登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 1

mysnapcore / mysnapd

forked from tupelo-shen / mysnapd 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
克隆/下载
auth.go 11.16 KB
一键复制 编辑 原始数据 按行查看 历史
tupelo-shen 提交于 2022-11-08 15:12 . fix: overlord commit
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399
// -*- Mode: Go; indent-tabs-mode: t -*-



/*

 * Copyright (C) 2016-2019 Canonical Ltd

 *

 * This program is free software: you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 3 as

 * published by the Free Software Foundation.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program.  If not, see <http://www.gnu.org/licenses/>.

 *

 */



package auth



import (

	"context"

	"crypto/rand"

	"encoding/base64"

	"errors"

	"fmt"

	"sort"

	"strconv"

	"time"



	"gopkg.in/macaroon.v1"



	"gitee.com/mysnapcore/mysnapd/overlord/state"

)



// AuthState represents current authenticated users as tracked in state

type AuthState struct {

	LastID      int          `json:"last-id"`

	Users       []UserState  `json:"users"`

	Device      *DeviceState `json:"device,omitempty"`

	MacaroonKey []byte       `json:"macaroon-key,omitempty"`

}



// DeviceState represents the device's identity and store credentials

type DeviceState struct {

	// Brand refers to the brand-id

	Brand  string `json:"brand,omitempty"`

	Model  string `json:"model,omitempty"`

	Serial string `json:"serial,omitempty"`



	KeyID string `json:"key-id,omitempty"`



	SessionMacaroon string `json:"session-macaroon,omitempty"`

}



// UserState represents an authenticated user

type UserState struct {

	ID              int       `json:"id"`

	Username        string    `json:"username,omitempty"`

	Email           string    `json:"email,omitempty"`

	Macaroon        string    `json:"macaroon,omitempty"`

	Discharges      []string  `json:"discharges,omitempty"`

	StoreMacaroon   string    `json:"store-macaroon,omitempty"`

	StoreDischarges []string  `json:"store-discharges,omitempty"`

	Expiration      time.Time `json:"expiration,omitempty"`

}



// identificationOnly returns a *UserState with only the

// identification information from u.

func (u *UserState) identificationOnly() *UserState {

	return &UserState{

		ID:       u.ID,

		Username: u.Username,

		Email:    u.Email,

	}

}



// HasStoreAuth returns true if the user has store authorization.

func (u *UserState) HasStoreAuth() bool {

	if u == nil {

		return false

	}

	return u.StoreMacaroon != ""

}



// HasExpired returns true if the user has an expiration set and

// current time is past the expiration date.

func (u *UserState) HasExpired() bool {

	// If the user has no expiration date, then Expiration should not

	// be set, and contain the default value.

	if u.Expiration.IsZero() {

		return false

	}

	return u.Expiration.Before(time.Now())

}



// MacaroonSerialize returns a store-compatible serialized representation of the given macaroon

func MacaroonSerialize(m *macaroon.Macaroon) (string, error) {

	marshalled, err := m.MarshalBinary()

	if err != nil {

		return "", err

	}

	encoded := base64.RawURLEncoding.EncodeToString(marshalled)

	return encoded, nil

}



// MacaroonDeserialize returns a deserialized macaroon from a given store-compatible serialization

func MacaroonDeserialize(serializedMacaroon string) (*macaroon.Macaroon, error) {

	var m macaroon.Macaroon

	decoded, err := base64.RawURLEncoding.DecodeString(serializedMacaroon)

	if err != nil {

		return nil, err

	}

	err = m.UnmarshalBinary(decoded)

	if err != nil {

		return nil, err

	}

	return &m, nil

}



// generateMacaroonKey generates a random key to sign snapd macaroons

func generateMacaroonKey() ([]byte, error) {

	key := make([]byte, 32)

	if _, err := rand.Read(key); err != nil {

		return nil, err

	}

	return key, nil

}



const snapdMacaroonLocation = "snapd"



