From 393f95aeac8ddd95e136eb4131f885f197bb0113 Mon Sep 17 00:00:00 2001 From: Philipp Heckel Date: Sun, 23 Jan 2022 23:02:39 -0500 Subject: [PATCH] Auth CLI, continued --- auth/auth.go | 19 ++++++-- auth/auth_sqlite.go | 116 +++++++++++++++++++++++++++++++++++++------- cmd/user.go | 38 ++++++++++++++- cmd/user_allow.go | 45 ++++++++++------- cmd/user_deny.go | 6 +-- server/server.go | 2 +- 6 files changed, 183 insertions(+), 43 deletions(-) diff --git a/auth/auth.go b/auth/auth.go index 42c23866..9956778f 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -11,6 +11,8 @@ type Auther interface { type Manager interface { AddUser(username, password string, role Role) error RemoveUser(username string) error + Users() ([]*User, error) + User(username string) (*User, error) ChangePassword(username, password string) error ChangeRole(username string, role Role) error AllowAccess(username string, topic string, read bool, write bool) error @@ -18,8 +20,16 @@ type Manager interface { } type User struct { - Name string - Role Role + Name string + Pass string // hashed + Role Role + Grants []Grant +} + +type Grant struct { + Topic string + Read bool + Write bool } type Permission int @@ -52,4 +62,7 @@ func AllowedRole(role Role) bool { return role == RoleUser || role == RoleAdmin } -var ErrUnauthorized = errors.New("unauthorized") +var ( + ErrUnauthorized = errors.New("unauthorized") + ErrNotFound = errors.New("not found") +) diff --git a/auth/auth_sqlite.go b/auth/auth_sqlite.go index 9674374b..17cb1dd0 100644 --- a/auth/auth_sqlite.go +++ b/auth/auth_sqlite.go @@ -58,17 +58,19 @@ const ( // Manager-related queries const ( - insertUser = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)` - updateUserPass = `UPDATE user SET pass = ? WHERE user = ?` - updateUserRole = `UPDATE user SET role = ? WHERE user = ?` - upsertAccess = ` + insertUserQuery = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)` + selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user` + selectUserTopicPermsQuery = `SELECT topic, read, write FROM access WHERE user = ?` + updateUserPassQuery = `UPDATE user SET pass = ? WHERE user = ?` + updateUserRoleQuery = `UPDATE user SET role = ? WHERE user = ?` + upsertAccessQuery = ` INSERT INTO access (user, topic, read, write) VALUES (?, ?, ?, ?) ON CONFLICT (user, topic) DO UPDATE SET read=excluded.read, write=excluded.write ` - deleteUser = `DELETE FROM user WHERE user = ?` - deleteAllAccess = `DELETE FROM access WHERE user = ?` - deleteAccess = `DELETE FROM access WHERE user = ? AND topic = ?` + deleteUserQuery = `DELETE FROM user WHERE user = ?` + deleteAllAccessQuery = `DELETE FROM access WHERE user = ?` + deleteAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?` ) type SQLiteAuth struct { @@ -127,13 +129,17 @@ func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) { } func (a *SQLiteAuth) Authorize(user *User, topic string, perm Permission) error { - if user.Role == RoleAdmin { + if user != nil && user.Role == RoleAdmin { return nil // Admin can do everything } // Select the read/write permissions for this user/topic combo. The query may return two // rows (one for everyone, and one for the user), but prioritizes the user. The value for // user.Name may be empty (= everyone). - rows, err := a.db.Query(selectTopicPermsQuery, user.Name, topic) + var username string + if user != nil { + username = user.Name + } + rows, err := a.db.Query(selectTopicPermsQuery, username, topic) if err != nil { return err } @@ -164,42 +170,118 @@ func (a *SQLiteAuth) AddUser(username, password string, role Role) error { if err != nil { return err } - if _, err = a.db.Exec(insertUser, username, hash, role); err != nil { + if _, err = a.db.Exec(insertUserQuery, username, hash, role); err != nil { return err } return nil } func (a *SQLiteAuth) RemoveUser(username string) error { - if _, err := a.db.Exec(deleteUser, username); err != nil { + if _, err := a.db.Exec(deleteUserQuery, username); err != nil { return err } - if _, err := a.db.Exec(deleteAllAccess, username); err != nil { + if _, err := a.db.Exec(deleteAllAccessQuery, username); err != nil { return err } return nil } +func (a *SQLiteAuth) Users() ([]*User, error) { + rows, err := a.db.Query(selectUsernamesQuery) + if err != nil { + return nil, err + } + defer rows.Close() + usernames := make([]string, 0) + for rows.Next() { + var username string + if err := rows.Scan(&username); err != nil { + return nil, err + } else if err := rows.Err(); err != nil { + return nil, err + } + usernames = append(usernames, username) + } + rows.Close() + users := make([]*User, 0) + for _, username := range usernames { + user, err := a.User(username) + if err != nil { + return nil, err + } + users = append(users, user) + } + return users, nil +} + +func (a *SQLiteAuth) User(username string) (*User, error) { + urows, err := a.db.Query(selectUserQuery, username) + if