auth.go 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308
  1. package logic
  2. import (
  3. "encoding/json"
  4. "errors"
  5. "fmt"
  6. "time"
  7. "github.com/go-playground/validator/v10"
  8. "golang.org/x/crypto/bcrypt"
  9. "github.com/gravitl/netmaker/database"
  10. "github.com/gravitl/netmaker/logger"
  11. "github.com/gravitl/netmaker/models"
  12. )
  13. // HasSuperAdmin - checks if server has an superadmin/owner
  14. func HasSuperAdmin() (bool, error) {
  15. collection, err := database.FetchRecords(database.USERS_TABLE_NAME)
  16. if err != nil {
  17. if database.IsEmptyRecord(err) {
  18. return false, nil
  19. } else {
  20. return true, err
  21. }
  22. }
  23. for _, value := range collection { // filter for isadmin true
  24. var user models.User
  25. err = json.Unmarshal([]byte(value), &user)
  26. if err != nil {
  27. continue
  28. }
  29. if user.IsSuperAdmin {
  30. return true, nil
  31. }
  32. }
  33. return false, err
  34. }
  35. // GetUsers - gets users
  36. func GetUsers() ([]models.ReturnUser, error) {
  37. var users []models.ReturnUser
  38. collection, err := database.FetchRecords(database.USERS_TABLE_NAME)
  39. if err != nil {
  40. return users, err
  41. }
  42. for _, value := range collection {
  43. var user models.ReturnUser
  44. err = json.Unmarshal([]byte(value), &user)
  45. if err != nil {
  46. continue // get users
  47. }
  48. users = append(users, user)
  49. }
  50. return users, err
  51. }
  52. // CreateUser - creates a user
  53. func CreateUser(user *models.User) error {
  54. // check if user exists
  55. if _, err := GetUser(user.UserName); err == nil {
  56. return errors.New("user exists")
  57. }
  58. var err = ValidateUser(user)
  59. if err != nil {
  60. return err
  61. }
  62. // encrypt that password so we never see it again
  63. hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), 5)
  64. if err != nil {
  65. return err
  66. }
  67. // set password to encrypted password
  68. user.Password = string(hash)
  69. tokenString, _ := CreateUserJWT(user.UserName, user.IsSuperAdmin, user.IsAdmin)
  70. if tokenString == "" {
  71. return err
  72. }
  73. SetUserDefaults(user)
  74. // connect db
  75. data, err := json.Marshal(user)
  76. if err != nil {
  77. return err
  78. }
  79. err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME)
  80. if err != nil {
  81. return err
  82. }
  83. return nil
  84. }
  85. // CreateSuperAdmin - creates an super admin user
  86. func CreateSuperAdmin(u *models.User) error {
  87. hassuperadmin, err := HasSuperAdmin()
  88. if err != nil {
  89. return err
  90. }
  91. if hassuperadmin {
  92. return errors.New("superadmin user already exists")
  93. }
  94. u.IsSuperAdmin = true
  95. return CreateUser(u)
  96. }
  97. // VerifyAuthRequest - verifies an auth request
  98. func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
  99. var result models.User
  100. if authRequest.UserName == "" {
  101. return "", errors.New("username can't be empty")
  102. } else if authRequest.Password == "" {
  103. return "", errors.New("password can't be empty")
  104. }
  105. // Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API until approved).