// newUserMacaroon returns a snapd macaroon for the given username

func newUserMacaroon(macaroonKey []byte, userID int) (string, error) {

	userMacaroon, err := macaroon.New(macaroonKey, strconv.Itoa(userID), snapdMacaroonLocation)

	if err != nil {

		return "", fmt.Errorf("cannot create macaroon for snapd user: %s", err)

	}



	serializedMacaroon, err := MacaroonSerialize(userMacaroon)

	if err != nil {

		return "", fmt.Errorf("cannot serialize macaroon for snapd user: %s", err)

	}



	return serializedMacaroon, nil

}



// TODO: possibly move users' related functions to a userstate package



type NewUserParams struct {

	// Username is the name of the user on the system

	Username string

	// Email is the email associated with the user

	Email string

	// Macaroon is the store-associated authentication macaroon

	Macaroon string

	// Discharges contains discharged store auth caveats.

	Discharges []string

	// Expiration informs the devicestate that the user should be removed

	// when passing the expiration time. This is an optional setting.

	Expiration time.Time

}



// NewUser tracks a new authenticated user and saves its details in the state

func NewUser(st *state.State, userParams NewUserParams) (*UserState, error) {

	var authStateData AuthState



	err := st.Get("auth", &authStateData)

	if errors.Is(err, state.ErrNoState) {

		authStateData = AuthState{}

	} else if err != nil {

		return nil, err

	}



	if authStateData.MacaroonKey == nil {

		authStateData.MacaroonKey, err = generateMacaroonKey()

		if err != nil {

			return nil, err

		}

	}



	authStateData.LastID++



	localMacaroon, err := newUserMacaroon(authStateData.MacaroonKey, authStateData.LastID)

	if err != nil {

		return nil, err

	}



	sort.Strings(userParams.Discharges)

	authenticatedUser := UserState{

		ID:              authStateData.LastID,

		Username:        userParams.Username,

		Email:           userParams.Email,

		Macaroon:        localMacaroon,

		Discharges:      nil,

		StoreMacaroon:   userParams.Macaroon,

		StoreDischarges: userParams.Discharges,

		Expiration:      userParams.Expiration,

	}

	authStateData.Users = append(authStateData.Users, authenticatedUser)



	st.Set("auth", authStateData)



	return &authenticatedUser, nil

}



var ErrInvalidUser = errors.New("invalid user")



// RemoveUser removes a user from the state given its ID.

func RemoveUser(st *state.State, userID int) (removed *UserState, err error) {

	return removeUser(st, func(u *UserState) bool { return u.ID == userID })

}



// RemoveUserByUsername removes a user from the state given its username. Returns a *UserState with the identification information for them.

func RemoveUserByUsername(st *state.State, username string) (removed *UserState, err error) {

	return removeUser(st, func(u *UserState) bool { return u.Username == username })

}



// removeUser removes the first user matching given predicate.

func removeUser(st *state.State, p func(*UserState) bool) (*UserState, error) {

	var authStateData AuthState



	err := st.Get("auth", &authStateData)

	if errors.Is(err, state.ErrNoState) {

		return nil, ErrInvalidUser

	}

	if err != nil {

		return nil, err

	}



	for i := range authStateData.Users {

		u := &authStateData.Users[i]

		if p(u) {

			removed := u.identificationOnly()

			// delete without preserving order

			n := len(authStateData.Users) - 1

			authStateData.Users[i] = authStateData.Users[n]

			authStateData.Users[n] = UserState{}

			authStateData.Users = authStateData.Users[:n]

			st.Set("auth", authStateData)

			return removed, nil

		}

	}



	return nil, ErrInvalidUser

}



func Users(st *state.State) ([]*UserState, error) {

	var authStateData AuthState



	err := st.Get("auth", &authStateData)

	if errors.Is(err, state.ErrNoState) {

		return nil, nil

	}

	if err != nil {

		return nil, err

	}



	users := make([]*UserState, len(authStateData.Users))

	for i := range authStateData.Users {

		users[i] = &authStateData.Users[i]

	}

	return users, nil

}



// User returns a user from the state given its ID.

func User(st *state.State, id int) (*UserState, error) {

	return findUser(st, func(u *UserState) bool { return u.ID == id })

