zrok/controller/util.go

package controller

import (
	"fmt"
	"net/http"
	"strings"
	"unicode"

	errors2 "github.com/go-openapi/errors"
	"github.com/jaevor/go-nanoid"
	"github.com/openziti/zrok/controller/config"
	"github.com/openziti/zrok/rest_model_zrok"
	"github.com/sirupsen/logrus"
)

type zrokAuthenticator struct {
	cfg *config.Config
}

func newZrokAuthenticator(cfg *config.Config) *zrokAuthenticator {
	return &zrokAuthenticator{cfg}
}

func (za *zrokAuthenticator) authenticate(token string) (*rest_model_zrok.Principal, error) {
	tx, err := str.Begin()
	if err != nil {
		logrus.Errorf("error starting transaction for '%v': %v", token, err)
		return nil, err
	}
	defer func() { _ = tx.Rollback() }()

	if a, err := str.FindAccountWithToken(token, tx); err == nil {
		principal := &rest_model_zrok.Principal{
			ID:        int64(a.Id),
			Token:     a.Token,
			Email:     a.Email,
			Limitless: a.Limitless,
		}
		return principal, nil
	} else {
		// check for admin secret
		if cfg.Admin != nil {
			for _, secret := range cfg.Admin.Secrets {
				if token == secret {
					principal := &rest_model_zrok.Principal{
						ID:    int64(-1),
						Admin: true,
					}
					return principal, nil
				}
			}
		}

		// no match
		logrus.Warnf("invalid api key '%v'", token)
		return nil, errors2.New(401, "invalid api key")
	}
}

func createShareToken() (string, error) {
	gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyz0123456789", 12)
	if err != nil {
		return "", err
	}
	return gen(), nil
}

func createToken() (string, error) {
	gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 12)
	if err != nil {
		return "", err
	}
	return gen(), nil
}

func realRemoteAddress(req *http.Request) string {
	ip := strings.Split(req.RemoteAddr, ":")[0]
	fwdAddress := req.Header.Get("X-Forwarded-For")
	if fwdAddress != "" {
		ip = fwdAddress

		ips := strings.Split(fwdAddress, ", ")
		if len(ips) > 1 {
			ip = ips[0]
		}
	}
	return ip
}

func proxyUrl(shrToken, template string) string {
	return strings.Replace(template, "{token}", shrToken, -1)
}

func validatePassword(cfg *config.Config, password string) error {
	if cfg.Passwords.Length > len(password) {
		return fmt.Errorf("password length: expected (%d), got (%d)", cfg.Passwords.Length, len(password))
	}
	if cfg.Passwords.RequireCapital {
		if !hasCapital(password) {
			return fmt.Errorf("password requires capital, found none")
		}
	}
	if cfg.Passwords.RequireNumeric {
		if !hasNumeric(password) {
			return fmt.Errorf("password requires numeric, found none")
		}
	}
	if cfg.Passwords.RequireSpecial {
		if !strings.ContainsAny(password, cfg.Passwords.ValidSpecialCharacters) {
			return fmt.Errorf("password requires special character, found none")
		}
	}
	return nil
}

func hasCapital(check string) bool {
	for _, c := range check {
		if unicode.IsUpper(c) {
			return true
		}
	}
	return false
}

func hasNumeric(check string) bool {
	for _, c := range check {
		if unicode.IsDigit(c) {
			return true
		}
	}
	return false
}
rough 'create account' api skeleton 2022-07-25 19:17:52 +02:00			`package controller`

			`import (`
Enhanced password requirements and relevant ui changes 2023-05-11 20:35:49 +02:00			`"fmt"`
			`"net/http"`
			`"strings"`
			`"unicode"`

authentication (#11) 2022-07-27 20:50:46 +02:00			`errors2 "github.com/go-openapi/errors"`
fix for service name creation (#79) 2022-10-20 20:16:18 +02:00			`"github.com/jaevor/go-nanoid"`
consolidated configuration; 'zrok metrics' and 'zrok ctrl' share config (#269) 2023-03-13 19:19:38 +01:00			`"github.com/openziti/zrok/controller/config"`
openziti-rest-kitchen -> openziti (#158) 2023-01-13 21:01:34 +01:00			`"github.com/openziti/zrok/rest_model_zrok"`
log invalid authentication attempts (#186) 2023-01-30 17:43:28 +01:00			`"github.com/sirupsen/logrus"`
rough 'create account' api skeleton 2022-07-25 19:17:52 +02:00			`)`

add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00			`type zrokAuthenticator struct {`
consolidated configuration; 'zrok metrics' and 'zrok ctrl' share config (#269) 2023-03-13 19:19:38 +01:00			`cfg *config.Config`
add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00			`}`

consolidated configuration; 'zrok metrics' and 'zrok ctrl' share config (#269) 2023-03-13 19:19:38 +01:00			`func newZrokAuthenticator(cfg config.Config) zrokAuthenticator {`
add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00			`return &zrokAuthenticator{cfg}`
			`}`

