rpdata
/
api
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
GraphQL API and utilities for the rpdata project
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
298 Commits
6 Branches
38 Tags
5.6 MiB
Tree: a606b79736
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a606b79736'
${ noResults }
api/services/auth.go

336 lines
8.9 KiB
Raw Normal View History

A lot of delete and failed scream tests.
5 years ago
allow tag/untag of open stories.
4 years ago
A lot of delete and failed scream tests.
5 years ago
  1. package services
  3. import (
  4. "context"
  5. "crypto/rand"
  6. "encoding/base64"
  7. "errors"
  8. "fmt"
  9. "git.aiterp.net/rpdata/api/models"
  10. "git.aiterp.net/rpdata/api/repositories"
  11. "github.com/dgrijalva/jwt-go"
  12. "log"
  13. "net/http"
  14. "reflect"
  15. "strings"
  16. "time"
  17. )
  19. var contextKey = &struct{ data string }{"Token Context Key"}
  21. // ErrNoKid is returned if the key id is missing from the jwt token header,
  22. var ErrNoKid = errors.New("missing \"kid\" field in token")
  24. // ErrKeyNotFound is returned if the key wasn't found.
  25. var ErrKeyNotFound = errors.New("key not found")
  27. // ErrInvalidClaims is returned by parseClaims if the claims cannot be parsed
  28. var ErrInvalidClaims = errors.New("invalid claims in token")
  30. // ErrExpired is returned by parseClaims if the expiry date is in the past
  31. var ErrExpired = errors.New("claims have already expired")
  33. // ErrWrongUser is returned by CheckToken if the key cannot represent this user
  34. var ErrWrongUser = errors.New("key is not valid for this user")
  36. // ErrDeletedUser is returned by CheckToken if the key can represent this user, but the user doesn't exist.
  37. var ErrDeletedUser = errors.New("user was not found")
  39. // ErrUnauthenticated is returned when the user is not authenticated
  40. var ErrUnauthenticated = errors.New("you are not authenticated")
  42. // ErrUnauthorized is returned when the user doesn't have access to this resource
  43. var ErrUnauthorized = errors.New("you are not authorized to perform this action")
  45. // ErrInvalidOperation is returned for operations that should never be allowed
  46. var ErrInvalidOperation = errors.New("no permission exists for this operation")
  48. // AuthService is a service for handling the 'orizations and 'entications.
  49. type AuthService struct {
  50. keys repositories.KeyRepository
  51. users repositories.UserRepository
  52. }
  54. // FindKey finds a key by id.
  55. func (s *AuthService) FindKey(ctx context.Context, id string) (*models.Key, error) {
  56. return s.keys.Find(ctx, id)
  57. }
  59. // FindKey finds a key by id.
  60. func (s *AuthService) FindUser(ctx context.Context, id string) (*models.User, error) {
  61. return s.users.Find(ctx, id)
  62. }
  64. // CreateKey generates a new key for the user and name. This
  65. // does not allow generating wildcard keys, they have to be
  66. // manually inserted into the DB.
  67. func (s *AuthService) CreateKey(ctx context.Context, name, user string) (*models.Key, error) {
  68. if user == "*" {
  69. return nil, errors.New("auth: wildcard keys not allowed")
  70. }
  72. secret, err := s.generateSecret()
  73. if err != nil {
  74. return nil, err
  75. }
  77. key := &models.Key{
  78. Name: name,
  79. User: user,
  80. Secret: secret,
  81. }
  83. key, err = s.keys.Insert(ctx, *key)
  84. if err != nil {
  85. return nil, err
  86. }
  88. return key, nil
  89. }
  91. // CheckPermission does some magic.