}



// UserByUsername returns a user from the state given its username.

func UserByUsername(st *state.State, username string) (*UserState, error) {

	return findUser(st, func(u *UserState) bool { return u.Username == username })

}



// findUser finds the first user matching given predicate.

func findUser(st *state.State, p func(*UserState) bool) (*UserState, error) {

	var authStateData AuthState



	err := st.Get("auth", &authStateData)

	if errors.Is(err, state.ErrNoState) {

		return nil, ErrInvalidUser

	}

	if err != nil {

		return nil, err

	}



	for i := range authStateData.Users {

		u := &authStateData.Users[i]

		if p(u) {

			return u, nil

		}

	}

	return nil, ErrInvalidUser

}



// UpdateUser updates user in state

func UpdateUser(st *state.State, user *UserState) error {

	var authStateData AuthState



	err := st.Get("auth", &authStateData)

	if errors.Is(err, state.ErrNoState) {

		return ErrInvalidUser

	}

	if err != nil {

		return err

	}



	for i := range authStateData.Users {

		if authStateData.Users[i].ID == user.ID {

			authStateData.Users[i] = *user

			st.Set("auth", authStateData)

			return nil

		}

	}



	return ErrInvalidUser

}



var ErrInvalidAuth = fmt.Errorf("invalid authentication")



// CheckMacaroon returns the UserState for the given macaroon/discharges credentials

func CheckMacaroon(st *state.State, macaroon string, discharges []string) (*UserState, error) {

	var authStateData AuthState

	err := st.Get("auth", &authStateData)

	if err != nil {

		return nil, ErrInvalidAuth

	}



	snapdMacaroon, err := MacaroonDeserialize(macaroon)

	if err != nil {

		return nil, ErrInvalidAuth

	}

	// attempt snapd macaroon verification

	if snapdMacaroon.Location() == snapdMacaroonLocation {

		// no caveats to check so far

		check := func(caveat string) error { return nil }

		// ignoring discharges, unused for snapd macaroons atm

		err = snapdMacaroon.Verify(authStateData.MacaroonKey, check, nil)

		if err != nil {

			return nil, ErrInvalidAuth

		}

		macaroonID := snapdMacaroon.Id()

		userID, err := strconv.Atoi(macaroonID)

		if err != nil {

			return nil, ErrInvalidAuth

		}

		user, err := User(st, userID)

		if err != nil {

			return nil, ErrInvalidAuth

		}

		if macaroon != user.Macaroon {

			return nil, ErrInvalidAuth

		}

		return user, nil

	}



	// if macaroon is not a snapd macaroon, fallback to previous token-style check

NextUser:

	for _, user := range authStateData.Users {

		if user.Macaroon != macaroon {

			continue

		}

		if len(user.Discharges) != len(discharges) {

			continue

		}

		// sort discharges (stored users' discharges are already sorted)

		sort.Strings(discharges)

		for i, d := range user.Discharges {

			if d != discharges[i] {

				continue NextUser

			}

		}

		return &user, nil

	}

	return nil, ErrInvalidAuth

}



// CloudInfo reflects cloud information for the system (as captured in the core configuration).

type CloudInfo struct {

	Name             string `json:"name"`

	Region           string `json:"region,omitempty"`

	AvailabilityZone string `json:"availability-zone,omitempty"`

}



type ensureContextKey struct{}



// EnsureContextTODO returns a provisional context marked as

// pertaining to an Ensure loop.

// TODO: see Overlord.Loop to replace it with a proper context passed to all Ensures.

func EnsureContextTODO() context.Context {

	ctx := context.TODO()

	return context.WithValue(ctx, ensureContextKey{}, struct{}{})

}



// IsEnsureContext returns whether context was marked as pertaining to an Ensure loop.

func IsEnsureContext(ctx context.Context) bool {

	return ctx.Value(ensureContextKey{}) != nil

}
Go
1
https://gitee.com/mysnapcore/mysnapd.git
git@gitee.com:mysnapcore/mysnapd.git
mysnapcore
mysnapd
mysnapd
v0.1.0
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
53164aa7 5694891 3bd8fe86 5694891