Authd: users are now logged and have an 'admin' attribute.

This commit is contained in:
Philippe Pittoli 2023-06-10 17:26:12 +02:00
parent 683bcb5970
commit 2a267ea7a2
18 changed files with 91 additions and 96 deletions

View File

@ -23,11 +23,11 @@ module AuthD
end end
def get_token?(login : String, password : String) : String? def get_token?(login : String, password : String) : String?
send_now Request::GetToken.new login, password send_now Request::Login.new login, password
response = AuthD.responses.parse_ipc_json read response = AuthD.responses.parse_ipc_json read
if response.is_a?(Response::Token) if response.is_a?(Response::Login)
response.token response.token
else else
nil nil
@ -78,11 +78,12 @@ module AuthD
# FIXME: Extra options may be useful to implement here. # FIXME: Extra options may be useful to implement here.
def add_user(login : String, password : String, def add_user(login : String, password : String,
admin : Bool,
email : String?, email : String?,
phone : String?, phone : String?,
profile : Hash(String, ::JSON::Any)?) : ::AuthD::User::Public | Exception profile : Hash(String, ::JSON::Any)?) : ::AuthD::User::Public | Exception
send_now Request::AddUser.new @key, login, password, email, phone, profile send_now Request::AddUser.new login, password, admin, email, phone, profile
response = AuthD.responses.parse_ipc_json read response = AuthD.responses.parse_ipc_json read
@ -158,7 +159,7 @@ module AuthD
end end
def mod_user(uid_or_login : Int32 | String, password : String? = nil, email : String? = nil, phone : String? = nil, avatar : String? = nil) : Bool | Exception def mod_user(uid_or_login : Int32 | String, password : String? = nil, email : String? = nil, phone : String? = nil, avatar : String? = nil) : Bool | Exception
request = Request::ModUser.new @key, uid_or_login request = Request::ModUser.new uid_or_login
request.password = password if password request.password = password if password
request.email = email if email request.email = email if email
@ -180,7 +181,7 @@ module AuthD
end end
def check_permission(user : Int32, service_name : String, resource_name : String) : User::PermissionLevel def check_permission(user : Int32, service_name : String, resource_name : String) : User::PermissionLevel
request = Request::CheckPermission.new @key, user, service_name, resource_name request = Request::CheckPermission.new user, service_name, resource_name
send_now request send_now request
@ -197,7 +198,7 @@ module AuthD
end end
def set_permission(uid : Int32, service : String, resource : String, permission : User::PermissionLevel) def set_permission(uid : Int32, service : String, resource : String, permission : User::PermissionLevel)
request = Request::SetPermission.new @key, uid, service, resource, permission request = Request::SetPermission.new uid, service, resource, permission
send_now request send_now request

View File

@ -31,6 +31,7 @@ class AuthD::User
# Public. # Public.
property login : String property login : String
property uid : Int32 property uid : Int32
property admin : Bool = false
property profile : Hash(String, JSON::Any)? property profile : Hash(String, JSON::Any)?
# Private. # Private.
@ -47,7 +48,7 @@ class AuthD::User
Token.new @login, @uid Token.new @login, @uid
end end
def initialize(@uid, @login, @password_hash) def initialize(@uid, @login, @password_hash, @admin = false)
@contact = Contact.new @contact = Contact.new
@permissions = Hash(String, Hash(String, PermissionLevel)).new @permissions = Hash(String, Hash(String, PermissionLevel)).new
@configuration = Hash(String, Hash(String, JSON::Any)).new @configuration = Hash(String, Hash(String, JSON::Any)).new
@ -58,16 +59,17 @@ class AuthD::User
property login : String property login : String
property uid : Int32 property uid : Int32
property admin : Bool = false
property profile : Hash(String, JSON::Any)? property profile : Hash(String, JSON::Any)?
property date_registration : Time? property date_registration : Time?
def initialize(@uid, @login, @profile, @date_registration) def initialize(@uid, @login, @admin, @profile, @date_registration)
end end
end end
def to_public : Public def to_public : Public
Public.new @uid, @login, @profile, @date_registration Public.new @uid, @login, @admin, @profile, @date_registration
end end
end end

