From 12875945057600a4f5202f981d3b3f1e10c03614 Mon Sep 17 00:00:00 2001 From: Philipp Heckel Date: Sat, 22 Jan 2022 23:01:20 -0500 Subject: [PATCH] Simplify tables --- cmd/serve.go | 13 +++ server/auth.go | 28 ++++++ server/auth_simple.go | 197 ------------------------------------------ server/auth_sqlite.go | 157 +++++++++++++++++++++++++++++++++ server/config.go | 6 ++ server/server.go | 24 ++--- 6 files changed, 217 insertions(+), 208 deletions(-) create mode 100644 server/auth.go delete mode 100644 server/auth_simple.go create mode 100644 server/auth_sqlite.go diff --git a/cmd/serve.go b/cmd/serve.go index 2a958c09..670da409 100644 --- a/cmd/serve.go +++ b/cmd/serve.go @@ -24,6 +24,8 @@ var flagsServe = []cli.Flag{ altsrc.NewStringFlag(&cli.StringFlag{Name: "firebase-key-file", Aliases: []string{"F"}, EnvVars: []string{"NTFY_FIREBASE_KEY_FILE"}, Usage: "Firebase credentials file; if set additionally publish to FCM topic"}), altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"C"}, EnvVars: []string{"NTFY_CACHE_FILE"}, Usage: "cache file used for message caching"}), altsrc.NewDurationFlag(&cli.DurationFlag{Name: "cache-duration", Aliases: []string{"b"}, EnvVars: []string{"NTFY_CACHE_DURATION"}, Value: server.DefaultCacheDuration, Usage: "buffer messages for this time to allow `since` requests"}), + altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}), + altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-permissions", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_PERMISSIONS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}), altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-cache-dir", EnvVars: []string{"NTFY_ATTACHMENT_CACHE_DIR"}, Usage: "cache directory for attached files"}), altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-total-size-limit", Aliases: []string{"A"}, EnvVars: []string{"NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT"}, DefaultText: "5G", Usage: "limit of the on-disk attachment cache"}), altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-file-size-limit", Aliases: []string{"Y"}, EnvVars: []string{"NTFY_ATTACHMENT_FILE_SIZE_LIMIT"}, DefaultText: "15M", Usage: "per-file attachment size limit (e.g. 300k, 2M, 100M)"}), @@ -80,6 +82,8 @@ func execServe(c *cli.Context) error { firebaseKeyFile := c.String("firebase-key-file") cacheFile := c.String("cache-file") cacheDuration := c.Duration("cache-duration") + authFile := c.String("auth-file") + authDefaultPermissions := c.String("auth-default-permissions") attachmentCacheDir := c.String("attachment-cache-dir") attachmentTotalSizeLimitStr := c.String("attachment-total-size-limit") attachmentFileSizeLimitStr := c.String("attachment-file-size-limit") @@ -126,8 +130,14 @@ func execServe(c *cli.Context) error { return errors.New("if attachment-cache-dir is set, base-url must also be set") } else if baseURL != "" && !strings.HasPrefix(baseURL, "http://") && !strings.HasPrefix(baseURL, "https://") { return errors.New("if set, base-url must start with http:// or https://") + } else if !util.InStringList([]string{"read-write", "read-only", "deny-all"}, authDefaultPermissions) { + return errors.New("if set, auth-default-permissions must start set to 'read-write', 'read-only' or 'deny-all'") } + // Default auth permissions + authDefaultRead := authDefaultPermissions == "read-write" || authDefaultPermissions == "read-only" + authDefaultWrite := authDefaultPermissions == "read-write" + // Special case: Unset default if listenHTTP == "-" { listenHTTP = "" @@ -164,6 +174,9 @@ func execServe(c *cli.Context) error { conf.FirebaseKeyFile = firebaseKeyFile conf.CacheFile = cacheFile conf.CacheDuration = cacheDuration + conf.AuthFile = authFile + conf.AuthDefaultRead = authDefaultRead + conf.AuthDefaultWrite = authDefaultWrite conf.AttachmentCacheDir = attachmentCacheDir conf.AttachmentTotalSizeLimit = attachmentTotalSizeLimit conf.AttachmentFileSizeLimit = attachmentFileSizeLimit diff --git a/server/auth.go