memos/api/v2/acl.go

package v2

import (
	"context"
	"net/http"
	"strconv"
	"strings"
	"time"

	"github.com/golang-jwt/jwt/v4"
	"github.com/pkg/errors"
	"github.com/usememos/memos/api/auth"
	"github.com/usememos/memos/common/util"
	"github.com/usememos/memos/store"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"
)

// ContextKey is the key type of context value.
type ContextKey int

const (
	// The key name used to store user id in the context
	// user id is extracted from the jwt token subject field.
	UserIDContextKey ContextKey = iota
)

var authenticationAllowlistMethods = map[string]bool{
	"/memos.api.v2.SystemService/GetSystemInfo": true,
	"/memos.api.v2.UserService/GetUser":         true,
	"/memos.api.v2.MemoService/ListMemos":       true,
}

// IsAuthenticationAllowed returns whether the method is exempted from authentication.
func IsAuthenticationAllowed(fullMethodName string) bool {
	if strings.HasPrefix(fullMethodName, "/grpc.reflection") {
		return true
	}
	return authenticationAllowlistMethods[fullMethodName]
}

// GRPCAuthInterceptor is the auth interceptor for gRPC server.
type GRPCAuthInterceptor struct {
	store  *store.Store
	secret string
}

// NewGRPCAuthInterceptor returns a new API auth interceptor.
func NewGRPCAuthInterceptor(store *store.Store, secret string) *GRPCAuthInterceptor {
	return &GRPCAuthInterceptor{
		store:  store,
		secret: secret,
	}
}

// AuthenticationInterceptor is the unary interceptor for gRPC API.
func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, request any, serverInfo *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return nil, status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")
	}
	accessTokenStr, err := getTokenFromMetadata(md)
	if err != nil {
		return nil, status.Errorf(codes.Unauthenticated, err.Error())
	}

	userID, err := in.authenticate(ctx, accessTokenStr)
	if err != nil {
		if IsAuthenticationAllowed(serverInfo.FullMethod) {
			return handler(ctx, request)
		}
		return nil, err
	}

	// Stores userID into context.
	childCtx := context.WithValue(ctx, UserIDContextKey, userID)
	return handler(childCtx, request)
}

func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessTokenStr string) (int32, error) {
	if accessTokenStr == "" {
		return 0, status.Errorf(codes.Unauthenticated, "access token not found")
	}
	claims := &claimsMessage{}
	_, err := jwt.ParseWithClaims(accessTokenStr, claims, func(t *jwt.Token) (any, error) {
		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
			return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
		}
		if kid, ok := t.Header["kid"].(string); ok {
			if kid == "v1" {
				return []byte(in.secret), nil
			}
		}
		return nil, status.Errorf(codes.Unauthenticated, "unexpected access token kid=%v", t.Header["kid"])
	})
	if err != nil {
		return 0, status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
	}
	if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) {
		return 0, status.Errorf(codes.Unauthenticated,
			"invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
			claims.Audience,
			auth.AccessTokenAudienceName,
		)
	}

	userID, err := util.ConvertStringToInt32(claims.Subject)
	if err != nil {
		return 0, status.Errorf(codes.Unauthenticated, "malformed ID %q in the access token", claims.Subject)
	}
	user, err := in.store.GetUser(ctx, &store.FindUser{
		ID: &userID,
	})
	if err != nil {
		return 0, status.Errorf(codes.Unauthenticated, "failed to find user ID %q in the access token", userID)
	}
	if user == nil {
		return 0, status.Errorf(codes.Unauthenticated, "user ID %q not exists in the access token", userID)
	}
	if user.RowStatus == store.Archived {
		return 0, status.Errorf(codes.Unauthenticated, "user ID %q has been deactivated by administrators", userID)
	}

	return userID, nil
}

func getTokenFromMetadata(md metadata.MD) (string, error) {
	authorizationHeaders := md.Get("Authorization")
	if len(md.Get("Authorization")) > 0 {
		authHeaderParts := strings.Fields(authorizationHeaders[0])
		if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
			return "", errors.Errorf("authorization header format must be Bearer {token}")
		}
		return authHeaderParts[1], nil
	}
	// check the HTTP cookie
	var accessToken string
	for _, t := range append(md.Get("grpcgateway-cookie"), md.Get("cookie")...) {
		header := http.Header{}
		header.Add("Cookie", t)
		request := http.Request{Header: header}
		if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil {
			accessToken = v.Value
		}
	}
	return accessToken, nil
}

func audienceContains(audience jwt.ClaimStrings, token string) bool {
	for _, v := range audience {
		if v == token {
			return true
		}
	}
	return false
}

