Feature/jwt keyfile (#7863)

* Added jwt-keyfile option and warning for old option. * CHANGELOG * Add trimming to --auth.jwt-secret-keyfile * Adjust some comments.
2019-01-02 14:38:38 +01:00 · 2019-01-02 14:38:38 +01:00 · 5c53ebceb0
parent 98ff9621bf
commit 5c53ebceb0
3 changed files with 66 additions and 35 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 devel
 -----

+* Added --server.jwt-secret-keyfile option.
+
 * speed up data-modification operations in exclusive transactions in the RocksDB
  storage engine

--- a/arangod/GeneralServer/AuthenticationFeature.cpp
+++ b/arangod/GeneralServer/AuthenticationFeature.cpp
@ -30,6 +30,8 @@
 #include "ProgramOptions/ProgramOptions.h"
 #include "Random/RandomGenerator.h"
 #include "RestServer/QueryRegistryFeature.h"
+#include "Basics/FileUtils.h"
+#include "Basics/StringUtils.h"

 #if USE_ENTERPRISE
 #include "Enterprise/Ldap/LdapAuthenticationHandler.h"
@ -101,13 +103,39 @@ void AuthenticationFeature::collectOptions(std::shared_ptr<ProgramOptions> optio
                     new BooleanParameter(&_authenticationUnixSockets));
 #endif

+  // Maybe deprecate this option in devel
  options->addOption("--server.jwt-secret",
                     "secret to use when doing jwt authentication",
                     new StringParameter(&_jwtSecretProgramOption));
+
+  options->addOption("--server.jwt-secret-keyfile",
+                     "file containing jwt secret to use when doing jwt authentication.",
+                     new StringParameter(&_jwtSecretKeyfileProgramOption));
 }

 void AuthenticationFeature::validateOptions(std::shared_ptr<ProgramOptions>) {
-  if (!_jwtSecretProgramOption.empty()) {
+  if (!_jwtSecretKeyfileProgramOption.empty()) {
+
+    try {
+      // Note that the secret is trimmed for whitespace, because whitespace
+      // at the end of a file can easily happen. We do not base64-encode,
+      // though, so the bytes count as given. Zero bytes might be a problem
+      // here.
+      _jwtSecretProgramOption = basics::StringUtils::trim(
+          basics::FileUtils::slurp(_jwtSecretKeyfileProgramOption),
+          " \t\n\r");
+    } catch (std::exception const& ex) {
+      LOG_TOPIC(FATAL, Logger::STARTUP)
+          << "unable to read content of jwt-secret file '"
+          << _jwtSecretKeyfileProgramOption << "': " << ex.what()
+          << ". please make sure the file/directory is readable for the "
+             "arangod process and user";
+      FATAL_ERROR_EXIT();
+    }
+
+  } else if (!_jwtSecretProgramOption.empty()) {
+    LOG_TOPIC(WARN, arangodb::Logger::FIXME)
+      << "--server.jwt-secret is insecure. Use --server.jwt-secret-keyfile instead.";
    if (_jwtSecretProgramOption.length() > _maxSecretLength) {
      LOG_TOPIC(FATAL, arangodb::Logger::FIXME)
          << "Given JWT secret too long. Max length is " << _maxSecretLength;
--- a/arangod/GeneralServer/AuthenticationFeature.h
+++ b/arangod/GeneralServer/AuthenticationFeature.h
@ -79,6 +79,7 @@ class AuthenticationFeature final : public application_features::ApplicationFeat
  double _authenticationTimeout;

  std::string _jwtSecretProgramOption;
+  std::string _jwtSecretKeyfileProgramOption;

  static AuthenticationFeature* INSTANCE;
 };