good first draft, fixed test

auth/auth.go

@@ -4,6 +4,8 @@ import (
 	"encoding/json"
 	"net/http"
 
+	"github.com/gravitl/netmaker/logic"
+	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
 	"golang.org/x/oauth2"
 )
@@ -18,6 +20,7 @@ const (
 	azure_ad_provider_name = "azure-ad"
 	github_provider_name   = "github"
 	verify_user            = "verifyuser"
+	auth_key               = "netmaker_auth"
 )
 
 var oauth_state_string = "netmaker-oauth-state" // should be set randomly each provider login
@@ -49,6 +52,10 @@ func InitializeAuthProvider() string {
 	if functions == nil {
 		return ""
 	}
+	var _, err = fetchPassValue(logic.RandomString(64))
+	if err != nil {
+		return ""
+	}
 	var authInfo = servercfg.GetAuthProviderInfo()
 	functions[init_provider].(func(string, string, string))(servercfg.GetAPIConnString()+"/api/oauth/callback", authInfo[1], authInfo[2])
 	return authInfo[0]
@@ -72,16 +79,60 @@ func HandleAuthLogin(w http.ResponseWriter, r *http.Request) {
 	functions[handle_login].(func(http.ResponseWriter, *http.Request))(w, r)
 }
 
-// VerifyUserToken - checks if oauth2 token is valid
-func VerifyUserToken(accessToken string) bool {
-	var token = &oauth2.Token{}
-	var err = json.Unmarshal([]byte(accessToken), token)
-	if err != nil || !token.Valid() {
-		return false
+// == private methods ==
+
+func addUser(email string) error {
+	var hasAdmin, err = logic.HasAdmin()
+	if err != nil {
+		logic.Log("error checking for existence of admin user during OAuth login for "+email+", user not added", 1)
+		return err
+	} // generate random password to adapt to current model
+	var newPass, fetchErr = fetchPassValue("")
+	if fetchErr != nil {
+		return fetchErr
 	}
-	var functions = getCurrentAuthFunctions()
-	if functions == nil {
-		return false
+	var newUser = models.User{
+		UserName: email,
+		Password: newPass,
 	}
-	return functions[verify_user].(func(*oauth2.Token) bool)(token)
+	if !hasAdmin { // must be first attempt, create an admin
+		if newUser, err = logic.CreateAdmin(newUser); err != nil {
+			logic.Log("error creating admin from user, "+email+", user not added", 1)
+		} else {
+			logic.Log("admin created from user, "+email+", was first user added", 0)
+		}
+	} else { // otherwise add to db as admin..?
+		// TODO: add ability to add users with preemptive permissions
+		newUser.IsAdmin = true
+		if newUser, err = logic.CreateUser(newUser); err != nil {
+			logic.Log("error creating user, "+email+", user not added", 1)
+		} else {
+			logic.Log("user created from, "+email+"", 0)
+		}
+	}
+	return nil
+}
+
+func fetchPassValue(newValue string) (string, error) {
+
+	type valueHolder struct {
+		Value string `json:"value" bson:"value"`
+	}
+	var newValueHolder = &valueHolder{
+		Value: newValue,
+	}
+	var data, marshalErr = json.Marshal(newValueHolder)
+	if marshalErr != nil {
+		return "", marshalErr
+	}
+
+	var currentValue, err = logic.FetchAuthSecret(auth_key, string(data))
+	if err != nil {
+		return "", err
+	}
+	var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder)
+	if unmarshErr != nil {
+		return "", unmarshErr
+	}
+	return newValueHolder.Value, nil
 }

auth/google.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/gravitl/netmaker/logic"
+	"github.com/gravitl/netmaker/models"
 	"github.com/gravitl/netmaker/servercfg"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
@@ -34,7 +35,7 @@ func initGoogle(redirectURL string, clientID string, clientSecret string) {
 
 func handleGoogleLogin(w http.ResponseWriter, r *http.Request) {
 	oauth_state_string = logic.RandomString(16)
-	url := auth_provider.AuthCodeURL(oauth_state_string)
+	var url = auth_provider.AuthCodeURL(oauth_state_string)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 }
 
