authd/src/main.cr

require "uuid"
require "option_parser"
require "openssl"

require "jwt"
require "passwd"
require "ipc"

require "./authd.cr"

extend AuthD

class IPC::Connection
	def send(type : AuthD::Response::Type, payload : String)
		send type.to_u8, payload
	end
end

authd_passwd_file = "passwd"
authd_group_file = "group"
authd_jwt_key = "nico-nico-nii"

OptionParser.parse do |parser|
	parser.on "-u file", "--passwd-file file", "passwd file." do |name|
		authd_passwd_file = name
	end

	parser.on "-g file", "--group-file file", "group file." do |name|
		authd_group_file = name
	end

	parser.on "-K file", "--key-file file", "JWT key file" do |file_name|
		authd_jwt_key = File.read(file_name).chomp
	end

	parser.on "-h", "--help", "Show this help" do
		puts parser

		exit 0
	end
end

passwd = Passwd.new authd_passwd_file, authd_group_file

##
# Provides a JWT-based authentication scheme for service-specific users.
IPC::Service.new "auth" do |event|
	if event.is_a? IPC::Exception
		puts "oh no"
		pp! event
		next
	end

	case event
	when IPC::Event::Message
		client = event.connection

		message = event.message
		payload = message.payload

		case Request::Type.new message.type.to_i
		when Request::Type::GetToken
			begin
				request = Request::GetToken.from_json String.new payload
			rescue e
				client.send Response::Type::Malformed.value.to_u8, e.message || ""

				next
			end

			user = passwd.get_user request.login, request.password

			if user.nil?
				client.send Response::Type::InvalidCredentials.value.to_u8, ""
				
				next
			end

			client.send Response::Type::Ok.value.to_u8,
				JWT.encode user.to_h, authd_jwt_key, JWT::Algorithm::HS256
		when Request::Type::AddUser
			begin
				request = Request::AddUser.from_json String.new payload
			rescue e
				client.send Response::Type::Malformed.value.to_u8, e.message || ""

				next
			end

			if request.shared_key != authd_jwt_key
				client.send Response::Type::AuthenticationError, "Invalid authentication key."
				next
			end

			if passwd.user_exists? request.login
				client.send Response::Type::InvalidUser, "Another user with the same login already exists."

				next
			end

			user = passwd.add_user request.login, request.password

			client.send Response::Type::Ok, user.sanitize!.to_json
		when Request::Type::GetUserByCredentials
			begin
				request = Request::GetUserByCredentials.from_json String.new payload
			rescue e
				client.send Response::Type::Malformed, e.message || ""
				next
			end

			user = passwd.get_user request.login, request.password

			if user
				client.send Response::Type::Ok, user.sanitize!.to_json
			else
				client.send Response::Type::UserNotFound, ""
			end
		when Request::Type::GetUser
			begin
				request = Request::GetUser.from_json String.new payload
			rescue e
				client.send Response::Type::Malformed, e.message || ""
				next
			end

			user = passwd.get_user request.uid

			if user
				client.send Response::Type::Ok, user.sanitize!.to_json
			else
				client.send Response::Type::UserNotFound, ""
			end
		when Request::Type::ModUser
			begin
				request = Request::ModUser.from_json String.new payload
			rescue e
				client.send Response::Type::Malformed, e.message || ""
				next
			end

			if request.shared_key != authd_jwt_key
				client.send Response::Type::AuthenticationError, "Invalid authentication key."
				next
			end

			password_hash = request.password.try do |s|
				Passwd.hash_password s
			end

			passwd.mod_user request.uid, password_hash: password_hash

			client.send Response::Type::Ok, ""
		end
	end
end
initial commit 2018-09-22 19:08:28 +02:00			`require "uuid"`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`require "option_parser"`
Fixing obsolete requires. 2019-02-19 20:45:19 +01:00			`require "openssl"`
initial commit 2018-09-22 19:08:28 +02:00
			`require "jwt"`
Split "passwd" to a shard. 2019-11-17 15:56:35 +01:00			`require "passwd"`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`require "ipc"`

