auth
auth/session.go
Wire up the postgres database for authd. Have authd use the AUTH_PG_DB environment variable to detect support for the postgres *Stores, and if postgres is supported, use it. If postgres isn't supported, fall back on the in-memory store. Also create-if-not-exists the test scopes, instead of panicking when the scope already exists.
| paddy@70 | 1 package auth |
| paddy@70 | 2 |
| paddy@70 | 3 import ( |
| paddy@132 | 4 "crypto/rand" |
| paddy@98 | 5 "crypto/sha256" |
| paddy@132 | 6 "encoding/base64" |
| paddy@98 | 7 "encoding/hex" |
| paddy@119 | 8 "encoding/json" |
| paddy@70 | 9 "errors" |
| paddy@98 | 10 "log" |
| paddy@98 | 11 "net/http" |
| paddy@89 | 12 "sort" |
| paddy@135 | 13 "strings" |
| paddy@70 | 14 "time" |
| paddy@70 | 15 |
| paddy@107 | 16 "code.secondbit.org/pass.hg" |
| paddy@107 | 17 "code.secondbit.org/uuid.hg" |
| paddy@98 | 18 "github.com/gorilla/mux" |
| paddy@98 | 19 ) |
| paddy@98 | 20 |
| paddy@98 | 21 const ( |
| paddy@132 | 22 authCookieName = "auth" |
| paddy@98 | 23 loginTemplateName = "login" |
| paddy@70 | 24 ) |
| paddy@70 | 25 |
| paddy@119 | 26 func init() { |
| paddy@119 | 27 RegisterGrantType("password", GrantType{ |
| paddy@119 | 28 Validate: credentialsValidate, |
| paddy@119 | 29 Invalidate: nil, |
| paddy@119 | 30 IssuesRefresh: true, |
| paddy@119 | 31 ReturnToken: RenderJSONToken, |
| paddy@124 | 32 AuditString: credentialsAuditString, |
| paddy@119 | 33 }) |
| paddy@119 | 34 } |
| paddy@119 | 35 |
| paddy@70 | 36 var ( |
| paddy@70 | 37 // ErrNoSessionStore is returned when a Context tries to act on a sessionStore without setting on first. |
| paddy@70 | 38 ErrNoSessionStore = errors.New("no sessionStore was specified for the Context") |
| paddy@70 | 39 // ErrSessionNotFound is returned when a Session is requested but not found in the sessionStore. |
| paddy@70 | 40 ErrSessionNotFound = errors.New("session not found in sessionStore") |
| paddy@70 | 41 // ErrInvalidSession is returned when a Session is specified but is not valid. |
| paddy@70 | 42 ErrInvalidSession = errors.New("session is not valid") |
| paddy@77 | 43 // ErrSessionAlreadyExists is returned when a sessionStore tries to store a Session with an ID that already exists in the sessionStore. |
| paddy@77 | 44 ErrSessionAlreadyExists = errors.New("session already exists") |
| paddy@132 | 45 // ErrCSRFAttempt is returned when a CSRF attempt is detected. |
| paddy@132 | 46 ErrCSRFAttempt = errors.New("CSRF attempt") |
| paddy@98 | 47 |
| paddy@98 | 48 passphraseSchemes = map[int]passphraseScheme{ |
| paddy@98 | 49 1: { |
| paddy@98 | 50 check: pbkdf2sha256check, |
| paddy@98 | 51 create: pbkdf2sha256create, |
| paddy@98 | 52 calculateIterations: pbkdf2sha256calc, |
| paddy@98 | 53 }, |
| paddy@98 | 54 } |
| paddy@70 | 55 ) |
| paddy@70 | 56 |
| paddy@98 | 57 type passphraseScheme struct { |
| paddy@98 | 58 check func(profile Profile, passphrase string) (bool, error) |
| paddy@103 | 59 create func(passphrase string, iterations int) (result, salt string, err error) |
| paddy@98 | 60 calculateIterations func() (int, error) |
| paddy@98 | 61 } |
| paddy@98 | 62 |
| paddy@70 | 63 // Session represents a user's authenticated session, associating it with a profile |
