diff --git a/auth/auth.go b/auth/auth.go index b5ca44a0..41adbab0 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -4,6 +4,8 @@ import ( "encoding/json" "net/http" + "github.com/gravitl/netmaker/logic" + "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/servercfg" "golang.org/x/oauth2" ) @@ -18,6 +20,7 @@ const ( azure_ad_provider_name = "azure-ad" github_provider_name = "github" verify_user = "verifyuser" + auth_key = "netmaker_auth" ) var oauth_state_string = "netmaker-oauth-state" // should be set randomly each provider login @@ -49,6 +52,10 @@ func InitializeAuthProvider() string { if functions == nil { return "" } + var _, err = fetchPassValue(logic.RandomString(64)) + if err != nil { + return "" + } var authInfo = servercfg.GetAuthProviderInfo() functions[init_provider].(func(string, string, string))(servercfg.GetAPIConnString()+"/api/oauth/callback", authInfo[1], authInfo[2]) return authInfo[0] @@ -72,16 +79,60 @@ func HandleAuthLogin(w http.ResponseWriter, r *http.Request) { functions[handle_login].(func(http.ResponseWriter, *http.Request))(w, r) } -// VerifyUserToken - checks if oauth2 token is valid -func VerifyUserToken(accessToken string) bool { - var token = &oauth2.Token{} - var err = json.Unmarshal([]byte(accessToken), token) - if err != nil || !token.Valid() { - return false +// == private methods == + +func addUser(email string) error { + var hasAdmin, err = logic.HasAdmin() + if err != nil { + logic.Log("error checking for existence of admin user during OAuth login for "+email+", user not added", 1) + return err + } // generate random password to adapt to current model + var newPass, fetchErr = fetchPassValue("") + if fetchErr != nil { + return fetchErr } - var functions = getCurrentAuthFunctions() - if functions == nil { - return false + var newUser = models.User{ + UserName: email, + Password: newPass, } - return functions[verify_user].(func(*oauth2.Token) bool)(token) + if !hasAdmin { // must be first attempt, create an admin + if newUser, err = logic.CreateAdmin(newUser); err != nil { + logic.Log("error creating admin from user, "+email+", user not added", 1) + } else { + logic.Log("admin created from user, "+email+", was first user added", 0) + } + } else { // otherwise add to db as admin..? + // TODO: add ability to add users with preemptive permissions + newUser.IsAdmin = true + if newUser, err = logic.CreateUser(newUser); err != nil { + logic.Log("error creating user, "+email+", user not added", 1) + } else { + logic.Log("user created from, "+email+"", 0) + } + } + return nil +} + +func fetchPassValue(newValue string) (string, error) { + + type valueHolder struct { + Value string `json:"value" bson:"value"` + } + var newValueHolder = &valueHolder{ + Value: newValue, + } + var data, marshalErr = json.Marshal(newValueHolder) + if marshalErr != nil { + return "", marshalErr + } + + var currentValue, err = logic.FetchAuthSecret(auth_key, string(data)) + if err != nil { + return "", err + } + var unmarshErr = json.Unmarshal([]byte(currentValue), newValueHolder) + if unmarshErr != nil { + return "", unmarshErr + } + return newValueHolder.Value, nil } diff --git a/auth/google.go b/auth/google.go index 44c82489..cb76f9fc 100644 --- a/auth/google.go +++ b/auth/google.go @@ -7,6 +7,7 @@ import ( "net/http" "github.com/gravitl/netmaker/logic" + "github.com/gravitl/netmaker/models" "github.com/gravitl/netmaker/servercfg" "golang.org/x/oauth2" "golang.org/x/oauth2/google" @@ -34,7 +35,7 @@ func initGoogle(redirectURL string, clientID string, clientSecret string) { func handleGoogleLogin(w http.ResponseWriter, r *http.Request) { oauth_state_string = logic.RandomString(16) - url := auth_provider.AuthCodeURL(oauth_state_string) + var url = auth_provider.AuthCodeURL(oauth_state_string) http.Redirect(w, r, url, http.StatusTemporaryRedirect) } @@ -46,8 +47,30 @@ func handleGoogleCallback(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, servercfg.GetFrontendURL()+"?oauth=callback-error", http.StatusTemporaryRedirect) return } + _, err = logic.GetUser(content.Email) + if err != nil { // user must not exists, so try to make one + if err = addUser(content.Email); err != nil { + return + } + } + var newPass, fetchErr = fetchPassValue("") + if fetchErr != nil { + return + } + // send a netmaker jwt token + var authRequest = models.UserAuthParams{ + UserName: content.Email, + Password: newPass, + } + + var jwt, jwtErr = logic.VerifyAuthRequest(authRequest) + if jwtErr != nil { + logic.Log("could not parse jwt for user "+authRequest.UserName, 1) + return + } + logic.Log("completed google oauth sigin in for "+content.Email, 0) - http.Redirect(w, r, servercfg.GetFrontendURL()+"?oauth="+content.AccessToken+"&email="+content.Email, http.StatusPermanentRedirect) + http.Redirect(w, r, servercfg.GetFrontendURL()+"?login="+jwt+"&email="+content.Email, http.StatusPermanentRedirect) } func getUserInfo(state string, code string) (*OauthUser, error) { diff --git a/controllers/userHttpController.go b/controllers/userHttpController.go index 613a9a4e..478dc42f 100644 --- a/controllers/userHttpController.go +++ b/controllers/userHttpController.go @@ -12,7 +12,6 @@ import ( "github.com/gravitl/netmaker/functions" "github.com/gravitl/netmaker/logic" "github.com/gravitl/netmaker/models" - "golang.org/x/crypto/bcrypt" ) func userHandlers(r *mux.Router) { @@ -53,7 +52,7 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) { return } - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) if err != nil { returnErrorResponse(response, request, formatError(err, "badrequest")) return @@ -86,35 +85,6 @@ func authenticateUser(response http.ResponseWriter, request *http.Request) { response.Write(successJSONResponse) } -// VerifyAuthRequest - verifies an auth request -func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) { - var result models.User - if authRequest.UserName == "" { - return "", errors.New("username can't be empty") - } else if authRequest.Password == "" { - return "", errors.New("password can't be empty") - } - //Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API until approved). - record, err := database.FetchRecord(database.USERS_TABLE_NAME, authRequest.UserName) - if err != nil { - return "", errors.New("incorrect credentials") - } - if err = json.Unmarshal([]byte(record), &result); err != nil { - return "", errors.New("incorrect credentials") - } - - // compare password from request to stored password in database - // might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text... - // TODO: Consider a way of hashing the password client side before sending, or using certificates - if err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password)); err != nil { - return "", errors.New("incorrect credentials") - } - - //Create a new JWT for the node - tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.Networks, result.IsAdmin) - return tokenString, nil -} - // The middleware for most requests to the API // They all pass through here first // This will validate the JWT (or check for master token) diff --git a/controllers/userHttpController_test.go b/controllers/userHttpController_test.go index 7efe642d..3afea694 100644 --- a/controllers/userHttpController_test.go +++ b/controllers/userHttpController_test.go @@ -4,52 +4,53 @@ import ( "testing" "github.com/gravitl/netmaker/database" + "github.com/gravitl/netmaker/logic" "github.com/gravitl/netmaker/models" "github.com/stretchr/testify/assert" ) func deleteAllUsers() { - users, _ := GetUsers() + users, _ := logic.GetUsers() for _, user := range users { - DeleteUser(user.UserName) + logic.DeleteUser(user.UserName) } } func TestHasAdmin(t *testing.T) { //delete