type claimsMessage struct {
	Name string `json:"name"`
	jwt.RegisteredClaims
}

// GenerateAccessToken generates an access token for web.
func GenerateAccessToken(username string, userID int, secret string) (string, error) {
	expirationTime := time.Now().Add(auth.AccessTokenDuration)
	return generateToken(username, userID, auth.AccessTokenAudienceName, expirationTime, []byte(secret))
}

func generateToken(username string, userID int, aud string, expirationTime time.Time, secret []byte) (string, error) {
	// Create the JWT claims, which includes the username and expiry time.
	claims := &claimsMessage{
		Name: username,
		RegisteredClaims: jwt.RegisteredClaims{
			Audience: jwt.ClaimStrings{aud},
			// In JWT, the expiry time is expressed as unix milliseconds.
			ExpiresAt: jwt.NewNumericDate(expirationTime),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			Issuer:    auth.Issuer,
			Subject:   strconv.Itoa(userID),
		},
	}

	// Declare the token with the HS256 algorithm used for signing, and the claims.
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	token.Header["kid"] = auth.KeyID

	// Create the JWT string.
	tokenString, err := token.SignedString(secret)
	if err != nil {
		return "", err
	}

	return tokenString, nil
}
chore: update auth middleware (#2057) * chore: update auth middleware * chore: update * chore: update 2023-07-31 20:55:40 +08:00			`package v2`

			`import (`
			`"context"`
			`"net/http"`
			`"strconv"`
			`"strings"`
			`"time"`

			`"github.com/golang-jwt/jwt/v4"`
			`"github.com/pkg/errors"`
			`"github.com/usememos/memos/api/auth"`
chore: update id type to int32 (#2076) 2023-08-04 21:55:07 +08:00			`"github.com/usememos/memos/common/util"`
chore: update auth middleware (#2057) * chore: update auth middleware * chore: update * chore: update 2023-07-31 20:55:40 +08:00			`"github.com/usememos/memos/store"`
			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/metadata"`
			`"google.golang.org/grpc/status"`
			`)`

chore: initial memo service definition (#2077) * chore: initial memo service definition * chore: update * chore: update * chore: update 2023-08-05 09:32:52 +08:00			`// ContextKey is the key type of context value.`
			`type ContextKey int`

			`const (`
			`// The key name used to store user id in the context`
			`// user id is extracted from the jwt token subject field.`
			`UserIDContextKey ContextKey = iota`
			`)`

chore: update auth middleware (#2057) * chore: update auth middleware * chore: update * chore: update 2023-07-31 20:55:40 +08:00			`var authenticationAllowlistMethods = map[string]bool{`
feat: add system service (#2083) * feat: add system service * chore: update 2023-08-05 21:30:23 +08:00			`"/memos.api.v2.SystemService/GetSystemInfo": true,`
			`"/memos.api.v2.UserService/GetUser": true,`
			`"/memos.api.v2.MemoService/ListMemos": true,`
chore: update auth middleware (#2057) * chore: update auth middleware * chore: update * chore: update 2023-07-31 20:55:40 +08:00			`}`

			`// IsAuthenticationAllowed returns whether the method is exempted from authentication.`
			`func IsAuthenticationAllowed(fullMethodName string) bool {`
			`if strings.HasPrefix(fullMethodName, "/grpc.reflection") {`
			`return true`
			`}`
			`return authenticationAllowlistMethods[fullMethodName]`
			`}`

			`// GRPCAuthInterceptor is the auth interceptor for gRPC server.`
			`type GRPCAuthInterceptor struct {`
			`store *store.Store`
			`secret string`
			`}`

			`// NewGRPCAuthInterceptor returns a new API auth interceptor.`
			`func NewGRPCAuthInterceptor(store store.Store, secret string) GRPCAuthInterceptor {`
			`return &GRPCAuthInterceptor{`
			`store: store,`
			`secret: secret,`
			`}`
			`}`

			`// AuthenticationInterceptor is the unary interceptor for gRPC API.`
			`func (in GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, request any, serverInfo grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {`
			`md, ok := metadata.FromIncomingContext(ctx)`
			`if !ok {`
			`return nil, status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")`
			`}`
			`accessTokenStr, err := getTokenFromMetadata(md)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Unauthenticated, err.Error())`
			`}`

			`userID, err := in.authenticate(ctx, accessTokenStr)`
			`if err != nil {`
			`if IsAuthenticationAllowed(serverInfo.FullMethod) {`
			`return handler(ctx, request)`
			`}`
			`return nil, err`
			`}`

