auth

Paddy 2015-03-18 Parent:23c1a07c8a61 Child:06fb735031bb

145:e660a38fa936 Go to Latest

auth/profile.go

Implement UpdateProfileHandler. Implement a handler that will allow users to update their Profiles through the API.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "encoding/json"

5 "errors"

6 "net/http"

7 "regexp"

8 "strings"

9 "time"

11 "code.secondbit.org/uuid.hg"

12 "github.com/extemporalgenome/slug"

13 "github.com/gorilla/mux"

14 )

16 const (

17 // MinPassphraseLength is the minimum length, in bytes, of a passphrase, exclusive.

18 MinPassphraseLength = 6

19 // MaxPassphraseLength is the maximum length, in bytes, of a passphrase, exclusive.

20 MaxPassphraseLength = 64

21 // CurPassphraseScheme is the current passphrase scheme. Incrememnt it when we use a different passphrase scheme

22 CurPassphraseScheme = 1

23 // MaxNameLength is the maximum length, in bytes, of a name, exclusive.

24 MaxNameLength = 64

25 // MaxUsernameLength is the maximum length, in bytes, of a username, exclusive.

26 MaxUsernameLength = 16

27 // MaxEmailLength is the maximum length, in bytes, of an email address, exclusive.

28 MaxEmailLength = 64

29 )

31 var (

32 // ErrNoProfileStore is returned when a Context tries to act on a profileStore without setting one first.

33 ErrNoProfileStore = errors.New("no profileStore was specified for the Context")

34 // ErrProfileAlreadyExists is returned when a Profile is added to a profileStore, but another Profile with

35 // the same ID already exists in the profileStore.

36 ErrProfileAlreadyExists = errors.New("profile already exists in profileStore")

37 // ErrProfileNotFound is returned when a Profile is requested but not found in the profileStore.

38 ErrProfileNotFound = errors.New("profile not found in profileStore")

39 // ErrLoginAlreadyExists is returned when a Login is added to a profileStore, but another Login with the same

40 // Type and Value already exists in the profileStore.

41 ErrLoginAlreadyExists = errors.New("login already exists in profileStore")

42 // ErrLoginNotFound is returned when a Login is requested but not found in the profileStore.

43 ErrLoginNotFound = errors.New("login not found in profileStore")

45 // ErrMissingPassphrase is returned when a ProfileChange is validated but does not contain a

46 // Passphrase, and requires one.

47 ErrMissingPassphrase = errors.New("missing passphrase")

48 // ErrMissingPassphraseReset is returned when a ProfileChange is validated but does not contain

49 // a PassphraseReset, and requires one.

50 ErrMissingPassphraseReset = errors.New("missing passphrase reset")

51 // ErrMissingPassphraseResetCreated is returned when a ProfileChange is validated but does not

52 // contain a PassphraseResetCreated, and requires one.

53 ErrMissingPassphraseResetCreated = errors.New("missing passphrase reset created timestamp")

54 // ErrPassphraseTooShort is returned when a ProfileChange is validated and contains a Passphrase,

55 // but the Passphrase is shorter than MinPassphraseLength.

56 ErrPassphraseTooShort = errors.New("passphrase too short")

57 // ErrPassphraseTooLong is returned when a ProfileChange is validated and contains a Passphrase,

58 // but the Passphrase is longer than MaxPassphraseLength.

59 ErrPassphraseTooLong = errors.New("passphrase too long")

61 // ErrProfileCompromised is returned when a user tries to log in with a profile that is suspected

62 // of being compromised.

63 ErrProfileCompromised = errors.New("profile compromised")

64 // ErrProfileLocked is returned when a user tries to log in with a profile that is locked for a certain

65 // duration, to prevent brute force attacks.

66 ErrProfileLocked = errors.New("profile locked")

67 )

69 // Profile represents a single user of the service,

70 // including their authentication information, but not

71 // including their username or email.

72 type Profile struct {

73 ID uuid.ID `json:"id,omitempty"`

74 Name string `json:"name,omitempty"`

75 Passphrase string `json:"-"`

76 Iterations int `json:"-"`

77 Salt string `json:"-"`

78 PassphraseScheme int `json:"-"`

79 Compromised bool `json:"-"`

80 LockedUntil time.Time `json:"-"`

81 PassphraseReset string `json:"-"`

82 PassphraseResetCreated time.Time `json:"-"`

83 Created time.Time `json:"created,omitempty"`

84 LastSeen time.Time `json:"last_seen,omitempty"`

85 }

87 // ApplyChange applies the properties of the passed ProfileChange

88 // to the Profile it is called on.

