rpdata
/
api
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
GraphQL API and utilities for the rpdata project
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
262 Commits
6 Branches
38 Tags
5.6 MiB
Tree: e690e7ab97
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e690e7ab97'
${ noResults }
api/services/auth.go

331 lines
8.9 KiB
Raw Normal View History

A lot of delete and failed scream tests.
5 years ago
  1. package services
  3. import (
  4. "context"
  5. "crypto/rand"
  6. "encoding/base64"
  7. "errors"
  8. "fmt"
  9. "git.aiterp.net/rpdata/api/models"
  10. "git.aiterp.net/rpdata/api/repositories"
  11. "github.com/dgrijalva/jwt-go"
  12. "log"
  13. "net/http"
  14. "reflect"
  15. "strings"
  16. "time"
  17. )
  19. var contextKey = &struct{ data string }{"Token Context Key"}
  21. // ErrNoKid is returned if the key id is missing from the jwt token header,
  22. var ErrNoKid = errors.New("missing \"kid\" field in token")
  24. // ErrKeyNotFound is returned if the key wasn't found.
  25. var ErrKeyNotFound = errors.New("key not found")
  27. // ErrInvalidClaims is returned by parseClaims if the claims cannot be parsed
  28. var ErrInvalidClaims = errors.New("invalid claims in token")
  30. // ErrExpired is returned by parseClaims if the expiry date is in the past
  31. var ErrExpired = errors.New("claims have already expired")
  33. // ErrWrongUser is returned by CheckToken if the key cannot represent this user
  34. var ErrWrongUser = errors.New("key is not valid for this user")
  36. // ErrDeletedUser is returned by CheckToken if the key can represent this user, but the user doesn't exist.
  37. var ErrDeletedUser = errors.New("user was not found")
  39. // ErrUnauthenticated is returned when the user is not authenticated
  40. var ErrUnauthenticated = errors.New("you are not authenticated")
  42. // ErrUnauthorized is returned when the user doesn't have access to this resource
  43. var ErrUnauthorized = errors.New("you are not authorized to perform this action")
  45. // ErrInvalidOperation is returned for operations that should never be allowed
  46. var ErrInvalidOperation = errors.New("no permission exists for this operation")
  48. // AuthService is a service for handling the 'orizations and 'entications.
  49. type AuthService struct {
  50. keys repositories.KeyRepository
  51. users repositories.UserRepository
  52. }
  54. // FindKey finds a key by id.
  55. func (s *AuthService) FindKey(ctx context.Context, id string) (*models.Key, error) {
  56. return s.keys.Find(ctx, id)
  57. }
  59. // FindKey finds a key by id.
  60. func (s *AuthService) FindUser(ctx context.Context, id string) (*models.User, error) {
  61. return s.users.Find(ctx, id)
  62. }
  64. // CreateKey generates a new key for the user and name. This
  65. // does not allow generating wildcard keys, they have to be
  66. // manually inserted into the DB.
  67. func (s *AuthService) CreateKey(ctx context.Context, name, user string) (*models.Key, error) {
  68. if user == "*" {
  69. return nil, errors.New("auth: wildcard keys not allowed")
  70. }
  72. secret, err := s.generateSecret()
  73. if err != nil {
  74. return nil, err
  75. }
  77. key := &models.Key{
  78. Name: name,
  79. User: user,
  80. Secret: secret,
  81. }
  83. key, err = s.keys.Insert(ctx, *key)
  84. if err != nil {
  85. return nil, err
  86. }
  88. return key, nil
  89. }
  91. // CheckPermission does some magic.
