Compare commits

..

No commits in common. "9b38bdbca9e30046be0efee03e2e40f5978ff4c2" and "3981025fa4a81eea3f2d5838ac7a870ea3e6f072" have entirely different histories.

11 changed files with 114 additions and 255 deletions

View file

@ -1,4 +1,3 @@
// common contains common functionality for blasphem.
package common
import (
@ -6,7 +5,6 @@ import (
)
const (
// AppName is the name of the application.
AppName = "blasphem"
)
@ -15,7 +13,6 @@ type cmdOptions interface {
Execute() error
}
// RunE is a convenience function for use with cobra.
func RunE(c cmdOptions) func(cmd *cobra.Command, args []string) error {
return func(cmd *cobra.Command, args []string) error {
err := c.Options(cmd, args)

View file

@ -1,9 +1,12 @@
package auth
import (
"crypto/rand"
"encoding/hex"
"errors"
"net/http"
"github.com/google/uuid"
"github.com/labstack/echo/v4"
"github.com/rs/zerolog/log"
@ -25,7 +28,7 @@ var (
type Authenticator struct {
store AuthStore
flows FlowStore
sessions AccessSessionStore
sessions SessionStore
providers map[string]provider.AuthProvider
}
@ -111,10 +114,26 @@ func (a *Authenticator) Check(f *Flow, req *http.Request, rm map[string]interfac
user, success := p.ValidateCreds(req, rm)
if success {
log.Info().Interface("user", user.UserData()).Msg("Login success")
log.Info().Interface("user", user.ProviderUserData()).Msg("Login success")
return user, nil
}
}
return nil, ErrInvalidAuth
}
func genUUID() string {
// must be addressable
u := uuid.New()
return hex.EncodeToString(u[:])
}
func genHex(l int) string {
b := make([]byte, l)
if _, err := rand.Read(b); err != nil {
panic(err)
}
return hex.EncodeToString(b)
}

View file

@ -9,7 +9,6 @@ import (
"github.com/labstack/echo/v4"
"dynatron.me/x/blasphem/internal/common"
"dynatron.me/x/blasphem/internal/generate"
"dynatron.me/x/blasphem/pkg/auth/provider"
)
@ -101,7 +100,7 @@ func (a *Authenticator) NewFlow(r *FlowRequest) *Flow {
flow := &Flow{
Type: TypeForm,
ID: FlowID(generate.UUID()),
ID: FlowID(genUUID()),
StepID: stepPtr(StepInit),
Schema: sch,
Handler: r.Handler,
@ -149,7 +148,7 @@ func (f *Flow) progress(a *Authenticator, c echo.Context) error {
var finishedFlow struct {
ID FlowID `json:"flow_id"`
Handler []*string `json:"handler"`
Result AccessTokenID `json:"result"`
Result TokenID `json:"result"`
Title string `json:"title"`
Type FlowType `json:"type"`
Version int `json:"version"`
@ -160,7 +159,7 @@ func (f *Flow) progress(a *Authenticator, c echo.Context) error {
finishedFlow.Type = TypeCreateEntry
finishedFlow.Title = common.AppName
finishedFlow.Version = 1
finishedFlow.Result = a.NewAccessToken(c.Request(), user, f)
finishedFlow.Result = a.NewToken(c.Request(), user, f)
f.redirect(c)

View file

@ -23,8 +23,8 @@ type HAUser struct {
provider.AuthProvider `json:"-"`
}
func (hau *HAUser) UserData() provider.ProviderUser {
return &UserData{
func (hau *HAUser) UserData() interface{} {
return UserData{
Username: hau.Username,
}
}
@ -33,10 +33,6 @@ type UserData struct {
Username string `json:"username"`
}
func (ud *UserData) UserData() provider.ProviderUser {
return ud
}
const HomeAssistant = "homeassistant"
func (h *HAUser) ProviderUserData() interface{} { return h.UserData() }

View file

@ -23,7 +23,8 @@ func Register(providerName string, f func(storage.Store) (AuthProvider, error))
}
type ProviderUser interface {
UserData() ProviderUser
AuthProviderMetadata
ProviderUserData() interface{}
}
type AuthProviderBase struct {

View file

@ -15,8 +15,8 @@ type User struct {
provider.AuthProvider `json:"-"`
}
func (hau *User) UserData() provider.ProviderUser {
return &UserData{
func (hau *User) UserData() interface{} {
return UserData{
UserID: hau.UserID,
}
}
@ -25,12 +25,10 @@ type UserData struct {
UserID string `json:"user_id"`
}
func (ud *UserData) UserData() provider.ProviderUser {
return ud
}
const TrustedNetworks = "trusted_networks"
func (h *User) ProviderUserData() interface{} { return h.UserData() }
type TrustedNetworksProvider struct {
provider.AuthProviderBase `json:"-"`
}

