mirror of
https://github.com/binwiederhier/ntfy.git
synced 2024-06-29 19:40:45 +12:00
328 lines
8 KiB
Go
328 lines
8 KiB
Go
package auth
|
|
|
|
import (
|
|
"database/sql"
|
|
_ "github.com/mattn/go-sqlite3" // SQLite driver
|
|
"golang.org/x/crypto/bcrypt"
|
|
"regexp"
|
|
)
|
|
|
|
const (
|
|
bcryptCost = 11
|
|
)
|
|
|
|
// Auther-related queries
|
|
const (
|
|
createAuthTablesQueries = `
|
|
BEGIN;
|
|
CREATE TABLE IF NOT EXISTS user (
|
|
user TEXT NOT NULL PRIMARY KEY,
|
|
pass TEXT NOT NULL,
|
|
role TEXT NOT NULL
|
|
);
|
|
CREATE TABLE IF NOT EXISTS access (
|
|
user TEXT NOT NULL,
|
|
topic TEXT NOT NULL,
|
|
read INT NOT NULL,
|
|
write INT NOT NULL,
|
|
PRIMARY KEY (topic, user)
|
|
);
|
|
CREATE TABLE IF NOT EXISTS schema_version (
|
|
id INT PRIMARY KEY,
|
|
version INT NOT NULL
|
|
);
|
|
COMMIT;
|
|
`
|
|
selectUserQuery = `SELECT pass, role FROM user WHERE user = ?`
|
|
selectTopicPermsQuery = `
|
|
SELECT read, write
|
|
FROM access
|
|
WHERE user IN ('*', ?) AND topic = ?
|
|
ORDER BY user DESC
|
|
`
|
|
)
|
|
|
|
// Manager-related queries
|
|
const (
|
|
insertUserQuery = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)`
|
|
selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user`
|
|
updateUserPassQuery = `UPDATE user SET pass = ? WHERE user = ?`
|
|
updateUserRoleQuery = `UPDATE user SET role = ? WHERE user = ?`
|
|
deleteUserQuery = `DELETE FROM user WHERE user = ?`
|
|
|
|
upsertUserAccessQuery = `
|
|
INSERT INTO access (user, topic, read, write)
|
|
VALUES (?, ?, ?, ?)
|
|
ON CONFLICT (user, topic) DO UPDATE SET read=excluded.read, write=excluded.write
|
|
`
|
|
selectUserAccessQuery = `SELECT topic, read, write FROM access WHERE user = ?`
|
|
deleteAllAccessQuery = `DELETE FROM access`
|
|
deleteUserAccessQuery = `DELETE FROM access WHERE user = ?`
|
|
deleteTopicAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?`
|
|
)
|
|
|
|
type SQLiteAuth struct {
|
|
db *sql.DB
|
|
defaultRead bool
|
|
defaultWrite bool
|
|
}
|
|
|
|
var (
|
|
allowedUsernameRegex = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`)
|
|
)
|
|
|
|
var _ Auther = (*SQLiteAuth)(nil)
|
|
var _ Manager = (*SQLiteAuth)(nil)
|
|
|
|
func NewSQLiteAuth(filename string, defaultRead, defaultWrite bool) (*SQLiteAuth, error) {
|
|
db, err := sql.Open("sqlite3", filename)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if err := setupNewAuthDB(db); err != nil {
|
|
return nil, err
|
|
}
|
|
return &SQLiteAuth{
|
|
db: db,
|
|
defaultRead: defaultRead,
|
|
defaultWrite: defaultWrite,
|
|
}, nil
|
|
}
|
|
|
|
func setupNewAuthDB(db *sql.DB) error {
|
|
if _, err := db.Exec(createAuthTablesQueries); err != nil {
|
|
return err
|
|
}
|
|
// FIXME schema version
|
|
return nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) {
|
|
if username == Everyone {
|
|
return nil, ErrUnauthenticated
|
|
}
|
|
user, err := a.User(username)
|
|
if err != nil {
|
|
bcrypt.CompareHashAndPassword([]byte("$2a$11$eX15DeF27FwAgXt9wqJF0uAUMz74XywJcGBH3kP93pzKYv6ATk2ka"),
|
|
[]byte("intentional slow-down to avoid timing attacks"))
|
|
return nil, ErrUnauthenticated
|
|
}
|
|
if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil {
|
|
return nil, ErrUnauthenticated
|
|
}
|
|
return user, nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) Authorize(user *User, topic string, perm Permission) error {
|
|
if user != nil && user.Role == RoleAdmin {
|
|
return nil // Admin can do everything
|
|
}
|
|
// Select the read/write permissions for this user/topic combo. The query may return two
|
|
// rows (one for everyone, and one for the user), but prioritizes the user. The value for
|
|
// user.Name may be empty (= everyone).