| paddy@70 | 64 // and some audit data. |
| paddy@70 | 65 type Session struct { |
| paddy@70 | 66 ID string |
| paddy@70 | 67 IP string |
| paddy@70 | 68 UserAgent string |
| paddy@70 | 69 ProfileID uuid.ID |
| paddy@98 | 70 Login string |
| paddy@70 | 71 Created time.Time |
| paddy@132 | 72 Expires time.Time |
| paddy@70 | 73 Active bool |
| paddy@132 | 74 CSRFToken string |
| paddy@70 | 75 } |
| paddy@70 | 76 |
| paddy@89 | 77 type sortedSessions []Session |
| paddy@89 | 78 |
| paddy@89 | 79 func (s sortedSessions) Len() int { |
| paddy@89 | 80 return len(s) |
| paddy@89 | 81 } |
| paddy@89 | 82 |
| paddy@89 | 83 func (s sortedSessions) Less(i, j int) bool { |
| paddy@89 | 84 return s[i].Created.After(s[j].Created) |
| paddy@89 | 85 } |
| paddy@89 | 86 |
| paddy@89 | 87 func (s sortedSessions) Swap(i, j int) { |
| paddy@89 | 88 s[i], s[j] = s[j], s[i] |
| paddy@89 | 89 } |
| paddy@89 | 90 |
| paddy@70 | 91 type sessionStore interface { |
| paddy@70 | 92 createSession(session Session) error |
| paddy@70 | 93 getSession(id string) (Session, error) |
| paddy@70 | 94 removeSession(id string) error |
| paddy@70 | 95 listSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error) |
| paddy@70 | 96 } |
| paddy@77 | 97 |
| paddy@77 | 98 func (m *memstore) createSession(session Session) error { |
| paddy@77 | 99 m.sessionLock.Lock() |
| paddy@77 | 100 defer m.sessionLock.Unlock() |
| paddy@77 | 101 if _, ok := m.sessions[session.ID]; ok { |
| paddy@77 | 102 return ErrSessionAlreadyExists |
| paddy@77 | 103 } |
| paddy@77 | 104 m.sessions[session.ID] = session |
| paddy@77 | 105 return nil |
| paddy@77 | 106 } |
| paddy@77 | 107 |
| paddy@77 | 108 func (m *memstore) getSession(id string) (Session, error) { |
| paddy@77 | 109 m.sessionLock.RLock() |
| paddy@77 | 110 defer m.sessionLock.RUnlock() |
| paddy@77 | 111 if _, ok := m.sessions[id]; !ok { |
| paddy@77 | 112 return Session{}, ErrSessionNotFound |
| paddy@77 | 113 } |
| paddy@77 | 114 return m.sessions[id], nil |
| paddy@77 | 115 } |
| paddy@77 | 116 |
| paddy@77 | 117 func (m *memstore) removeSession(id string) error { |
| paddy@77 | 118 m.sessionLock.Lock() |
| paddy@77 | 119 defer m.sessionLock.Unlock() |
| paddy@77 | 120 if _, ok := m.sessions[id]; !ok { |
| paddy@77 | 121 return ErrSessionNotFound |
| paddy@77 | 122 } |
| paddy@77 | 123 delete(m.sessions, id) |
| paddy@77 | 124 return nil |
| paddy@77 | 125 } |
| paddy@77 | 126 |
| paddy@77 | 127 func (m *memstore) listSessions(profile uuid.ID, before time.Time, num int64) ([]Session, error) { |
| paddy@77 | 128 m.sessionLock.RLock() |
| paddy@77 | 129 defer m.sessionLock.RUnlock() |
| paddy@77 | 130 res := []Session{} |
| paddy@77 | 131 for _, session := range m.sessions { |
| paddy@77 | 132 if int64(len(res)) >= num { |
| paddy@77 | 133 break |
| paddy@77 | 134 } |
| paddy@77 | 135 if profile != nil && !profile.Equal(session.ProfileID) { |
| paddy@77 | 136 continue |
| paddy@77 | 137 } |
| paddy@77 | 138 if !before.IsZero() && session.Created.After(before) { |
| paddy@77 | 139 continue |
| paddy@77 | 140 } |
| paddy@77 | 141 res = append(res, session) |
| paddy@77 | 142 } |
| paddy@89 | 143 sorted := sortedSessions(res) |