View file

@ -2,97 +2,28 @@ package auth
import (
"encoding/json"
"fmt"
"net/http"
"strconv"
"strings"
"time"
"github.com/labstack/echo/v4"
"dynatron.me/x/blasphem/internal/generate"
"dynatron.me/x/blasphem/pkg/auth/provider"
)
/*
{
"id": "18912b07b66e48558a44c058bf90f1d4",
"user_id": "1bd642b0ed9f410280f622d1d358102b",
"client_id": "https://oauth-redirect.googleusercontent.com/",
"client_name": null,
"client_icon": null,
"token_type": "normal",
"created_at": "2021-12-13T04:34:47.169033+00:00",
"access_token_expiration": 1800.0,
"token": "f93f87557ca616508c675f05b85921d07fdf764efc34c74a81daeebd71ab899a6e8cd5dec94d0ae36499ff281f2efcf715c763ad73eabadd2f586b827057043d",
"jwt_key": "f4507c01fe19b1d99c4b628cadc8208f7838dbdda0a9a051fd029cefdf6f619b0728d6b0a4d3d96ee68614b035054952faa14c48ae36bd212e28d602864f6d1c",
"last_used_at": "2021-12-13T04:34:47.169738+00:00",
"last_used_ip": "108.177.68.93",
"credential_id": "5daeb186d2a943328cbb984f135974cb",
"version": "2021.12.0"
},
*/
type (
TokenType string
TokenTimestamp time.Time
RefreshTokenID string
ExpSeconds float64
)
func (f ExpSeconds) MarshalJSON() ([]byte, error) {
if float64(f) == float64(int(f)) {
return []byte(strconv.FormatFloat(float64(f), 'f', 1, 32)), nil
}
return []byte(strconv.FormatFloat(float64(f), 'f', -1, 32)), nil
}
const PytTimeFormat = "2006-01-02T15:04:05.999999-07:00"
func (t *TokenTimestamp) MarshalJSON() ([]byte, error) {
rv := fmt.Sprintf("%q", time.Time(*t).Format(PytTimeFormat))
return []byte(rv), nil
}
func (t *TokenTimestamp) UnmarshalJSON(b []byte) error {
s := strings.Trim(string(b), `"`)
tm, err := time.Parse(PytTimeFormat, s)
*t = TokenTimestamp(tm)
return err
}
type RefreshToken struct {
ID RefreshTokenID `json:"id"`
UserID UserID `json:"user_id"`
ClientID *ClientID `json:"client_id"`
ClientName *string `json:"client_name"`
ClientIcon *string `json:"client_icon"`
TokenType TokenType `json:"token_type"`
CreatedAt *TokenTimestamp `json:"created_at"`
AccessTokenExpiration ExpSeconds `json:"access_token_expiration"`
Token string `json:"token"`
JWTKey string `json:"jwt_key"`
LastUsedAt *TokenTimestamp `json:"last_used_at"`
LastUsedIP *string `json:"last_used_ip"`
CredentialID *CredID `json:"credential_id"`
Version *string `json:"version"`
}
type AccessSessionStore struct {
s map[AccessTokenID]*AccessToken
type SessionStore struct {
s map[TokenID]*Token
lastCull time.Time
}
type AccessTokenID string
type TokenID string
func (t *AccessTokenID) IsValid() bool {
func (t *TokenID) IsValid() bool {
// TODO: more validation than this
return *t != ""
}
type AccessToken struct { // TODO: jwt bro
ID AccessTokenID
type Token struct { // TODO: jwt bro
ID TokenID
Ctime time.Time
Expires time.Time
Addr string
@ -100,13 +31,13 @@ type AccessToken struct { // TODO: jwt bro
user provider.ProviderUser `json:"-"`
}
func (ss *AccessSessionStore) init() {
ss.s = make(map[AccessTokenID]*AccessToken)
func (ss *SessionStore) init() {
ss.s = make(map[TokenID]*Token)
}
const cullInterval = 5 * time.Minute
func (ss *AccessSessionStore) cull() {
func (ss *SessionStore) cull() {
if now := time.Now(); now.Sub(ss.lastCull) > cullInterval {
for k, v := range ss.s {
if now.After(v.Expires) {
@ -116,12 +47,12 @@ func (ss *AccessSessionStore) cull() {
}
}
func (ss *AccessSessionStore) register(t *AccessToken) {
func (ss *SessionStore) register(t *Token) {
ss.cull()
ss.s[t.ID] = t
}
func (ss *AccessSessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) {
func (ss *SessionStore) verify(tr *TokenRequest, r *http.Request) (provider.ProviderUser, bool) {
if t, hasToken := ss.s[tr.Code]; hasToken {
// TODO: JWT
if t.Expires.After(time.Now()) {
@ -144,11 +75,10 @@ type Credential struct {
}
func (cred *Credential) MarshalJSON() ([]byte, error) {
type CredAlias Credential // alias so ø method set and we don't recurse
type CredAlias Credential
nCd := (*CredAlias)(cred)
if cred.user != nil {
providerData := cred.user.UserData()
providerData := cred.user.ProviderUserData()
if providerData != nil {
b, err := json.Marshal(providerData)
if err != nil {
@ -158,7 +88,6 @@ func (cred *Credential) MarshalJSON() ([]byte, error) {
dr := json.RawMessage(b)
nCd.DataRaw = &dr
}
}
return json.Marshal(nCd)
}
@ -176,13 +105,13 @@ func (a *Authenticator) verifyAndGetCredential(tr *TokenRequest, r *http.Request
return cred
}
const defaultExpiration = 15 * time.Minute
const defaultExpiration = 2 * time.Hour
func (a *Authenticator) NewAccessToken(r *http.Request, user provider.ProviderUser, f *Flow) AccessTokenID {
id := AccessTokenID(generate.UUID())
func (a *Authenticator) NewToken(r *http.Request, user provider.ProviderUser, f *Flow) TokenID {
id := TokenID(genUUID())
now := time.Now()
t := &AccessToken{
t := &Token{
ID: id,
Ctime: now,
Expires: now.Add(defaultExpiration),
@ -212,7 +141,7 @@ func (c *ClientID) IsValid() bool {
type TokenRequest struct {
ClientID ClientID `form:"client_id"`
Code AccessTokenID `form:"code"`
Code TokenID `form:"code"`
GrantType GrantType `form:"grant_type"`
}