  106. record, err := database.FetchRecord(database.USERS_TABLE_NAME, authRequest.UserName)
  107. if err != nil {
  108. return "", errors.New("incorrect credentials")
  109. }
  110. if err = json.Unmarshal([]byte(record), &result); err != nil {
  111. return "", errors.New("error unmarshalling user json: " + err.Error())
  112. }
  113. // compare password from request to stored password in database
  114. // might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
  115. // TODO: Consider a way of hashing the password client side before sending, or using certificates
  116. if err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password)); err != nil {
  117. return "", errors.New("incorrect credentials")
  118. }
  119. // Create a new JWT for the node
  120. tokenString, _ := CreateUserJWT(authRequest.UserName, result.IsSuperAdmin, result.IsAdmin)
  121. return tokenString, nil
  122. }
  123. // UpsertUser - updates user in the db
  124. func UpsertUser(user models.User) error {
  125. data, err := json.Marshal(&user)
  126. if err != nil {
  127. return err
  128. }
  129. if err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME); err != nil {
  130. return err
  131. }
  132. return nil
  133. }
  134. // UpdateUser - updates a given user
  135. func UpdateUser(userchange, user *models.User) (*models.User, error) {
  136. // check if user exists
  137. if _, err := GetUser(user.UserName); err != nil {
  138. return &models.User{}, err
  139. }
  140. queryUser := user.UserName
  141. if userchange.UserName != "" && user.UserName != userchange.UserName {
  142. // check if username is available
  143. if _, err := GetUser(userchange.UserName); err == nil {
  144. return &models.User{}, errors.New("username exists already")
  145. }
  146. user.UserName = userchange.UserName
  147. }
  148. if userchange.Password != "" {
  149. // encrypt that password so we never see it again
  150. hash, err := bcrypt.GenerateFromPassword([]byte(userchange.Password), 5)
  151. if err != nil {
  152. return userchange, err
  153. }
  154. // set password to encrypted password
  155. userchange.Password = string(hash)
  156. user.Password = userchange.Password
  157. }
  158. user.IsAdmin = userchange.IsAdmin
  159. err := ValidateUser(user)
  160. if err != nil {
  161. return &models.User{}, err
  162. }
  163. if err = database.DeleteRecord(database.USERS_TABLE_NAME, queryUser); err != nil {
  164. return &models.User{}, err
  165. }
  166. data, err := json.Marshal(&user)
  167. if err != nil {
  168. return &models.User{}, err
  169. }
  170. if err = database.Insert(user.UserName, string(data), database.USERS_TABLE_NAME); err != nil {
  171. return &models.User{}, err
  172. }
  173. logger.Log(1, "updated user", queryUser)
  174. return user, nil
  175. }
  176. // ValidateUser - validates a user model
  177. func ValidateUser(user *models.User) error {
  178. v := validator.New()
  179. _ = v.RegisterValidation("in_charset", func(fl validator.FieldLevel) bool {
  180. isgood := user.NameInCharSet()
  181. return isgood
  182. })
  183. err := v.Struct(user)
  184. if err != nil {
  185. for _, e := range err.(validator.ValidationErrors) {
  186. logger.Log(2, e.Error())
  187. }
  188. }
  189. return err
  190. }
  191. // DeleteUser - deletes a given user
  192. func DeleteUser(user string) (bool, error) {
  193. if userRecord, err := database.FetchRecord(database.USERS_TABLE_NAME, user); err != nil || len(userRecord) == 0 {
  194. return false, errors.New("user does not exist")
  195. }
  196. err := database.DeleteRecord(database.USERS_TABLE_NAME, user)
  197. if err != nil {
  198. return false, err
  199. }
  200. return true, nil
  201. }
  202. // FetchAuthSecret - manages secrets for oauth
  203. func FetchAuthSecret(key string, secret string) (string, error) {
  204. var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, key)
  205. if err != nil {
  206. if err = database.Insert(key, secret, database.GENERATED_TABLE_NAME); err != nil {
  207. return "", err
  208. } else {
  209. return secret, nil
  210. }
  211. }
  212. return record, nil
  213. }
  214. // GetState - gets an SsoState from DB, if expired returns error
  215. func GetState(state string) (*models.SsoState, error) {
  216. var s models.SsoState
  217. record, err := database.FetchRecord(database.SSO_STATE_CACHE, state)
  218. if err != nil {
  219. return &s, err
  220. }
  221. if err = json.Unmarshal([]byte(record), &s); err != nil {
  222. return &s, err
  223. }
  224. if s.IsExpired() {
  225. return &s, fmt.Errorf("state expired")
  226. }
  227. return &s, nil
  228. }
  229. // SetState - sets a state with new expiration
  230. func SetState(state string) error {
  231. s := models.SsoState{
  232. Value: state,
  233. Expiration: time.Now().Add(models.DefaultExpDuration),
  234. }
  235. data, err := json.Marshal(&s)
  236. if err != nil {
  237. return err
  238. }
  239. return database.Insert(state, string(data), database.SSO_STATE_CACHE)
  240. }
  241. // IsStateValid - checks if given state is valid or not
  242. // deletes state after call is made to clean up, should only be called once per sign-in
  243. func IsStateValid(state string) (string, bool) {
  244. s, err := GetState(state)
  245. if err != nil {
  246. logger.Log(2, "error retrieving oauth state:", err.Error())
  247. return "", false
  248. }
  249. if s.Value != "" {
  250. if err = delState(state); err != nil {
  251. logger.Log(2, "error deleting oauth state:", err.Error())
  252. return "", false
  253. }
  254. }
  255. return s.Value, true
  256. }
  257. // delState - removes a state from cache/db
  258. func delState(state string) error {
  259. return database.DeleteRecord(database.SSO_STATE_CACHE, state)
  260. }