b/server/auth.go new file mode 100644 index 00000000..d4a3110d --- /dev/null +++ b/server/auth.go @@ -0,0 +1,28 @@ +package server + +// auth is a generic interface to implement password-based authentication and authorization +type auth interface { + Authenticate(user, pass string) (*user, error) + Authorize(user *user, topic string, perm int) error +} + +type user struct { + Name string + Role string +} + +const ( + permRead = 1 + permWrite = 2 +) + +const ( + roleAdmin = "admin" + roleUser = "user" + roleNone = "none" +) + +var everyone = &user{ + Name: "", + Role: roleNone, +} diff --git a/server/auth_simple.go b/server/auth_simple.go deleted file mode 100644 index 87f566c8..00000000 --- a/server/auth_simple.go +++ /dev/null @@ -1,197 +0,0 @@ -package server - -import ( - "database/sql" - "fmt" - "golang.org/x/crypto/bcrypt" - "log" -) - -/* - -SELECT * FROM user; -SELECT * FROM topic; -SELECT * FROM topic_user; - -INSERT INTO user VALUES('phil','$2a$06$.4W0LI5mcxzxhpjUvpTaNeu0MhRO0T7B.CYnmAkRnlztIy7PrSODu', 'admin'); -INSERT INTO user VALUES('ben','$2a$06$skJK/AecWCUmiCjr69ke.Ow/hFA616RdvJJPxnI221zyohsRlyXL.', 'user'); -INSERT INTO user VALUES('marian','$2a$06$N/BcXR0g6XUlmWttMqciWugR6xQKm2lVj31HLid6Mc4cnzpeOMgnq', 'user'); - -INSERT INTO topic_user VALUES('alerts','ben',1,1); -INSERT INTO topic_user VALUES('alerts','marian',1,0); - -INSERT INTO topic VALUES('announcements',1,0); - -*/ - -const ( - permRead = 1 - permWrite = 2 -) - -const ( - roleAdmin = "admin" - roleUser = "user" - roleNone = "none" -) - -const ( - createAuthTablesQueries = ` - BEGIN; - CREATE TABLE IF NOT EXISTS user ( - user TEXT NOT NULL PRIMARY KEY, - pass TEXT NOT NULL, - role TEXT NOT NULL - ); - CREATE TABLE IF NOT EXISTS topic ( - topic TEXT NOT NULL PRIMARY KEY, - anon_read INT NOT NULL, - anon_write INT NOT NULL - ); - CREATE TABLE IF NOT EXISTS topic_user ( - topic TEXT NOT NULL, - user TEXT NOT NULL, - read INT NOT NULL, - write INT NOT NULL, - PRIMARY KEY (topic, user) - ); - CREATE TABLE IF NOT EXISTS schema_version ( - id INT PRIMARY KEY, - version INT NOT NULL - ); - COMMIT; - ` - selectUserQuery = `SELECT pass FROM user WHERE user = ?` - selectTopicPermsAnonQuery = `SELECT ?, anon_read, anon_write FROM topic WHERE topic = ?` - selectTopicPermsUserQuery = ` - SELECT role, IFNULL(read, 0), IFNULL(write, 0) - FROM user - LEFT JOIN topic_user ON user.user = topic_user.user AND topic_user.topic = ? - WHERE user.user = ? - ` -) - -type auther interface { - Authenticate(user, pass string) error - Authorize(user, topic string, perm int) error -} - -type memAuther struct { -} - -func (m *memAuther) Authenticate(user, pass string) error { - if user == "phil" && pass == "phil" { - return nil - } - return errHTTPUnauthorized -} - -func (m *memAuther) Authorize(user, topic string, perm int) error { - if perm == permRead { - return nil - } - if user == "phil" && topic == "mytopic" { - return nil - } - return errHTTPUnauthorized -} - -type sqliteAuther struct { - db *sql.DB - defaultRead bool - defaultWrite bool -} - -var _ auther = (*sqliteAuther)(nil) - -func newSqliteAuther(filename string, defaultRead, defaultWrite bool) (*sqliteAuther, error) { - db, err := sql.Open("sqlite3", filename) - if err != nil { - return nil, err - } - if err := setupNewAuthDB(db); err != nil { - return nil, err - } - return &sqliteAuther{ - db: db, - defaultRead: defaultRead, - defaultWrite: defaultWrite, - }, nil -} - -func setupNewAuthDB(db *sql.DB) error { - if _, err := db.Exec(createAuthTablesQueries); err != nil { - return err - } - // FIXME schema version - return nil -} - -func (a *sqliteAuther) Authenticate(user, pass string) error { - rows, err := a.db.Query(selectUserQuery, user) - if err != nil { - return err - } - defer rows.Close() - var hash string - if !rows.Next() { - return fmt.Errorf("user %s not found", user) - } - if err := rows.Scan(&hash); err != nil { - return err - } else if err := rows.Err(); err != nil { - return err - } - return