View file

@ -6,7 +6,6 @@ import (
"github.com/rs/zerolog/log"
"dynatron.me/x/blasphem/pkg/auth/provider"
"dynatron.me/x/blasphem/pkg/storage"
)
@ -20,9 +19,8 @@ type AuthStore interface {
type authStore struct {
Users []User `json:"users"`
Groups []Group `json:"groups"`
Groups interface{} `json:"groups"`
Credentials []Credential `json:"credentials"`
Refresh []RefreshToken `json:"refresh_tokens"`
userMap map[UserID]*User
}
@ -44,15 +42,13 @@ func (a *Authenticator) newAuthStore(s storage.Store) (as *authStore, err error)
return nil, fmt.Errorf("no such provider %s", c.AuthProviderType)
}
if c.DataRaw != nil {
pd := prov.NewCredData()
if c.DataRaw != nil {
err := json.Unmarshal(*c.DataRaw, pd)
if err != nil {
return nil, err
}
c.user = pd.(provider.ProviderUser)
}
}

View file

@ -8,11 +8,6 @@ type UserID string
type GroupID string
type CredID string
type Group struct {
ID GroupID `json:"id"`
Name string `json:"name"`
}
type User struct {
ID UserID `json:"id"`
GroupIDs []GroupID `json:"group_ids"`
@ -21,11 +16,11 @@ type User struct {
}
type UserMetadata struct {
Owner bool `json:"is_owner"`
Active bool `json:"is_active"`
Name string `json:"name"`
SystemGenerated bool `json:"system_generated"`
Owner bool `json:"is_owner"`
LocalOnly bool `json:"local_only"`
SystemGenerated bool `json:"system_generated"`
Name string `json:"name"`
}
func (u *User) allowedToAuth() error {

View file

@ -1,55 +0,0 @@
package storage
import (
"errors"
"sync"
)
var (
ErrNoSuchKey = errors.New("no such key in store")
ErrKeyExists = errors.New("key already exists")
)
// Item is an item in a datastore.
type Item interface {
// Item is lockable if updating data item directly.
sync.Locker
// Dirty sets the dirty flag for the item so it will be flushed.
Dirty()
// IsDirty gets the dirty flag for the item.
IsDirty() bool
// GetData gets the data for the item.
GetData() interface{}
// GetData sets the data for the item.
SetData(interface{})
// ItemKey gets the key of the item.
ItemKey() string
}
// Store represents a datastore.
type Store interface {
// GetItem loads the specified key from the store into data and returns the Item.
// If err is ErrKeyExists, Item will be the existing item.
GetItem(key string, data interface{}) (Item, error)
// Get is the same as GetItem, but only returns error.
Get(key string, data interface{}) error
// Put puts the specified key into the store. If the key already exists, it clobbers.
// Note that any existing items will then dangle.
Put(key string, version, minorVersion int, secretMode bool, data interface{}) (Item, error)
// FlushAll flushes the store to backing.
FlushAll() []error
// Flush flushes a single key to backing.
Flush(key string) error
// Shutdown is called to quiesce and shutdown the store.
Shutdown()
}

