impl test fileauth

server/auth.go

@@ -0,0 +1,61 @@
+package main
+
+import (
+	"errors"
+	"io/ioutil"
+
+	yaml "gopkg.in/yaml.v2"
+)
+
+type auth interface {
+	Login(string, string) (bool, error)
+	Groups(string) ([]string, error)
+}
+
+type FileAuth struct {
+	path string
+}
+
+type fileAuthContent struct {
+	Users map[string]struct {
+		Password string
+		Groups   []string
+	}
+}
+
+func NewFileAuth(path string) FileAuth {
+	return FileAuth{path: path}
+}
+
+func (fileAuth FileAuth) Login(u, p string) (bool, error) {
+	content, err := fileAuth.load()
+	if err != nil {
+		return false, err
+	}
+	entry, ok := content.Users[u]
+	return ok && entry.Password == p, nil
+}
+
+func (fileAuth FileAuth) Groups(u string) ([]string, error) {
+	content, err := fileAuth.load()
+	if err != nil {
+		return nil, err
+	}
+	entry, ok := content.Users[u]
+	if !ok {
+		return nil, errors.New("invalid user")
+	}
+	return entry.Groups, nil
+}
+
+func (fileAuth FileAuth) load() (fileAuthContent, error) {
+	var fileAuthContent fileAuthContent
+	b, err := ioutil.ReadFile(fileAuth.path)
+	if err != nil {
+		return fileAuthContent, err
+	}
+	if err := yaml.Unmarshal(b, &fileAuthContent); err != nil {
+		return fileAuthContent, err
+	}
+	return fileAuthContent, nil
+}

server/auth_test.go

@@ -0,0 +1,118 @@
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path"
+	"testing"
+)
+
+func TestFileAuth(t *testing.T) {
+	user := "username"
+	passw := "password"
+	g := "group"
+	emptyp := func() string {
+		d := t.TempDir()
+		f, err := ioutil.TempFile(d, "login.yaml.*")
+		if err != nil {
+			t.Fatal(err)
+		}
+		f.Close()
+		return path.Join(d, f.Name())
+	}
+	goodp := func() string {
+		p := emptyp()
+		if err := ensureAndWrite(p, []byte(fmt.Sprintf(`{
+			"users": {
+				%q: {
+					"password": %q,
+					"groups": [%q]
+				}
+			}
+		}`, user, passw, g))); err != nil {
+			t.Fatal(err)
+		}
+		return p
+	}
+
+	t.Run("no file", func(t *testing.T) {
+		p := emptyp()
+		os.Remove(p)
+		fa := NewFileAuth(p)
+		if _, err := fa.Login(user, passw); err == nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("bad file", func(t *testing.T) {
+		p := emptyp()
+		if err := ensureAndWrite(p, []byte(`{"hello:}`)); err != nil {
+			t.Fatal(err)
+		}
+		fa := NewFileAuth(p)
+		if _, err := fa.Login(user, passw); err == nil {
+			t.Fatal(err)
+		}
+	})
+
+	t.Run("bad user", func(t *testing.T) {
+		p := goodp()
+		fa := NewFileAuth(p)
+		if ok, err := fa.Login("bad"+user, passw); err != nil {
+			t.Fatal(err)
+		} else if ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("bad pass", func(t *testing.T) {
+		p := goodp()
+		fa := NewFileAuth(p)
+		if ok, err := fa.Login(user, "bad"+passw); err != nil {
+			t.Fatal(err)
+		} else if ok {
+			t.Fatal(ok)
+		}
+	})
+
+	t.Run("good load", func(t *testing.T) {
+		p := goodp()
+		fa := NewFileAuth(p)
+		got, err := fa.load()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if len(got.Users) != 1 {
+			t.Error(got.Users)
+		}
+		if entry, ok := got.Users[user]; !ok {
+			t.Error(ok)
+		} else if entry.Password != passw {
+			t.Error(entry)
+		} else if len(entry.Groups) != 1 {
+			t.Error(entry.Groups)
+		} else if entry.Groups[0] != g {
+			t.Error(entry.Groups)
+		}
+	})
+
+	t.Run("good", func(t *testing.T) {
+		p := goodp()
+		b, _ := ioutil.ReadFile(p)
+		t.Logf("goodp: %s: %s", p, b)
+		fa := NewFileAuth(p)
+		if ok, err := fa.Login(user, passw); err != nil {
+			t.Fatal(err)
+		} else if !ok {
+			t.Fatal(ok)
+		}
+		if groups, err := fa.Groups(user); err != nil {
+			t.Fatal(err)
+		} else if len(groups) != 1 {
+			t.Fatal(groups)
+		} else if groups[0] != g {
+			t.Fatal(groups)
+		}
+	})
+}

server/authenticate.go

@@ -0,0 +1,75 @@
+package main
+
+import (
+	"errors"
+	"net/http"
+	"time"
+)
+
+func (server *Server) authenticate(w http.ResponseWriter, r *http.Request) (*Server, bool, error) {
+	if err := server.parseLogin(w, r); err != nil {
+		return nil, false, err
+	}
+	if ok, err := server.needsLogin(r); err != nil {
+		return nil, false, err
+	} else if ok {
+		w.Header().Set("WWW-Authenticate", "Basic")
+		w.WriteHeader(http.StatusUnauthorized)
+		return nil, true, nil
+	}
+	// TODO: if bad cookie OR no cookie: https://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/
+	// TODO: prompt for user-pass if nothing supplied
+	// TODO: login
+	// TODO: logged in
+	// TODO: get namespaces
+	// TODO: verify cookie namespace is OK
+	// TODO: ~~logout~~ // client side
+	return server.WithLoggedIn("", "", []string{}), false, errors.New("not impl")
+}
+
+func (server *Server) parseLogin(w http.ResponseWriter, r *http.Request) error {
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		return nil
+	}
+	_, _ = username, password
+	server.setLoginCookie(w, r, "abc")
+	return errors.New("todo: use username+password to set cookie")
+}
+
+func (server *Server) needsLogin(r *http.Request) (bool, error) {
+	_, ok := server.loginCookie(r)
+	if !ok {
+		return true, nil
+	}
+	// TODO compare namespace + cookie groups
+	return false, errors.New("not impl")
+}
+
+func (server *Server) setLoginCookie(w http.ResponseWriter, r *http.Request, value string) {
+	cookie := &http.Cookie{
+		Name:    "login",
+		Value:   server.encodeCookie(value),
+		Expires: time.Now().Add(time.Hour * 24),
+	}
+	w.Header().Set("Set-Cookie", cookie.String())
+	r.AddCookie(cookie)
+}
+
+func (server *Server) loginCookie(r *http.Request) (string, bool) {
+	cookies := r.Cookies()
+	for i := range cookies {
+		if cookies[i].Name == "login" && time.Now().Before(cookies[i].Expires) {
+			return server.decodeCookie(cookies[i].Value)
+		}
+	}
+	return "", false
+}
+
+func (server *Server) decodeCookie(s string) (string, bool) {
+	panic("not impl")
+}
+
+func (server *Server) encodeCookie(s string) string {
+	panic("not impl")
+}