Move to package
This commit is contained in:
Philipp Heckel
parent
b908f07355
commit
f388fd9c90
4 changed files with 59 additions and 50 deletions
|
|
@ -1,28 +0,0 @@
|
|||
package server
|
||||
|
||||
// auth is a generic interface to implement password-based authentication and authorization
|
||||
type auth interface {
|
||||
Authenticate(user, pass string) (*user, error)
|
||||
Authorize(user *user, topic string, perm int) error
|
||||
}
|
||||
|
||||
type user struct {
|
||||
Name string
|
||||
Role string
|
||||
}
|
||||
|
||||
const (
|
||||
permRead = 1
|
||||
permWrite = 2
|
||||
)
|
||||
|
||||
const (
|
||||
roleAdmin = "admin"
|
||||
roleUser = "user"
|
||||
roleNone = "none"
|
||||
)
|
||||
|
||||
var everyone = &user{
|
||||
Name: "",
|
||||
Role: roleNone,
|
||||
}
|
||||
|
|
@ -1,157 +0,0 @@
|
|||
package server
|
||||
|
||||
import (
|
||||
"database/sql"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
/*
|
||||
|
||||
SELECT * FROM user;
|
||||
SELECT * FROM user_topic;
|
||||
|
||||
INSERT INTO user VALUES ('phil','$2a$06$.4W0LI5mcxzxhpjUvpTaNeu0MhRO0T7B.CYnmAkRnlztIy7PrSODu', 'admin');
|
||||
INSERT INTO user VALUES ('ben','$2a$06$skJK/AecWCUmiCjr69ke.Ow/hFA616RdvJJPxnI221zyohsRlyXL.', 'user');
|
||||
INSERT INTO user VALUES ('marian','$2a$10$8U90swQIatvHHI4sw0Wo7.OUy6dUwzMcoOABi6BsS4uF0x3zcSXRW', 'user');
|
||||
|
||||
INSERT INTO user_topic VALUES ('ben','alerts',1,1);
|
||||
INSERT INTO user_topic VALUES ('marian','alerts',1,0);
|
||||
INSERT INTO user_topic VALUES ('','announcements',1,0);
|
||||
INSERT INTO user_topic VALUES ('','write-all',1,1);
|
||||
|
||||
---
|
||||
dabbling for CLI
|
||||
ntfy user add phil --role=admin
|
||||
ntfy user del phil
|
||||
ntfy user change-pass phil
|
||||
ntfy user allow phil mytopic
|
||||
ntfy user allow phil mytopic --read-only
|
||||
ntfy user deny phil mytopic
|
||||
ntfy user list
|
||||
phil (admin)
|
||||
- read-write access to everything
|
||||
ben (user)
|
||||
- read-write access to a topic alerts
|
||||
- read access to
|
||||
everyone (no user)
|
||||
- read-only access to topic announcements
|
||||
|
||||
|
||||
*/
|
||||
|
||||
const (
|
||||
createAuthTablesQueries = `
|
||||
BEGIN;
|
||||
CREATE TABLE IF NOT EXISTS user (
|
||||
user TEXT NOT NULL PRIMARY KEY,
|
||||
pass TEXT NOT NULL,
|
||||
role TEXT NOT NULL
|
||||
);
|
||||
CREATE TABLE IF NOT EXISTS user_topic (
|
||||
user TEXT NOT NULL,
|
||||
topic TEXT NOT NULL,
|
||||
read INT NOT NULL,
|
||||
write INT NOT NULL,
|
||||
PRIMARY KEY (topic, user)
|
||||
);
|
||||
CREATE TABLE IF NOT EXISTS schema_version (
|
||||
id INT PRIMARY KEY,
|
||||
version INT NOT NULL
|
||||
);
|
||||
COMMIT;
|
||||
`
|
||||
selectUserQuery = `SELECT pass, role FROM user WHERE user = ?`
|
||||
selectTopicPermsQuery = `
|
||||
SELECT read, write
|
||||
FROM user_topic
|
||||
WHERE user IN ('', ?) AND topic = ?