View file

@ -2,43 +2,55 @@ package storage
import (
"encoding/json"
"errors"
"fmt"
"io/fs"
"os"
"path"
"strings"
"sync"
"github.com/rs/zerolog/log"
)
var (
IndentStr = strings.Repeat(" ", 2)
IndentStr = strings.Repeat(" ", 4)
ErrNoSuchKey = errors.New("no such key in store")
)
const (
SecretMode fs.FileMode = 0600
DefaultMode fs.FileMode = 0644
SecretMode os.FileMode = 0600
DefaultMode os.FileMode = 0644
)
type Data interface {
}
type item struct {
sync.Mutex `json:"-"`
Version int `json:"version"`
MinorVersion *int `json:"minor_version,omitempty"`
Key string `json:"key"`
Data interface{} `json:"data"`
fmode fs.FileMode
fmode os.FileMode
dirty bool
}
func (i *item) Dirty() { i.Lock(); defer i.Unlock(); i.dirty = true }
func (i *item) IsDirty() bool { i.Lock(); defer i.Unlock(); return i.dirty }
func (i *item) GetData() interface{} { i.Lock(); defer i.Unlock(); return i.Data }
func (i *item) SetData(d interface{}) { i.Lock(); defer i.Unlock(); i.Data = d; i.dirty = true }
func (i *item) ItemKey() string { return i.Key /* key is immutable */ }
type Item interface {
Dirty()
IsDirty() bool
GetData() interface{}
SetData(interface{})
ItemKey() string
}
func (it *item) mode() fs.FileMode {
func (i *item) Dirty() { i.dirty = true }
func (i *item) IsDirty() bool { return i.dirty }
func (i *item) GetData() interface{} { return i.Data }
func (i *item) SetData(d interface{}) { i.Data = d; i.Dirty() }
func (i *item) ItemKey() string { return i.Key }
func (it *item) mode() os.FileMode {
if it.fmode != 0 {
return it.fmode
}
@ -47,36 +59,22 @@ func (it *item) mode() fs.FileMode {
}
type fsStore struct {
sync.RWMutex
fs fs.FS
fs.FS
storeRoot string
s map[string]*item
}
func (s *fsStore) get(key string) *item {
s.RLock()
defer s.RUnlock()
i, ok := s.s[key]
if !ok {
return nil
}
return i
}
func (s *fsStore) put(key string, it *item) {
s.Lock()
defer s.Unlock()
s.s[key] = it
type Store interface {
GetItem(key string, data interface{}) (Item, error)
Get(key string, data interface{}) error
Put(key string, version, minorVersion int, secretMode bool, data interface{}) (Item, error)
FlushAll() []error
Flush(key string) error
Shutdown()
}
func (s *fsStore) persist(it *item) error {
it.Lock()
defer it.Unlock()
f, err := os.OpenFile(path.Join(s.storeRoot, it.Key), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, it.mode())
f, err := os.OpenFile(path.Join(s.storeRoot, it.Key), os.O_WRONLY|os.O_CREATE, it.mode())
if err != nil {
return err
}
@ -95,19 +93,19 @@ func (s *fsStore) persist(it *item) error {
}
func (s *fsStore) Dirty(key string) error {
it := s.get(key)
if it == nil {
it, has := s.s[key]
if !has {
return ErrNoSuchKey
}
it.Dirty()
it.dirty = true
return nil
}
func (s *fsStore) Flush(key string) error {
it := s.get(key)
if it == nil {
it, exists := s.s[key]
if !exists {
return ErrNoSuchKey
}
@ -115,9 +113,6 @@ func (s *fsStore) Flush(key string) error {
}
func (s *fsStore) FlushAll() []error {
s.RLock()
defer s.RUnlock()
var errs []error
for _, it := range s.s {
err := s.persist(it)
@ -172,26 +167,15 @@ func (s *fsStore) Get(key string, data interface{}) error {
}
func (s *fsStore) GetItem(key string, data interface{}) (Item, error) {
exists := s.get(key)
if exists != nil {
return exists, ErrKeyExists
}
f, err := s.fs.Open(key)
f, err := s.Open(key)
if err != nil {
return nil, err
}
defer f.Close()
fi, err := f.Stat()
if err != nil {
return nil, err
}
item := &item{
Data: data,
fmode: fi.Mode(),
}
d := json.NewDecoder(f)
err = d.Decode(item)
@ -203,7 +187,7 @@ func (s *fsStore) GetItem(key string, data interface{}) (Item, error) {
return nil, fmt.Errorf("key mismatch '%s' != '%s'", item.Key, key)
}
s.put(key, item)
s.s[key] = item
return item, nil
}
@ -213,7 +197,7 @@ func OpenFileStore(configRoot string) (*fsStore, error) {
stor := os.DirFS(storeRoot)
return &fsStore{
fs: stor,
FS: stor,
storeRoot: storeRoot,
s: make(map[string]*item),
}, nil