Compare commits

..

No commits in common. "86abb0b61856b40a85559f54708d0483ac731524" and "c618197c547f8c67ce05e1f6832d776a7285f66d" have entirely different histories.

10 changed files with 157 additions and 341 deletions

View file

@ -15,13 +15,6 @@ type cmdOptions interface {
Execute() error
}
func AppNamePtr() *string {
s := AppName
return &s
}
func IntPtr(i int) *int { return &i }
// RunE is a convenience function for use with cobra.
func RunE(c cmdOptions) func(cmd *cobra.Command, args []string) error {
return func(cmd *cobra.Command, args []string) error {

View file

@ -11,7 +11,6 @@ import (
type (
// PyTimeStamp is a timestamp that marshals to python-style timestamp strings (long nano).
PyTimestamp time.Time
ClientID string
)
const PytTimeFormat = "2006-01-02T15:04:05.999999-07:00"

View file

@ -24,7 +24,7 @@ var (
type Authenticator struct {
store AuthStore
flows *AuthFlowManager
flows FlowStore
sessions AccessSessionStore
providers map[string]provider.AuthProvider
}
@ -58,7 +58,7 @@ func (a *Authenticator) InitAuth(s storage.Store) error {
a.providers[nProv.ProviderType()] = nProv
}
a.flows = NewAuthFlowManager()
a.flows = make(FlowStore)
a.sessions.init()
@ -91,14 +91,19 @@ func (a *Authenticator) ProvidersHandler(c echo.Context) error {
return c.JSON(http.StatusOK, providers)
}
func (a *Authenticator) Check(f *LoginFlow, req *http.Request, rm map[string]interface{}) (provider.ProviderUser, error) {
func (a *Authenticator) Check(f *Flow, req *http.Request, rm map[string]interface{}) (provider.ProviderUser, error) {
cID, hasCID := rm["client_id"]
cIDStr, cidIsStr := cID.(string)
if !hasCID || !cidIsStr || cIDStr == "" || cIDStr != string(f.ClientID) {
if !hasCID || !cidIsStr || cIDStr == "" || cIDStr != string(f.request.ClientID) {
return nil, ErrInvalidAuth
}
p := a.Provider(f.Handler.String())
for _, h := range f.Handler {
if h == nil {
return nil, ErrInvalidHandler
}
p := a.Provider(*h)
if p == nil {
return nil, ErrInvalidAuth
}
@ -109,6 +114,7 @@ func (a *Authenticator) Check(f *LoginFlow, req *http.Request, rm map[string]int
log.Info().Interface("user", user.UserData()).Msg("Login success")
return user, nil
}
}
return nil, ErrInvalidAuth
}