all current users database.InitializeDatabase() - users, _ := GetUsers() + users, _ := logic.GetUsers() for _, user := range users { - success, err := DeleteUser(user.UserName) + success, err := logic.DeleteUser(user.UserName) assert.Nil(t, err) assert.True(t, success) } t.Run("NoUser", func(t *testing.T) { - found, err := HasAdmin() + found, err := logic.HasAdmin() assert.Nil(t, err) assert.False(t, found) }) t.Run("No admin user", func(t *testing.T) { var user = models.User{"noadmin", "password", nil, false} - _, err := CreateUser(user) + _, err := logic.CreateUser(user) assert.Nil(t, err) - found, err := HasAdmin() + found, err := logic.HasAdmin() assert.Nil(t, err) assert.False(t, found) }) t.Run("admin user", func(t *testing.T) { var user = models.User{"admin", "password", nil, true} - _, err := CreateUser(user) + _, err := logic.CreateUser(user) assert.Nil(t, err) - found, err := HasAdmin() + found, err := logic.HasAdmin() assert.Nil(t, err) assert.True(t, found) }) t.Run("multiple admins", func(t *testing.T) { var user = models.User{"admin1", "password", nil, true} - _, err := CreateUser(user) + _, err := logic.CreateUser(user) assert.Nil(t, err) - found, err := HasAdmin() + found, err := logic.HasAdmin() assert.Nil(t, err) assert.True(t, found) }) @@ -60,12 +61,12 @@ func TestCreateUser(t *testing.T) { deleteAllUsers() user := models.User{"admin", "password", nil, true} t.Run("NoUser", func(t *testing.T) { - admin, err := CreateUser(user) + admin, err := logic.CreateUser(user) assert.Nil(t, err) assert.Equal(t, user.UserName, admin.UserName) }) t.Run("UserExists", func(t *testing.T) { - _, err := CreateUser(user) + _, err := logic.CreateUser(user) assert.NotNil(t, err) assert.EqualError(t, err, "user exists") }) @@ -78,14 +79,14 @@ func TestCreateAdmin(t *testing.T) { t.Run("NoAdmin", func(t *testing.T) { user.UserName = "admin" user.Password = "password" - admin, err := CreateAdmin(user) + admin, err := logic.CreateAdmin(user) assert.Nil(t, err) assert.Equal(t, user.UserName, admin.UserName) }) t.Run("AdminExists", func(t *testing.T) { user.UserName = "admin2" user.Password = "password1" - admin, err := CreateAdmin(user) + admin, err := logic.CreateAdmin(user) assert.EqualError(t, err, "admin user already exists") assert.Equal(t, admin, models.User{}) }) @@ -95,14 +96,14 @@ func TestDeleteUser(t *testing.T) { database.InitializeDatabase() deleteAllUsers() t.Run("NonExistent User", func(t *testing.T) { - deleted, err := DeleteUser("admin") + deleted, err := logic.DeleteUser("admin") assert.EqualError(t, err, "user does not exist") assert.False(t, deleted) }) t.Run("Existing User", func(t *testing.T) { user := models.User{"admin", "password", nil, true} - CreateUser(user) - deleted, err := DeleteUser("admin") + logic.CreateUser(user) + deleted, err := logic.DeleteUser("admin") assert.Nil(t, err) assert.True(t, deleted) }) @@ -114,44 +115,44 @@ func TestValidateUser(t *testing.T) { t.Run("Valid Create", func(t *testing.T) { user.UserName = "admin" user.Password = "validpass" - err := ValidateUser("create", user) + err := logic.ValidateUser(user) assert.Nil(t, err) }) t.Run("Valid Update", func(t *testing.T) { user.UserName = "admin" user.Password = "password" - err := ValidateUser("update", user) + err := logic.ValidateUser(user) assert.Nil(t, err) }) t.Run("Invalid UserName", func(t *testing.T) { t.Skip() user.UserName = "*invalid" - err := ValidateUser("create", user) + err := logic.ValidateUser(user) assert.Error(t, err) //assert.Contains(t, err.Error(), "Field validation for 'UserName' failed") }) t.Run("Short UserName", func(t *testing.T) { t.Skip() user.UserName = "1" - err := ValidateUser("create", user) + err := logic.ValidateUser(user) assert.NotNil(t, err) //assert.Contains(t, err.Error(), "Field validation for 'UserName' failed") }) t.Run("Empty