@@ -46,8 +47,30 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, servercfg.GetFrontendURL()+"?oauth=callback-error", http.StatusTemporaryRedirect)
 		return
 	}
+	_, err = logic.GetUser(content.Email)
+	if err != nil { // user must not exists, so try to make one
+		if err = addUser(content.Email); err != nil {
+			return
+		}
+	}
+	var newPass, fetchErr = fetchPassValue("")
+	if fetchErr != nil {
+		return
+	}
+	// send a netmaker jwt token
+	var authRequest = models.UserAuthParams{
+		UserName: content.Email,
+		Password: newPass,
+	}
+
+	var jwt, jwtErr = logic.VerifyAuthRequest(authRequest)
+	if jwtErr != nil {
+		logic.Log("could not parse jwt for user "+authRequest.UserName, 1)
+		return
+	}
+
 	logic.Log("completed google oauth sigin in for "+content.Email, 0)
-	http.Redirect(w, r, servercfg.GetFrontendURL()+"?oauth="+content.AccessToken+"&email="+content.Email, http.StatusPermanentRedirect)
+	http.Redirect(w, r, servercfg.GetFrontendURL()+"?login="+jwt+"&email="+content.Email, http.StatusPermanentRedirect)
 }
 
 func getUserInfo(state string, code string) (*OauthUser, error) {

controllers/userHttpController.go

@@ -12,7 +12,6 @@ import (
 	"github.com/gravitl/netmaker/functions"
 	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
-	"golang.org/x/crypto/bcrypt"
 )
 
 func userHandlers(r *mux.Router) {
@@ -53,7 +52,7 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
 		return
 	}
 
-	jwt, err := VerifyAuthRequest(authRequest)
+	jwt, err := logic.VerifyAuthRequest(authRequest)
 	if err != nil {
 		returnErrorResponse(response, request, formatError(err, "badrequest"))
 		return
@@ -86,35 +85,6 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) {
 	response.Write(successJSONResponse)
 }
 
-// VerifyAuthRequest - verifies an auth request
-func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
-	var result models.User
-	if authRequest.UserName == "" {
-		return "", errors.New("username can't be empty")
-	} else if authRequest.Password == "" {
-		return "", errors.New("password can't be empty")
-	}
-	//Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API until approved).
-	record, err := database.FetchRecord(database.USERS_TABLE_NAME, authRequest.UserName)
-	if err != nil {
-		return "", errors.New("incorrect credentials")
-	}
-	if err = json.Unmarshal([]byte(record), &result); err != nil {
-		return "", errors.New("incorrect credentials")
-	}
-
-	// compare password from request to stored password in database
-	// might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
-	// TODO: Consider a way of hashing the password client side before sending, or using certificates
-	if err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password)); err != nil {
-		return "", errors.New("incorrect credentials")
-	}
-
-	//Create a new JWT for the node
-	tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.Networks, result.IsAdmin)
-	return tokenString, nil
-}
-
 // The middleware for most requests to the API
 // They all pass  through here first
 // This will validate the JWT (or check for master token)

controllers/userHttpController_test.go

@@ -4,52 +4,53 @@ import (
 	"testing"
 
 	"github.com/gravitl/netmaker/database"
+	"github.com/gravitl/netmaker/logic"
 	"github.com/gravitl/netmaker/models"
 	"github.com/stretchr/testify/assert"
 )
 
 func deleteAllUsers() {
-	users, _ := GetUsers()
+	users, _ := logic.GetUsers()
 	for _, user := range users {
-		DeleteUser(user.UserName)
+		logic.DeleteUser(user.UserName)
 	}
 }
 