  92. func (s *AuthService) CheckPermission(ctx context.Context, op string, obj interface{}) error {
  93. token := s.TokenFromContext(ctx)
  94. if token == nil {
  95. return ErrUnauthenticated
  96. }
  98. if v := reflect.ValueOf(obj); v.Kind() == reflect.Struct {
  99. ptr := reflect.PtrTo(v.Type())
  100. ptrValue := reflect.New(ptr.Elem())
  101. ptrValue.Elem().Set(v)
  103. obj = ptrValue.Interface()
  104. }
  106. var authorized = false
  108. switch v := obj.(type) {
  109. case *models.Channel:
  110. authorized = token.Permitted("channel." + op)
  111. case *models.Character:
  112. authorized = token.PermittedUser(v.Author, "member", "character."+op)
  113. case *models.Chapter:
  114. authorized = token.PermittedUser(v.Author, "member", "chapter."+op)
  115. case *models.Comment:
  116. if op == "add" && v.Author != token.UserID {
  117. return ErrInvalidOperation
  118. }
  120. authorized = token.PermittedUser(v.Author, "member", "comment."+op)
  121. case *models.File:
  122. authorized = token.PermittedUser(v.Author, "member", "file."+op)
  123. case *models.Log:
  124. authorized = token.Permitted("log." + op)
  125. case *models.Post:
  126. authorized = token.Permitted("post." + op)
  127. case *models.Story:
  128. if op == "tag" && v.Open {
  129. authorized = true
  130. break
  131. }
  133. authorized = token.PermittedUser(v.Author, "member", "story."+op)
  134. case *models.User:
  135. authorized = token.Permitted("user." + op)
  136. default:
  137. log.Panicf("Invalid model %T: %#+v", v, v)
  138. }
  140. if !authorized {
  141. return ErrUnauthorized
  142. }
  144. return nil
  145. }
  147. // TokenFromContext gets the token from context.
  148. func (s *AuthService) TokenFromContext(ctx context.Context) *models.Token {
  149. token, ok := ctx.Value(contextKey).(*models.Token)
  150. if !ok {
  151. return nil
  152. }
  154. return token
  155. }
  157. // RequestWithToken either returns the request, or the request with a new context that
  158. // has the token.
  159. func (s *AuthService) RequestWithToken(r *http.Request) *http.Request {
  160. header := r.Header.Get("Authorization")
  161. if header == "" {
  162. return r
  163. }
  165. if !strings.HasPrefix(header, "Bearer ") {
  166. return r
  167. }
  169. token, err := s.CheckToken(r.Context(), header[7:])
  170. if err != nil {
  171. return r
  172. }
  174. return r.WithContext(context.WithValue(r.Context(), contextKey, &token))
  175. }
  177. // CheckToken reads the token string and returns a token if everything is kosher.
  178. func (s *AuthService) CheckToken(ctx context.Context, tokenString string) (token models.Token, err error) {
  179. var key *models.Key
  181. jwtToken, err := jwt.Parse(tokenString, func(jwtToken *jwt.Token) (interface{}, error) {
  182. if _, ok := jwtToken.Method.(*jwt.SigningMethodHMAC); !ok {
  183. return nil, fmt.Errorf("unexpected signing method: %v", jwtToken.Header["alg"])
  184. }
  186. kid, ok := jwtToken.Header["kid"].(string)
  187. if !ok {
  188. return nil, ErrNoKid
  189. }
  191. key, err = s.FindKey(ctx, kid)
  192. if err != nil || key.ID == "" {
  193. return nil, ErrKeyNotFound
  194. }
  196. return []byte(key.Secret), nil
  197. })
  198. if err != nil {
  199. return models.Token{}, err
  200. }
  202. userid, permissions, err := s.parseClaims(jwtToken.Claims)
  203. if err != nil {
  204. return models.Token{}, err
  205. }
  207. if !key.ValidForUser(userid) {
  208. return models.Token{}, ErrWrongUser
  209. }
  211. user, err := s.ensureUser(ctx, userid)
  212. if err != nil {
  213. return models.Token{}, ErrDeletedUser
  214. }
  216. acceptedPermissions := make([]string, 0, len(user.Permissions))
  217. if len(permissions) > 0 {
  218. for _, permission := range permissions {
  219. found := false
  221. for _, userPermission := range user.Permissions {
  222. if permission == userPermission {
  223. found = true
  224. break
  225. }
  226. }
  228. if found {
  229. acceptedPermissions = append(acceptedPermissions, permission)
  230. }
  231. }
  232. } else {
  233. acceptedPermissions = append(acceptedPermissions, user.Permissions...)
