All the auth things are working now

2022-01-22 14:47:27 -05:00 · 2022-01-22 14:47:27 -05:00 · 86b20e8ccd
commit 86b20e8ccd
parent 2181227a6e
5 changed files with 194 additions and 20 deletions
--- a/server/auth_simple.go
+++ b/server/auth_simple.go
@ -1,9 +1,27 @@
 package server

+import (
+	"database/sql"
+	"fmt"
+	"golang.org/x/crypto/bcrypt"
+	"log"
+)
+
 /*
-sqlite> create table user (id int auto increment, user text, password text not null);
-sqlite> create table user_topic (user_id int not null, topic text not null, allow_write int, allow_read int);
-sqlite> create table topic (topic text primary key, allow_anonymous_write int, allow_anonymous_read int);
+
+SELECT * FROM user;
+SELECT * FROM topic;
+SELECT * FROM topic_user;
+
+INSERT INTO user VALUES('phil','$2a$06$.4W0LI5mcxzxhpjUvpTaNeu0MhRO0T7B.CYnmAkRnlztIy7PrSODu', 'admin');
+INSERT INTO user VALUES('ben','$2a$06$skJK/AecWCUmiCjr69ke.Ow/hFA616RdvJJPxnI221zyohsRlyXL.', 'user');
+INSERT INTO user VALUES('marian','$2a$06$N/BcXR0g6XUlmWttMqciWugR6xQKm2lVj31HLid6Mc4cnzpeOMgnq', 'user');
+
+INSERT INTO topic_user VALUES('alerts','ben',1,1);
+INSERT INTO topic_user VALUES('alerts','marian',1,0);
+
+INSERT INTO topic VALUES('announcements',1,0);
+
 */

 const (
@ -11,21 +29,169 @@ const (
 	permWrite = 2
 )

+const (
+	roleAdmin = "admin"
+	roleUser  = "user"
+	roleNone  = "none"
+)
+
+const (
+	createAuthTablesQueries = `
+		BEGIN;
+		CREATE TABLE IF NOT EXISTS user (
+			user TEXT NOT NULL PRIMARY KEY,
+			pass TEXT NOT NULL,
+			role TEXT NOT NULL
+		);
+		CREATE TABLE IF NOT EXISTS topic (
+			topic TEXT NOT NULL PRIMARY KEY,
+			anon_read INT NOT NULL,
+			anon_write INT NOT NULL			
+		);
+		CREATE TABLE IF NOT EXISTS topic_user (
+			topic TEXT NOT NULL,
+			user TEXT NOT NULL,		
+			read INT NOT NULL,
+			write INT NOT NULL,
+			PRIMARY KEY (topic, user)
+		);
+		CREATE TABLE IF NOT EXISTS schema_version (
+			id INT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		COMMIT;
+	`
+	selectUserQuery           = `SELECT pass FROM user WHERE user = ?`
+	selectTopicPermsAnonQuery = `SELECT ?, anon_read, anon_write FROM topic WHERE topic = ?`
+	selectTopicPermsUserQuery = `
+		SELECT role, IFNULL(read, 0), IFNULL(write, 0)
+		FROM user
+		LEFT JOIN topic_user ON user.user = topic_user.user AND topic_user.topic = ?
+		WHERE user.user = ?
+	`
+)
+
 type auther interface {
-	Authenticate(user, pass string) bool
-	Authorize(user, topic string, perm int) bool
+	Authenticate(user, pass string) error
+	Authorize(user, topic string, perm int) error
 }

 type memAuther struct {
 }

-func (m memAuther) Authenticate(user, pass string) bool {
-	return user == "phil" && pass == "phil"
+func (m *memAuther) Authenticate(user, pass string) error {
+	if user == "phil" && pass == "phil" {
+		return nil
+	}
+	return errHTTPUnauthorized
 }