89 func (p *Profile) ApplyChange(change ProfileChange) {

90 if change.Name != nil {

91 p.Name = *change.Name

92 }

93 if change.Passphrase != nil {

94 p.Passphrase = *change.Passphrase

95 }

96 if change.Iterations != nil {

97 p.Iterations = *change.Iterations

98 }

99 if change.Salt != nil {

100 p.Salt = *change.Salt

101 }

102 if change.PassphraseScheme != nil {

103 p.PassphraseScheme = *change.PassphraseScheme

104 }

105 if change.Compromised != nil {

106 p.Compromised = *change.Compromised

107 }

108 if change.LockedUntil != nil {

109 p.LockedUntil = *change.LockedUntil

110 }

111 if change.PassphraseReset != nil {

112 p.PassphraseReset = *change.PassphraseReset

113 }

114 if change.PassphraseResetCreated != nil {

115 p.PassphraseResetCreated = *change.PassphraseResetCreated

116 }

117 if change.LastSeen != nil {

118 p.LastSeen = *change.LastSeen

119 }

120 }

121

122 // ApplyBulkChange applies the properties of the passed BulkProfileChange

123 // to the Profile it is called on.

124 func (p *Profile) ApplyBulkChange(change BulkProfileChange) {

125 if change.Compromised != nil {

126 p.Compromised = *change.Compromised

127 }

128 }

129

130 // ProfileChange represents a single atomic change to a Profile's mutable data.

131 type ProfileChange struct {

132 Name *string

133 Passphrase *string

134 Iterations *int

135 Salt *string

136 PassphraseScheme *int

137 Compromised *bool

138 LockedUntil *time.Time

139 PassphraseReset *string

140 PassphraseResetCreated *time.Time

141 LastSeen *time.Time

142 }

143

144 // Validate checks the ProfileChange it is called on

145 // and asserts its internal validity, or lack thereof.

146 // A descriptive error will be returned in the case of

147 // an invalid change.

148 func (c ProfileChange) Validate() error {

149 if c.Name == nil && c.Passphrase == nil && c.Iterations == nil && c.Salt == nil && c.PassphraseScheme == nil && c.Compromised == nil && c.LockedUntil == nil && c.PassphraseReset == nil && c.PassphraseResetCreated == nil && c.LastSeen == nil {

150 return ErrEmptyChange

151 }

152 if c.PassphraseScheme != nil && c.Passphrase == nil {

153 return ErrMissingPassphrase

154 }

155 if c.PassphraseReset != nil && c.PassphraseResetCreated == nil {

156 return ErrMissingPassphraseResetCreated

157 }

158 if c.PassphraseReset == nil && c.PassphraseResetCreated != nil {

159 return ErrMissingPassphraseReset

160 }

161 if c.Salt != nil && c.Passphrase == nil {

162 return ErrMissingPassphrase

163 }

164 if c.Iterations != nil && c.Passphrase == nil {

165 return ErrMissingPassphrase

166 }

167 return nil

168 }

169

170 // BulkProfileChange represents a single atomic change to many Profiles' mutable data.

171 // It is a subset of a ProfileChange, as it doesn't make sense to mutate some of the

172 // ProfileChange values across many Profiles all at once.

173 type BulkProfileChange struct {

174 Compromised *bool

175 }

176

177 // Validate checks the BulkProfileChange it is called on

178 // and asserts its internal validity, or lack thereof.

179 // A descriptive error will be returned in the case of an

180 // invalid change.

181 func (b BulkProfileChange) Validate() error {

182 if b.Compromised == nil {

183 return ErrEmptyChange

184 }

185 return nil

186 }

187

188 // Login represents a single human-friendly identifier for

189 // a given Profile that can be used to log into that Profile.

190 // Each Profile may only have one Login for each Type.