 func TestHasAdmin(t *testing.T) {
 	//delete all current users
 	database.InitializeDatabase()
-	users, _ := GetUsers()
+	users, _ := logic.GetUsers()
 	for _, user := range users {
-		success, err := DeleteUser(user.UserName)
+		success, err := logic.DeleteUser(user.UserName)
 		assert.Nil(t, err)
 		assert.True(t, success)
 	}
 	t.Run("NoUser", func(t *testing.T) {
-		found, err := HasAdmin()
+		found, err := logic.HasAdmin()
 		assert.Nil(t, err)
 		assert.False(t, found)
 	})
 	t.Run("No admin user", func(t *testing.T) {
 		var user = models.User{"noadmin", "password", nil, false}
-		_, err := CreateUser(user)
+		_, err := logic.CreateUser(user)
 		assert.Nil(t, err)
-		found, err := HasAdmin()
+		found, err := logic.HasAdmin()
 		assert.Nil(t, err)
 		assert.False(t, found)
 	})
 	t.Run("admin user", func(t *testing.T) {
 		var user = models.User{"admin", "password", nil, true}
-		_, err := CreateUser(user)
+		_, err := logic.CreateUser(user)
 		assert.Nil(t, err)
-		found, err := HasAdmin()
+		found, err := logic.HasAdmin()
 		assert.Nil(t, err)
 		assert.True(t, found)
 	})
 	t.Run("multiple admins", func(t *testing.T) {
 		var user = models.User{"admin1", "password", nil, true}
-		_, err := CreateUser(user)
+		_, err := logic.CreateUser(user)
 		assert.Nil(t, err)
-		found, err := HasAdmin()
+		found, err := logic.HasAdmin()
 		assert.Nil(t, err)
 		assert.True(t, found)
 	})
@@ -60,12 +61,12 @@ func TestCreateUser(t *testing.T) {
 	deleteAllUsers()
 	user := models.User{"admin", "password", nil, true}
 	t.Run("NoUser", func(t *testing.T) {
-		admin, err := CreateUser(user)
+		admin, err := logic.CreateUser(user)
 		assert.Nil(t, err)
 		assert.Equal(t, user.UserName, admin.UserName)
 	})
 	t.Run("UserExists", func(t *testing.T) {
-		_, err := CreateUser(user)
+		_, err := logic.CreateUser(user)
 		assert.NotNil(t, err)
 		assert.EqualError(t, err, "user exists")
 	})
@@ -78,14 +79,14 @@ func TestCreateAdmin(t *testing.T) {
 	t.Run("NoAdmin", func(t *testing.T) {
 		user.UserName = "admin"
 		user.Password = "password"
-		admin, err := CreateAdmin(user)
+		admin, err := logic.CreateAdmin(user)
 		assert.Nil(t, err)
 		assert.Equal(t, user.UserName, admin.UserName)
 	})
 	t.Run("AdminExists", func(t *testing.T) {
 		user.UserName = "admin2"
 		user.Password = "password1"
-		admin, err := CreateAdmin(user)
+		admin, err := logic.CreateAdmin(user)
 		assert.EqualError(t, err, "admin user already exists")
 		assert.Equal(t, admin, models.User{})
 	})
@@ -95,14 +96,14 @@ func TestDeleteUser(t *testing.T) {
 	database.InitializeDatabase()
 	deleteAllUsers()
 	t.Run("NonExistent User", func(t *testing.T) {
-		deleted, err := DeleteUser("admin")
+		deleted, err := logic.DeleteUser("admin")
 		assert.EqualError(t, err, "user does not exist")
 		assert.False(t, deleted)
 	})
 	t.Run("Existing User", func(t *testing.T) {
 		user := models.User{"admin", "password", nil, true}
-		CreateUser(user)
-		deleted, err := DeleteUser("admin")
+		logic.CreateUser(user)
+		deleted, err := logic.DeleteUser("admin")
 		assert.Nil(t, err)
 		assert.True(t, deleted)
 	})
@@ -114,44 +115,44 @@ func TestValidateUser(t *testing.T) {
 	t.Run("Valid Create", func(t *testing.T) {
 		user.UserName = "admin"
 		user.Password = "validpass"
-		err := ValidateUser("create", user)
+		err := logic.ValidateUser(user)
 		assert.Nil(t, err)
 	})
 	t.Run("Valid Update", func(t *testing.T) {
 		user.UserName = "admin"
 		user.Password = "password"
-		err := ValidateUser("update", user)
+		err := logic.ValidateUser(user)
 		assert.Nil(t, err)
 	})
 	t.Run("Invalid UserName", func(t *testing.T) {
 		t.Skip()
 		user.UserName = "*invalid"
-		err := ValidateUser("create", user)
+		err := logic.ValidateUser(user)
 		assert.Error(t, err)
 		//assert.Contains(t, err.Error(), "Field validation for 'UserName' failed")
 	})
 	t.Run("Short UserName", func(t *testing.T) {
 		t.Skip()
 		user.UserName = "1"
-		err := ValidateUser("create", user)
+		err := logic.ValidateUser(user)
 		assert.NotNil(t, err)
 		//assert.Contains(t, err.Error(), "Field validation for 'UserName' failed")
 	})
 	t.Run("Empty UserName", func(t *testing.T) {
 		t.Skip()
 		user.UserName = ""
-		err := ValidateUser("create", user)
+		err := logic.ValidateUser(user)
 		assert.EqualError(t, err, "some string")
 		//assert.Contains(t, err.Error(), "Field validation for 'UserName' failed")
 	})
 	t.Run("EmptyPassword", func(t *testing.T) {
 		user.Password = ""
-		err := ValidateUser("create", user)
+		err := logic.ValidateUser(user)
 		assert.EqualError(t, err, "Key: 'User.Password' Error:Field validation for 'Password' failed on the 'required' tag")
 	})
 	t.Run("ShortPassword", func(t *testing.T) {
 		user.Password = "123"
-		err := ValidateUser("create", user)
+		err := logic.ValidateUser(user)
 		assert.EqualError(t, err, "Key: 'User.Password' Error:Field validation for 'Password' failed on the 'min' tag")
 	})
 }
@@ -160,14 +161,14 @@ func TestGetUser(t *testing.T) {
 	database.InitializeDatabase()
 	deleteAllUsers()
 	t.Run("NonExistantUser", func(t *testing.T) {
-		admin, err := GetUser("admin")
+		admin, err := logic.GetUser("admin")
 		assert.EqualError(t, err, "could not find any records")
 		assert.Equal(t, "", admin.UserName)
 	})
 	t.Run("UserExisits", func(t *testing.T) {
 		user := models.User{"admin", "password", nil, true}
-		CreateUser(user)
-		admin, err := GetUser("admin")
+		logic.CreateUser(user)
+		admin, err := logic.GetUser("admin")
 		assert.Nil(t, err)
 		assert.Equal(t, user.UserName, admin.UserName)
 	})
@@ -183,7 +184,7 @@ func TestGetUserInternal(t *testing.T) {
 	})
 	t.Run("UserExisits", func(t *testing.T) {
 		user := models.User{"admin", "password", nil, true}
-		CreateUser(user)
+		logic.CreateUser(user)
 		admin, err := GetUserInternal("admin")
 		assert.Nil(t, err)
 		assert.Equal(t, user.UserName, admin.UserName)
@@ -194,21 +195,21 @@ func TestGetUsers(t *testing.T) {
 	database.InitializeDatabase()
 	deleteAllUsers()
 	t.Run("NonExistantUser", func(t *testing.T) {
-		admin, err := GetUsers()
+		admin, err := logic.GetUsers()
 		assert.EqualError(t, err, "could not find any records")
 		assert.Equal(t, []models.ReturnUser(nil), admin)
 	})
 	t.Run("UserExisits", func(t *testing.T) {
 		user := models.User{"admin", "password", nil, true}
-		CreateUser(user)
-		admins, err := GetUsers()
+		logic.CreateUser(user)
+		admins, err := logic.GetUsers()
 		assert.Nil(t, err)
 		assert.Equal(t, user.UserName, admins[0].UserName)
 	})
 	t.Run("MulipleUsers", func(t *testing.T) {
 		user := models.User{"user", "password", nil, true}
-		CreateUser(user)
-		admins, err := GetUsers()
+		logic.CreateUser(user)
+		admins, err := logic.GetUsers()
 		assert.Nil(t, err)
 		for _, u := range admins {
 			if u.UserName == "admin" {
@@ -227,14 +228,14 @@ func TestUpdateUser(t *testing.T) {
 	user := models.User{"admin", "password", nil, true}
 	newuser := models.User{"hello", "world", []string{"wirecat, netmaker"}, true}
 	t.Run("NonExistantUser", func(t *testing.T) {
-		admin, err := UpdateUser(newuser, user)
+		admin, err := logic.UpdateUser(newuser, user)
 		assert.EqualError(t, err, "could not find any records")
 		assert.Equal(t, "", admin.UserName)
 	})
 