-func (m memAuther) Authorize(user, topic string, perm int) bool {
+func (m *memAuther) Authorize(user, topic string, perm int) error {
 	if perm == permRead {
-		return true
+		return nil
 	}
-	return user == "phil" && topic == "mytopic"
+	if user == "phil" && topic == "mytopic" {
+		return nil
+	}
+	return errHTTPUnauthorized
+}
+
+type sqliteAuther struct {
+	db           *sql.DB
+	defaultRead  bool
+	defaultWrite bool
+}
+
+var _ auther = (*sqliteAuther)(nil)
+
+func newSqliteAuther(filename string, defaultRead, defaultWrite bool) (*sqliteAuther, error) {
+	db, err := sql.Open("sqlite3", filename)
+	if err != nil {
+		return nil, err
+	}
+	if err := setupNewAuthDB(db); err != nil {
+		return nil, err
+	}
+	return &sqliteAuther{
+		db:           db,
+		defaultRead:  defaultRead,
+		defaultWrite: defaultWrite,
+	}, nil
+}
+
+func setupNewAuthDB(db *sql.DB) error {
+	if _, err := db.Exec(createAuthTablesQueries); err != nil {
+		return err
+	}
+	// FIXME schema version
+	return nil
+}
+
+func (a *sqliteAuther) Authenticate(user, pass string) error {
+	rows, err := a.db.Query(selectUserQuery, user)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+	var hash string
+	if !rows.Next() {
+		return fmt.Errorf("user %s not found", user)
+	}
+	if err := rows.Scan(&hash); err != nil {
+		return err
+	} else if err := rows.Err(); err != nil {
+		return err
+	}
+	return bcrypt.CompareHashAndPassword([]byte(hash), []byte(pass))
+}
+
+func (a *sqliteAuther) Authorize(user, topic string, perm int) error {
+	if user == "" {
+		return a.authorizeAnon(topic, perm)
+	}
+	return a.authorizeUser(user, topic, perm)
+}
+
+func (a *sqliteAuther) authorizeAnon(topic string, perm int) error {
+	rows, err := a.db.Query(selectTopicPermsAnonQuery, roleNone, topic)
+	if err != nil {
+		return err
+	}
+	return a.checkPerms(rows, perm)
+}
+
+func (a *sqliteAuther) authorizeUser(user string, topic string, perm int) error {
+	rows, err := a.db.Query(selectTopicPermsUserQuery, topic, user)
+	if err != nil {
+		return err
+	}
+	return a.checkPerms(rows, perm)
+}
+
+func (a *sqliteAuther) checkPerms(rows *sql.Rows, perm int) error {
+	defer rows.Close()
+	if !rows.Next() {
+		return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)
+	}
+	var role string
+	var read, write bool
+	if err := rows.Scan(&role, &read, &write); err != nil {
+		return err
+	} else if err := rows.Err(); err != nil {
+		return err
+	}
+	log.Printf("%#v, %#v, %#v", role, read, write)
+	if role == roleAdmin {
+		return nil // Admin can do everything
+	}
+	return a.resolvePerms(read, write, perm)
+}
+
+func (a *sqliteAuther) resolvePerms(read, write bool, perm int) error {
+	if perm == permRead && read {
+		return nil
+	} else if perm == permWrite && write {
+		return nil
+	}
+	return errHTTPUnauthorized
 }
--- a/server/cache_sqlite.go
+++ b/server/cache_sqlite.go
@ -121,7 +121,7 @@ func newSqliteCache(filename string) (*sqliteCache, error) {
 	if err != nil {
 		return nil, err
 	}
-	if err := setupDB(db); err != nil {
+	if err := setupCacheDB(db); err != nil {
 		return nil, err
 	}
 	return &sqliteCache{
@ -340,11 +340,11 @@ func readMessages(rows *sql.Rows) ([]*message, error) {
 	return messages, nil
 }

-func setupDB(db *sql.DB) error {
+func setupCacheDB(db *sql.DB) error {
 	// If 'messages' table does not exist, this must be a new database
 	rowsMC, err := db.Query(selectMessagesCountQuery)
 	if err != nil {
-		return setupNewDB(db)
+		return setupNewCacheDB(db)
 	}
 	rowsMC.Close()

@ -377,7 +377,7 @@ func setupDB(db *sql.DB) error {
 	return fmt.Errorf("unexpected schema version found: %d", schemaVersion)
 }

-func setupNewDB(db *sql.DB) error {
+func setupNewCacheDB(db *sql.DB) error {
 	if _, err := db.Exec(createMessagesTableQuery); err != nil {
 		return err
 	}
--- a/server/server.go
+++ b/server/server.go
@ -141,6 +141,10 @@ func New(conf *Config) (*Server, error) {
 			return nil, err
 		}
 	}
+	auther, err := newSqliteAuther("user.db", false, false)
+	if err != nil {
+		return nil, err
+	}
 	return &Server{
 		config:    conf,
 		cache:     cache,
@ -148,7 +152,7 @@ func New(conf *Config) (*Server, error) {
 		firebase:  firebaseSubscriber,
 		mailer:    mailer,
 		topics:    topics,
-		auther:    &memAuther{},
+		auther:    auther,
 		visitors:  make(map[string]*visitor),
 	}, nil
 }
@ -1128,13 +1132,15 @@ func (s *Server) withAuth(next handleFunc, perm int) handleFunc {
 		}
 		user, pass, ok := r.BasicAuth()
 		if ok {
-			if !s.auther.Authenticate(user, pass) {
+			if err := s.auther.Authenticate(user, pass); err != nil {
+				log.Printf("authentication failed: %s", err.Error())
 				return errHTTPUnauthorized
 			}
 		} else {
 			user = "" // Just in case
 		}
-		if !s.auther.Authorize(user, t.ID, perm) {
+		if err := s.auther.Authorize(user, t.ID, perm); err != nil {
+			log.Printf("unauthorized: %s", err.Error())
 			return errHTTPUnauthorized
 		}
 		return next(w, r, v)