View file

@ -3,95 +3,132 @@ package auth
import (
"net/http"
"strings"
"time"
"github.com/jinzhu/copier"
"github.com/labstack/echo/v4"
"dynatron.me/x/blasphem/internal/common"
"dynatron.me/x/blasphem/internal/generate"
"dynatron.me/x/blasphem/pkg/auth/provider"
"dynatron.me/x/blasphem/pkg/flow"
)
type AuthFlowManager struct {
*flow.FlowManager
}
type FlowStore map[FlowID]*Flow
type LoginFlow struct {
flow.FlowHandler
ClientID common.ClientID
FlowContext
}
type FlowContext struct {
IPAddr string
CredentialOnly bool
RedirectURI string
}
type LoginFlowRequest struct {
ClientID common.ClientID `json:"client_id"`
type FlowRequest struct {
ClientID ClientID `json:"client_id"`
Handler []*string `json:"handler"`
RedirectURI string `json:"redirect_uri"`
Type *string `json:"type"`
ip string `json:"-"`
}
func (r *LoginFlowRequest) FlowContext() FlowContext {
return FlowContext{
IPAddr: r.ip,
RedirectURI: r.RedirectURI,
CredentialOnly: r.Type != nil && *r.Type == "link_user",
type FlowType string
const (
TypeForm FlowType = "form"
TypeCreateEntry FlowType = "create_entry"
)
type FlowID string
type Step string
const (
StepInit Step = "init"
)
type Flow struct {
Type FlowType `json:"type"`
ID FlowID `json:"flow_id"`
Handler []*string `json:"handler"`
StepID *Step `json:"step_id,omitempty"`
Schema []provider.FlowSchemaItem `json:"data_schema"`
Errors interface{} `json:"errors"`
DescPlace *string `json:"description_placeholders"`
LastStep *string `json:"last_step"`
request *FlowRequest
ctime time.Time
}
func (f *Flow) touch() {
f.ctime = time.Now()
}
func (fs FlowStore) register(f *Flow) {
fs.cull()
fs[f.ID] = f
}
func (fs FlowStore) Remove(f *Flow) {
delete(fs, f.ID)
}
const cullAge = time.Minute * 30
func (fs FlowStore) cull() {
for k, v := range fs {
if time.Now().Sub(v.ctime) > cullAge {
delete(fs, k)
}
}
}
func NewAuthFlowManager() *AuthFlowManager {
return &AuthFlowManager{FlowManager: flow.NewFlowManager()}
}
func (afm *AuthFlowManager) NewLoginFlow(req *LoginFlowRequest, prov provider.AuthProvider) *LoginFlow {
lf := &LoginFlow{
FlowHandler: flow.NewFlowHandlerBase(prov, prov.ProviderType()),
ClientID: req.ClientID,
FlowContext: req.FlowContext(),
func (fs FlowStore) Get(id FlowID) *Flow {
f, ok := fs[id]
if ok {
return f
}
afm.Register(lf)
return lf
return nil
}
func (a *Authenticator) NewFlow(r *LoginFlowRequest) *flow.Result {
var prov provider.AuthProvider
func (a *Authenticator) NewFlow(r *FlowRequest) *Flow {
var sch []provider.FlowSchemaItem
for _, h := range r.Handler {
if h == nil {
break
}
prov = a.Provider(*h)
if prov != nil {
if hand := a.Provider(*h); hand != nil {
sch = hand.FlowSchema()
break
}
}
if prov == nil {
if sch == nil {
return nil
}
flow := a.flows.NewLoginFlow(r, prov)
flow := &Flow{
Type: TypeForm,
ID: FlowID(generate.UUID()),
StepID: stepPtr(StepInit),
Schema: sch,
Handler: r.Handler,
Errors: []string{},
request: r,
}
flow.touch()
return flow.ShowForm(nil)
a.flows.register(flow)
return flow
}
func (f *LoginFlow) redirect(c echo.Context) {
c.Request().Header.Set("Location", f.RedirectURI)
func stepPtr(s Step) *Step { return &s }
func (f *Flow) redirect(c echo.Context) {
c.Request().Header.Set("Location", f.request.RedirectURI)
}
func (f *LoginFlow) progress(a *Authenticator, c echo.Context) error {
switch f.Step() {
case flow.StepInit:
func (f *Flow) progress(a *Authenticator, c echo.Context) error {
if f.StepID == nil {
c.Logger().Error("stepID is nil")
return c.String(http.StatusInternalServerError, "No Step ID")
}
switch *f.StepID {
case StepInit:
rm := make(map[string]interface{})
err := c.Bind(&rm)
@ -99,21 +136,31 @@ func (f *LoginFlow) progress(a *Authenticator, c echo.Context) error {
return c.String(http.StatusBadRequest, err.Error())
}
err = f.Schema.CheckRequired(rm)
if err != nil {
return c.JSON(http.StatusBadRequest, f.ShowForm([]string{err.Error()}))
for _, si := range f.Schema {
if si.Required {
if _, ok := rm[si.Name]; !ok {
return c.String(http.StatusBadRequest, "missing required param "+si.Name)
}
}
}
user, err := a.Check(f, c.Request(), rm)
switch err {
case nil:
finishedFlow := flow.Result{}
var finishedFlow struct {
ID FlowID `json:"flow_id"`
Handler []*string `json:"handler"`
Result AccessTokenID `json:"result"`
Title string `json:"title"`
Type FlowType `json:"type"`
Version int `json:"version"`
}
a.flows.Remove(f)
copier.Copy(&finishedFlow, f)
finishedFlow.Type = flow.TypeCreateEntry
finishedFlow.Title = common.AppNamePtr()
finishedFlow.Version = common.IntPtr(1)
finishedFlow.Result = a.NewAccessToken(c.Request(), user)
finishedFlow.Type = TypeCreateEntry
finishedFlow.Title = common.AppName
finishedFlow.Version = 1
finishedFlow.Result = a.NewAccessToken(c.Request(), user, f)
f.redirect(c)
@ -123,26 +170,24 @@ func (f *LoginFlow) progress(a *Authenticator, c echo.Context) error {
case ErrInvalidAuth:
fallthrough
default:
return c.JSON(http.StatusOK, f.ShowForm(map[string]interface{}{
f.Errors = map[string]interface{}{
"base": "invalid_auth",
}))
}
return c.JSON(http.StatusOK, f)
}
default:
return c.JSON(http.StatusOK, f.ShowForm(map[string]interface{}{
"base": "unknown_flow_step",
}))
return c.String(http.StatusBadRequest, "unknown flow step")
}
}
func (a *Authenticator) LoginFlowDeleteHandler(c echo.Context) error {
flowID := flow.FlowID(c.Param("flow_id"))
flowID := c.Param("flow_id")
if flowID == "" {
return c.String(http.StatusBadRequest, "empty flow ID")
}
a.flows.Delete(flowID)
delete(a.flows, FlowID(flowID))
return c.String(http.StatusOK, "deleted")
}
@ -157,14 +202,12 @@ func setJSON(c echo.Context) {
func (a *Authenticator) BeginLoginFlowHandler(c echo.Context) error {
setJSON(c)
var flowReq LoginFlowRequest
var flowReq FlowRequest
err := c.Bind(&flowReq)
if err != nil {
return c.String(http.StatusBadRequest, err.Error())
}
flowReq.ip = c.Request().RemoteAddr
resp := a.NewFlow(&flowReq)
if resp == nil {
@ -179,10 +222,16 @@ func (a *Authenticator) LoginFlowHandler(c echo.Context) error {
flowID := c.Param("flow_id")
flow := a.flows.Get(flow.FlowID(flowID))
flow := a.flows.Get(FlowID(flowID))
if flow == nil {
return c.String(http.StatusNotFound, "no such flow")
}
return flow.(*LoginFlow).progress(a, c)
if time.Now().Sub(flow.ctime) > cullAge {
a.flows.Remove(flow)
return c.String(http.StatusGone, "flow timed out")
}
return flow.progress(a, c)
}

