-
Notifications
You must be signed in to change notification settings - Fork 0
/
conf.go
423 lines (379 loc) · 16.3 KB
/
conf.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
package requestorserver
import (
"crypto/tls"
"fmt"
"regexp"
"strconv"
"strings"
"github.com/go-errors/errors"
irma "github.com/markuskreukniet/irmago-measurements"
"github.com/markuskreukniet/irmago-measurements/internal/common"
"github.com/markuskreukniet/irmago-measurements/server"
)
type Configuration struct {
*server.Configuration `mapstructure:",squash"`
// Disclosing, signing or issuance permissions that apply to all requestors
Permissions `mapstructure:",squash"`
SkipPrivateKeysCheck bool `json:"skip_private_keys_check" mapstructure:"skip_private_keys_check"`
// Whether or not incoming session requests should be authenticated. If false, anyone
// can submit session requests. If true, the request is first authenticated against the
// server configuration before the server accepts it.
DisableRequestorAuthentication bool `json:"no_auth" mapstructure:"no_auth"`
// Address to listen at
ListenAddress string `json:"listen_addr" mapstructure:"listen_addr"`
// Port to listen at
Port int `json:"port" mapstructure:"port"`
// TLS configuration
TlsCertificate string `json:"tls_cert" mapstructure:"tls_cert"`
TlsCertificateFile string `json:"tls_cert_file" mapstructure:"tls_cert_file"`
TlsPrivateKey string `json:"tls_privkey" mapstructure:"tls_privkey"`
TlsPrivateKeyFile string `json:"tls_privkey_file" mapstructure:"tls_privkey_file"`
// If specified, start a separate server for the IRMA app at his port
ClientPort int `json:"client_port" mapstructure:"client_port"`
// If clientport is specified, the server for the IRMA app listens at this address
ClientListenAddress string `json:"client_listen_addr" mapstructure:"client_listen_addr"`
// TLS configuration for irmaclient HTTP API
ClientTlsCertificate string `json:"client_tls_cert" mapstructure:"client_tls_cert"`
ClientTlsCertificateFile string `json:"client_tls_cert_file" mapstructure:"client_tls_cert_file"`
ClientTlsPrivateKey string `json:"client_tls_privkey" mapstructure:"client_tls_privkey"`
ClientTlsPrivateKeyFile string `json:"client_tls_privkey_file" mapstructure:"client_tls_privkey_file"`
// Requestor-specific permission and authentication configuration
Requestors map[string]Requestor `json:"requestors"`
// Max age in seconds of a session request JWT (using iat field)
MaxRequestAge int `json:"max_request_age" mapstructure:"max_request_age"`
// Host files under this path as static files (leave empty to disable)
StaticPath string `json:"static_path" mapstructure:"static_path"`
// Host static files under this URL prefix
StaticPrefix string `json:"static_prefix" mapstructure:"static_prefix"`
}
// Permissions specify which attributes or credential a requestor may verify or issue.
type Permissions struct {
Disclosing []string `json:"disclose_perms" mapstructure:"disclose_perms"`
Signing []string `json:"sign_perms" mapstructure:"sign_perms"`
Issuing []string `json:"issue_perms" mapstructure:"issue_perms"`
Revoking []string `json:"revoke_perms" mapstructure:"revoke_perms"`
}
// Requestor contains all configuration (disclosure or verification permissions and authentication)
// for a requestor.
type Requestor struct {
Permissions `mapstructure:",squash"`
AuthenticationMethod AuthenticationMethod `json:"auth_method" mapstructure:"auth_method"`
AuthenticationKey string `json:"key" mapstructure:"key"`
AuthenticationKeyFile string `json:"key_file" mapstructure:"key_file"`
}
// CanIssue returns whether or not the specified requestor may issue the specified credentials.