bcrypt.CompareHashAndPassword([]byte(hash), []byte(pass)) -} - -func (a *sqliteAuther) Authorize(user, topic string, perm int) error { - if user == "" { - return a.authorizeAnon(topic, perm) - } - return a.authorizeUser(user, topic, perm) -} - -func (a *sqliteAuther) authorizeAnon(topic string, perm int) error { - rows, err := a.db.Query(selectTopicPermsAnonQuery, roleNone, topic) - if err != nil { - return err - } - return a.checkPerms(rows, perm) -} - -func (a *sqliteAuther) authorizeUser(user string, topic string, perm int) error { - rows, err := a.db.Query(selectTopicPermsUserQuery, topic, user) - if err != nil { - return err - } - return a.checkPerms(rows, perm) -} - -func (a *sqliteAuther) checkPerms(rows *sql.Rows, perm int) error { - defer rows.Close() - if !rows.Next() { - return a.resolvePerms(a.defaultRead, a.defaultWrite, perm) - } - var role string - var read, write bool - if err := rows.Scan(&role, &read, &write); err != nil { - return err - } else if err := rows.Err(); err != nil { - return err - } - log.Printf("%#v, %#v, %#v", role, read, write) - if role == roleAdmin { - return nil // Admin can do everything - } - return a.resolvePerms(read, write, perm) -} - -func (a *sqliteAuther) resolvePerms(read, write bool, perm int) error { - if perm == permRead && read { - return nil - } else if perm == permWrite && write { - return nil - } - return errHTTPUnauthorized -} diff --git a/server/auth_sqlite.go b/server/auth_sqlite.go new file mode 100644 index 00000000..548780f2 --- /dev/null +++ b/server/auth_sqlite.go @@ -0,0 +1,157 @@ +package server + +import ( + "database/sql" + "golang.org/x/crypto/bcrypt" +) + +/* + +SELECT * FROM user; +SELECT * FROM user_topic; + +INSERT INTO user VALUES ('phil','$2a$06$.4W0LI5mcxzxhpjUvpTaNeu0MhRO0T7B.CYnmAkRnlztIy7PrSODu', 'admin'); +INSERT INTO user VALUES ('ben','$2a$06$skJK/AecWCUmiCjr69ke.Ow/hFA616RdvJJPxnI221zyohsRlyXL.', 'user'); +INSERT INTO user VALUES ('marian','$2a$06$N/BcXR0g6XUlmWttMqciWugR6xQKm2lVj31HLid6Mc4cnzpeOMgnq', 'user'); + +INSERT INTO user_topic VALUES ('ben','alerts',1,1); +INSERT INTO user_topic VALUES ('marian','alerts',1,0); +INSERT INTO user_topic VALUES ('','announcements',1,0); +INSERT INTO user_topic VALUES ('','write-all',1,1); + +--- +dabbling for CLI + ntfy user add phil --role=admin + ntfy user del phil + ntfy user change-pass phil + ntfy user allow phil mytopic + ntfy user allow phil mytopic --read-only + ntfy user deny phil mytopic + ntfy user list + phil (admin) + - read-write access to everything + ben (user) + - read-write access to a topic alerts + - read access to + everyone (no user) + - read-only access to topic announcements + + +*/ + +const ( + createAuthTablesQueries = ` + BEGIN; + CREATE TABLE IF NOT EXISTS user ( + user TEXT NOT NULL PRIMARY KEY, + pass TEXT NOT NULL, + role TEXT NOT NULL + ); + CREATE TABLE IF NOT EXISTS user_topic ( + user TEXT NOT NULL, + topic TEXT NOT NULL, + read INT NOT NULL, + write INT NOT NULL, + PRIMARY KEY (topic, user) + ); + CREATE TABLE IF NOT EXISTS schema_version ( + id INT PRIMARY KEY, + version INT NOT NULL + ); + COMMIT; + ` + selectUserQuery = `SELECT pass, role FROM user WHERE user = ?` + selectTopicPermsQuery = ` + SELECT read, write + FROM user_topic + WHERE user IN ('', ?) AND topic = ? + ORDER BY user DESC + ` +) + +type sqliteAuth struct { + db *sql.DB + defaultRead bool + defaultWrite bool +} + +var _ auth = (*sqliteAuth)(nil) + +func newSqliteAuth(filename string, defaultRead, defaultWrite bool) (*sqliteAuth, error) { + db, err := sql.Open("sqlite3", filename) + if err != nil { + return nil, err + } + if err := setupNewAuthDB(db); err != nil { + return nil, err + } + return &sqliteAuth{ + db: db, + defaultRead: defaultRead, + defaultWrite: defaultWrite, + }, nil +} + +func setupNewAuthDB(db *sql.DB) error { + if _, err := db.Exec(createAuthTablesQueries); err != nil { + return err + } + // FIXME schema version + return nil +} + +func (a *sqliteAuth) Authenticate(username, password