feat: add auth config to manager (#2161)

Fix GHSA-hpc8-7wpm-889w. Signed-off-by: Gaius <[email protected]>
dragonflyoss · Jun 28, 2023 · e9da69d · e9da69d
1 parent d1d8eb4
commit e9da69d
Show file tree

Hide file tree

Showing 9 changed files with 190 additions and 12 deletions.
diff --git a/deploy/docker-compose/template/manager.template.yaml b/deploy/docker-compose/template/manager.template.yaml
@@ -32,6 +32,21 @@ server:
   # In macos(just for testing), default value is /Users/$USER/.dragonfly/plugins.
   pluginDir: ''
 
+auth:
+  jwt:
+    # Realm name to display to the user, default value is Dragonfly.
+    realm: "Dragonfly"
+    # Key is secret key used for signing, default value is
+    # encoded base64 of dragonfly.
+    # Please change the key in production.
+    key: "ZHJhZ29uZmx5Cg=="
+    # Timeout is duration that a jwt token is valid,
+    # default duration is two days.
+    timeout: 48h
+    # MaxRefresh field allows clients to refresh their token
+    # until MaxRefresh has passed, default duration is two days.
+    maxRefresh: 48h
+
 # Database info used for server.
 database:
   # Database type, supported types include mysql, mariadb and postgres.

diff --git a/deploy/helm-charts b/deploy/helm-charts
diff --git a/manager/config/config.go b/manager/config/config.go
@@ -37,6 +37,9 @@ type Config struct {
 	// Server configuration.
 	Server ServerConfig `yaml:"server" mapstructure:"server"`
 
+	// Auth configuration.
+	Auth AuthConfig `yaml:"auth" mapstructure:"auth"`
+
 	// Database configuration.
 	Database DatabaseConfig `yaml:"database" mapstructure:"database"`
 
@@ -79,6 +82,25 @@ type ServerConfig struct {
 	REST RestConfig `yaml:"rest" mapstructure:"rest"`
 }
 
+type AuthConfig struct {
+	// JWT configuration.
+	JWT JWTConfig `yaml:"jwt" mapstructure:"jwt"`
+}
+
+type JWTConfig struct {
+	// Realm name to display to the user, default value is Dragonfly.
+	Realm string `yaml:"realm" mapstructure:"realm"`
+
+	// Key is secret key used for signing. Please change the key in production
+	Key string `yaml:"key" mapstructure:"key"`
+
+	// Timeout is duration that a jwt token is valid, default duration is two days.
+	Timeout time.Duration `yaml:"timeout" mapstructure:"timeout"`
+
+	// MaxRefresh field allows clients to refresh their token until MaxRefresh has passed, default duration is two days.
+	MaxRefresh time.Duration `yaml:"maxRefresh" mapstructure:"maxRefresh"`
+}
+
 type DatabaseConfig struct {
 	// Database type.
 	Type string `yaml:"type" mapstructure:"type"`
@@ -324,6 +346,13 @@ func New() *Config {
 				Addr: DefaultRESTAddr,
 			},
 		},
+		Auth: AuthConfig{
+			JWT: JWTConfig{
+				Realm:      DefaultJWTRealm,
+				Timeout:    DefaultJWTTimeout,
+				MaxRefresh: DefaultJWTMaxRefresh,
+			},
+		},
 		Database: DatabaseConfig{
 			Type: DatabaseTypeMysql,
 			Mysql: MysqlConfig{
@@ -391,6 +420,22 @@ func (cfg *Config) Validate() error {
 		return errors.New("grpc requires parameter listenIP")
 	}
 
+	if cfg.Auth.JWT.Realm == "" {
+		return errors.New("jwt requires parameter realm")
+	}
+
+	if cfg.Auth.JWT.Key == "" {
+		return errors.New("jwt requires parameter key")
+	}
+
+	if cfg.Auth.JWT.Timeout == 0 {
+		return errors.New("jwt requires parameter timeout")
+	}
+
+	if cfg.Auth.JWT.MaxRefresh == 0 {
+		return errors.New("jwt requires parameter maxRefresh")
+	}
+
 	if cfg.Database.Type == "" {
 		return errors.New("database requires parameter type")
 	}