191 type Login struct {

192 Type string `json:"type,omitempty"`

193 Value string `json:"value,omitempty"`

194 ProfileID uuid.ID `json:"profile_id,omitempty"`

195 Created time.Time `json:"created,omitempty"`

196 LastUsed time.Time `json:"last_used,omitempty"`

197 }

198

199 type newProfileRequest struct {

200 Username string `json:"username"`

201 Email string `json:"email"`

202 Passphrase string `json:"passphrase"`

203 Name string `json:"name"`

204 }

205

206 func validateNewProfileRequest(req *newProfileRequest) []requestError {

207 errors := []requestError{}

208 req.Name = strings.TrimSpace(req.Name)

209 req.Email = strings.TrimSpace(req.Email)

210 req.Username = slug.SlugAscii(strings.TrimSpace(req.Username))

211 if len(req.Passphrase) < MinPassphraseLength {

212 errors = append(errors, requestError{

213 Slug: requestErrInsufficient,

214 Field: "/passphrase",

215 })

216 }

217 if len(req.Passphrase) > MaxPassphraseLength {

218 errors = append(errors, requestError{

219 Slug: requestErrOverflow,

220 Field: "/passphrase",

221 })

222 }

223 if len(req.Name) > MaxNameLength {

224 errors = append(errors, requestError{

225 Slug: requestErrOverflow,

226 Field: "/name",

227 })

228 }

229 if len(req.Username) > MaxUsernameLength {

230 errors = append(errors, requestError{

231 Slug: requestErrOverflow,

232 Field: "/username",

233 })

234 }

235 if req.Email == "" {

236 errors = append(errors, requestError{

237 Slug: requestErrMissing,

238 Field: "/email",

239 })

240 }

241 if len(req.Email) > MaxEmailLength {

242 errors = append(errors, requestError{

243 Slug: requestErrOverflow,

244 Field: "/email",

245 })

246 }

247 re := regexp.MustCompile(".+@.+\\..+")

248 if !re.Match([]byte(req.Email)) {

249 errors = append(errors, requestError{

250 Slug: requestErrInvalidFormat,

251 Field: "/email",

252 })

253 }

254 return errors

255 }

256

257 type profileStore interface {

258 getProfileByID(id uuid.ID) (Profile, error)

259 getProfileByLogin(value string) (Profile, error)

260 saveProfile(profile Profile) error

261 updateProfile(id uuid.ID, change ProfileChange) error

262 updateProfiles(ids []uuid.ID, change BulkProfileChange) error

263 deleteProfile(id uuid.ID) error

264

265 addLogin(login Login) error

266 removeLogin(value string, profile uuid.ID) error

267 recordLoginUse(value string, when time.Time) error

268 listLogins(profile uuid.ID, num, offset int) ([]Login, error)

269 }

270

271 func (m *memstore) getProfileByID(id uuid.ID) (Profile, error) {

272 m.profileLock.RLock()

273 defer m.profileLock.RUnlock()

274 p, ok := m.profiles[id.String()]

275 if !ok {

276 return Profile{}, ErrProfileNotFound

277 }

278 return p, nil

279 }

280

281 func (m *memstore) getProfileByLogin(value string) (Profile, error) {

282 m.loginLock.RLock()

283 defer m.loginLock.RUnlock()

284 login, ok := m.logins[value]

285 if !ok {

286 return Profile{}, ErrLoginNotFound

287 }

288 m.profileLock.RLock()

289 defer m.profileLock.RUnlock()

290 profile, ok := m.profiles[login.ProfileID.String()]

291 if !ok {

292 return Profile{}, ErrProfileNotFound

293 }

294 return profile, nil

295 }

296

297 func (m *memstore) saveProfile(profile Profile) error {

298 m.profileLock.Lock()

299 defer m.profileLock.Unlock()

300 _, ok := m.profiles[profile.ID.String()]

301 if ok {

302 return ErrProfileAlreadyExists

303 }

304 m.profiles[profile.ID.String()] = profile

305 return nil

306 }

307

308 func (m *memstore) updateProfile(id uuid.ID, change ProfileChange) error {

309 m.profileLock.Lock()

310 defer m.profileLock.Unlock()

311 p, ok := m.profiles[id.String()]

312 if !ok {

313 return ErrProfileNotFound

314 }

315 p.ApplyChange(change)

316 m.profiles[id.String()] = p

317 return nil

318 }

319

320 func (m *memstore) updateProfiles(ids []uuid.ID, change BulkProfileChange) error {