|
|
username := Everyone
|
|
if user != nil {
|
|
username = user.Name
|
|
}
|
|
rows, err := a.db.Query(selectTopicPermsQuery, username, topic)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer rows.Close()
|
|
if !rows.Next() {
|
|
return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)
|
|
}
|
|
var read, write bool
|
|
if err := rows.Scan(&read, &write); err != nil {
|
|
return err
|
|
} else if err := rows.Err(); err != nil {
|
|
return err
|
|
}
|
|
return a.resolvePerms(read, write, perm)
|
|
}
|
|
|
|
func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error {
|
|
if perm == PermissionRead && read {
|
|
return nil
|
|
} else if perm == PermissionWrite && write {
|
|
return nil
|
|
}
|
|
return ErrUnauthorized
|
|
}
|
|
|
|
func (a *SQLiteAuth) AddUser(username, password string, role Role) error {
|
|
if !allowedUsernameRegex.MatchString(username) || (role != RoleAdmin && role != RoleUser) {
|
|
return ErrInvalidArgument
|
|
}
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if _, err = a.db.Exec(insertUserQuery, username, hash, role); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) RemoveUser(username string) error {
|
|
if !allowedUsernameRegex.MatchString(username) || username == Everyone {
|
|
return ErrInvalidArgument
|
|
}
|
|
if _, err := a.db.Exec(deleteUserQuery, username); err != nil {
|
|
return err
|
|
}
|
|
if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) Users() ([]*User, error) {
|
|
rows, err := a.db.Query(selectUsernamesQuery)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
usernames := make([]string, 0)
|
|
for rows.Next() {
|
|
var username string
|
|
if err := rows.Scan(&username); err != nil {
|
|
return nil, err
|
|
} else if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
usernames = append(usernames, username)
|
|
}
|
|
rows.Close()
|
|
users := make([]*User, 0)
|
|
for _, username := range usernames {
|
|
user, err := a.User(username)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
users = append(users, user)
|
|
}
|
|
everyone, err := a.everyoneUser()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
users = append(users, everyone)
|
|
return users, nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) User(username string) (*User, error) {
|
|
if username == Everyone {
|
|
return a.everyoneUser()
|
|
}
|
|
rows, err := a.db.Query(selectUserQuery, username)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
var hash, role string
|
|
if !rows.Next() {
|
|
return nil, ErrNotFound
|
|
}
|
|
if err := rows.Scan(&hash, &role); err != nil {
|
|
return nil, err
|
|
} else if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
grants, err := a.readGrants(username)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &User{
|
|
Name: username,
|
|
Hash: hash,
|
|
Role: Role(role),
|
|
Grants: grants,
|
|
}, nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) everyoneUser() (*User, error) {
|
|
grants, err := a.readGrants(Everyone)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &User{
|
|
Name: Everyone,
|
|
Hash: "",
|
|
Role: RoleAnonymous,
|
|
Grants: grants,
|
|
}, nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) {
|
|
rows, err := a.db.Query(selectUserAccessQuery, username)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
grants := make([]Grant, 0)
|
|
for rows.Next() {
|
|
var topic string
|
|
var read, write bool
|
|
if err := rows.Scan(&topic, &read, &write); err != nil {
|
|
return nil, err
|
|
} else if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
grants = append(grants, Grant{
|
|
Topic: topic,
|
|
Read: read,
|
|
Write: write,
|
|
})
|
|
}
|
|
return grants, nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) ChangePassword(username, password string) error {
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) ChangeRole(username string, role Role) error {
|
|
if !allowedUsernameRegex.MatchString(username) || (role != RoleAdmin && role != RoleUser) {
|
|
return ErrInvalidArgument
|
|
}
|
|
if _, err := a.db.Exec(updateUserRoleQuery, string(role), username); err != nil {
|
|
return err
|
|
}
|
|
if role == RoleAdmin {
|
|
if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) DefaultAccess() (read bool, write bool) {
|
|
return a.defaultRead, a.defaultWrite
|
|
}
|
|
|
|
func (a *SQLiteAuth) AllowAccess(username string, topic string, read bool, write bool) error {
|
|
if _, err := a.db.Exec(upsertUserAccessQuery, username, topic, read, write); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (a *SQLiteAuth) ResetAccess(username string, topic string) error {
|
|
if username == "" && topic == "" {
|
|
_, err := a.db.Exec(deleteAllAccessQuery, username)
|
|
return err
|
|
} else if topic == "" {
|
|
_, err := a.db.Exec(deleteUserAccessQuery, username)
|
|
return err
|
|
}
|
|
_, err := a.db.Exec(deleteTopicAccessQuery, username, topic)
|
|
return err
|
|
}
|