View File

@ -49,8 +49,8 @@ opt_email = -> (parser : OptionParser) {
# Unrecognized parameters are used to create commands with multiple arguments. # Unrecognized parameters are used to create commands with multiple arguments.
# Example: user add _login email phone_ # Example: user add _login email
# Here, login, email and phone are unrecognized arguments. # Here, login and email are unrecognized arguments.
# Still, the "user add" command expect them. # Still, the "user add" command expect them.
unrecognized_args_to_context_args = -> (parser : OptionParser, n_expected_args : Int32) { unrecognized_args_to_context_args = -> (parser : OptionParser, n_expected_args : Int32) {
# With the right args, these will be interpreted as serialized data. # With the right args, these will be interpreted as serialized data.
@ -87,7 +87,7 @@ parser = OptionParser.new do |parser|
parser.banner = "Usage: user [add | mod | delete | validate | search | get | recover | register ]" parser.banner = "Usage: user [add | mod | delete | validate | search | get | recover | register ]"
parser.on "add", "Adding a user to the DB." do parser.on "add", "Adding a user to the DB." do
parser.banner = "usage: user add login email phone [-P profile] [opt]" parser.banner = "usage: user add login email [-P profile] [opt]"
Baguette::Log.info "Adding a user to the DB." Baguette::Log.info "Adding a user to the DB."
Context.command = "user-add" Context.command = "user-add"
opt_authd_admin.call parser opt_authd_admin.call parser
@ -96,7 +96,7 @@ parser = OptionParser.new do |parser|
opt_phone.call parser opt_phone.call parser
opt_help.call parser opt_help.call parser
# login email phone # login email phone
unrecognized_args_to_context_args.call parser, 3 unrecognized_args_to_context_args.call parser, 2
end end
parser.on "mod", "Modify a user account." do parser.on "mod", "Modify a user account." do

View File

@ -74,13 +74,14 @@ class Actions
def user_add def user_add
puts "User add!!!" puts "User add!!!"
args = Context.args.not_nil! args = Context.args.not_nil!
login, email, phone = args[0..2] login, email = args[0..1]
profile = Context.user_profile profile = Context.user_profile
password = Actions.ask_password password = Actions.ask_password
exit 1 unless password exit 1 unless password
pp! authd.add_user login, password.not_nil!, email, phone, profile: profile # By default: no phone, not admin.
pp! authd.add_user login, password.not_nil!, false, email, nil, profile: profile
rescue e : AuthD::Exception rescue e : AuthD::Exception
puts "error: #{e.message}" puts "error: #{e.message}"
end end

View File

@ -2,7 +2,7 @@ require "ipc"
require "ipc/json" require "ipc/json"
class IPC::JSON class IPC::JSON
def handle(service : AuthD::Service) def handle(service : AuthD::Service, fd : Int32)
raise "unimplemented" raise "unimplemented"
end end
end end

View File

@ -1,24 +1,19 @@
class AuthD::Request class AuthD::Request
IPC::JSON.message AddUser, 1 do IPC::JSON.message AddUser, 1 do
# Only clients that have the right shared key will be allowed
# to create users.
property shared_key : String
property login : String property login : String
property password : String property password : String
property admin : Bool = false
property email : String? = nil property email : String? = nil
property phone : String? = nil property phone : String? = nil
property profile : Hash(String, JSON::Any)? = nil property profile : Hash(String, JSON::Any)? = nil
def initialize(@shared_key, @login, @password, @email, @phone, @profile) def initialize(@login, @password, @admin, @email, @phone, @profile)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
# No verification of the users' informations when an admin adds it. # No verification of the users' informations when an admin adds it.
# No mail address verification. # No mail address verification.
if @shared_key != authd.configuration.shared_key # TODO: ADMIN OPERATION, verify the logged user is an admin.
return Response::Error.new "invalid authentication key"
end
if authd.users_per_login.get? @login if authd.users_per_login.get? @login
return Response::Error.new "login already used" return Response::Error.new "login already used"
@ -35,6 +30,7 @@ class AuthD::Request
user = User.new uid, @login, password_hash user = User.new uid, @login, password_hash
user.contact.email = @email unless @email.nil? user.contact.email = @email unless @email.nil?
user.contact.phone = @phone unless @phone.nil? user.contact.phone = @phone unless @phone.nil?
user.admin = @admin
@profile.try do |profile| @profile.try do |profile|
user.profile = profile user.profile = profile
@ -55,6 +51,7 @@ class AuthD::Request
property shared_key : String property shared_key : String
property user : Int32 | String property user : Int32 | String
property admin : Bool = false
property password : String? = nil property password : String? = nil
property email : String? = nil property email : String? = nil
property phone : String? = nil property phone : String? = nil
@ -63,7 +60,7 @@ class AuthD::Request
def initialize(@shared_key, @user) def initialize(@shared_key, @user)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
if @shared_key != authd.configuration.shared_key if @shared_key != authd.configuration.shared_key
return Response::Error.new "invalid authentication key" return Response::Error.new "invalid authentication key"
end end

