From 09c06a4a0c4897761a5eadb3f8a70f629acf0243 Mon Sep 17 00:00:00 2001
From: Bel LaPointe
Date: Fri, 18 Feb 2022 08:05:50 -0700
Subject: [PATCH] impl test fileauth

---
 server/auth.go | 61 +++++++++++++++++++++
 server/auth_test.go | 118 +++++++++++++++++++++++++++++++++++++++++
 server/authenticate.go | 75 ++++++++++++++++++++++++++
 3 files changed, 254 insertions(+)
 create mode 100644 server/auth.go
 create mode 100644 server/auth_test.go
 create mode 100644 server/authenticate.go

diff --git a/server/auth.go b/server/auth.go
new file mode 100644
index 0000000..32d4fce
--- /dev/null
+++ b/server/auth.go
@@ -0,0 +1,61 @@
+package main
+
+import (
+ "errors"
+ "io/ioutil"
+
+ yaml "gopkg.in/yaml.v2"
+)
+
+type auth interface {
+ Login(string, string) (bool, error)
+ Groups(string) ([]string, error)
+}
+
+type FileAuth struct {
+ path string
+}
+
+type fileAuthContent struct {
+ Users map[string]struct {
+ Password string
+ Groups []string
+ }
+}
+
+func NewFileAuth(path string) FileAuth {
+ return FileAuth{path: path}
+}
+
+func (fileAuth FileAuth) Login(u, p string) (bool, error) {
+ content, err := fileAuth.load()
+ if err != nil {
+ return false, err
+ }
+ entry, ok := content.Users[u]
+ return ok && entry.Password == p, nil
+}
+
+func (fileAuth FileAuth) Groups(u string) ([]string, error) {
+ content, err := fileAuth.load()
+ if err != nil {
+ return nil, err
+ }
+ entry, ok := content.Users[u]
+ if !ok {
+ return nil, errors.New("invalid user")
+ }
+ return entry.Groups, nil
+}
+
+func (fileAuth FileAuth) load() (fileAuthContent, error) {
+ var fileAuthContent fileAuthContent
+ b, err := ioutil.ReadFile(fileAuth.path)
+ if err != nil {
+ return fileAuthContent, err
+ }
+ if err := yaml.Unmarshal(b, &fileAuthContent); err != nil {
+ return fileAuthContent, err
+ }
+ return fileAuthContent, nil
+}
diff --git a/server/auth_test.go b/server/auth_test.go
new file mode 100644
index 0000000..6fb3e18
--- /dev/null
+++ b/server/auth_test.go
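Review bot: `Login` verifies credentials with `entry.Password == p`, which means the YAML file holds plaintext passwords and the comparison short-circuits on the first differing byte. Store a password hash in the file and verify it with a constant-time check; as a first step `return ok && subtle.ConstantTimeCompare([]byte(entry.Password), []byte(p)) == 1, nil` with `crypto/subtle` imported, and a hash-based verifier once the file format is settled. The early `ok &&` still lets an unknown user be told apart by timing; comparing against a fixed dummy value when `!ok` closes that if user enumeration matters for this service. `ioutil.ReadFile` in `load` is deprecated since Go 1.16 in favour of `os.ReadFile`.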
@@ -0,0 +1,118 @@
+package main
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+ "path"
+ "testing"
+)
+
+func TestFileAuth(t *testing.T) {
+ user := "username"
+ passw := "password"
+ g := "group"
+ emptyp := func() string {
+ d := t.TempDir()
+ f, err := ioutil.TempFile(d, "login.yaml.*")
+ if err != nil {
+ t.Fatal(err)
+ }
+ f.Close()
+ return path.Join(d, f.Name())
+ }
+ goodp := func() string {
+ p := emptyp()
+ if err := ensureAndWrite(p, []byte(fmt.Sprintf(`{
+ "users": {
+ %q: {
+ "password": %q,
+ "groups": [%q]
+ }
+ }
+ }`, user, passw, g))); err != nil {
+ t.Fatal(err)
+ }
+ return p
+ }
+
+ t.Run("no file", func(t *testing.T) {
+ p := emptyp()
+ os.Remove(p)
+ fa := NewFileAuth(p)
+ if _, err := fa.Login(user, passw); err == nil {
+ t.Fatal(err)
+ }
+ })
+
+ t.Run("bad file", func(t *testing.T) {
+ p := emptyp()
+ if err := ensureAndWrite(p, []byte(`{"hello:}`)); err != nil {
+ t.Fatal(err)
+ }
+ fa := NewFileAuth(p)
+ if _, err := fa.Login(user, passw); err == nil {
+ t.Fatal(err)
+ }
+ })
+
+ t.Run("bad user", func(t *testing.T) {
+ p := goodp()
+ fa := NewFileAuth(p)
+ if ok, err := fa.Login("bad"+user, passw); err != nil {
+ t.Fatal(err)
+ } else if ok {
+ t.Fatal(ok)
+ }
+ })
+
+ t.Run("bad pass", func(t *testing.T) {
+ p := goodp()
+ fa := NewFileAuth(p)
+ if ok, err := fa.Login(user, "bad"+passw); err != nil {
+ t.Fatal(err)
+ } else if ok {
+ t.Fatal(ok)
+ }
+ })
+
+ t.Run("good load", func(t *testing.T) {
+ p := goodp()
+ fa := NewFileAuth(p)
+ got, err := fa.load()
+ if err != nil {
+ t.Fatal(err)
+ }
+ if len(got.Users) != 1 {
+ t.Error(got.Users)
+ }
+ if entry, ok := got.Users[user]; !ok {
+ t.Error(ok)
+ } else if entry.Password != passw {
+ t.Error(entry)
+ } else if len(entry.Groups) != 1 {
+ t.Error(entry.Groups)
+ } else if entry.Groups[0] != g {
+ t.Error(entry.Groups)
+ }
+ })
+
+ t.Run("good", func(t *testing.T) {
+ p := goodp()
+ b, _ := ioutil.ReadFile(p)
+ t.Logf("goodp: %s: %s", p, b)
+ fa := NewFileAuth(p)
+ if ok, err := fa.Login(user, passw); err != nil {
+ t.Fatal(err)
+ } else if !ok {
+ t.Fatal(ok)
+ }
+ if groups, err := fa.Groups(user); err != nil {
+ t.Fatal(err)
+ } else if len(groups) != 1 {
+ t.Fatal(groups)
+ } else if groups[0] != g {
+ t.Fatal(groups)
+ }
+ })
+}
diff --git a/server/authenticate.go b/server/authenticate.go
new file mode 100644
index 0000000..efad610
--- /dev/null
+++ b/server/authenticate.go
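Review bot: `emptyp` returns `path.Join(d, f.Name())`, but the `*os.File` returned by `ioutil.TempFile` already reports its full path under `d`, so `p` is a doubled path and the temp file just created is never the one the sub-tests operate on; `return f.Name()` is what was intended. The fixtures presumably pass only because `ensureAndWrite` (defined outside this diff) creates the missing parent directories. `path.Join` is for slash-separated URL-style paths; filesystem paths should go through `filepath.Join`. In the "no file" and "bad file" cases `t.Fatal(err)` is reached only when `err == nil`, so the failure message is `<nil>`; `t.Fatal("expected an error from Login")` would say what actually went wrong.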
@@ -0,0 +1,75 @@
+package main
+
+import (
+ "errors"
+ "net/http"
+ "time"
+)
+
+func (server *Server) authenticate(w http.ResponseWriter, r *http.Request) (*Server, bool, error) {
+ if err := server.parseLogin(w, r); err != nil {
+ return nil, false, err
+ }
+ if ok, err := server.needsLogin(r); err != nil {
+ return nil, false, err
+ } else if ok {
+ w.Header().Set("WWW-Authenticate", "Basic")
+ w.WriteHeader(http.StatusUnauthorized)
+ return nil, true, nil
+ }
+ // TODO: if bad cookie OR no cookie: https://blog.stevensanderson.com/2008/08/25/using-the-browsers-native-login-prompt/
+ // TODO: prompt for user-pass if nothing supplied
+ // TODO: login
+ // TODO: logged in
+ // TODO: get namespaces
+ // TODO: verify cookie namespace is OK
+ // TODO: ~~logout~~ // client side
+ return server.WithLoggedIn("", "", []string{}), false, errors.New("not impl")
+}
+
+func (server *Server) parseLogin(w http.ResponseWriter, r *http.Request) error {
+ username, password, ok := r.BasicAuth()
+ if !ok {
+ return nil
+ }
+ _, _ = username, password
+ server.setLoginCookie(w, r, "abc")
+ return errors.New("todo: use username+password to set cookie")
+}
+
+func (server *Server) needsLogin(r *http.Request) (bool, error) {
+ _, ok := server.loginCookie(r)
+ if !ok {
+ return true, nil
+ }
+ // TODO compare namespace + cookie groups
+ return false, errors.New("not impl")
+}
+
+func (server *Server) setLoginCookie(w http.ResponseWriter, r *http.Request, value string) {
+ cookie := &http.Cookie{
+ Name: "login",
+ Value: server.encodeCookie(value),
+ Expires: time.Now().Add(time.Hour * 24),
+ }
+ w.Header().Set("Set-Cookie", cookie.String())
+ r.AddCookie(cookie)
+}
+
+func (server *Server) loginCookie(r *http.Request) (string, bool) {
+ cookies := r.Cookies()
+ for i := range cookies {
+ if cookies[i].Name == "login" && time.Now().Before(cookies[i].Expires) {
+ return server.decodeCookie(cookies[i].Value)
+ }
+ }
+ return "", false
+}
+
+func (server *Server) decodeCookie(s string) (string, bool) {
+ panic("not impl")
+}
+
+func (server *Server) encodeCookie(s string) string {
+ panic("not impl")
+}
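Review bot: `loginCookie` tests `time.Now().Before(cookies[i].Expires)`, but cookies parsed from a request's `Cookie` header carry only `Name` and `Value`, so `Expires` is the zero `time.Time` and the condition never holds — no request can ever be treated as logged in. Expiry has to travel inside the signed cookie value and be checked by `decodeCookie` (still a stub here), and the loop should reduce to `if cookies[i].Name == "login" { return server.decodeCookie(cookies[i].Value) }`. `setLoginCookie` also issues the session cookie with `w.Header().Set("Set-Cookie", …)`, which overwrites any cookie set earlier in the same response, and without `HttpOnly`, `Secure`, `SameSite` or `Path`; `http.SetCookie` appends instead, and the attributes below keep the cookie out of script reach and off plaintext requests (`Secure` assumes the server is served over TLS, which this diff does not show). `r.AddCookie(cookie)` mutates the incoming request so the rest of the handler sees the cookie it just issued; that deserves a comment if it is intentional.
```go
func (server *Server) setLoginCookie(w http.ResponseWriter, r *http.Request, value string) {
	cookie := &http.Cookie{
		Name:     "login",
		Value:    server.encodeCookie(value),
		Path:     "/",
		Expires:  time.Now().Add(time.Hour * 24),
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	}
	http.SetCookie(w, cookie)
	r.AddCookie(cookie)
}
```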