  234. }
  236. return models.Token{UserID: user.ID, Permissions: acceptedPermissions}, nil
  237. }
  239. // AllPermissions gets all permissions and their purpose
  240. func (s *AuthService) AllPermissions() map[string]string {
  241. return map[string]string{
  242. "member": "Can add/edit/remove own content",
  243. "user.edit": "Can edit non-owned users",
  244. "character.add": "Can add non-owned characters",
  245. "character.edit": "Can edit non-owned characters",
  246. "character.remove": "Can remove non-owned characters",
  247. "channel.add": "Can add channels",
  248. "channel.edit": "Can edit channels",
  249. "channel.remove": "Can remove channels",
  250. "comment.edit": "Can edit non-owned comments",
  251. "comment.remove": "Can remove non-owned comments",
  252. "log.add": "Can add logs",
  253. "log.edit": "Can edit logs",
  254. "log.remove": "Can remove logs",
  255. "post.add": "Can add posts",
  256. "post.edit": "Can edit posts",
  257. "post.move": "Can move posts",
  258. "post.remove": "Can remove posts",
  259. "story.add": "Can add non-owned stories",
  260. "story.edit": "Can edit non-owned stories",
  261. "story.remove": "Can remove non-owned stories",
  262. "story.unlisted": "Can view non-owned unlisted stories",
  263. "file.upload": "Can upload files",
  264. "file.list": "Can list non-owned files",
  265. "file.view": "Can view non-owned files",
  266. "file.edit": "Can edit non-owned files",
  267. "file.remove": "Can remove non-owned files",
  268. }
  269. }
  271. func (s *AuthService) parseClaims(jwtClaims jwt.Claims) (userid string, permissions []string, err error) {
  272. mapClaims, ok := jwtClaims.(jwt.MapClaims)
  273. if !ok {
  274. return "", nil, ErrInvalidClaims
  275. }
  277. if !mapClaims.VerifyExpiresAt(time.Now().Unix(), true) {
  278. return "", nil, ErrExpired
  279. }
  281. if userid, ok = mapClaims["user"].(string); !ok {
  282. return "", nil, ErrInvalidClaims
  283. }
  285. if claimedPermissions, ok := mapClaims["permissions"].([]interface{}); ok {
  286. for _, permission := range claimedPermissions {
  287. if permission, ok := permission.(string); ok {
  288. permissions = append(permissions, permission)
  289. }
  290. }
  292. if len(permissions) == 0 {
  293. return "", nil, ErrInvalidClaims
  294. }
  295. }
  297. return
  298. }
  300. func (s *AuthService) generateSecret() (string, error) {
  301. var data [64]byte
  303. _, err := rand.Read(data[:])
  304. if err != nil {
  305. return "", err
  306. }
  308. return base64.RawURLEncoding.EncodeToString(data[:]), nil
  309. }
  311. func (s *AuthService) ensureUser(ctx context.Context, id string) (*models.User, error) {
  312. user, err := s.users.Find(ctx, id)
  313. if err == repositories.ErrNotFound {
  314. user = &models.User{
  315. ID: id,
  316. Nick: "",
  317. Permissions: []string{
  318. "member",
  319. "log.edit",
  320. "post.edit",
  321. "post.move",
  322. "post.remove",
  323. "file.upload",
  324. },
  325. }
  327. user, err = s.users.Insert(ctx, *user)
  328. if err != nil {
  329. return nil, err
  330. }
  331. } else if err != nil {
  332. return nil, err
  333. }
  335. return user, err
  336. }