diff options
author | Julien Dessaux | 2024-11-17 00:05:22 +0100 |
---|---|---|
committer | Julien Dessaux | 2024-11-17 00:05:22 +0100 |
commit | 206182fcb9c4ab2b49e8e44c6a2711a988e3f968 (patch) | |
tree | 5cfc55047d833400028fb69a7f069f5cedecaacd | |
parent | fix(tfstated): hash passwords instead of relying on the database encryption key (diff) | |
download | tfstated-206182fcb9c4ab2b49e8e44c6a2711a988e3f968.tar.gz tfstated-206182fcb9c4ab2b49e8e44c6a2711a988e3f968.tar.bz2 tfstated-206182fcb9c4ab2b49e8e44c6a2711a988e3f968.zip |
chore(tfstated): refactored helpers to their own package
Diffstat (limited to '')
-rw-r--r-- | cmd/tfstated/delete.go | 7 | ||||
-rw-r--r-- | cmd/tfstated/get.go | 5 | ||||
-rw-r--r-- | cmd/tfstated/lock.go | 13 | ||||
-rw-r--r-- | cmd/tfstated/post.go | 9 | ||||
-rw-r--r-- | cmd/tfstated/unlock.go | 11 | ||||
-rw-r--r-- | pkg/basic_auth/middleware.go | 16 | ||||
-rw-r--r-- | pkg/database/accounts.go | 5 | ||||
-rw-r--r-- | pkg/helpers/crypto.go | 21 | ||||
-rw-r--r-- | pkg/helpers/error.go | 17 | ||||
-rw-r--r-- | pkg/helpers/json.go (renamed from cmd/tfstated/helpers.go) | 17 | ||||
-rw-r--r-- | pkg/model/account.go | 19 |
11 files changed, 78 insertions, 62 deletions
diff --git a/cmd/tfstated/delete.go b/cmd/tfstated/delete.go index 3b708d5..d594073 100644 --- a/cmd/tfstated/delete.go +++ b/cmd/tfstated/delete.go @@ -5,22 +5,23 @@ import ( "net/http" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" ) func handleDelete(db *database.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/" { - _ = errorResponse(w, http.StatusBadRequest, + helpers.ErrorResponse(w, http.StatusBadRequest, fmt.Errorf("no state path provided, cannot DELETE /")) return } if success, err := db.DeleteState(r.URL.Path); err != nil { - _ = errorResponse(w, http.StatusInternalServerError, err) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) } else if success { w.WriteHeader(http.StatusOK) } else { - _ = errorResponse(w, http.StatusNotFound, + helpers.ErrorResponse(w, http.StatusNotFound, fmt.Errorf("state path not found: %s", r.URL.Path)) } }) diff --git a/cmd/tfstated/get.go b/cmd/tfstated/get.go index 6bc4466..3310560 100644 --- a/cmd/tfstated/get.go +++ b/cmd/tfstated/get.go @@ -5,6 +5,7 @@ import ( "net/http" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" ) func handleGet(db *database.DB) http.Handler { @@ -12,13 +13,13 @@ func handleGet(db *database.DB) http.Handler { w.Header().Set("Cache-Control", "no-store, no-cache") if r.URL.Path == "/" { - _ = errorResponse(w, http.StatusBadRequest, + helpers.ErrorResponse(w, http.StatusBadRequest, fmt.Errorf("no state path provided, cannot GET /")) return } if data, err := db.GetState(r.URL.Path); err != nil { - _ = errorResponse(w, http.StatusInternalServerError, err) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) } else { w.WriteHeader(http.StatusOK) _, _ = w.Write(data) diff --git a/cmd/tfstated/lock.go b/cmd/tfstated/lock.go index bab9c6b..80e3575 100644 --- a/cmd/tfstated/lock.go +++ b/cmd/tfstated/lock.go @@ -7,6 +7,7 @@ import ( "time" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" ) type lockRequest struct { @@ -34,27 +35,27 @@ func (l *lockRequest) valid() []error { func handleLock(db *database.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/" { - _ = encode(w, http.StatusBadRequest, + _ = helpers.Encode(w, http.StatusBadRequest, fmt.Errorf("no state path provided, cannot LOCK /")) return } var lock lockRequest - if err := decode(r, &lock); err != nil { - _ = encode(w, http.StatusBadRequest, err) + if err := helpers.Decode(r, &lock); err != nil { + _ = helpers.Encode(w, http.StatusBadRequest, err) return } if errs := lock.valid(); len(errs) > 0 { - _ = encode(w, http.StatusBadRequest, + _ = helpers.Encode(w, http.StatusBadRequest, fmt.Errorf("invalid lock: %+v", errs)) return } if success, err := db.SetLockOrGetExistingLock(r.URL.Path, &lock); err != nil { - _ = errorResponse(w, http.StatusInternalServerError, err) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) } else if success { w.WriteHeader(http.StatusOK) } else { - _ = encode(w, http.StatusConflict, lock) + _ = helpers.Encode(w, http.StatusConflict, lock) } }) } diff --git a/cmd/tfstated/post.go b/cmd/tfstated/post.go index 674eaba..86344b1 100644 --- a/cmd/tfstated/post.go +++ b/cmd/tfstated/post.go @@ -6,13 +6,14 @@ import ( "net/http" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" "git.adyxax.org/adyxax/tfstated/pkg/model" ) func handlePost(db *database.