// (In case of combined issuance/disclosure sessions, this method does not check whether or not
// the identity provider is allowed to verify the attributes being verified; use CanVerifyOrSign
// for that).
func (conf *Configuration) CanIssue(requestor string, creds []*irma.CredentialRequest) (bool, string) {
permissions := append(conf.Requestors[requestor].Issuing, conf.Issuing...)
if len(permissions) == 0 { // requestor is not present in the permissions
return false, ""
}
for _, cred := range creds {
id := cred.CredentialTypeID
if contains(permissions, "*") ||
contains(permissions, id.Root()+".*") ||
contains(permissions, id.IssuerIdentifier().String()+".*") ||
contains(permissions, id.String()) {
continue
} else {
return false, id.String()
}
}
return true, ""
}
// CanVerifyOrSign returns whether or not the specified requestor may use the selected attributes
// in any of the supported session types.
func (conf *Configuration) CanVerifyOrSign(requestor string, action irma.Action, disjunctions irma.AttributeConDisCon) (bool, string) {
var permissions []string
switch action {
case irma.ActionDisclosing:
permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)
case irma.ActionIssuing:
permissions = append(conf.Requestors[requestor].Disclosing, conf.Disclosing...)
case irma.ActionSigning:
permissions = append(conf.Requestors[requestor].Signing, conf.Signing...)
}
if len(permissions) == 0 { // requestor is not present in the permissions
return false, ""
}
err := disjunctions.Iterate(func(attr *irma.AttributeRequest) error {
if contains(permissions, "*") ||
contains(permissions, attr.Type.Root()+".*") ||
contains(permissions, attr.Type.CredentialTypeIdentifier().IssuerIdentifier().String()+".*") ||
contains(permissions, attr.Type.CredentialTypeIdentifier().String()+".*") ||
contains(permissions, attr.Type.String()) {
return nil
} else {
return errors.New(attr.Type.String())
}
})
if err != nil {
return false, err.Error()
}
return true, ""
}
func (conf *Configuration) CanRevoke(requestor string, cred irma.CredentialTypeIdentifier) (bool, string) {
permissions := append(conf.Requestors[requestor].Revoking, conf.Revoking...)
if len(permissions) == 0 { // requestor is not present in the permissions
return false, ""
}
_, err := conf.IrmaConfiguration.Revocation.Keys.PrivateKeyLatest(cred.IssuerIdentifier())
if err != nil {
return false, err.Error()
}
if contains(permissions, "*") ||
contains(permissions, cred.Root()+".*") ||
contains(permissions, cred.IssuerIdentifier().String()+".*") ||
contains(permissions, cred.String()) {
return true, ""
}
return false, cred.String()
}
func (conf *Configuration) initialize() error {
if conf.DisableRequestorAuthentication {
authenticators = map[AuthenticationMethod]Authenticator{AuthenticationMethodNone: NilAuthenticator{}}
conf.Logger.Warn("Authentication of incoming session requests disabled: anyone who can reach this server can use it")
havekeys := conf.HavePrivateKeys()
if len(conf.Permissions.Issuing) > 0 && havekeys {
if conf.separateClientServer() || !conf.Production {
conf.Logger.Warn("Issuance enabled and private keys installed: anyone who can reach this server can use it to issue attributes")
} else {
return errors.New("If issuing is enabled in production mode, requestor authentication must be enabled, or client_listen_addr and client_port must be used")
}
}
} else {
if len(conf.Requestors) == 0 {
revServer := false
for _, s := range conf.RevocationSettings {
if s.Server {
revServer = true
}
}
if !revServer {
return errors.New("No requestors configured; either configure one or more requestors or disable requestor authentication")
}
}
authenticators = map[AuthenticationMethod]Authenticator{
AuthenticationMethodHmac: &HmacAuthenticator{hmackeys: map[string]interface{}{}, maxRequestAge: conf.MaxRequestAge},
AuthenticationMethodPublicKey: &PublicKeyAuthenticator{publickeys: map[string]interface{}{}, maxRequestAge: conf.MaxRequestAge},
AuthenticationMethodToken: &PresharedKeyAuthenticator{presharedkeys: map[string]string{}},
}
// Initialize authenticators