 	t.Run("UserExists", func(t *testing.T) {
-		CreateUser(user)
-		admin, err := UpdateUser(newuser, user)
+		logic.CreateUser(user)
+		admin, err := logic.UpdateUser(newuser, user)
 		assert.Nil(t, err)
 		assert.Equal(t, newuser.UserName, admin.UserName)
 	})
@@ -271,43 +272,43 @@ func TestVerifyAuthRequest(t *testing.T) {
 	t.Run("EmptyUserName", func(t *testing.T) {
 		authRequest.UserName = ""
 		authRequest.Password = "Password"
-		jwt, err := VerifyAuthRequest(authRequest)
+		jwt, err := logic.VerifyAuthRequest(authRequest)
 		assert.Equal(t, "", jwt)
 		assert.EqualError(t, err, "username can't be empty")
 	})
 	t.Run("EmptyPassword", func(t *testing.T) {
 		authRequest.UserName = "admin"
 		authRequest.Password = ""
-		jwt, err := VerifyAuthRequest(authRequest)
+		jwt, err := logic.VerifyAuthRequest(authRequest)
 		assert.Equal(t, "", jwt)
 		assert.EqualError(t, err, "password can't be empty")
 	})
 	t.Run("NonExistantUser", func(t *testing.T) {
 		authRequest.UserName = "admin"
 		authRequest.Password = "password"
-		jwt, err := VerifyAuthRequest(authRequest)
+		jwt, err := logic.VerifyAuthRequest(authRequest)
 		assert.Equal(t, "", jwt)
 		assert.EqualError(t, err, "incorrect credentials")
 	})
 	t.Run("Non-Admin", func(t *testing.T) {
 		user := models.User{"nonadmin", "somepass", nil, false}
-		CreateUser(user)
+		logic.CreateUser(user)
 		authRequest := models.UserAuthParams{"nonadmin", "somepass"}
-		jwt, err := VerifyAuthRequest(authRequest)
+		jwt, err := logic.VerifyAuthRequest(authRequest)
 		assert.NotNil(t, jwt)
 		assert.Nil(t, err)
 	})
 	t.Run("WrongPassword", func(t *testing.T) {
 		user := models.User{"admin", "password", nil, false}
-		CreateUser(user)
+		logic.CreateUser(user)
 		authRequest := models.UserAuthParams{"admin", "badpass"}
-		jwt, err := VerifyAuthRequest(authRequest)
+		jwt, err := logic.VerifyAuthRequest(authRequest)
 		assert.Equal(t, "", jwt)
 		assert.EqualError(t, err, "incorrect credentials")
 	})
 	t.Run("Success", func(t *testing.T) {
 		authRequest := models.UserAuthParams{"admin", "password"}
-		jwt, err := VerifyAuthRequest(authRequest)
+		jwt, err := logic.VerifyAuthRequest(authRequest)
 		assert.Nil(t, err)
 		assert.NotNil(t, jwt)
 	})