| paddy@89 | 144 sort.Sort(sorted) |
| paddy@89 | 145 res = []Session(sorted) |
| paddy@77 | 146 return res, nil |
| paddy@77 | 147 } |
| paddy@98 | 148 |
| paddy@98 | 149 // RegisterSessionHandlers adds handlers to the passed router to handle the session endpoints, like login and logout. |
| paddy@98 | 150 func RegisterSessionHandlers(r *mux.Router, context Context) { |
| paddy@98 | 151 r.Handle("/login", wrap(context, CreateSessionHandler)) |
| paddy@128 | 152 // BUG(paddy): We need to implement a handler for listing sessions active on a profile. |
| paddy@128 | 153 // BUG(paddy): We need to implement a handler for terminating sessions. |
| paddy@98 | 154 } |
| paddy@98 | 155 |
| paddy@132 | 156 func checkCSRF(r *http.Request, s Session) error { |
| paddy@132 | 157 if r.PostFormValue("csrftoken") != s.CSRFToken { |
| paddy@132 | 158 return ErrCSRFAttempt |
| paddy@132 | 159 } |
| paddy@132 | 160 return nil |
| paddy@132 | 161 } |
| paddy@132 | 162 |
| paddy@98 | 163 func checkCookie(r *http.Request, context Context) (Session, error) { |
| paddy@98 | 164 cookie, err := r.Cookie(authCookieName) |
| paddy@98 | 165 if err == http.ErrNoCookie { |
| paddy@98 | 166 return Session{}, ErrNoSession |
| paddy@98 | 167 } else if err != nil { |
| paddy@98 | 168 log.Println(err) |
| paddy@98 | 169 return Session{}, err |
| paddy@98 | 170 } |
| paddy@98 | 171 sess, err := context.GetSession(cookie.Value) |
| paddy@98 | 172 if err == ErrSessionNotFound { |
| paddy@98 | 173 return Session{}, ErrInvalidSession |
| paddy@98 | 174 } else if err != nil { |
| paddy@98 | 175 return Session{}, err |
| paddy@98 | 176 } |
| paddy@98 | 177 if !sess.Active { |
| paddy@98 | 178 return Session{}, ErrInvalidSession |
| paddy@98 | 179 } |
| paddy@132 | 180 if time.Now().After(sess.Expires) { |
| paddy@132 | 181 return Session{}, ErrInvalidSession |
| paddy@132 | 182 } |
| paddy@98 | 183 return sess, nil |
| paddy@98 | 184 } |
| paddy@98 | 185 |
| paddy@98 | 186 func buildLoginRedirect(r *http.Request, context Context) string { |
| paddy@98 | 187 if context.loginURI == nil { |
| paddy@98 | 188 return "" |
| paddy@98 | 189 } |
| paddy@98 | 190 uri := *context.loginURI |
| paddy@98 | 191 q := uri.Query() |
| paddy@98 | 192 q.Set("from", r.URL.String()) |
| paddy@98 | 193 uri.RawQuery = q.Encode() |
| paddy@98 | 194 return uri.String() |
| paddy@98 | 195 } |
| paddy@98 | 196 |
| paddy@98 | 197 func pbkdf2sha256check(profile Profile, passphrase string) (bool, error) { |
| paddy@98 | 198 realPass, err := hex.DecodeString(profile.Passphrase) |
| paddy@98 | 199 if err != nil { |
| paddy@98 | 200 return false, err |
| paddy@98 | 201 } |
| paddy@103 | 202 realSalt, err := hex.DecodeString(profile.Salt) |
| paddy@103 | 203 if err != nil { |
| paddy@103 | 204 return false, err |
| paddy@103 | 205 } |
| paddy@103 | 206 candidate := pass.Check(sha256.New, profile.Iterations, []byte(passphrase), []byte(realSalt)) |
| paddy@98 | 207 if !pass.Compare(candidate, realPass) { |
| paddy@98 | 208 return false, ErrIncorrectAuth |
| paddy@98 | 209 } |
| paddy@98 | 210 return true, nil |
| paddy@98 | 211 } |
| paddy@98 | 212 |
| paddy@103 | 213 func pbkdf2sha256create(passphrase string, iters int) (result, salt string, err error) { |