			`require "./authd.cr"`

			`extend AuthD`
Various. - JWT key can be set from command-line (through a file). - User class split to a separate file to allow use by other tools. - Minor style changes. 2018-09-22 21:23:50 +02:00
Updates for new libipc APIs. 2019-06-05 22:30:29 +02:00			`class IPC::Connection`
Grooming. 2019-11-22 17:31:56 +01:00			`def send(type : AuthD::Response::Type, payload : String)`
Updates for new libipc APIs. 2019-06-05 22:30:29 +02:00			`send type.to_u8, payload`
WIP registration. 2018-12-19 13:54:19 +01:00			`end`
			`end`

Crecto replacement. Replaced by a `passwd` and `group` files reader that both follow UNIX format. Only difference with a live system will be the password hash field, which is stored in `passwd` instead of a dedicated `shadow` file (and which is likely encoded differently). 2018-12-17 00:56:03 +01:00			`authd_passwd_file = "passwd"`
			`authd_group_file = "group"`
Improved configuration CLI. 2018-09-22 19:46:48 +02:00			`authd_jwt_key = "nico-nico-nii"`
initial commit 2018-09-22 19:08:28 +02:00
Imposed authentication on a few requests. 2019-10-10 20:58:44 +02:00			`OptionParser.parse do \|parser\|`
Crecto replacement. Replaced by a `passwd` and `group` files reader that both follow UNIX format. Only difference with a live system will be the password hash field, which is stored in `passwd` instead of a dedicated `shadow` file (and which is likely encoded differently). 2018-12-17 00:56:03 +01:00			`parser.on "-u file", "--passwd-file file", "passwd file." do \|name\|`
			`authd_passwd_file = name`
initial commit 2018-09-22 19:08:28 +02:00			`end`

Crecto replacement. Replaced by a `passwd` and `group` files reader that both follow UNIX format. Only difference with a live system will be the password hash field, which is stored in `passwd` instead of a dedicated `shadow` file (and which is likely encoded differently). 2018-12-17 00:56:03 +01:00			`parser.on "-g file", "--group-file file", "group file." do \|name\|`
			`authd_group_file = name`
Improved configuration CLI. 2018-09-22 19:46:48 +02:00			`end`

			`parser.on "-K file", "--key-file file", "JWT key file" do \|file_name\|`
chomp() used instead of gsub where possible. 2018-09-24 22:10:24 +02:00			`authd_jwt_key = File.read(file_name).chomp`
initial commit 2018-09-22 19:08:28 +02:00			`end`

Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`parser.on "-h", "--help", "Show this help" do`
			`puts parser`
initial commit 2018-09-22 19:08:28 +02:00
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`exit 0`
initial commit 2018-09-22 19:08:28 +02:00			`end`
			`end`

Crecto replacement. Replaced by a `passwd` and `group` files reader that both follow UNIX format. Only difference with a live system will be the password hash field, which is stored in `passwd` instead of a dedicated `shadow` file (and which is likely encoded differently). 2018-12-17 00:56:03 +01:00			`passwd = Passwd.new authd_passwd_file, authd_group_file`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00
			`##`
			`# Provides a JWT-based authentication scheme for service-specific users.`
			`IPC::Service.new "auth" do \|event\|`
Updates for new libipc APIs. 2019-06-05 22:30:29 +02:00			`if event.is_a? IPC::Exception`
			`puts "oh no"`
			`pp! event`
			`next`
			`end`

Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`case event`
			`when IPC::Event::Message`
Updating for new IPC.cr API. 2019-11-03 13:17:24 +01:00			`client = event.connection`

Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`message = event.message`
			`payload = message.payload`

Grooming. 2019-11-22 17:31:56 +01:00			`case Request::Type.new message.type.to_i`
			`when Request::Type::GetToken`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`begin`
Grooming. 2019-11-22 17:31:56 +01:00			`request = Request::GetToken.from_json String.new payload`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`rescue e`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Malformed.value.to_u8, e.message \|\| ""`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00
			`next`
			`end`

Variable naming. Some breaking changes in the communications with authd (some request attributes renamed), but projects using AuthD::Client shouldn’t see anything. 2018-12-17 04:39:01 +01:00			`user = passwd.get_user request.login, request.password`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00
			`if user.nil?`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::InvalidCredentials.value.to_u8, ""`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00
			`next`
			`end`

Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Ok.value.to_u8,`
Update to new crystal-jwt APIs. 2019-06-28 18:20:34 +02:00			`JWT.encode user.to_h, authd_jwt_key, JWT::Algorithm::HS256`
Grooming. 2019-11-22 17:31:56 +01:00			`when Request::Type::AddUser`
WIP registration. 2018-12-19 13:54:19 +01:00			`begin`
Grooming. 2019-11-22 17:31:56 +01:00			`request = Request::AddUser.from_json String.new payload`
WIP registration. 2018-12-19 13:54:19 +01:00			`rescue e`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Malformed.value.to_u8, e.message \|\| ""`
WIP registration. 2018-12-19 13:54:19 +01:00
			`next`
			`end`

Imposed authentication on a few requests. 2019-10-10 20:58:44 +02:00			`if request.shared_key != authd_jwt_key`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::AuthenticationError, "Invalid authentication key."`
Imposed authentication on a few requests. 2019-10-10 20:58:44 +02:00			`next`
			`end`

WIP registration. 2018-12-19 13:54:19 +01:00			`if passwd.user_exists? request.login`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::InvalidUser, "Another user with the same login already exists."`
WIP registration. 2018-12-19 13:54:19 +01:00
			`next`
			`end`

			`user = passwd.add_user request.login, request.password`

Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Ok, user.sanitize!.to_json`
			`when Request::Type::GetUserByCredentials`
AuthD::Client#get_user?(login, password) added. 2019-02-16 22:06:56 +01:00			`begin`
Grooming. 2019-11-22 17:31:56 +01:00			`request = Request::GetUserByCredentials.from_json String.new payload`
AuthD::Client#get_user?(login, password) added. 2019-02-16 22:06:56 +01:00			`rescue e`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Malformed, e.message \|\| ""`
AuthD::Client#get_user?(login, password) added. 2019-02-16 22:06:56 +01:00			`next`
			`end`

			`user = passwd.get_user request.login, request.password`

			`if user`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Ok, user.sanitize!.to_json`
AuthD::Client#get_user?(login, password) added. 2019-02-16 22:06:56 +01:00			`else`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::UserNotFound, ""`
AuthD::Client#get_user?(login, password) added. 2019-02-16 22:06:56 +01:00			`end`
Grooming. 2019-11-22 17:31:56 +01:00			`when Request::Type::GetUser`
GetUser requests. 2019-01-07 17:04:20 +01:00			`begin`
Grooming. 2019-11-22 17:31:56 +01:00			`request = Request::GetUser.from_json String.new payload`
GetUser requests. 2019-01-07 17:04:20 +01:00			`rescue e`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Malformed, e.message \|\| ""`
GetUser requests. 2019-01-07 17:04:20 +01:00			`next`
			`end`

			`user = passwd.get_user request.uid`

			`if user`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Ok, user.sanitize!.to_json`
GetUser requests. 2019-01-07 17:04:20 +01:00			`else`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::UserNotFound, ""`
GetUser requests. 2019-01-07 17:04:20 +01:00			`end`
Grooming. 2019-11-22 17:31:56 +01:00			`when Request::Type::ModUser`
ModUser request. 2019-05-29 16:06:11 +02:00			`begin`
Grooming. 2019-11-22 17:31:56 +01:00			`request = Request::ModUser.from_json String.new payload`
ModUser request. 2019-05-29 16:06:11 +02:00			`rescue e`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Malformed, e.message \|\| ""`
ModUser request. 2019-05-29 16:06:11 +02:00			`next`
			`end`

Imposed authentication on a few requests. 2019-10-10 20:58:44 +02:00			`if request.shared_key != authd_jwt_key`
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::AuthenticationError, "Invalid authentication key."`
Imposed authentication on a few requests. 2019-10-10 20:58:44 +02:00			`next`
			`end`

ModUser request. 2019-05-29 16:06:11 +02:00			`password_hash = request.password.try do \|s\|`
			`Passwd.hash_password s`
			`end`

Avatars removed from passwd and authd APIs. Will be re-added later through a more extensible mechanism. 2019-11-17 15:30:53 +01:00			`passwd.mod_user request.uid, password_hash: password_hash`
ModUser request. 2019-05-29 16:06:11 +02:00
Grooming. 2019-11-22 17:31:56 +01:00			`client.send Response::Type::Ok, ""`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00			`end`
DataBase connection check during startup. 2018-09-23 16:17:48 +02:00			`end`
initial commit 2018-09-22 19:08:28 +02:00			`end`
Finished conversion to a libIPC-based microservice. 2018-11-12 18:51:21 +01:00