View File

@ -8,7 +8,7 @@ class AuthD::Request
def initialize(@token) def initialize(@token)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = authd.get_user_from_token @token user = authd.get_user_from_token @token
return Response::Error.new "invalid user" unless user return Response::Error.new "invalid user" unless user
@ -32,7 +32,7 @@ class AuthD::Request
def initialize(@token) def initialize(@token)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = authd.get_user_from_token @token user = authd.get_user_from_token @token
return Response::Error.new "invalid user" unless user return Response::Error.new "invalid user" unless user

View File

@ -1,58 +1,24 @@
class AuthD::Request class AuthD::Request
IPC::JSON.message Delete, 17 do IPC::JSON.message Delete, 17 do
# Deletion can be triggered by either an admin or the user. # Deletion can be triggered by either an admin or the related user.
property shared_key : String? = nil
property login : String? = nil
property password : String? = nil
property user : String | Int32 property user : String | Int32
def initialize(@user, @login, @password) def initialize(@user)
end
def initialize(@user, @shared_key)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
uid_or_login = @user user_to_delete = authd.user? @user
user_to_delete = if uid_or_login.is_a? Int32 return Response::Error.new "invalid user" if user_to_delete.nil?
authd.users_per_uid.get? uid_or_login.to_s
else # Get currently logged user.
authd.users_per_login.get? uid_or_login logged_user = authd.get_logged_user? fd
if logged_user.nil?
return Response::Error.new "you must be logged"
end end
if user_to_delete.nil? unless logged_user.admin
return Response::Error.new "invalid user" # Is the logged user the target?
end if logged_user.uid != user_to_delete.uid
# Either the request comes from an admin or the user.
# Shared key == admin, check the key.
if key = @shared_key
return Response::Error.new "unauthorized (wrong shared key)" unless key == authd.configuration.shared_key
else
login = @login
pass = @password
if login.nil? || pass.nil?
return Response::Error.new "authentication failed (no shared key, no login)"
end
# authenticate the user
begin
user = authd.users_per_login.get login
rescue e : DODB::MissingEntry
return Response::Error.new "invalid credentials"
end
if user.nil?
return Response::Error.new "invalid credentials"
end
if user.password_hash != authd.hash_password pass
return Response::Error.new "invalid credentials"
end
# Is the user to delete the requesting user?
if user.uid != user_to_delete.uid
return Response::Error.new "invalid credentials" return Response::Error.new "invalid credentials"
end end
end end
@ -60,10 +26,15 @@ class AuthD::Request
# User or admin is now verified: let's proceed with the user deletion. # User or admin is now verified: let's proceed with the user deletion.
authd.users_per_login.delete user_to_delete.login authd.users_per_login.delete user_to_delete.login
# TODO: if the current user is deleted, unlog!
if logged_user.uid == user_to_delete.uid
authd.close fd
authd.logged_users.delete fd
end
# TODO: better response # TODO: better response
Response::User.new user_to_delete.to_public Response::User.new user_to_delete.to_public
end end
end end
AuthD.requests << Delete AuthD.requests << Delete
end end