View file

@ -9,7 +9,6 @@ import (
"golang.org/x/crypto/bcrypt"
"dynatron.me/x/blasphem/pkg/auth/provider"
"dynatron.me/x/blasphem/pkg/flow"
"dynatron.me/x/blasphem/pkg/storage"
)
@ -25,7 +24,7 @@ type HAUser struct {
}
func (hau *HAUser) UserData() provider.ProviderUser {
return &UserData{ // strip secret
return &UserData{
Username: hau.Username,
}
}
@ -45,7 +44,6 @@ func (h *HAUser) ProviderUserData() interface{} { return h.UserData() }
type HomeAssistantProvider struct {
provider.AuthProviderBase `json:"-"`
Users []HAUser `json:"users"`
userMap map[string]*HAUser
}
func NewHAProvider(s storage.Store) (provider.AuthProvider, error) {
@ -61,25 +59,13 @@ func NewHAProvider(s storage.Store) (provider.AuthProvider, error) {
return hap, err
}
hap.userMap = make(map[string]*HAUser)
for i, u := range hap.Users {
for i := range hap.Users {
hap.Users[i].AuthProvider = hap
hap.userMap[u.Username] = &hap.Users[i]
}
return hap, nil
}
func (hap *HomeAssistantProvider) Lookup(pu provider.ProviderUser) provider.ProviderUser {
u, has := hap.userMap[pu.(*HAUser).Username]
if !has {
return nil
}
return u
}
func (hap *HomeAssistantProvider) hashPass(p string) ([]byte, error) {
return bcrypt.GenerateFromPassword([]byte(p), bcrypt.DefaultCost)
}
@ -124,11 +110,11 @@ func (hap *HomeAssistantProvider) ValidateCreds(r *http.Request, rm map[string]i
}
func (hap *HomeAssistantProvider) NewCredData() interface{} {
return &HAUser{}
return &UserData{}
}
func (hap *HomeAssistantProvider) FlowSchema() flow.Schema {
return []flow.SchemaItem{
func (hap *HomeAssistantProvider) FlowSchema() []provider.FlowSchemaItem {
return []provider.FlowSchemaItem{
{
Type: "string",
Name: "username",

