From 0b5b0bf43c9c576173b7b005d73184ff433cffbf Mon Sep 17 00:00:00 2001
From: feiniks <36756310+feiniks@users.noreply.github.com>
Date: Sat, 11 Feb 2023 10:54:50 +0800
Subject: [PATCH] Delete seafile_auth_token option (#594)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: 杨赫然
---
 notification-server/server.go | 30 ++++++++++++++++----
 server/notif-mgr.c | 53 ++++++++++++++++++++++++++++++++---
 server/notif-mgr.h | 2 +-
 server/seafile-session.c | 10 ++-----
 4 files changed, 76 insertions(+), 19 deletions(-)
diff --git a/notification-server/server.go b/notification-server/server.go
index 89f9b89..a60163a 100644
--- a/notification-server/server.go
+++ b/notification-server/server.go
@@ -10,7 +10,9 @@ import (
 "os"
 "path/filepath"
 "strings"
+ "time"
+ "github.com/dgrijalva/jwt-go"
 _ "github.com/go-sql-driver/mysql"
 "github.com/gorilla/mux"
 "github.com/gorilla/websocket"
@@ -21,7 +23,6 @@ import (
 var configDir string
 var logFile, absLogFile string
 var privateKey string
-var notifToken string
 var host string
 var port uint32
@@ -69,10 +70,6 @@ func loadNotifConfig() {
 privateKey = key.String()
 }
- if key, err := section.GetKey("seafile_auth_token"); err == nil {
- notifToken = key.String()
- }
-
 level, err := log.ParseLevel(logLevel)
 if err != nil {
 log.Info("use the default log level: info")
@@ -230,7 +227,7 @@ func eventCB(rsp http.ResponseWriter, r *http.Request) *appError {
 msg := Message{}
 token := r.Header.Get("Seafile-Repo-Token")
- if token != notifToken {
+ if !checkAuthToken(token) {
 return &appError{Error: nil, Message: "Notification token not match", Code: http.StatusBadRequest,
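Review bot: The new dependency `github.com/dgrijalva/jwt-go` added in the import hunk is an archived repository that no longer receives fixes; the community-maintained fork `github.com/golang-jwt/jwt` keeps the same v3 API, so pointing the import path (and go.mod) there costs nothing and keeps the token verification on a supported library. The package is used only by checkAuthToken in the -257 hunk, so that is the whole migration surface.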
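Review bot: The rejection path behind the new `if !checkAuthToken(token) {` in the -230 hunk still answers with `Code: http.StatusBadRequest`, which tells the client and any log or metrics consumer that the body was malformed rather than that the credential was refused; `http.StatusUnauthorized` is the conventional answer for a missing or invalid bearer-style token, i.e. `Code: http.StatusUnauthorized,`. The status line itself is pre-existing context, but this commit is what turns the comparison into real credential validation, so it is the natural moment to correct it. eventCB continues outside the hunk.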
@@ -257,6 +254,27 @@ func eventCB(rsp http.ResponseWriter, r *http.Request) *appError {
 return nil
 }
+func checkAuthToken(tokenString string) bool {
+ if len(tokenString) == 0 {
+ return false
+ }
+ claims := new(myClaims)
+ token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
+ return []byte(privateKey), nil
+ })
+ if err != nil {
+ return false
+ }
+
+ if !token.Valid {
+ return false
+ }
+
+ now := time.Now()
+
+ return claims.Exp > now.Unix()
+}
+
 func newUpgrader() *websocket.Upgrader {
 upgrader := &websocket.Upgrader{
 ReadBufferSize: 4096,
diff --git a/server/notif-mgr.c b/server/notif-mgr.c
index 4adc926..6f8a5bb 100644
--- a/server/notif-mgr.c
+++ b/server/notif-mgr.c
@@ -4,6 +4,7 @@
 #include
 #include
+#include
 #include "seafile-session.h"
 #include "http-tx-mgr.h"
@@ -15,10 +16,10 @@
 #include "log.h"
 #define NOTIF_TIMEOUT_SEC 1
+#define JWT_TOKEN_EXPIRE_TIME 300 /* 5 minutes */
 struct _NotifPriv {
 char *notif_url;
- char *notif_token;
 ConnectionPool *connection_pool;
 };
@@ -30,7 +31,7 @@ typedef struct Event {
 } Event;
 NotifManager *
-seaf_notif_manager_new (struct _SeafileSession *seaf, char *url, char *token)
+seaf_notif_manager_new (struct _SeafileSession *seaf, char *url)
 {
 NotifManager *mgr = g_new0 (NotifManager, 1);
 mgr->seaf = seaf;
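Review bot: checkAuthToken accepts forged tokens when no `jwt_private_key` is configured: loadNotifConfig (the -69 hunk) only assigns `privateKey` if the key is present, so it is otherwise the empty string, the key func still hands `[]byte(privateKey)` to the verifier, and an HS256 signature computed over an empty secret verifies — anyone can mint a valid token for such a deployment, whereas the C side explicitly refuses to sign without a key. Add the mirror-image guard at the top of the function, `if len(tokenString) == 0 || len(privateKey) == 0 { return false }`. The key func should also pin the algorithm before releasing the secret, `if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method %v", token.Header["alg"]) }` (fmt, if not already imported), so a header naming another algorithm is rejected by policy rather than by whatever the library's key-type check happens to do. Because myClaims must implement Valid() to satisfy jwt.Claims, ParseWithClaims already runs a claims check before returning; myClaims is defined outside this hunk, so confirm whether that Valid() or the manual `claims.Exp > now.Unix()` line is meant to own expiry, and keep only one.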
@@ -45,12 +46,48 @@ seaf_notif_manager_new (struct _SeafileSession *seaf, char *url, char *token)
 }
 priv->notif_url = url;
- priv->notif_token = token;
 mgr->priv = priv;
 return mgr;
 }
+static char *
+gen_jwt_token ()
+{
+ char *jwt_token = NULL;
+ gint64 now = (gint64)time(NULL);
+
+ jwt_t *jwt = NULL;
+
+ if (!seaf->private_key) {
+ seaf_warning ("No private key is configured for generating jwt token\n");
+ return NULL;
+ }
+
+ int ret = jwt_new (&jwt);
+ if (ret != 0 || jwt == NULL) {
+ seaf_warning ("Failed to create jwt\n");
+ goto out;
+ }
+
+ ret = jwt_add_grant_int (jwt, "exp", now + JWT_TOKEN_EXPIRE_TIME);
+ if (ret != 0) {
+ seaf_warning ("Failed to expire time to jwt\n");
+ goto out;
+ }
+ ret = jwt_set_alg (jwt, JWT_ALG_HS256, (unsigned char *)seaf->private_key, strlen(seaf->private_key));
+ if (ret != 0) {
+ seaf_warning ("Failed to set alg\n");
+ goto out;
+ }
+
+ jwt_token = jwt_encode_str (jwt);
+
+out:
+ jwt_free (jwt);
+ return jwt_token;
+}
+
 static void*
 send_event (void *data)
 {
@@ -59,9 +96,16 @@ send_event (void *data)
 Connection *conn = NULL;
 int rsp_status;
 char *req_url = NULL;
+ char *jwt_token = NULL;
+
+ jwt_token = gen_jwt_token ();
+ if (!jwt_token) {
+ return event;
+ }
 conn = connection_pool_get_connection (priv->connection_pool);
 if (!conn) {
+ g_free (jwt_token);
 seaf_warning ("Failed to get connection: out of memory.\n");
 return event;
 }
@@ -70,7 +114,7 @@ send_event (void *data)
 int ret;
- ret = http_post (conn, req_url, priv->notif_token, event->msg, strlen (event->msg),
+ ret = http_post (conn, req_url, jwt_token, event->msg, strlen (event->msg),
 &rsp_status, NULL, NULL, TRUE, NOTIF_TIMEOUT_SEC);
 if (ret < 0) {
 goto out;
@@ -82,6 +126,7 @@ send_event (void *data)
 }
 out:
+ g_free (jwt_token);
 g_free (req_url);
 connection_pool_return_connection (priv->connection_pool, conn);
diff --git a/server/notif-mgr.h b/server/notif-mgr.h
index c07fbc3..b32f69a 100644
--- a/server/notif-mgr.h
+++ b/server/notif-mgr.h
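Review bot: gen_jwt_token hands back the string from `jwt_encode_str`, which libjwt allocates with its own allocator and documents as needing `jwt_free_str`, yet send_event releases it with `g_free` in both the -59 and the -82 hunk; use `jwt_free_str (jwt_token);` at those two sites so the code does not depend on GLib's allocator being plain malloc. The definition should read `gen_jwt_token (void)` — an empty parameter list in C leaves the prototype unspecified. The warning for the exp grant is missing a word: `seaf_warning ("Failed to add expire time to jwt\n");`. Note also that a token is minted per event, so a missing key logs the same warning on every send; that is acceptable but worth knowing when reading the logs.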
@@ -10,7 +10,7 @@ struct _NotifManager {
 typedef struct _NotifManager NotifManager;
 NotifManager *
-seaf_notif_manager_new (struct _SeafileSession *seaf, char *url, char *token);
+seaf_notif_manager_new (struct _SeafileSession *seaf, char *url);
 void
 seaf_notif_manager_send_event (NotifManager *mgr,
diff --git a/server/seafile-session.c b/server/seafile-session.c
index 55d2460..bf586f5 100644
--- a/server/seafile-session.c
+++ b/server/seafile-session.c
@@ -47,7 +47,6 @@ seafile_session_new(const char *central_config_dir,
 gboolean notif_enabled = FALSE;
 char *notif_server = NULL;
 int notif_port = 8083;
- char *notif_token = NULL;
 char *private_key = NULL;
 abs_ccnet_dir = ccnet_expand_path (ccnet_dir);
@@ -139,10 +138,6 @@ seafile_session_new(const char *central_config_dir,
 "notification", "port",
 NULL);
- notif_token = g_key_file_get_string (config,
- "notification", "seafile_auth_token",
- NULL);
-
 private_key = g_key_file_get_string (config,
 "notification", "jwt_private_key",
 NULL);
@@ -230,10 +225,10 @@ seafile_session_new(const char *central_config_dir,
 if (!session->org_mgr)
 goto onerror;
- if (notif_enabled && notif_server != NULL && notif_token != NULL) {
+ if (notif_enabled && notif_server != NULL) {
 char notif_url[128];
 g_sprintf (notif_url, "%s:%d", notif_server, notif_port);
- session->notif_mgr = seaf_notif_manager_new (session, g_strdup (notif_url), notif_token);
+ session->notif_mgr = seaf_notif_manager_new (session, g_strdup (notif_url));
 if (!session->notif_mgr) {
 g_free (notif_url);
 goto onerror;
@@ -244,7 +239,6 @@ seafile_session_new(const char *central_config_dir,
 onerror:
 g_free (notif_server);
- g_free (notif_token);
 g_free (private_key);
 free (abs_seafile_dir);
 free (abs_ccnet_dir);
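Review bot: The relaxed condition `if (notif_enabled && notif_server != NULL) {` in the -230 hunk drops the only credential check at startup, yet the new sender refuses to sign without a key, so a deployment that enables notifications but never sets `jwt_private_key` now gets a notif_mgr whose every event fails in gen_jwt_token (presumably seaf->private_key is populated from the `private_key` read in the -139 hunk — confirm); include it in the condition, `if (notif_enabled && notif_server != NULL && private_key != NULL) {`, ideally with a startup warning when the key is missing. Two pre-existing problems sit in this hunk's context lines and are worth fixing while here: `g_sprintf` writes an unbounded `notif_server` into the 128-byte stack array (`g_snprintf (notif_url, sizeof (notif_url), "%s:%d", notif_server, notif_port);` is the bounded form), and the failure path calls `g_free (notif_url)` on that stack array, which is undefined behaviour. seafile_session_new continues outside the hunk.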