  92. func (s *AuthService) CheckPermission(ctx context.Context, op string, obj interface{}) error {
  93. token := s.TokenFromContext(ctx)
  94. if token == nil {
  95. return ErrUnauthenticated
  96. }
  98. if v := reflect.ValueOf(obj); v.Kind() == reflect.Struct {
  99. ptr := reflect.PtrTo(v.Type())
  100. ptrValue := reflect.New(ptr.Elem())
  101. ptrValue.Elem().Set(v)
  103. obj = ptrValue.Interface()
  104. }
  106. var authorized = false
  108. switch v := obj.(type) {
  109. case *models.Channel:
  110. authorized = token.Permitted("channel." + op)
  111. case *models.Character:
  112. authorized = token.PermittedUser(v.Author, "member", "character."+op)
  113. case *models.Chapter:
  114. authorized = token.PermittedUser(v.Author, "member", "chapter."+op)
  115. case *models.Comment:
  116. if op == "add" && v.Author != token.UserID {
  117. return ErrInvalidOperation
  118. }
  120. authorized = token.PermittedUser(v.Author, "member", "comment."+op)
  121. case *models.File:
  122. authorized = token.PermittedUser(v.Author, "member", "file."+op)
  123. case *models.Log:
  124. authorized = token.Permitted("log." + op)
  125. case *models.Post:
  126. authorized = token.Permitted("post." + op)
  127. case *models.Story:
  128. authorized = token.PermittedUser(v.Author, "member", "story."+op)
  129. case *models.User:
  130. authorized = token.Permitted("user." + op)
  131. default:
  132. log.Panicf("Invalid model %T: %#+v", v, v)
  133. }
  135. if !authorized {
  136. return ErrUnauthorized
  137. }
  139. return nil
  140. }
  142. // TokenFromContext gets the token from context.
  143. func (s *AuthService) TokenFromContext(ctx context.Context) *models.Token {
  144. token, ok := ctx.Value(contextKey).(*models.Token)
  145. if !ok {
  146. return nil
  147. }
  149. return token
  150. }
  152. // RequestWithToken either returns the request, or the request with a new context that
  153. // has the token.
  154. func (s *AuthService) RequestWithToken(r *http.Request) *http.Request {
  155. header := r.Header.Get("Authorization")
  156. if header == "" {
  157. return r
  158. }
  160. if !strings.HasPrefix(header, "Bearer ") {
  161. return r
  162. }
  164. token, err := s.CheckToken(r.Context(), header[7:])
  165. if err != nil {
  166. return r
  167. }
  169. return r.WithContext(context.WithValue(r.Context(), contextKey, &token))
  170. }
  172. // CheckToken reads the token string and returns a token if everything is kosher.
  173. func (s *AuthService) CheckToken(ctx context.Context, tokenString string) (token models.Token, err error) {
  174. var key *models.Key
  176. jwtToken, err := jwt.Parse(tokenString, func(jwtToken *jwt.Token) (interface{}, error) {
  177. if _, ok := jwtToken.Method.(*jwt.SigningMethodHMAC); !ok {
  178. return nil, fmt.Errorf("unexpected signing method: %v", jwtToken.Header["alg"])
  179. }
  181. kid, ok := jwtToken.Header["kid"].(string)
  182. if !ok {
  183. return nil, ErrNoKid
  184. }
  186. key, err = s.FindKey(ctx, kid)
  187. if err != nil || key.ID == "" {
  188. return nil, ErrKeyNotFound
  189. }
  191. return []byte(key.Secret), nil
  192. })
  193. if err != nil {
  194. return models.Token{}, err
  195. }
  197. userid, permissions, err := s.parseClaims(jwtToken.Claims)
  198. if err != nil {
  199. return models.Token{}, err
  200. }
  202. if !key.ValidForUser(userid) {
  203. return models.Token{}, ErrWrongUser
  204. }
  206. user, err := s.ensureUser(ctx, userid)
  207. if err != nil {
  208. return models.Token{}, ErrDeletedUser
  209. }
  211. acceptedPermissions := make([]string, 0, len(user.Permissions))
  212. if len(permissions) > 0 {
  213. for _, permission := range permissions {
  214. found := false
  216. for _, userPermission := range user.Permissions {
  217. if permission == userPermission {
  218. found = true
  219. break
  220. }
  221. }
  223. if found {
  224. acceptedPermissions = append(acceptedPermissions, permission)
  225. }
  226. }
  227. } else {
  228. acceptedPermissions = append(acceptedPermissions, user.Permissions...)