			`func (za zrokAuthenticator) authenticate(token string) (rest_model_zrok.Principal, error) {`
not public; lint 2022-07-29 21:28:40 +02:00			`tx, err := str.Begin()`
authentication; enable only (for now) (#11) 2022-07-27 20:45:16 +02:00			`if err != nil {`
log invalid authentication attempts (#186) 2023-01-30 17:43:28 +01:00			`logrus.Errorf("error starting transaction for '%v': %v", token, err)`
authentication; enable only (for now) (#11) 2022-07-27 20:45:16 +02:00			`return nil, err`
			`}`
fix authentication transaction; record created identities (#10) 2022-07-29 21:54:13 +02:00			`defer func() { _ = tx.Rollback() }()`
add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00
not public; lint 2022-07-29 21:28:40 +02:00			`if a, err := str.FindAccountWithToken(token, tx); err == nil {`
add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00			`principal := &rest_model_zrok.Principal{`
limitless flag on accounts (#96) 2023-01-13 19:16:10 +01:00			`ID: int64(a.Id),`
			`Token: a.Token,`
			`Email: a.Email,`
			`Limitless: a.Limitless,`
richer principal (#11) 2022-07-28 18:12:50 +02:00			`}`
add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00			`return principal, nil`
authentication; enable only (for now) (#11) 2022-07-27 20:45:16 +02:00			`} else {`
add admin support to rest_model_zrok.Principal; authenticator (#116) 2022-12-01 20:48:23 +01:00			`// check for admin secret`
			`if cfg.Admin != nil {`
			`for _, secret := range cfg.Admin.Secrets {`
			`if token == secret {`
			`principal := &rest_model_zrok.Principal{`
			`ID: int64(-1),`
			`Admin: true,`
			`}`
			`return principal, nil`
			`}`
			`}`
			`}`

			`// no match`
log invalid authentication attempts (#186) 2023-01-30 17:43:28 +01:00			`logrus.Warnf("invalid api key '%v'", token)`
authentication (#11) 2022-07-27 20:50:46 +02:00			`return nil, errors2.New(401, "invalid api key")`
authentication; enable only (for now) (#11) 2022-07-27 20:45:16 +02:00			`}`
			`}`

massive services -> share boatload (#144) 2023-01-04 19:43:37 +01:00			`func createShareToken() (string, error) {`
fix for service name creation (#79) 2022-10-20 20:16:18 +02:00			`gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyz0123456789", 12)`
			`if err != nil {`
			`return "", err`
			`}`
			`return gen(), nil`
dnsSafeShortid (#79) 2022-10-18 21:49:30 +02:00			`}`

simply token generation; createToken+createServiceName (#114) 2022-11-28 17:18:56 +01:00			`func createToken() (string, error) {`
			`gen, err := nanoid.CustomASCII("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", 12)`
dnsSafeShortid (#79) 2022-10-18 21:49:30 +02:00			`if err != nil {`
			`return "", err`
			`}`
simply token generation; createToken+createServiceName (#114) 2022-11-28 17:18:56 +01:00			`return gen(), nil`
rough and sketchy identity creation and enrollment 2022-07-26 18:26:58 +02:00			`}`
remove immediate create; streamline controller account infrastructure (#50) 2022-09-20 20:05:27 +02:00
extract real ip address when behind a load balancer (#68) 2022-09-26 22:21:49 +02:00			`func realRemoteAddress(req *http.Request) string {`
			`ip := strings.Split(req.RemoteAddr, ":")[0]`
			`fwdAddress := req.Header.Get("X-Forwarded-For")`
			`if fwdAddress != "" {`
			`ip = fwdAddress`

			`ips := strings.Split(fwdAddress, ", ")`
			`if len(ips) > 1 {`
			`ip = ips[0]`
			`}`
			`}`
			`return ip`
			`}`
private sharing handler (#99, #109) 2022-11-22 21:31:02 +01:00
more services -> shares (#144) 2023-01-04 20:21:23 +01:00			`func proxyUrl(shrToken, template string) string {`
			`return strings.Replace(template, "{token}", shrToken, -1)`
private sharing handler (#99, #109) 2022-11-22 21:31:02 +01:00			`}`
Enhanced password requirements and relevant ui changes 2023-05-11 20:35:49 +02:00
			`func validatePassword(cfg *config.Config, password string) error {`
password subsystem tweaks (#167) 2023-05-23 19:51:33 +02:00			`if cfg.Passwords.Length > len(password) {`
			`return fmt.Errorf("password length: expected (%d), got (%d)", cfg.Passwords.Length, len(password))`
Enhanced password requirements and relevant ui changes 2023-05-11 20:35:49 +02:00			`}`
password subsystem tweaks (#167) 2023-05-23 19:51:33 +02:00			`if cfg.Passwords.RequireCapital {`
Enhanced password requirements and relevant ui changes 2023-05-11 20:35:49 +02:00			`if !hasCapital(password) {`
			`return fmt.Errorf("password requires capital, found none")`
			`}`
			`}`
password subsystem tweaks (#167) 2023-05-23 19:51:33 +02:00			`if cfg.Passwords.RequireNumeric {`
Enhanced password requirements and relevant ui changes 2023-05-11 20:35:49 +02:00			`if !hasNumeric(password) {`
			`return fmt.Errorf("password requires numeric, found none")`
			`}`
			`}`
password subsystem tweaks (#167) 2023-05-23 19:51:33 +02:00			`if cfg.Passwords.RequireSpecial {`
			`if !strings.ContainsAny(password, cfg.Passwords.ValidSpecialCharacters) {`
Enhanced password requirements and relevant ui changes 2023-05-11 20:35:49 +02:00			`return fmt.Errorf("password requires special character, found none")`
			`}`
			`}`
			`return nil`
			`}`

			`func hasCapital(check string) bool {`
			`for _, c := range check {`
			`if unicode.IsUpper(c) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

			`func hasNumeric(check string) bool {`
			`for _, c := range check {`
			`if unicode.IsDigit(c) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`