auth

Paddy 2015-05-17 Parent:8ecb60d29b0d Child:5d52b9d83184

auth/profile.go

Make client use our auth(n/z) scheme. Our auth(n/z) scheme can be loosely defined as "encrypted tokens that nginx transforms into headers" and "scopes for bypassing ACL". Our Go client, which is what we'll be using to have services communicate with each other, follows this paradigm now by auto-injecting the headers we'll need to identify ourselves. This will work behind our firewall, but will be useless for the rest of the world, which will need to go through the nginx bastion that can strip the headers and replace them with the headers appropriate to the token attached to the request. This did involve setting a static client ID as the client for our email_verification listener. Ideally, this would cause Client registration (using that ID) when the listener starts up, ignoring ErrClientAlreadyExists. I don't want to have to write the code that will allow us to bypass the Client ACL properly right now, though, so we're just going to have to remember to manually create that Client. Or not. I don't think it will do any harm (outside the OAuth flow) to be using a Client ID that doesn't actually point to a Client. I just think it'd be good for record-keeping purposes.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "encoding/json"

5 "errors"

6 "log"

7 "net/http"

8 "regexp"

9 "strings"

10 "time"

12 "code.secondbit.org/uuid.hg"

13 "github.com/gorilla/mux"

14 )

16 const (

17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.

18 MinPassphraseLength = 6

19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.

20 MaxPassphraseLength = 64

21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme

22 CurPassphraseScheme = 1

23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive.

24 MaxNameLength = 64

25 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive.

26 MaxEmailLength = 64

27 )

29 var (

30 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.

31 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")

32 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with

33 // the same ID already exists in the profileStore.

34 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")

35 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.

36 ErrProfileNotFound = errors.New("profile not found in profileStore")

37 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same

38 // Type and Value already exists in the profileStore.

39 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")

40 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.

41 ErrLoginNotFound = errors.New("login not found in profileStore")

42 // ErrLoginVerificationInvalid is returned when a Login is verified with the wrong verification code.

43 ErrLoginVerificationInvalid = errors.New("login verification code incorrect")

45 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a

46 // Passphrase, and requires one.

47 ErrMissingPassphrase = errors.New("missing passphrase")

48 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain

49 // a PassphraseReset, and requires one.

50 ErrMissingPassphraseReset = errors.New("missing passphrase reset")

51 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not

52 // contain a PassphraseResetCreated, and requires one.

53 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")

54 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,

55 // but the Passphrase is shorter than MinPassphraseLength.

56 ErrPassphraseTooShort = errors.New("passphrase too short")

57 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,

58 // but the Passphrase is longer than MaxPassphraseLength.

59 ErrPassphraseTooLong = errors.New("passphrase too long")

61 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected

62 // of being compromised.

63 ErrProfileCompromised = errors.New("profile compromised")

64 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain

65 // duration, to prevent brute force attacks.

66 ErrProfileLocked = errors.New("profile locked")

68 ScopeLoginAdmin = Scope{ID: "login_admin", Name: "Administer Logins", Description: "Read and write logins, bypassing ACL."}

69 )

71 // Profile represents a single user of the service,

72 // including their authentication information.

73 type Profile struct {

74 ID uuid.ID `json:"id,omitempty"`

75 Name string `json:"name,omitempty"`

76 Passphrase string `json:"-"`

77 Iterations int `json:"-"`

78 Salt string `json:"-"`

79 PassphraseScheme int `json:"-"`

80 Compromised bool `json:"-"`

81 LockedUntil time.Time `json:"-"`

82 PassphraseReset string `json:"-"`

83 PassphraseResetCreated time.Time `json:"-"`

84 Created time.Time `json:"created,omitempty"`

85 LastSeen time.Time `json:"last_seen,omitempty"`

86 }

88 // ApplyChange applies the properties of the passed ProfileChange

89 // to the Profile it is called on.

90 func (p *Profile) ApplyChange(change ProfileChange) {

91 if change.Name != nil {

92 p.Name = *change.Name

93 }

94 if change.Passphrase != nil {

95 p.Passphrase = *change.Passphrase

96 }

97 if change.Iterations != nil {

98 p.Iterations = *change.Iterations

99 }

100 if change.Salt != nil {

101 p.Salt = *change.Salt

102 }

103 if change.PassphraseScheme != nil {

104 p.PassphraseScheme = *change.PassphraseScheme

105 }

106 if change.Compromised != nil {

107 p.Compromised = *change.Compromised

108 }

109 if change.LockedUntil != nil {

110 p.LockedUntil = *change.LockedUntil

111 }

112 if change.PassphraseReset != nil {

113 p.PassphraseReset = *change.PassphraseReset

114 }

115 if change.PassphraseResetCreated != nil {

116 p.PassphraseResetCreated = *change.PassphraseResetCreated

117 }

118 if change.LastSeen != nil {

119 p.LastSeen = *change.LastSeen

120 }

121 }

122

123 // ApplyBulkChange applies the properties of the passed BulkProfileChange

124 // to the Profile it is called on.

125 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {

126 if change.Compromised != nil {

127 p.Compromised = *change.Compromised

128 }

129 }

130

131 // ProfileChange represents a single atomic change to a Profile's mutable data.

132 type ProfileChange struct {

133 Name *string

134 Passphrase *string

135 Iterations *int

136 Salt *string

137 PassphraseScheme *int

138 Compromised *bool

139 LockedUntil *time.Time

140 PassphraseReset *string

141 PassphraseResetCreated *time.Time

142 LastSeen *time.Time

143 }

144

145 func (c ProfileChange) Empty() bool {

146 return (c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil)

147 }

148

149 // Validate checks the ProfileChange it is called on

150 // and asserts its internal validity, or lack thereof.

151 // A descriptive error will be returned in the case of

152 // an invalid change.

153 func (c ProfileChange) Validate() error {

154 if c.Empty() {

155 return ErrEmptyChange

156 }

157 if c.PassphraseScheme != nil && c.Passphrase == nil {

158 return ErrMissingPassphrase