database/database.go

@@ -39,6 +39,9 @@ const SERVERCONF_TABLE_NAME = "serverconf"
 // DATABASE_FILENAME - database file name
 const DATABASE_FILENAME = "netmaker.db"
 
+// GENERATED_TABLE_NAME - stores server generated k/v
+const GENERATED_TABLE_NAME = "generated"
+
 // == ERROR CONSTS ==
 
 // NO_RECORD - no singular result found
@@ -114,6 +117,7 @@ func createTables() {
 	createTable(INT_CLIENTS_TABLE_NAME)
 	createTable(PEERS_TABLE_NAME)
 	createTable(SERVERCONF_TABLE_NAME)
+	createTable(GENERATED_TABLE_NAME)
 }
 
 func createTable(tableName string) error {

logic/auth.go

@@ -123,6 +123,35 @@ func CreateAdmin(admin models.User) (models.User, error) {
 	return CreateUser(admin)
 }
 
+// VerifyAuthRequest - verifies an auth request
+func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) {
+	var result models.User
+	if authRequest.UserName == "" {
+		return "", errors.New("username can't be empty")
+	} else if authRequest.Password == "" {
+		return "", errors.New("password can't be empty")
+	}
+	//Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API until approved).
+	record, err := database.FetchRecord(database.USERS_TABLE_NAME, authRequest.UserName)
+	if err != nil {
+		return "", errors.New("incorrect credentials")
+	}
+	if err = json.Unmarshal([]byte(record), &result); err != nil {
+		return "", errors.New("incorrect credentials")
+	}
+
+	// compare password from request to stored password in database
+	// might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text...
+	// TODO: Consider a way of hashing the password client side before sending, or using certificates
+	if err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password)); err != nil {
+		return "", errors.New("incorrect credentials")
+	}
+
+	//Create a new JWT for the node
+	tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.Networks, result.IsAdmin)
+	return tokenString, nil
+}
+
 // UpdateUser - updates a given user
 func UpdateUser(userchange models.User, user models.User) (models.User, error) {
 	//check if user exists
@@ -197,3 +226,14 @@ func DeleteUser(user string) (bool, error) {
 	}
 	return true, nil
 }
+
+// FetchAuthSecret - manages secrets for oauth
+func FetchAuthSecret(key string, secret string) (string, error) {
+	var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, key)
+	if err != nil {
+		if err = database.Insert(key, secret, database.GENERATED_TABLE_NAME); err != nil {
+			return "", err
+		}
+	}
+	return record, nil
+}