for name, requestor := range conf.Requestors {
authenticator, ok := authenticators[requestor.AuthenticationMethod]
if !ok {
return errors.Errorf("Requestor %s has unsupported authentication type %s (supported methods: %s, %s, %s)",
name, requestor.AuthenticationMethod, AuthenticationMethodToken, AuthenticationMethodHmac, AuthenticationMethodPublicKey)
}
if err := authenticator.Initialize(name, requestor); err != nil {
return err
}
}
}
if conf.Port <= 0 || conf.Port > 65535 {
return errors.Errorf("Port must be between 1 and 65535 (was %d)", conf.Port)
}
if conf.ClientPort != 0 && conf.ClientPort == conf.Port {
return errors.New("If client_port is given it must be different from port")
}
if conf.ClientPort < 0 || conf.ClientPort > 65535 {
return errors.Errorf("client_port must be between 0 and 65535 (was %d)", conf.ClientPort)
}
if conf.ClientListenAddress != "" && conf.ClientPort == 0 {
return errors.New("client_listen_addr must be combined with a nonzero client_port")
}
tlsConf, err := conf.tlsConfig()
if err != nil {
return errors.WrapPrefix(err, "Failed to read TLS configuration", 0)
}
clientTlsConf, err := conf.clientTlsConfig()
if err != nil {
return errors.WrapPrefix(err, "Failed to read client TLS configuration", 0)
}
if err := conf.validatePermissions(); err != nil {
return err
}
if conf.StaticPath != "" {
if err := common.AssertPathExists(conf.StaticPath); err != nil {
return errors.WrapPrefix(err, "Invalid static_path", 0)
}
if conf.StaticPrefix[0] != '/' {
return errors.New("static_prefix must start with a slash, was " + conf.StaticPrefix)
}
if len(conf.StaticPrefix) > 1 && !strings.HasSuffix(conf.StaticPrefix, "/") {
conf.StaticPrefix = conf.StaticPrefix + "/"
}
}
if conf.URL != "" {
if !strings.HasSuffix(conf.URL, "/") {
conf.URL = conf.URL + "/"
}
if !strings.HasSuffix(conf.URL, "irma/") {
conf.URL = conf.URL + "irma/"
}
// replace "port" in url with actual port
port := conf.ClientPort
if port == 0 {
port = conf.Port
}
replace := "$1:" + strconv.Itoa(port)
conf.URL = string(regexp.MustCompile("(https?://[^/]*):port").ReplaceAll([]byte(conf.URL), []byte(replace)))
separateClientServer := conf.separateClientServer()
if (separateClientServer && clientTlsConf != nil) || (!separateClientServer && tlsConf != nil) {
if strings.HasPrefix(conf.URL, "http://") {
conf.URL = "https://" + conf.URL[len("http://"):]
}
}
}
if len(conf.StaticSessions) != 0 && conf.JwtRSAPrivateKey == nil {
conf.Logger.Warn("Static sessions enabled and no JWT private key installed. Ensure that POSTs to the callback URLs of static sessions are trustworthy by keeping the callback URLs secret and by using HTTPS.")
}
return nil
}
func (conf *Configuration) validatePermissions() error {
if conf.DisableRequestorAuthentication && len(conf.Requestors) != 0 {
return errors.New("Requestors must not be configured when requestor authentication is disabled")
}
errs := conf.validatePermissionSet("Global", conf.Permissions)
for name, requestor := range conf.Requestors {
errs = append(errs, conf.validatePermissionSet("Requestor "+name, requestor.Permissions)...)
}
if len(errs) != 0 {
return errors.New("Errors encountered in permissions:\n" + strings.Join(errs, "\n"))
}
return nil
}
func (conf *Configuration) validatePermissionSet(requestor string, requestorperms Permissions) []string {
var errs []string
perms := map[string][]string{
"issuing": requestorperms.Issuing,
"signing": requestorperms.Signing,
"disclosing": requestorperms.Disclosing,
"revoking": requestorperms.Revoking,
}
permissionlength := map[string]int{"issuing": 3, "signing": 4, "disclosing": 4, "revoking": 3}
for typ, typeperms := range perms {
for _, permission := range typeperms {
switch strings.Count(permission, "*") {
case 0: // ok, nop
case 1:
if permission[len(permission)-1] != '*' {
errs = append(errs, fmt.Sprintf("%s %s permission '%s' contains asterisk not at end of line", requestor, typ, permission))
}
default:
errs = append(errs, fmt.Sprintf("%s %s permission '%s' contains too many asterisks (at most 1 permitted)", requestor, typ, permission))
}
parts := strings.Split(permission, ".")