| paddy@103 | 214 passBytes, saltBytes, err := pass.Create(sha256.New, iters, []byte(passphrase)) |
| paddy@103 | 215 if err != nil { |
| paddy@103 | 216 return "", "", err |
| paddy@103 | 217 } |
| paddy@103 | 218 result = hex.EncodeToString(passBytes) |
| paddy@103 | 219 salt = hex.EncodeToString(saltBytes) |
| paddy@103 | 220 return result, salt, err |
| paddy@98 | 221 } |
| paddy@98 | 222 |
| paddy@98 | 223 func pbkdf2sha256calc() (int, error) { |
| paddy@98 | 224 return pass.CalculateIterations(sha256.New) |
| paddy@98 | 225 } |
| paddy@98 | 226 |
| paddy@139 | 227 func isAuthError(err error) bool { |
| paddy@139 | 228 return err == ErrIncorrectAuth || err == ErrProfileCompromised || err == ErrProfileLocked || err == ErrInvalidPassphraseScheme |
| paddy@139 | 229 } |
| paddy@139 | 230 |
| paddy@98 | 231 func authenticate(user, passphrase string, context Context) (Profile, error) { |
| paddy@98 | 232 profile, err := context.GetProfileByLogin(user) |
| paddy@98 | 233 if err != nil { |
| paddy@98 | 234 if err == ErrProfileNotFound || err == ErrLoginNotFound { |
| paddy@98 | 235 return Profile{}, ErrIncorrectAuth |
| paddy@98 | 236 } |
| paddy@98 | 237 return Profile{}, err |
| paddy@98 | 238 } |
| paddy@98 | 239 if profile.Compromised { |
| paddy@98 | 240 return Profile{}, ErrProfileCompromised |
| paddy@98 | 241 } |
| paddy@98 | 242 if !profile.LockedUntil.IsZero() && profile.LockedUntil.After(time.Now()) { |
| paddy@98 | 243 return profile, ErrProfileLocked |
| paddy@98 | 244 } |
| paddy@98 | 245 scheme, ok := passphraseSchemes[profile.PassphraseScheme] |
| paddy@98 | 246 if !ok { |
| paddy@98 | 247 return Profile{}, ErrInvalidPassphraseScheme |
| paddy@98 | 248 } |
| paddy@98 | 249 result, err := scheme.check(profile, passphrase) |
| paddy@98 | 250 if !result { |
| paddy@98 | 251 return Profile{}, err |
| paddy@98 | 252 } |
| paddy@98 | 253 return profile, nil |
| paddy@98 | 254 } |
| paddy@98 | 255 |
| paddy@98 | 256 // CreateSessionHandler allows the user to log into their account and create their session. |
| paddy@98 | 257 func CreateSessionHandler(w http.ResponseWriter, r *http.Request, context Context) { |
| paddy@98 | 258 errors := []error{} |
| paddy@98 | 259 if r.Method == "POST" { |
| paddy@98 | 260 profile, err := authenticate(r.PostFormValue("login"), r.PostFormValue("passphrase"), context) |
| paddy@98 | 261 if err == nil { |
| paddy@98 | 262 ip := r.Header.Get("X-Forwarded-For") |
| paddy@98 | 263 if ip == "" { |
| paddy@98 | 264 ip = r.RemoteAddr |
| paddy@98 | 265 } |
| paddy@132 | 266 sessionID := make([]byte, 32) |
| paddy@132 | 267 csrfToken := make([]byte, 32) |
| paddy@132 | 268 _, err = rand.Read(sessionID) |
| paddy@132 | 269 if err != nil { |
| paddy@132 | 270 log.Println("Error reading CSPRNG for session ID:", err) |
| paddy@132 | 271 w.WriteHeader(http.StatusInternalServerError) |
| paddy@132 | 272 w.Write([]byte("Internal error")) |
| paddy@132 | 273 return |
| paddy@132 | 274 } |
| paddy@132 | 275 _, err = rand.Read(csrfToken) |
| paddy@132 | 276 if err != nil { |
| paddy@132 | 277 log.Println("Error reading CSPRNG for CSRF token:", err) |