View file

@ -3,7 +3,6 @@ package provider
import (
"net/http"
"dynatron.me/x/blasphem/pkg/flow"
"dynatron.me/x/blasphem/pkg/storage"
)
@ -14,10 +13,9 @@ var Providers = make(map[string]Constructor)
type AuthProvider interface { // TODO: this should include stepping
AuthProviderMetadata
ProviderBase() AuthProviderBase
FlowSchema() flow.Schema
FlowSchema() []FlowSchemaItem
NewCredData() interface{}
ValidateCreds(r *http.Request, reqMap map[string]interface{}) (user ProviderUser, success bool)
Lookup(ProviderUser) ProviderUser
}
func Register(providerName string, f func(storage.Store) (AuthProvider, error)) {
@ -25,7 +23,6 @@ func Register(providerName string, f func(storage.Store) (AuthProvider, error))
}
type ProviderUser interface {
// TODO: make sure this is sane with all the ProviderUser and UserData type stuff
UserData() ProviderUser
}
@ -45,3 +42,9 @@ func (bp *AuthProviderBase) ProviderName() string { return bp.Name }
func (bp *AuthProviderBase) ProviderID() *string { return bp.ID }
func (bp *AuthProviderBase) ProviderType() string { return bp.Type }
func (bp *AuthProviderBase) ProviderBase() AuthProviderBase { return *bp }
type FlowSchemaItem struct {
Type string `json:"type"`
Name string `json:"name"`
Required bool `json:"required"`
}

View file

@ -6,7 +6,6 @@ import (
"net/http"
"dynatron.me/x/blasphem/pkg/auth/provider"
"dynatron.me/x/blasphem/pkg/flow"
"dynatron.me/x/blasphem/pkg/storage"
)
@ -47,10 +46,6 @@ func New(s storage.Store) (provider.AuthProvider, error) {
return hap, nil
}
func (tnp *TrustedNetworksProvider) Lookup(pu provider.ProviderUser) provider.ProviderUser {
return pu
}
func (hap *TrustedNetworksProvider) ValidateCreds(r *http.Request, rm map[string]interface{}) (provider.ProviderUser, bool) {
/*
if req.RemoteAddr in allowed then do the thing
@ -62,8 +57,8 @@ func (hap *TrustedNetworksProvider) NewCredData() interface{} {
return &UserData{}
}
func (hap *TrustedNetworksProvider) FlowSchema() flow.Schema {
return []flow.SchemaItem{
func (hap *TrustedNetworksProvider) FlowSchema() []provider.FlowSchemaItem {
return []provider.FlowSchemaItem{
{
Type: "string",
Name: "username",

View file

@ -124,14 +124,16 @@ func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request
return nil
}
cred := a.store.Credential(user)
cred := &Credential{
user: user,
}
return cred
}
const defaultExpiration = 15 * time.Minute
func (a *Authenticator) NewAccessToken(r *http.Request, user provider.ProviderUser) AccessTokenID {
func (a *Authenticator) NewAccessToken(r *http.Request, user provider.ProviderUser, f *Flow) AccessTokenID {
id := AccessTokenID(generate.UUID())
now := time.Now()
@ -156,7 +158,7 @@ const (
GTRefreshToken GrantType = "refresh_token"
)
type ClientID common.ClientID
type ClientID string
func (c *ClientID) IsValid() bool {
// TODO: || !indieauth.VerifyClientID(rq.ClientID)?

View file

@ -14,7 +14,6 @@ const (
type AuthStore interface {
User(UserID) *User
Credential(provider.ProviderUser) *Credential
}
type authStore struct {
@ -24,16 +23,6 @@ type authStore struct {
Refresh []RefreshToken `json:"refresh_tokens"`
userMap map[UserID]*User
providerUsers map[provider.ProviderUser]*Credential
}
func (as *authStore) Credential(p provider.ProviderUser) *Credential {
c, have := as.providerUsers[p]
if !have {
return nil
}
return c
}
func (a *Authenticator) newAuthStore(s storage.Store) (as *authStore, err error) {
@ -41,7 +30,6 @@ func (a *Authenticator) newAuthStore(s storage.Store) (as *authStore, err error)
err = s.Get(AuthStoreKey, as)
as.userMap = make(map[UserID]*User)
as.providerUsers = make(map[provider.ProviderUser]*Credential)
for _, u := range as.Users {
as.userMap[u.ID] = &u
@ -61,11 +49,7 @@ func (a *Authenticator) newAuthStore(s storage.Store) (as *authStore, err error)
return nil, err
}
c.user = prov.Lookup(pd.(provider.ProviderUser))
if c.user == nil {
return nil, fmt.Errorf("cannot find user in provider %s", prov.ProviderName())
}
as.providerUsers[c.user] = &c
c.user = pd.(provider.ProviderUser)
}
}