if parts[len(parts)-1] == "*" {
if len(parts) > permissionlength[typ] {
errs = append(errs, fmt.Sprintf("%s %s permission '%s' should have at most %d parts", requestor, typ, permission, permissionlength[typ]))
}
} else {
if len(parts) != permissionlength[typ] {
errs = append(errs, fmt.Sprintf("%s %s permission '%s' should have %d parts", requestor, typ, permission, permissionlength[typ]))
}
}
if len(parts) > 0 && parts[0] != "*" {
if conf.IrmaConfiguration.SchemeManagers[irma.NewSchemeManagerIdentifier(parts[0])] == nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': unknown scheme", requestor, typ, permission))
continue // no sense in checking if issuer, credtype or attr type are known; they won't be
}
}
if len(parts) > 1 && parts[1] != "*" {
id := irma.NewIssuerIdentifier(strings.Join(parts[:2], "."))
if conf.IrmaConfiguration.Issuers[id] == nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': unknown issuer", requestor, typ, permission))
continue
}
}
if len(parts) > 2 && parts[2] != "*" {
id := irma.NewCredentialTypeIdentifier(strings.Join(parts[:3], "."))
credtype := conf.IrmaConfiguration.CredentialTypes[id]
if credtype == nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': unknown credential type", requestor, typ, permission))
continue
}
if (typ == "issuing" || typ == "revoking") && !conf.SkipPrivateKeysCheck {
sk, err := conf.IrmaConfiguration.PrivateKeyLatest(credtype.IssuerIdentifier())
if err != nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': failed to load private key: %s", requestor, typ, permission, err))
continue
}
if sk == nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': private key not installed", requestor, typ, permission))
continue
}
if typ == "revoking" {
if _, err = sk.RevocationKey(); err != nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': private key does not support revocation (add revocation key material to it using \"irma issuer revocation keypair\")", requestor, typ, permission))
continue
}
}
}
}
if len(parts) > 3 && parts[3] != "*" {
id := irma.NewAttributeTypeIdentifier(strings.Join(parts[:4], "."))
if conf.IrmaConfiguration.AttributeTypes[id] == nil {
errs = append(errs, fmt.Sprintf("%s %s permission '%s': unknown attribute type", requestor, typ, permission))
continue
}
}
}
}
return errs
}
func (conf *Configuration) clientTlsConfig() (*tls.Config, error) {
return conf.readTlsConf(conf.ClientTlsCertificate, conf.ClientTlsCertificateFile, conf.ClientTlsPrivateKey, conf.ClientTlsPrivateKeyFile)
}
func (conf *Configuration) tlsConfig() (*tls.Config, error) {
return conf.readTlsConf(conf.TlsCertificate, conf.TlsCertificateFile, conf.TlsPrivateKey, conf.TlsPrivateKeyFile)
}
func (conf *Configuration) readTlsConf(cert, certfile, key, keyfile string) (*tls.Config, error) {
if cert == "" && certfile == "" && key == "" && keyfile == "" {
return nil, nil
}
var certbts, keybts []byte
var err error
if certbts, err = common.ReadKey(cert, certfile); err != nil {
return nil, err
}
if keybts, err = common.ReadKey(key, keyfile); err != nil {
return nil, err
}
cer, err := tls.X509KeyPair(certbts, keybts)
if err != nil {
return nil, err
}
return &tls.Config{
Certificates: []tls.Certificate{cer},
MinVersion: tls.VersionTLS12,
// Safe according to https://safecurves.cr.yp.to/; fairly widely supported according to
// https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
CurvePreferences: []tls.CurveID{tls.X25519},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}, nil
}
func (conf *Configuration) separateClientServer() bool {
return conf.ClientPort != 0
}
// Return true iff query equals an element of strings.
func contains(strings []string, query string) bool {
for _, s := range strings {
if s == query {
return true
}
}
return false
}