| paddy@132 | 278 w.WriteHeader(http.StatusInternalServerError) |
| paddy@132 | 279 w.Write([]byte("internal error")) |
| paddy@132 | 280 return |
| paddy@132 | 281 } |
| paddy@98 | 282 session := Session{ |
| paddy@132 | 283 ID: base64.StdEncoding.EncodeToString(sessionID), |
| paddy@98 | 284 IP: ip, |
| paddy@98 | 285 UserAgent: r.UserAgent(), |
| paddy@98 | 286 ProfileID: profile.ID, |
| paddy@98 | 287 Login: r.PostFormValue("login"), |
| paddy@98 | 288 Created: time.Now(), |
| paddy@132 | 289 Expires: time.Now().Add(time.Hour), |
| paddy@98 | 290 Active: true, |
| paddy@132 | 291 CSRFToken: base64.StdEncoding.EncodeToString(csrfToken), |
| paddy@98 | 292 } |
| paddy@98 | 293 err = context.CreateSession(session) |
| paddy@98 | 294 if err != nil { |
| paddy@98 | 295 w.WriteHeader(http.StatusInternalServerError) |
| paddy@98 | 296 w.Write([]byte(err.Error())) |
| paddy@98 | 297 return |
| paddy@98 | 298 } |
| paddy@132 | 299 // BUG(paddy): We really need to do a security audit on our cookies. |
| paddy@98 | 300 cookie := http.Cookie{ |
| paddy@98 | 301 Name: authCookieName, |
| paddy@98 | 302 Value: session.ID, |
| paddy@132 | 303 Expires: session.Expires, |
| paddy@98 | 304 HttpOnly: true, |
| paddy@132 | 305 Secure: context.config.secureCookie, |
| paddy@98 | 306 } |
| paddy@98 | 307 http.SetCookie(w, &cookie) |
| paddy@98 | 308 redirectTo := r.URL.Query().Get("from") |
| paddy@98 | 309 if redirectTo == "" { |
| paddy@98 | 310 redirectTo = "/" |
| paddy@98 | 311 } |
| paddy@98 | 312 http.Redirect(w, r, redirectTo, http.StatusFound) |
| paddy@98 | 313 return |
| paddy@139 | 314 } else if !isAuthError(err) { |
| paddy@98 | 315 w.WriteHeader(http.StatusInternalServerError) |
| paddy@98 | 316 w.Write([]byte(err.Error())) |
| paddy@98 | 317 return |
| paddy@98 | 318 } else { |
| paddy@98 | 319 errors = append(errors, err) |
| paddy@98 | 320 } |
| paddy@98 | 321 } |
| paddy@98 | 322 context.Render(w, loginTemplateName, map[string]interface{}{ |
| paddy@98 | 323 "errors": errors, |
| paddy@98 | 324 }) |
| paddy@98 | 325 } |
| paddy@119 | 326 |
| paddy@135 | 327 func credentialsValidate(w http.ResponseWriter, r *http.Request, context Context) (scopes []string, profileID uuid.ID, valid bool) { |
| paddy@119 | 328 enc := json.NewEncoder(w) |
| paddy@119 | 329 username := r.PostFormValue("username") |
| paddy@119 | 330 password := r.PostFormValue("password") |
| paddy@135 | 331 scopes = strings.Split(r.PostFormValue("scope"), " ") |
| paddy@119 | 332 profile, err := authenticate(username, password, context) |
| paddy@119 | 333 if err != nil { |
| paddy@139 | 334 if isAuthError(err) { |
| paddy@119 | 335 w.WriteHeader(http.StatusBadRequest) |
| paddy@119 | 336 renderJSONError(enc, "invalid_grant") |
| paddy@119 | 337 return |
| paddy@119 | 338 } |
| paddy@119 | 339 w.WriteHeader(http.StatusInternalServerError) |
| paddy@119 | 340 w.Write([]byte(err.Error())) |
| paddy@119 | 341 return |
| paddy@119 | 342 } |
| paddy@119 | 343 profileID = profile.ID |
| paddy@119 | 344 valid = true |
| paddy@119 | 345 return |
| paddy@119 | 346 } |
| paddy@124 | 347 |
| paddy@124 | 348 func credentialsAuditString(r *http.Request) string { |
| paddy@124 | 349 return "credentials" |
| paddy@124 | 350 } |