UserName", func(t *testing.T) { t.Skip() user.UserName = "" - err := ValidateUser("create", user) + err := logic.ValidateUser(user) assert.EqualError(t, err, "some string") //assert.Contains(t, err.Error(), "Field validation for 'UserName' failed") }) t.Run("EmptyPassword", func(t *testing.T) { user.Password = "" - err := ValidateUser("create", user) + err := logic.ValidateUser(user) assert.EqualError(t, err, "Key: 'User.Password' Error:Field validation for 'Password' failed on the 'required' tag") }) t.Run("ShortPassword", func(t *testing.T) { user.Password = "123" - err := ValidateUser("create", user) + err := logic.ValidateUser(user) assert.EqualError(t, err, "Key: 'User.Password' Error:Field validation for 'Password' failed on the 'min' tag") }) } @@ -160,14 +161,14 @@ func TestGetUser(t *testing.T) { database.InitializeDatabase() deleteAllUsers() t.Run("NonExistantUser", func(t *testing.T) { - admin, err := GetUser("admin") + admin, err := logic.GetUser("admin") assert.EqualError(t, err, "could not find any records") assert.Equal(t, "", admin.UserName) }) t.Run("UserExisits", func(t *testing.T) { user := models.User{"admin", "password", nil, true} - CreateUser(user) - admin, err := GetUser("admin") + logic.CreateUser(user) + admin, err := logic.GetUser("admin") assert.Nil(t, err) assert.Equal(t, user.UserName, admin.UserName) }) @@ -183,7 +184,7 @@ func TestGetUserInternal(t *testing.T) { }) t.Run("UserExisits", func(t *testing.T) { user := models.User{"admin", "password", nil, true} - CreateUser(user) + logic.CreateUser(user) admin, err := GetUserInternal("admin") assert.Nil(t, err) assert.Equal(t, user.UserName, admin.UserName) @@ -194,21 +195,21 @@ func TestGetUsers(t *testing.T) { database.InitializeDatabase() deleteAllUsers() t.Run("NonExistantUser", func(t *testing.T) { - admin, err := GetUsers() + admin, err := logic.GetUsers() assert.EqualError(t, err, "could not find any records") assert.Equal(t, []models.ReturnUser(nil), admin) }) t.Run("UserExisits", func(t *testing.T) { user := models.User{"admin", "password", nil, true} - CreateUser(user) - admins, err := GetUsers() + logic.CreateUser(user) + admins, err := logic.GetUsers() assert.Nil(t, err) assert.Equal(t, user.UserName, admins[0].UserName) }) t.Run("MulipleUsers", func(t *testing.T) { user := models.User{"user", "password", nil, true} - CreateUser(user) - admins, err := GetUsers() + logic.CreateUser(user) + admins, err := logic.GetUsers() assert.Nil(t, err) for _, u := range admins { if u.UserName == "admin" { @@ -227,14 +228,14 @@ func TestUpdateUser(t *testing.T) { user := models.User{"admin", "password", nil, true} newuser := models.User{"hello", "world", []string{"wirecat, netmaker"}, true} t.Run("NonExistantUser", func(t *testing.T) { - admin, err := UpdateUser(newuser, user) + admin, err := logic.UpdateUser(newuser, user) assert.EqualError(t, err, "could not find any records") assert.Equal(t, "", admin.UserName) }) t.Run("UserExists", func(t *testing.T) { - CreateUser(user) - admin, err := UpdateUser(newuser, user) + logic.CreateUser(user) + admin, err := logic.UpdateUser(newuser, user) assert.Nil(t, err) assert.Equal(t, newuser.UserName, admin.UserName) }) @@ -271,43 +272,43 @@ func TestVerifyAuthRequest(t *testing.T) { t.Run("EmptyUserName", func(t *testing.T) { authRequest.UserName = "" authRequest.Password = "Password" - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) assert.Equal(t, "", jwt) assert.EqualError(t, err, "username can't be empty") }) t.Run("EmptyPassword", func(t *testing.T) { authRequest.UserName = "admin" authRequest.Password = "" - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) assert.Equal(t, "", jwt) assert.EqualError(t, err, "password can't be empty") }) t.Run("NonExistantUser", func(t *testing.T) { authRequest.UserName = "admin" authRequest.Password = "password" - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) assert.Equal(t, "", jwt) assert.EqualError(t, err, "incorrect credentials") }) t.Run("Non-Admin", func(t *testing.T) { user := models.User{"nonadmin", "somepass", nil, false} - CreateUser(user) + logic.CreateUser(user) authRequest := models.UserAuthParams{"nonadmin", "somepass"} - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) assert.NotNil(t, jwt) assert.Nil(t, err) }) t.Run("WrongPassword", func(t *testing.T) { user := models.User{"admin", "password", nil, false} - CreateUser(user) + logic.CreateUser(user) authRequest := models.UserAuthParams{"admin", "badpass"} - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) assert.Equal(t, "", jwt) assert.EqualError(t, err, "incorrect credentials") }) t.Run("Success", func(t *testing.T) { authRequest := models.UserAuthParams{"admin", "password"} - jwt, err := VerifyAuthRequest(authRequest) + jwt, err := logic.VerifyAuthRequest(authRequest) assert.Nil(t, err) assert.NotNil(t, jwt) }) diff --git a/database/database.go b/database/database.go index 1dd4a733..7981ece2 100644 --- a/database/database.go +++ b/database/database.go @@ -39,6 +39,9 @@ const SERVERCONF_TABLE_NAME = "serverconf" // DATABASE_FILENAME - database file name const DATABASE_FILENAME = "netmaker.db" +// GENERATED_TABLE_NAME - stores server generated k/v +const GENERATED_TABLE_NAME = "generated" + // == ERROR CONSTS == // NO_RECORD - no singular result found @@ -114,6 +117,7 @@ func createTables() { createTable(INT_CLIENTS_TABLE_NAME) createTable(PEERS_TABLE_NAME) createTable(SERVERCONF_TABLE_NAME) + createTable(GENERATED_TABLE_NAME) } func createTable(tableName string) error { diff --git a/logic/auth.go b/logic/auth.go index 4939cb8f..41e82e43 100644 --- a/logic/auth.go +++ b/logic/auth.go @@ -123,6 +123,35 @@ func CreateAdmin(admin models.User) (models.User, error) { return CreateUser(admin) } +// VerifyAuthRequest - verifies an auth request +func VerifyAuthRequest(authRequest models.UserAuthParams) (string, error) { + var result models.User + if authRequest.UserName == "" { + return "", errors.New("username can't be empty") + } else if authRequest.Password == "" { + return "", errors.New("password can't be empty") + } + //Search DB for node with Mac Address. Ignore pending nodes (they should not be able to authenticate with API until approved). + record, err := database.FetchRecord(database.USERS_TABLE_NAME, authRequest.UserName) + if err != nil { + return "", errors.New("incorrect credentials") + } + if err = json.Unmarshal([]byte(record), &result); err != nil { + return "", errors.New("incorrect credentials") + } + + // compare password from request to stored password in database + // might be able to have a common hash (certificates?) and compare those so that a password isn't passed in in plain text... + // TODO: Consider a way of hashing the password client side before sending, or using certificates + if err = bcrypt.CompareHashAndPassword([]byte(result.Password), []byte(authRequest.Password)); err != nil { + return "", errors.New("incorrect credentials") + } + + //Create a new JWT for the node + tokenString, _ := functions.CreateUserJWT(authRequest.UserName, result.Networks, result.IsAdmin) + return tokenString, nil +} + // UpdateUser - updates a given user func UpdateUser(userchange models.User, user models.User) (models.User, error) { //check if user exists @@ -197,3 +226,14 @@ func DeleteUser(user string) (bool, error) { } return true, nil } + +// FetchAuthSecret - manages secrets for oauth +func FetchAuthSecret(key string, secret string) (string, error) { + var record, err = database.FetchRecord(database.GENERATED_TABLE_NAME, key) + if err != nil { + if err = database.Insert(key, secret, database.GENERATED_TABLE_NAME); err != nil { + return "", err + } + } + return record, nil +}