTag are non-empty. Presence is
// the only property checked; no format validation of either value is done
// here.
func (t *tunnel) verify() bool {
	switch {
	case t.ID == "":
		return false
	case t.AccountTag == "":
		return false
	default:
		return true
	}
}
// actor is the "actor" claim of a management token.
type actor struct {
	// ID identifies the actor presenting the token.
	ID string `json:"id"`
	// Support is the "support" flag carried in the claim; verify does not
	// consult it.
	Support bool `json:"support"`
}

// verify reports whether the actor ID is non-empty. The Support flag has no
// bearing on validity.
func (a *actor) verify() bool {
	if a.ID == "" {
		return false
	}
	return true
}
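// parseToken decodes a management token in JWS compact serialization and
// returns its claims.
//
// Only tokens whose header advertises ES256 are accepted: jwt.ParseSigned is
// given that single allowed algorithm, so any other algorithm (including
// "none") is rejected before the claims are read. The signature itself is
// NOT verified here; the claims are extracted with
// UnsafeClaimsWithoutVerification on the assumption that the edge has
// already verified the token before forwarding it to cloudflared. Callers
// must therefore only pass tokens received through that path.
//
// It returns an error if the token is not a well-formed JWT, if its claims
// do not decode into managementTokenClaims, or if the required "tun" and
// "actor" claims are missing. Parse and decode errors are wrapped so callers
// can inspect the underlying cause with errors.Is/errors.As.
func parseToken(token string) (*managementTokenClaims, error) {
	// Named "parsed" rather than "jwt" so the jwt package is not shadowed
	// for the rest of the function.
	parsed, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.ES256})
	if err != nil {
		return nil, fmt.Errorf("malformed jwt: %w", err)
	}

	var claims managementTokenClaims
	// Signature verification is intentionally skipped: the edge verifies the
	// token before it reaches cloudflared, so only the claim shape is checked
	// here.
	if err := parsed.UnsafeClaimsWithoutVerification(&claims); err != nil {
		return nil, fmt.Errorf("malformed jwt: %w", err)
	}

	if !claims.verify() {
		return nil, fmt.Errorf("invalid management token format provided")
	}
	return &claims, nil
}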