View File

@ -6,7 +6,7 @@ class AuthD::Request
def initialize(@token, @key) def initialize(@token, @key)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
# FIXME: Lines too long, repeatedly (>80c with 4c tabs). # FIXME: Lines too long, repeatedly (>80c with 4c tabs).
@token.try do |token| @token.try do |token|
user = authd.get_user_from_token token user = authd.get_user_from_token token

View File

@ -1,12 +1,12 @@
class AuthD::Request class AuthD::Request
IPC::JSON.message GetToken, 0 do IPC::JSON.message Login, 0 do
property login : String property login : String
property password : String property password : String
def initialize(@login, @password) def initialize(@login, @password)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
begin begin
user = authd.users_per_login.get @login user = authd.users_per_login.get @login
rescue e : DODB::MissingEntry rescue e : DODB::MissingEntry
@ -27,8 +27,8 @@ class AuthD::Request
# change the date of the last connection # change the date of the last connection
authd.users_per_uid.update user.uid.to_s, user authd.users_per_uid.update user.uid.to_s, user
Response::Token.new (token.to_s authd.configuration.shared_key), user.uid Response::Login.new (token.to_s authd.configuration.shared_key), user.uid
end end
end end
AuthD.requests << GetToken AuthD.requests << Login
end end

View File

@ -7,7 +7,7 @@ class AuthD::Request
def initialize(@login, @old_password, @new_password) def initialize(@login, @old_password, @new_password)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = authd.users_per_login.get? @login user = authd.users_per_login.get? @login
unless user unless user
@ -35,7 +35,7 @@ class AuthD::Request
def initialize(@user, @password_renew_key, @new_password) def initialize(@user, @password_renew_key, @new_password)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
uid_or_login = @user uid_or_login = @user
user = if uid_or_login.is_a? Int32 user = if uid_or_login.is_a? Int32
authd.users_per_uid.get? uid_or_login.to_s authd.users_per_uid.get? uid_or_login.to_s
@ -69,7 +69,7 @@ class AuthD::Request
def initialize(@user, @email) def initialize(@user, @email)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
uid_or_login = @user uid_or_login = @user
user = if uid_or_login.is_a? Int32 user = if uid_or_login.is_a? Int32
authd.users_per_uid.get? uid_or_login.to_s authd.users_per_uid.get? uid_or_login.to_s

View File

@ -10,7 +10,7 @@ class AuthD::Request
def initialize(@shared_key, @user, @service, @resource) def initialize(@shared_key, @user, @service, @resource)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
authorized = false authorized = false
if key = @shared_key if key = @shared_key
@ -79,7 +79,7 @@ class AuthD::Request
def initialize(@shared_key, @user, @service, @resource, @permission) def initialize(@shared_key, @user, @service, @resource, @permission)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
unless @shared_key == authd.configuration.shared_key unless @shared_key == authd.configuration.shared_key
return Response::Error.new "unauthorized" return Response::Error.new "unauthorized"
end end

View File

@ -6,7 +6,7 @@ class AuthD::Request
def initialize(@token, @new_profile) def initialize(@token, @new_profile)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = authd.get_user_from_token @token user = authd.get_user_from_token @token
return Response::Error.new "invalid user" unless user return Response::Error.new "invalid user" unless user
@ -45,7 +45,7 @@ class AuthD::Request
def initialize(@token, @new_profile) def initialize(@token, @new_profile)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = if token = @token user = if token = @token
u = authd.get_user_from_token token u = authd.get_user_from_token token
raise UserNotFound.new unless u raise UserNotFound.new unless u

View File

@ -9,7 +9,7 @@ class AuthD::Request
def initialize(@login, @password, @email, @phone, @profile) def initialize(@login, @password, @email, @phone, @profile)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
if ! authd.configuration.registrations if ! authd.configuration.registrations
return Response::Error.new "registrations not allowed" return Response::Error.new "registrations not allowed"
end end

View File

@ -5,7 +5,7 @@ class AuthD::Request
def initialize(@user) def initialize(@user)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
pattern = Regex.new @user, Regex::Options::IGNORE_CASE pattern = Regex.new @user, Regex::Options::IGNORE_CASE
matching_users = Array(AuthD::User::Public).new matching_users = Array(AuthD::User::Public).new