err != nil { + return nil, err + } + defer urows.Close() + var hash, role string + if !urows.Next() { + return nil, ErrNotFound + } + if err := urows.Scan(&hash, &role); err != nil { + return nil, err + } else if err := urows.Err(); err != nil { + return nil, err + } + arows, err := a.db.Query(selectUserTopicPermsQuery, username) + if err != nil { + return nil, err + } + defer arows.Close() + grants := make([]Grant, 0) + for arows.Next() { + var topic string + var read, write bool + if err := arows.Scan(&topic, &read, &write); err != nil { + return nil, err + } else if err := arows.Err(); err != nil { + return nil, err + } + grants = append(grants, Grant{ + Topic: topic, + Read: read, + Write: write, + }) + } + return &User{ + Name: username, + Pass: hash, + Role: Role(role), + Grants: grants, + }, nil +} + func (a *SQLiteAuth) ChangePassword(username, password string) error { hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost) if err != nil { return err } - if _, err := a.db.Exec(updateUserPass, hash, username); err != nil { + if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil { return err } return nil } func (a *SQLiteAuth) ChangeRole(username string, role Role) error { - if _, err := a.db.Exec(updateUserRole, string(role), username); err != nil { + if _, err := a.db.Exec(updateUserRoleQuery, string(role), username); err != nil { return err } + if role == RoleAdmin { + if _, err := a.db.Exec(deleteAllAccessQuery, username); err != nil { + return err + } + } return nil } func (a *SQLiteAuth) AllowAccess(username string, topic string, read bool, write bool) error { - if _, err := a.db.Exec(upsertAccess, username, topic, read, write); err != nil { + if _, err := a.db.Exec(upsertAccessQuery, username, topic, read, write); err != nil { return err } return nil @@ -207,11 +289,11 @@ func (a *SQLiteAuth) AllowAccess(username string, topic string, read bool, write func (a *SQLiteAuth) ResetAccess(username string, topic string) error { if topic == "" { - if _, err := a.db.Exec(deleteAllAccess, username); err != nil { + if _, err := a.db.Exec(deleteAllAccessQuery, username); err != nil { return err } } else { - if _, err := a.db.Exec(deleteAccess, username, topic); err != nil { + if _, err := a.db.Exec(deleteAccessQuery, username, topic); err != nil { return err } } diff --git a/cmd/user.go b/cmd/user.go index 9de8f8d0..2d077300 100644 --- a/cmd/user.go +++ b/cmd/user.go @@ -69,7 +69,7 @@ var cmdUser = &cli.Command{ Name: "list", Aliases: []string{"chr"}, Usage: "change user role", - Action: execUserChangeRole, + Action: execUserList, }, }, } @@ -150,6 +150,42 @@ func execUserChangeRole(c *cli.Context) error { return nil } +func execUserList(c *cli.Context) error { + manager, err := createAuthManager(c) + if err != nil { + return err + } + users, err := manager.Users() + if err != nil { + return err + } + return showUsers(c, users) +} + +func showUsers(c *cli.Context, users []*auth.User) error { + for _, user := range users { + fmt.Fprintf(c.App.Writer, "User %s (%s)\n", user.Name, user.Role) + if user.Role == auth.RoleAdmin { + fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n") + } else if len(user.Grants) > 0 { + for _, grant := range user.Grants { + if grant.Read && grant.Write { + fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.Topic) + } else if grant.Read { + fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.Topic) + } else if grant.Write { + fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.Topic) + } else { + fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.Topic) + } + } + } else { + fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n") + } + } + return nil +} + func createAuthManager(c *cli.Context) (auth.Manager, error) { authFile := c.String("auth-file") authDefaultAccess := c.String("auth-default-access") diff --git a/cmd/user_allow.go b/cmd/user_allow.go index a7478ee3..c01b417e 100644 --- a/cmd/user_allow.go +++ b/cmd/user_allow.go @@ -8,6 +8,10 @@ import ( "heckel.io/ntfy/util" ) +const ( + userEveryone = "everyone" +) + var flagsAllow = append( userCommandFlags(), &cli.BoolFlag{Name: "reset", Aliases: []string{"r"}, Usage: "reset access for user (and topic)"}, @@ -16,7 +20,7 @@ var flagsAllow = append( var cmdAllow = &cli.Command{ Name: "allow", Usage: "Grant a user access to a topic", - UsageText: "ntfy allow USERNAME TOPIC [read-write|read-only|write-only]", + UsageText: "ntfy allow USERNAME TOPIC [read-write|read-only|write-only|none]", Flags: flagsAllow, Before: initConfigFileInputSource("config", flagsAllow), Action: execUserAllow, @@ -32,14 +36,14 @@ func execUserAllow(c *cli.Context) error { return errors.New("username expected, type 'ntfy allow --help' for help") } else if !reset && topic == "" { return errors.New("topic expected, type 'ntfy allow --help' for help") - } else if !util.InStringList([]string{"", "read-write", "read-only", "read", "ro", "write-only", "write", "wo", "none"}, perms) { + } else if !util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none"}, perms) { return errors.New("permission must be one of: read-write, read-only, write-only, or none (or the aliases: read, ro, write, wo)") } - if username == "everyone" { + if username == userEveryone { username = "" } - read := util.InStringList([]string{"", "read-write", "read-only", "read", "ro"}, perms) - write := util.InStringList([]string{"", "read-write", "write-only", "write", "wo"}, perms) + read := util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro"}, perms) + write := util.InStringList([]string{"", "read-write", "rw", "write-only", "write", "wo"}, perms) manager, err := createAuthManager(c) if err != nil { return err @@ -56,26 +60,31 @@ func doAccessAllow(c *cli.Context, manager auth.Manager, username string, topic } if username == "" { if read && write { - fmt.Fprintf(c.App.ErrWriter, "Anonymous users granted full access to topic %s\n", topic) + fmt.Fprintf(c.App.Writer, "Anonymous users granted full access to topic %s\n", topic) } else if read { - fmt.Fprintf(c.App.ErrWriter, "Anonymous users granted read-only access to topic %s\n", topic) + fmt.Fprintf(c.App.Writer, "Anonymous users granted read-only access to topic %s\n", topic) } else if write { - fmt.Fprintf(c.App.ErrWriter, "Anonymous users granted write-only access to topic %s\n", topic) + fmt.Fprintf(c.App.Writer, "Anonymous users granted write-only access to topic %s\n", topic) } else { - fmt.Fprintf(c.App.ErrWriter, "Revoked all access to topic %s for all anonymous users\n", topic) + fmt.Fprintf(c.App.Writer, "Revoked all access to topic %s for all anonymous users\n", topic) } } else { if read && write { - fmt.Fprintf(c.App.ErrWriter, "User %s now has read-write access to topic %s\n", username, topic) + fmt.Fprintf(c.App.Writer, "User %s now has read-write access to topic %s\n", username, topic) } else if read { - fmt.Fprintf(c.App.ErrWriter, "User %s now has read-only access to topic %s\n", username, topic) + fmt.Fprintf(c.App.Writer, "User %s now has read-only access to topic %s\n", username, topic) } else if write { - fmt.Fprintf(c.App.ErrWriter, "User %s now has write-only access to topic %s\n", username, topic) + fmt.Fprintf(c.App.Writer, "User %s now has write-only access to topic %s\n", username, topic) } else { - fmt.Fprintf(c.App.ErrWriter, "Revoked all access to topic %s for user %s\n", topic, username) + fmt.Fprintf(c.App.Writer, "Revoked all access to topic %s for user %s\n", topic, username) } } - return nil + user, err := manager.User(username) + if err != nil { + return err + } + fmt.Fprintln(c.App.Writer) + return showUsers(c, []*auth.User{user}) } func doAccessReset(c *cli.Context, manager auth.Manager, username, topic string) error { @@ -84,15 +93,15 @@ func doAccessReset(c *cli.Context, manager auth.Manager, username, topic string) } if username == "" { if topic == "" { - fmt.Fprintln(c.App.ErrWriter, "Reset access for all anonymous users and all topics") + fmt.Fprintln(c.App.Writer, "Reset access for all anonymous users and all topics") } else { - fmt.Fprintf(c.App.ErrWriter, "Reset access to topic %s for all anonymous users\n", topic) + fmt.Fprintf(c.App.Writer, "Reset access to topic %s for all anonymous users\n", topic) } } else { if topic == "" { - fmt.Fprintf(c.App.ErrWriter, "Reset access for user %s to all topics\n", username) + fmt.Fprintf(c.App.Writer, "Reset access for user %s to all topics\n", username) } else { - fmt.Fprintf(c.App.ErrWriter, "Reset access for user %s and topic %s\n", username, topic) + fmt.Fprintf(c.App.Writer, "Reset access for user %s and topic %s\n", username, topic) } } return nil diff --git a/cmd/user_deny.go b/cmd/user_deny.go index d757bf69..6431bdb1 100644 --- a/cmd/user_deny.go +++ b/cmd/user_deny.go @@ -20,11 +20,11 @@ func execUserDeny(c *cli.Context) error { username := c.Args().Get(0) topic := c.Args().Get(1) if username == "" { - return errors.New("username expected, type 'ntfy allow --help' for help") + return errors.New("username expected, type 'ntfy deny --help' for help") } else if topic == "" { - return errors.New("topic expected, type 'ntfy allow --help' for help") + return errors.New("topic expected, type 'ntfy deny --help' for help") } - if username == "everyone" { + if username == userEveryone { username = "" } manager, err := createAuthManager(c) diff --git a/server/server.go b/server/server.go index 887213a3..0cc53394 100644 --- a/server/server.go +++ b/server/server.go @@ -1134,7 +1134,7 @@ func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc { if err != nil { return err } - user := auth.Everyone + var user *auth.User // may stay nil if no auth header! username, password, ok := r.BasicAuth() if ok { if user, err = s.auth.Authenticate(username, password); err != nil {