321 m.profileLock.Lock()

322 defer m.profileLock.Unlock()

323 for id, profile := range m.profiles {

324 for _, i := range ids {

325 if id == i.String() {

326 profile.ApplyBulkChange(change)

327 m.profiles[id] = profile

328 break

329 }

330 }

331 }

332 return nil

333 }

334

335 func (m *memstore) deleteProfile(id uuid.ID) error {

336 m.profileLock.Lock()

337 defer m.profileLock.Unlock()

338 _, ok := m.profiles[id.String()]

339 if !ok {

340 return ErrProfileNotFound

341 }

342 delete(m.profiles, id.String())

343 return nil

344 }

345

346 func (m *memstore) addLogin(login Login) error {

347 m.loginLock.Lock()

348 defer m.loginLock.Unlock()

349 _, ok := m.logins[login.Value]

350 if ok {

351 return ErrLoginAlreadyExists

352 }

353 m.logins[login.Value] = login

354 m.profileLoginLookup[login.ProfileID.String()] = append(m.profileLoginLookup[login.ProfileID.String()], login.Value)

355 return nil

356 }

357

358 func (m *memstore) removeLogin(value string, profile uuid.ID) error {

359 m.loginLock.Lock()

360 defer m.loginLock.Unlock()

361 l, ok := m.logins[value]

362 if !ok {

363 return ErrLoginNotFound

364 }

365 if !l.ProfileID.Equal(profile) {

366 return ErrLoginNotFound

367 }

368 delete(m.logins, value)

369 pos := -1

370 for p, id := range m.profileLoginLookup[profile.String()] {

371 if id == value {

372 pos = p

373 break

374 }

375 }

376 if pos >= 0 {

377 m.profileLoginLookup[profile.String()] = append(m.profileLoginLookup[profile.String()][:pos], m.profileLoginLookup[profile.String()][pos+1:]...)

378 }

379 return nil

380 }

381

382 func (m *memstore) recordLoginUse(value string, when time.Time) error {

383 m.loginLock.Lock()

384 defer m.loginLock.Unlock()

385 l, ok := m.logins[value]

386 if !ok {

387 return ErrLoginNotFound

388 }

389 l.LastUsed = when

390 m.logins[value] = l

391 return nil

392 }

393

394 func (m *memstore) listLogins(profile uuid.ID, num, offset int) ([]Login, error) {

395 m.loginLock.RLock()

396 defer m.loginLock.RUnlock()

397 ids, ok := m.profileLoginLookup[profile.String()]

398 if !ok {

399 return []Login{}, nil

400 }

401 if len(ids) > num+offset {

402 ids = ids[offset : num+offset]

403 } else if len(ids) > offset {

404 ids = ids[offset:]

405 } else {

406 return []Login{}, nil

407 }

408 logins := []Login{}

409 for _, id := range ids {

410 login, ok := m.logins[id]

411 if !ok {

412 continue

413 }

414 logins = append(logins, login)

415 }

416 return logins, nil

417 }

418

419 // RegisterProfileHandlers adds handlers to the passed router to handle the profile endpoints, like registration and user retrieval.

420 func RegisterProfileHandlers(r *mux.Router, context Context) {

421 r.Handle("/profiles", wrap(context, CreateProfileHandler)).Methods("POST")

422 // BUG(paddy): We need to implement a handler that will return information about a profile or set of profiles.

423 r.Handle("/profiles/{id}", wrap(context, UpdateProfileHandler)).Methods("PATCH")

424 // BUG(paddy): We need to implement a handler that will delete a profile. What happens to clients/tokens/grants/sessions when a profile is deleted?

425 // BUG(paddy): We need to implement a handler that will add a login to a profile.

426 // BUG(paddy): We need to implement a handler that will remove a login from a profile. What happens to sessions created with that login?

427 // BUG(paddy): We need to implement a handler that will list the logins attached to a profile.

428 }

429

430 // CreateProfileHandler is an HTTP handler for registering new profiles.

431 func CreateProfileHandler(w http.ResponseWriter, r *http.Request, context Context) {

432 scheme, ok := passphraseSchemes[CurPassphraseScheme]

433 if !ok {

434 encode(w, r, http.StatusInternalServerError, actOfGodResponse)

435 return

436 }