  229. }
  231. return models.Token{UserID: user.ID, Permissions: acceptedPermissions}, nil
  232. }
  234. // AllPermissions gets all permissions and their purpose
  235. func (s *AuthService) AllPermissions() map[string]string {
  236. return map[string]string{
  237. "member": "Can add/edit/remove own content",
  238. "user.edit": "Can edit non-owned users",
  239. "character.add": "Can add non-owned characters",
  240. "character.edit": "Can edit non-owned characters",
  241. "character.remove": "Can remove non-owned characters",
  242. "channel.add": "Can add channels",
  243. "channel.edit": "Can edit channels",
  244. "channel.remove": "Can remove channels",
  245. "comment.edit": "Can edit non-owned comments",
  246. "comment.remove": "Can remove non-owned comments",
  247. "log.add": "Can add logs",
  248. "log.edit": "Can edit logs",
  249. "log.remove": "Can remove logs",
  250. "post.add": "Can add posts",
  251. "post.edit": "Can edit posts",
  252. "post.move": "Can move posts",
  253. "post.remove": "Can remove posts",
  254. "story.add": "Can add non-owned stories",
  255. "story.edit": "Can edit non-owned stories",
  256. "story.remove": "Can remove non-owned stories",
  257. "story.unlisted": "Can view non-owned unlisted stories",
  258. "file.upload": "Can upload files",
  259. "file.list": "Can list non-owned files",
  260. "file.view": "Can view non-owned files",
  261. "file.edit": "Can edit non-owned files",
  262. "file.remove": "Can remove non-owned files",
  263. }
  264. }
  266. func (s *AuthService) parseClaims(jwtClaims jwt.Claims) (userid string, permissions []string, err error) {
  267. mapClaims, ok := jwtClaims.(jwt.MapClaims)
  268. if !ok {
  269. return "", nil, ErrInvalidClaims
  270. }
  272. if !mapClaims.VerifyExpiresAt(time.Now().Unix(), true) {
  273. return "", nil, ErrExpired
  274. }
  276. if userid, ok = mapClaims["user"].(string); !ok {
  277. return "", nil, ErrInvalidClaims
  278. }
  280. if claimedPermissions, ok := mapClaims["permissions"].([]interface{}); ok {
  281. for _, permission := range claimedPermissions {
  282. if permission, ok := permission.(string); ok {
  283. permissions = append(permissions, permission)
  284. }
  285. }
  287. if len(permissions) == 0 {
  288. return "", nil, ErrInvalidClaims
  289. }
  290. }
  292. return
  293. }
  295. func (s *AuthService) generateSecret() (string, error) {
  296. var data [64]byte
  298. _, err := rand.Read(data[:])
  299. if err != nil {
  300. return "", err
  301. }
  303. return base64.RawURLEncoding.EncodeToString(data[:]), nil
  304. }
  306. func (s *AuthService) ensureUser(ctx context.Context, id string) (*models.User, error) {
  307. user, err := s.users.Find(ctx, id)
  308. if err == repositories.ErrNotFound {
  309. user = &models.User{
  310. ID: id,
  311. Nick: "",
  312. Permissions: []string{
  313. "member",
  314. "log.edit",
  315. "post.edit",
  316. "post.move",
  317. "post.remove",
  318. "file.upload",
  319. },
  320. }
  322. user, err = s.users.Insert(ctx, *user)
  323. if err != nil {
  324. return nil, err
  325. }
  326. } else if err != nil {
  327. return nil, err
  328. }
  330. return user, err
  331. }