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/" { - _ = errorResponse(w, http.StatusBadRequest, + helpers.ErrorResponse(w, http.StatusBadRequest, fmt.Errorf("no state path provided, cannot POST /"), ) return @@ -22,15 +23,15 @@ func handlePost(db *database.DB) http.Handler { data, err := io.ReadAll(r.Body) if err != nil || len(data) == 0 { - _ = errorResponse(w, http.StatusBadRequest, err) + helpers.ErrorResponse(w, http.StatusBadRequest, err) return } account := r.Context().Value(model.AccountContextKey{}).(*model.Account) if idMismatch, err := db.SetState(r.URL.Path, account.Id, data, id); err != nil { if idMismatch { - _ = errorResponse(w, http.StatusConflict, err) + helpers.ErrorResponse(w, http.StatusConflict, err) } else { - _ = errorResponse(w, http.StatusInternalServerError, err) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) } } else { w.WriteHeader(http.StatusOK) diff --git a/cmd/tfstated/unlock.go b/cmd/tfstated/unlock.go index e8bddd9..c003d8d 100644 --- a/cmd/tfstated/unlock.go +++ b/cmd/tfstated/unlock.go @@ -5,27 +5,28 @@ import ( "net/http" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" ) func handleUnlock(db *database.DB) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/" { - _ = encode(w, http.StatusBadRequest, + _ = helpers.Encode(w, http.StatusBadRequest, fmt.Errorf("no state path provided, cannot LOCK /")) return } var lock lockRequest - if err := decode(r, &lock); err != nil { - _ = encode(w, http.StatusBadRequest, err) + if err := helpers.Decode(r, &lock); err != nil { + _ = helpers.Encode(w, http.StatusBadRequest, err) return } if success, err := db.Unlock(r.URL.Path, &lock); err != nil { - _ = errorResponse(w, http.StatusInternalServerError, err) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) } else if success { w.WriteHeader(http.StatusOK) } else { - _ = encode(w, http.StatusConflict, lock) + _ = helpers.Encode(w, http.StatusConflict, lock) } }) } diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go index 7f8fb4a..0e22ad3 100644 --- a/pkg/basic_auth/middleware.go +++ b/pkg/basic_auth/middleware.go @@ -2,10 +2,12 @@ package basic_auth import ( "context" + "fmt" "net/http" "time" "git.adyxax.org/adyxax/tfstated/pkg/database" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" "git.adyxax.org/adyxax/tfstated/pkg/model" ) @@ -15,26 +17,22 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler { username, password, ok := r.BasicAuth() if !ok { w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`) - http.Error(w, "Unauthorized", http.StatusUnauthorized) + helpers.ErrorResponse(w, http.StatusUnauthorized, fmt.Errorf("Unauthorized")) return } account, err := db.LoadAccountByUsername(username) if err != nil { - http.Error(w, "Internal Server Error", http.StatusInternalServerError) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) return } - if account == nil { - http.Error(w, "Forbidden", http.StatusForbidden) - return - } - if !account.CheckPassword(password) { - http.Error(w, "Forbidden", http.StatusForbidden) + if account == nil || !account.CheckPassword(password) { + helpers.ErrorResponse(w, http.StatusForbidden, fmt.Errorf("Forbidden")) return } now := time.Now().UTC() _, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id) if err != nil { - http.Error(w, "Internal Server Error", http.StatusInternalServerError) + helpers.ErrorResponse(w, http.StatusInternalServerError, err) return } ctx := context.WithValue(r.Context(), model.AccountContextKey{}, account) diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go index 6400d5a..f506155 100644 --- a/pkg/database/accounts.go +++ b/pkg/database/accounts.go @@ -7,6 +7,7 @@ import ( "log/slog" "time" + "git.adyxax.org/adyxax/tfstated/pkg/helpers" "git.adyxax.org/adyxax/tfstated/pkg/model" "go.n16f.net/uuid" ) @@ -69,8 +70,8 @@ func (db *DB) InitAdminAccount() error { if err = password.Generate(uuid.V4); err != nil { return fmt.Errorf("failed to generate initial admin password: %w", err) } - salt := model.GenerateSalt() - hash := model.HashPassword(password.String(), salt) + salt := helpers.GenerateSalt() + hash := helpers.HashPassword(password.String(), salt) if _, err = tx.ExecContext(db.ctx, `INSERT INTO accounts(username, salt, password_hash, is_admin) VALUES ("admin", :salt, :hash, TRUE) diff --git a/pkg/helpers/crypto.go b/pkg/helpers/crypto.go new file mode 100644 index 0000000..ce73cd3 --- /dev/null +++ b/pkg/helpers/crypto.go @@ -0,0 +1,21 @@ +package helpers + +import ( + "crypto/sha256" + + "git.adyxax.org/adyxax/tfstated/pkg/scrypto" + "golang.org/x/crypto/pbkdf2" +) + +const ( + PBKDF2Iterations = 600000 + SaltSize = 32 +) + +func GenerateSalt() []byte { + return scrypto.RandomBytes(SaltSize) +} + +func HashPassword(password string, salt []byte) []byte { + return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New) +} diff --git a/pkg/helpers/error.go b/pkg/helpers/error.go new file mode 100644 index 0000000..006759d --- /dev/null +++ b/pkg/helpers/error.go @@ -0,0 +1,17 @@ +package helpers + +import ( + "fmt" + "net/http" +) + +func ErrorResponse(w http.ResponseWriter, status int, err error) { + type errorResponse struct { + Msg string `json:"msg"` + Status int `json:"status"` + } + _ = Encode(w, status, &errorResponse{ + Msg: fmt.Sprintf("%+v", err), + Status: status, + }) +} diff --git a/cmd/tfstated/helpers.go b/pkg/helpers/json.go index 33e14a4..664a984 100644 --- a/cmd/tfstated/helpers.go +++ b/pkg/helpers/json.go @@ -1,4 +1,4 @@ -package main +package helpers import ( "encoding/json" @@ -7,14 +7,14 @@ import ( "net/http" ) -func decode(r *http.Request, data any) error { +func Decode(r *http.Request, data any) error { if err := json.NewDecoder(r.Body).Decode(&data); err != nil { return fmt.Errorf("failed to decode json: %w", err) } return nil } -func encode(w http.ResponseWriter, status int, data any) error { +func Encode(w http.ResponseWriter, status int, data any) error { w.Header().Set("Content-Type", "application/json") w.WriteHeader(status) if err := json.NewEncoder(w).Encode(data); err != nil { @@ -23,14 +23,3 @@ func encode(w http.ResponseWriter, status int, data any) error { } return nil } - -func errorResponse(w http.ResponseWriter, status int, err error) error { - type errorResponse struct { - Msg string `json:"msg"` - Status int `json:"status"` - } - return encode(w, status, &errorResponse{ - Msg: fmt.Sprintf("%+v", err), - Status: status, - }) -} diff --git a/pkg/model/account.go b/pkg/model/account.go index 4336dfa..7a69685 100644 --- a/pkg/model/account.go +++ b/pkg/model/account.go @@ -1,17 +1,10 @@ package model import ( - "crypto/sha256" "crypto/subtle" "time" - "git.adyxax.org/adyxax/tfstated/pkg/scrypto" - "golang.org/x/crypto/pbkdf2" -) - -const ( - PBKDF2Iterations = 600000 - SaltSize = 32 + "git.adyxax.org/adyxax/tfstated/pkg/helpers" ) type AccountContextKey struct{} @@ -28,14 +21,6 @@ type Account struct { } func (account *Account) CheckPassword(password string) bool { - hash := HashPassword(password, account.Salt) + hash := helpers.HashPassword(password, account.Salt) return subtle.ConstantTimeCompare(hash, account.PasswordHash) == 1 } - -func GenerateSalt() []byte { - return scrypto.RandomBytes(SaltSize) -} - -func HashPassword(password string, salt []byte) []byte { - return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New) -} |