View file

@ -1,201 +0,0 @@
// flow is the data entry flow.
package flow
import (
"fmt"
"time"
"dynatron.me/x/blasphem/internal/generate"
)
type (
ResultType string
FlowID string
Step string
HandlerKey string
Errors interface{}
Context interface{}
FlowStore map[FlowID]Handler
FlowManager struct {
flows FlowStore
}
Result struct {
Type ResultType `json:"type"`
ID FlowID `json:"flow_id"`
Handler []*HandlerKey `json:"handler"`
Title *string `json:"title,omitempty"`
Data map[string]interface{} `json:"data,omitempty"`
StepID *Step `json:"step_id,omitempty"`
Schema []SchemaItem `json:"data_schema"`
Extra *string `json:"extra,omitempty"`
Required *bool `json:"required,omitempty"`
Errors interface{} `json:"errors"`
Description *string `json:"description,omitempty"`
DescPlace *string `json:"description_placeholders"`
URL *string `json:"url,omitempty"`
Reason *string `json:"reason,omitempty"`
Context *string `json:"context,omitempty"`
Result interface{} `json:"result,omitempty"`
LastStep *string `json:"last_step"`
Options map[string]interface{} `json:"options,omitempty"`
Version *int `json:"version,omitempty"`
}
SchemaItem struct {
Type string `json:"type"`
Name string `json:"name"`
Required bool `json:"required"`
}
Schema []SchemaItem
)
type (
Schemer interface {
FlowSchema() Schema
}
Handler interface {
Base() FlowHandler
FlowID() FlowID
flowCtime() time.Time
}
)
const (
StepInit Step = "init"
)
func (fs *Schema) CheckRequired(rm map[string]interface{}) error {
for _, si := range *fs {
if si.Required {
if _, ok := rm[si.Name]; !ok {
return fmt.Errorf("missing required param %s", si.Name)
}
}
}
return nil
}
func NewFlowManager() *FlowManager {
return &FlowManager{
flows: make(FlowStore),
}
}
func stepPtr(s Step) *Step { return &s }
type FlowHandler struct {
ID FlowID // ID is the FlowID
Handler HandlerKey // Handler key
Context Context // flow Context
Schema Schema
// curStep is the current step set by the flow manager
curStep Step
ctime time.Time
}
func (f *FlowHandler) Step() Step { return f.curStep }
func (f *FlowHandler) Base() FlowHandler { return *f }
func (f *FlowHandler) FlowID() FlowID {
return f.ID
}
func (f *FlowHandler) flowCtime() time.Time { return f.ctime }
func NewFlowHandlerBase(sch Schemer, hand string) FlowHandler {
return FlowHandler{
ID: FlowID(generate.UUID()),
Handler: HandlerKey(hand),
Schema: sch.FlowSchema(),
curStep: StepInit,
ctime: time.Now(),
}
}
func (hk *HandlerKey) String() string {
return string(*hk)
}
func (fm *FlowHandler) Handlers() []*HandlerKey {
return []*HandlerKey{&fm.Handler, nil}
}
func resultErrs(e Errors) Errors {
if e == nil {
return []string{}
}
return e
}
func (fm *FlowHandler) ShowForm(errs Errors) *Result {
res := &Result{
Type: TypeForm,
ID: fm.ID,
StepID: stepPtr(fm.curStep),
Schema: fm.Schema,
Handler: fm.Handlers(),
Errors: resultErrs(errs),
}
return res
}
func (fm *FlowManager) Delete(id FlowID) {
delete(fm.flows, id)
}
const (
TypeForm ResultType = "form"
TypeCreateEntry ResultType = "create_entry"
TypeAbort ResultType = "abort"
TypeExternalStep ResultType = "external"
TypeExternalStepDone ResultType = "external_done"
TypeShowProgress ResultType = "progress"
TypeShowProgressDone ResultType = "progress_done"
TypeMenu ResultType = "menu"
)
func (f *FlowHandler) touch() {
f.ctime = time.Now()
}
func (fm *FlowManager) Register(f Handler) {
fm.flows.cull()
fm.flows[f.FlowID()] = f
}
func (fs *FlowManager) Remove(f Handler) {
delete(fs.flows, f.FlowID())
}
const cullAge = time.Minute * 30
func (fs FlowStore) cull() {
for k, v := range fs {
if time.Now().Sub(v.flowCtime()) > cullAge {
delete(fs, k)
}
}
}
func (fs *FlowManager) Get(id FlowID) Handler {
f, ok := fs.flows[id]
if ok {
return f
}
return nil
}