			`// Stores userID into context.`
			`childCtx := context.WithValue(ctx, UserIDContextKey, userID)`
			`return handler(childCtx, request)`
			`}`

chore: update id type to int32 (#2076) 2023-08-04 21:55:07 +08:00			`func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessTokenStr string) (int32, error) {`
chore: update auth middleware (#2057) * chore: update auth middleware * chore: update * chore: update 2023-07-31 20:55:40 +08:00			`if accessTokenStr == "" {`
			`return 0, status.Errorf(codes.Unauthenticated, "access token not found")`
			`}`
			`claims := &claimsMessage{}`
			`_, err := jwt.ParseWithClaims(accessTokenStr, claims, func(t *jwt.Token) (any, error) {`
			`if t.Method.Alg() != jwt.SigningMethodHS256.Name {`
			`return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)`
			`}`
			`if kid, ok := t.Header["kid"].(string); ok {`
			`if kid == "v1" {`
			`return []byte(in.secret), nil`
			`}`
			`}`
			`return nil, status.Errorf(codes.Unauthenticated, "unexpected access token kid=%v", t.Header["kid"])`
			`})`
			`if err != nil {`
			`return 0, status.Errorf(codes.Unauthenticated, "Invalid or expired access token")`
			`}`
			`if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) {`
			`return 0, status.Errorf(codes.Unauthenticated,`
			`"invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",`
			`claims.Audience,`
			`auth.AccessTokenAudienceName,`
			`)`
			`}`

chore: update id type to int32 (#2076) 2023-08-04 21:55:07 +08:00			`userID, err := util.ConvertStringToInt32(claims.Subject)`
chore: update auth middleware (#2057) * chore: update auth middleware * chore: update * chore: update 2023-07-31 20:55:40 +08:00			`if err != nil {`
			`return 0, status.Errorf(codes.Unauthenticated, "malformed ID %q in the access token", claims.Subject)`
			`}`
			`user, err := in.store.GetUser(ctx, &store.FindUser{`
			`ID: &userID,`
			`})`
			`if err != nil {`
			`return 0, status.Errorf(codes.Unauthenticated, "failed to find user ID %q in the access token", userID)`
			`}`
			`if user == nil {`
			`return 0, status.Errorf(codes.Unauthenticated, "user ID %q not exists in the access token", userID)`
			`}`
			`if user.RowStatus == store.Archived {`
			`return 0, status.Errorf(codes.Unauthenticated, "user ID %q has been deactivated by administrators", userID)`
			`}`

			`return userID, nil`
			`}`

			`func getTokenFromMetadata(md metadata.MD) (string, error) {`
			`authorizationHeaders := md.Get("Authorization")`
			`if len(md.Get("Authorization")) > 0 {`
			`authHeaderParts := strings.Fields(authorizationHeaders[0])`
			`if len(authHeaderParts) != 2 \|\| strings.ToLower(authHeaderParts[0]) != "bearer" {`
			`return "", errors.Errorf("authorization header format must be Bearer {token}")`
			`}`
			`return authHeaderParts[1], nil`
			`}`
			`// check the HTTP cookie`
			`var accessToken string`
			`for _, t := range append(md.Get("grpcgateway-cookie"), md.Get("cookie")...) {`
			`header := http.Header{}`
			`header.Add("Cookie", t)`
			`request := http.Request{Header: header}`
			`if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil {`
			`accessToken = v.Value`
			`}`
			`}`
			`return accessToken, nil`
			`}`

			`func audienceContains(audience jwt.ClaimStrings, token string) bool {`
			`for _, v := range audience {`
			`if v == token {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`type claimsMessage struct {`
			Name string `json:"name"`
			`jwt.RegisteredClaims`
			`}`

			`// GenerateAccessToken generates an access token for web.`
			`func GenerateAccessToken(username string, userID int, secret string) (string, error) {`
			`expirationTime := time.Now().Add(auth.AccessTokenDuration)`
			`return generateToken(username, userID, auth.AccessTokenAudienceName, expirationTime, []byte(secret))`
			`}`

			`func generateToken(username string, userID int, aud string, expirationTime time.Time, secret []byte) (string, error) {`
			`// Create the JWT claims, which includes the username and expiry time.`
			`claims := &claimsMessage{`
			`Name: username,`
			`RegisteredClaims: jwt.RegisteredClaims{`
			`Audience: jwt.ClaimStrings{aud},`
			`// In JWT, the expiry time is expressed as unix milliseconds.`
			`ExpiresAt: jwt.NewNumericDate(expirationTime),`
			`IssuedAt: jwt.NewNumericDate(time.Now()),`
			`Issuer: auth.Issuer,`
			`Subject: strconv.Itoa(userID),`
			`},`
			`}`

			`// Declare the token with the HS256 algorithm used for signing, and the claims.`
			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`token.Header["kid"] = auth.KeyID`

			`// Create the JWT string.`
			`tokenString, err := token.SignedString(secret)`
			`if err != nil {`
			`return "", err`
			`}`

			`return tokenString, nil`
			`}`