string) (*user, error) { + rows, err := a.db.Query(selectUserQuery, username) + if err != nil { + return nil, err + } + defer rows.Close() + var hash, role string + if rows.Next() { + if err := rows.Scan(&hash, &role); err != nil { + return nil, err + } else if err := rows.Err(); err != nil { + return nil, err + } + } + if err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)); err != nil { + return nil, err + } + return &user{ + Name: username, + Role: role, + }, nil +} + +func (a *sqliteAuth) Authorize(user *user, topic string, perm int) error { + if user.Role == roleAdmin { + return nil // Admin can do everything + } + // Select the read/write permissions for this user/topic combo. The query may return two + // rows (one for everyone, and one for the user), but prioritizes the user. The value for + // user.Name may be empty (= everyone). + rows, err := a.db.Query(selectTopicPermsQuery, user.Name, topic) + if err != nil { + return err + } + defer rows.Close() + if !rows.Next() { + return a.resolvePerms(a.defaultRead, a.defaultWrite, perm) + } + var read, write bool + if err := rows.Scan(&read, &write); err != nil { + return err + } else if err := rows.Err(); err != nil { + return err + } + return a.resolvePerms(read, write, perm) +} + +func (a *sqliteAuth) resolvePerms(read, write bool, perm int) error { + if perm == permRead && read { + return nil + } else if perm == permWrite && write { + return nil + } + return errHTTPUnauthorized +} diff --git a/server/config.go b/server/config.go index 1e2b31c0..1d72dfb8 100644 --- a/server/config.go +++ b/server/config.go @@ -55,6 +55,9 @@ type Config struct { FirebaseKeyFile string CacheFile string CacheDuration time.Duration + AuthFile string + AuthDefaultRead bool + AuthDefaultWrite bool AttachmentCacheDir string AttachmentTotalSizeLimit int64 AttachmentFileSizeLimit int64 @@ -97,6 +100,9 @@ func NewConfig() *Config { FirebaseKeyFile: "", CacheFile: "", CacheDuration: DefaultCacheDuration, + AuthFile: "", + AuthDefaultRead: true, + AuthDefaultWrite: true, AttachmentCacheDir: "", AttachmentTotalSizeLimit: DefaultAttachmentTotalSizeLimit, AttachmentFileSizeLimit: DefaultAttachmentFileSizeLimit, diff --git a/server/server.go b/server/server.go index 6a54815a..3c1daed5 100644 --- a/server/server.go +++ b/server/server.go @@ -46,7 +46,7 @@ type Server struct { firebase subscriber mailer mailer messages int64 - auther auther + auth auth cache cache fileCache *fileCache closeChan chan bool @@ -141,9 +141,12 @@ func New(conf *Config) (*Server, error) { return nil, err } } - auther, err := newSqliteAuther("user.db", false, false) - if err != nil { - return nil, err + var auth auth + if conf.AuthFile != "" { + auth, err = newSqliteAuth(conf.AuthFile, conf.AuthDefaultRead, conf.AuthDefaultWrite) + if err != nil { + return nil, err + } } return &Server{ config: conf, @@ -152,7 +155,7 @@ func New(conf *Config) (*Server, error) { firebase: firebaseSubscriber, mailer: mailer, topics: topics, - auther: auther, + auth: auth, visitors: make(map[string]*visitor), }, nil } @@ -1123,23 +1126,22 @@ func (s *Server) authRead(next handleFunc) handleFunc { func (s *Server) withAuth(next handleFunc, perm int) handleFunc { return func(w http.ResponseWriter, r *http.Request, v *visitor) error { - if s.auther == nil { + if s.auth == nil { return next(w, r, v) } t, err := s.topicFromPath(r.URL.Path) if err != nil { return err } - user, pass, ok := r.BasicAuth() + user := everyone + username, password, ok := r.BasicAuth() if ok { - if err := s.auther.Authenticate(user, pass); err != nil { + if user, err = s.auth.Authenticate(username, password); err != nil { log.Printf("authentication failed: %s", err.Error()) return errHTTPUnauthorized } - } else { - user = "" // Just in case } - if err := s.auther.Authorize(user, t.ID, perm); err != nil { + if err := s.auth.Authorize(user, t.ID, perm); err != nil { log.Printf("unauthorized: %s", err.Error()) return errHTTPUnauthorized }