View File

@ -6,7 +6,7 @@ class AuthD::Request
def initialize(@login, @activation_key) def initialize(@login, @activation_key)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = authd.users_per_login.get? @login user = authd.users_per_login.get? @login
if user.nil? if user.nil?
@ -37,7 +37,7 @@ class AuthD::Request
def initialize(@user) def initialize(@user)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
uid_or_login = @user uid_or_login = @user
user = if uid_or_login.is_a? Int32 user = if uid_or_login.is_a? Int32
authd.users_per_uid.get? uid_or_login.to_s authd.users_per_uid.get? uid_or_login.to_s
@ -61,7 +61,7 @@ class AuthD::Request
def initialize(@login, @password) def initialize(@login, @password)
end end
def handle(authd : AuthD::Service) def handle(authd : AuthD::Service, fd : Int32)
user = authd.users_per_login.get? @login user = authd.users_per_login.get? @login
unless user unless user

View File

@ -1,9 +1,9 @@
class AuthD::Response class AuthD::Response
IPC::JSON.message Token, 1 do IPC::JSON.message Login, 1 do
property uid : Int32 property uid : Int32
property token : String property token : String
def initialize(@token, @uid) def initialize(@token, @uid)
end end
end end
AuthD.responses << Token AuthD.responses << Login
end end

View File

@ -26,6 +26,8 @@ class AuthD::Service < IPC
property users_per_uid : DODB::Index(User) property users_per_uid : DODB::Index(User)
property users_per_login : DODB::Index(User) property users_per_login : DODB::Index(User)
property logged_users : Hash(Int32, AuthD::User::Public)
# #{@configuration.storage}/last_used_uid # #{@configuration.storage}/last_used_uid
property last_uid_file : String property last_uid_file : String
@ -38,6 +40,8 @@ class AuthD::Service < IPC
@last_uid_file = "#{@configuration.storage}/last_used_uid" @last_uid_file = "#{@configuration.storage}/last_used_uid"
@logged_users = Hash(Int32, AuthD::User::Public).new
if @configuration.recreate_indexes if @configuration.recreate_indexes
@users.reindex_everything! @users.reindex_everything!
end end
@ -75,6 +79,18 @@ class AuthD::Service < IPC
File.write @last_uid_file, uid.to_s File.write @last_uid_file, uid.to_s
end end
def get_logged_user?(fd : Int32)
@logged_users[fd]?
end
def user?(uid_or_login : Int32 | String)
if uid_or_login.is_a? Int32
@users_per_uid.get? uid_or_login.to_s
else
@users_per_login.get? uid_or_login
end
end
def handle_request(event : IPC::Event) def handle_request(event : IPC::Event)
request_start = Time.utc request_start = Time.utc
@ -91,7 +107,7 @@ class AuthD::Service < IPC
Baguette::Log.debug "<< #{request_name}" Baguette::Log.debug "<< #{request_name}"
response = begin response = begin
request.handle self request.handle self, event.fd
rescue e : UserNotFound rescue e : UserNotFound
Baguette::Log.error "#{request_name} user not found" Baguette::Log.error "#{request_name} user not found"
AuthD::Response::Error.new "authorization error" AuthD::Response::Error.new "authorization error"
@ -156,8 +172,15 @@ class AuthD::Service < IPC
Baguette::Log.debug "Connection from #{event.fd}" if @configuration.print_ipc_connection Baguette::Log.debug "Connection from #{event.fd}" if @configuration.print_ipc_connection
when LibIPC::EventType::Disconnection when LibIPC::EventType::Disconnection
Baguette::Log.debug "Disconnection from #{event.fd}" if @configuration.print_ipc_disconnection Baguette::Log.debug "Disconnection from #{event.fd}" if @configuration.print_ipc_disconnection
@logged_users.delete event.fd
else else
Baguette::Log.error "Not implemented behavior for event: #{event}" Baguette::Log.error "Not implemented behavior for event: #{event}"
if event.responds_to?(:fd)
fd = event.fd
Baguette::Log.warning "closing #{fd}"
close fd
@logged_users.delete fd
end
end end
end end