|
||||
ORDER BY user DESC
|
||||
`
|
||||
)
|
||||
|
||||
type sqliteAuth struct {
|
||||
db *sql.DB
|
||||
defaultRead bool
|
||||
defaultWrite bool
|
||||
}
|
||||
|
||||
var _ auth = (*sqliteAuth)(nil)
|
||||
|
||||
func newSqliteAuth(filename string, defaultRead, defaultWrite bool) (*sqliteAuth, error) {
|
||||
db, err := sql.Open("sqlite3", filename)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err := setupNewAuthDB(db); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &sqliteAuth{
|
||||
db: db,
|
||||
defaultRead: defaultRead,
|
||||
defaultWrite: defaultWrite,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func setupNewAuthDB(db *sql.DB) error {
|
||||
if _, err := db.Exec(createAuthTablesQueries); err != nil {
|
||||
return err
|
||||
}
|
||||
// FIXME schema version
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *sqliteAuth) Authenticate(username, password string) (*user, error) {
|
||||
rows, err := a.db.Query(selectUserQuery, username)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var hash, role string
|
||||
if rows.Next() {
|
||||
if err := rows.Scan(&hash, &role); err != nil {
|
||||
return nil, err
|
||||
} else if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &user{
|
||||
Name: username,
|
||||
Role: role,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (a *sqliteAuth) Authorize(user *user, topic string, perm int) error {
|
||||
if user.Role == roleAdmin {
|
||||
return nil // Admin can do everything
|
||||
}
|
||||
// Select the read/write permissions for this user/topic combo. The query may return two
|
||||
// rows (one for everyone, and one for the user), but prioritizes the user. The value for
|
||||
// user.Name may be empty (= everyone).
|
||||
rows, err := a.db.Query(selectTopicPermsQuery, user.Name, topic)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer rows.Close()
|
||||
if !rows.Next() {
|
||||
return a.resolvePerms(a.defaultRead, a.defaultWrite, perm)
|
||||
}
|
||||
var read, write bool
|
||||
if err := rows.Scan(&read, &write); err != nil {
|
||||
return err
|
||||
} else if err := rows.Err(); err != nil {
|
||||
return err
|
||||
}
|
||||
return a.resolvePerms(read, write, perm)
|
||||
}
|
||||
|
||||
func (a *sqliteAuth) resolvePerms(read, write bool, perm int) error {
|
||||
if perm == permRead && read {
|
||||
return nil
|
||||
} else if perm == permWrite && write {
|
||||
return nil
|
||||
}
|
||||
return errHTTPUnauthorized
|
||||
}
|
||||
|
|
@ -14,6 +14,7 @@ import (
|
|||
"github.com/gorilla/websocket"
|
||||
"golang.org/x/sync/errgroup"
|
||||
"google.golang.org/api/option"
|
||||
"heckel.io/ntfy/auth"
|
||||
"heckel.io/ntfy/util"
|
||||
"html/template"
|
||||
"io"
|
||||
|
|
@ -46,7 +47,7 @@ type Server struct {
|
|||
firebase subscriber
|
||||
mailer mailer
|
||||
messages int64
|
||||
auth auth
|
||||
auth auth.Auth
|
||||
cache cache
|
||||
fileCache *fileCache
|
||||
closeChan chan bool
|
||||
|
|
@ -141,9 +142,9 @@ func New(conf *Config) (*Server, error) {
|
|||
return nil, err
|
||||
}
|
||||
}
|
||||
var auth auth
|
||||
var auther auth.Auth
|
||||
if conf.AuthFile != "" {
|
||||
auth, err = newSqliteAuth(conf.AuthFile, conf.AuthDefaultRead, conf.AuthDefaultWrite)
|
||||
auther, err = auth.NewSQLiteAuth(conf.AuthFile, conf.AuthDefaultRead, conf.AuthDefaultWrite)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -155,7 +156,7 @@ func New(conf *Config) (*Server, error) {
|
|||
firebase: firebaseSubscriber,
|
||||
mailer: mailer,
|
||||
topics: topics,
|
||||
auth: auth,
|
||||
auth: auther,
|
||||
visitors: make(map[string]*visitor),
|
||||
}, nil
|
||||
}
|
||||
|
|
@ -1117,14 +1118,14 @@ func (s *Server) limitRequests(next handleFunc) handleFunc {
|
|||
}
|
||||
|
||||
func (s *Server) authWrite(next handleFunc) handleFunc {
|
||||
return s.withAuth(next, permWrite)
|
||||
return s.withAuth(next, auth.PermissionWrite)
|
||||
}
|
||||
|
||||
func (s *Server) authRead(next handleFunc) handleFunc {
|
||||
return s.withAuth(next, permRead)
|
||||
return s.withAuth(next, auth.PermissionRead)
|
||||
}
|
||||
|
||||
func (s *Server) withAuth(next handleFunc, perm int) handleFunc {
|
||||
func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
|
||||
if s.auth == nil {
|
||||
return next(w, r, v)
|
||||
|
|
@ -1133,7 +1134,7 @@ func (s *Server) withAuth(next handleFunc, perm int) handleFunc {
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
user := everyone
|
||||
user := auth.Everyone
|
||||
username, password, ok := r.BasicAuth()
|
||||
if ok {
|
||||
if user, err = s.auth.Authenticate(username, password); err != nil {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue