ntfy/auth/auth.go

// Package auth deals with authentication and authorization against topics
package auth

import (
	"errors"
	"regexp"
)

// Auther is a generic interface to implement password-based authentication and authorization
type Auther interface {
	// Authenticate checks username and password and returns a user if correct. The method
	// returns in constant-ish time, regardless of whether the user exists or the password is
	// correct or incorrect.
	Authenticate(username, password string) (*User, error)

	// Authorize returns nil if the given user has access to the given topic using the desired
	// permission. The user param may be nil to signal an anonymous user.
	Authorize(user *User, topic string, perm Permission) error
}

// Manager is an interface representing user and access management
type Manager interface {
	// AddUser adds a user with the given username, password and role. The password should be hashed
	// before it is stored in a persistence layer.
	AddUser(username, password string, role Role) error

	// RemoveUser deletes the user with the given username. The function returns nil on success, even
	// if the user did not exist in the first place.
	RemoveUser(username string) error

	// Users returns a list of users. It always also returns the Everyone user ("*").
	Users() ([]*User, error)

	// User returns the user with the given username if it exists, or ErrNotFound otherwise.
	// You may also pass Everyone to retrieve the anonymous user and its Grant list.
	User(username string) (*User, error)

	// ChangePassword changes a user's password
	ChangePassword(username, password string) error

	// ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
	// all existing access control entries (Grant) are removed, since they are no longer needed.
	ChangeRole(username string, role Role) error

	// AllowAccess adds or updates an entry in th access control list for a specific user. It controls
	// read/write access to a topic. The parameter topicPattern may include wildcards (*).
	AllowAccess(username string, topicPattern string, read bool, write bool) error

	// ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
	// empty) for an entire user. The parameter topicPattern may include wildcards (*).
	ResetAccess(username string, topicPattern string) error

	// DefaultAccess returns the default read/write access if no access control entry matches
	DefaultAccess() (read bool, write bool)
}

// User is a struct that represents a user
type User struct {
	Name   string
	Hash   string // password hash (bcrypt)
	Role   Role
	Grants []Grant
}

// Grant is a struct that represents an access control entry to a topic
type Grant struct {
	TopicPattern string // May include wildcard (*)
	AllowRead    bool
	AllowWrite   bool
}

// Permission represents a read or write permission to a topic
type Permission int

// Permissions to a topic
const (
	PermissionRead  = Permission(1)
	PermissionWrite = Permission(2)
)

// Role represents a user's role, either admin or regular user
type Role string

// User roles
const (
	RoleAdmin     = Role("admin")
	RoleUser      = Role("user")
	RoleAnonymous = Role("anonymous")
)

// Everyone is a special username representing anonymous users
const (
	Everyone = "*"
)

var (
	allowedUsernameRegex     = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`)     // Does not include Everyone (*)
	allowedTopicPatternRegex = regexp.MustCompile(`^[-_*A-Za-z0-9]{1,64}$`) // Adds '*' for wildcards!
)

// AllowedRole returns true if the given role can be used for new users
func AllowedRole(role Role) bool {
	return role == RoleUser || role == RoleAdmin
}

// AllowedUsername returns true if the given username is valid
func AllowedUsername(username string) bool {
	return allowedUsernameRegex.MatchString(username)
}

// AllowedTopicPattern returns true if the given topic pattern is valid; this includes the wildcard character (*)
func AllowedTopicPattern(username string) bool {
	return allowedTopicPatternRegex.MatchString(username)
}

// Error constants used by the package
var (
	ErrUnauthenticated = errors.New("unauthenticated")
	ErrUnauthorized    = errors.New("unauthorized")
	ErrInvalidArgument = errors.New("invalid argument")
	ErrNotFound        = errors.New("not found")
)
Docs and minor improvements to "ntfy access" 2022-02-01 22:40:33 +01:00			`// Package auth deals with authentication and authorization against topics`
Move to package 2022-01-23 06:02:16 +01:00			`package auth`

Add wildcard access control 2022-01-31 17:44:58 +01:00			`import (`
			`"errors"`
			`"regexp"`
			`)`
Move to package 2022-01-23 06:02:16 +01:00
More auth CLi 2022-01-23 06:54:18 +01:00			`// Auther is a generic interface to implement password-based authentication and authorization`
			`type Auther interface {`
Docblocking 2022-01-26 04:30:53 +01:00			`// Authenticate checks username and password and returns a user if correct. The method`
			`// returns in constant-ish time, regardless of whether the user exists or the password is`
			`// correct or incorrect.`
			`Authenticate(username, password string) (*User, error)`

			`// Authorize returns nil if the given user has access to the given topic using the desired`
			`// permission. The user param may be nil to signal an anonymous user.`
Move to package 2022-01-23 06:02:16 +01:00			`Authorize(user *User, topic string, perm Permission) error`
			`}`

Docblocking 2022-01-26 04:30:53 +01:00			`// Manager is an interface representing user and access management`
More auth CLi 2022-01-23 06:54:18 +01:00			`type Manager interface {`
Docblocking 2022-01-26 04:30:53 +01:00			`// AddUser adds a user with the given username, password and role. The password should be hashed`
			`// before it is stored in a persistence layer.`
More auth CLi 2022-01-23 06:54:18 +01:00			`AddUser(username, password string, role Role) error`
Docblocking 2022-01-26 04:30:53 +01:00
			`// RemoveUser deletes the user with the given username. The function returns nil on success, even`
			`// if the user did not exist in the first place.`
More auth CLi 2022-01-23 06:54:18 +01:00			`RemoveUser(username string) error`
Docblocking 2022-01-26 04:30:53 +01:00
			`// Users returns a list of users. It always also returns the Everyone user ("*").`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`Users() ([]*User, error)`
Docblocking 2022-01-26 04:30:53 +01:00
			`// User returns the user with the given username if it exists, or ErrNotFound otherwise.`
			`// You may also pass Everyone to retrieve the anonymous user and its Grant list.`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`User(username string) (*User, error)`
Docblocking 2022-01-26 04:30:53 +01:00
			`// ChangePassword changes a user's password`
More auth CLi 2022-01-23 06:54:18 +01:00			`ChangePassword(username, password string) error`
Docblocking 2022-01-26 04:30:53 +01:00
			`// ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,`
			`// all existing access control entries (Grant) are removed, since they are no longer needed.`
More CLI for access control 2022-01-23 21:30:30 +01:00			`ChangeRole(username string, role Role) error`
Docblocking 2022-01-26 04:30:53 +01:00
			`// AllowAccess adds or updates an entry in th access control list for a specific user. It controls`
Add wildcard access control 2022-01-31 17:44:58 +01:00			`// read/write access to a topic. The parameter topicPattern may include wildcards (*).`
			`AllowAccess(username string, topicPattern string, read bool, write bool) error`
Docblocking 2022-01-26 04:30:53 +01:00
			`// ResetAccess removes an access control list entry for a specific username/topic, or (if topic is`
Add wildcard access control 2022-01-31 17:44:58 +01:00			`// empty) for an entire user. The parameter topicPattern may include wildcards (*).`
			`ResetAccess(username string, topicPattern string) error`
Docblocking 2022-01-26 04:30:53 +01:00
			`// DefaultAccess returns the default read/write access if no access control entry matches`
			`DefaultAccess() (read bool, write bool)`
More auth CLi 2022-01-23 06:54:18 +01:00			`}`

Docblocking 2022-01-26 04:30:53 +01:00			`// User is a struct that represents a user`
Move to package 2022-01-23 06:02:16 +01:00			`type User struct {`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`Name string`
Tests 2022-01-26 03:57:28 +01:00			`Hash string // password hash (bcrypt)`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`Role Role`
			`Grants []Grant`
			`}`

Docblocking 2022-01-26 04:30:53 +01:00			`// Grant is a struct that represents an access control entry to a topic`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`type Grant struct {`
Rename Topic to TopicPattern in Grant 2022-01-31 17:47:30 +01:00			`TopicPattern string // May include wildcard (*)`
Do not forward messages to Firebase if topic is not world-readable 2022-02-01 01:33:22 +01:00			`AllowRead bool`
			`AllowWrite bool`
Move to package 2022-01-23 06:02:16 +01:00			`}`

Docblocking 2022-01-26 04:30:53 +01:00			`// Permission represents a read or write permission to a topic`
Move to package 2022-01-23 06:02:16 +01:00			`type Permission int`

Docblocking 2022-01-26 04:30:53 +01:00			`// Permissions to a topic`
Move to package 2022-01-23 06:02:16 +01:00			`const (`
			`PermissionRead = Permission(1)`
			`PermissionWrite = Permission(2)`
			`)`

Docblocking 2022-01-26 04:30:53 +01:00			`// Role represents a user's role, either admin or regular user`
Move to package 2022-01-23 06:02:16 +01:00			`type Role string`

Docblocking 2022-01-26 04:30:53 +01:00			`// User roles`
Move to package 2022-01-23 06:02:16 +01:00			`const (`
More auth 2022-01-24 06:54:28 +01:00			`RoleAdmin = Role("admin")`
			`RoleUser = Role("user")`
			`RoleAnonymous = Role("anonymous")`
Move to package 2022-01-23 06:02:16 +01:00			`)`

Docblocking 2022-01-26 04:30:53 +01:00			`// Everyone is a special username representing anonymous users`
More auth 2022-01-24 06:54:28 +01:00			`const (`
			`Everyone = "*"`
			`)`
More CLI for access control 2022-01-23 21:30:30 +01:00
Add wildcard access control 2022-01-31 17:44:58 +01:00			`var (`
			allowedUsernameRegex = regexp.MustCompile(`^[-_.@a-zA-Z0-9]+$`) // Does not include Everyone (*)
			allowedTopicPatternRegex = regexp.MustCompile(`^[-_A-Za-z0-9]{1,64}$`) // Adds '' for wildcards!
			`)`

Docblocking 2022-01-26 04:30:53 +01:00			`// AllowedRole returns true if the given role can be used for new users`
More CLI for access control 2022-01-23 21:30:30 +01:00			`func AllowedRole(role Role) bool {`
			`return role == RoleUser \|\| role == RoleAdmin`
			`}`

Add wildcard access control 2022-01-31 17:44:58 +01:00			`// AllowedUsername returns true if the given username is valid`
			`func AllowedUsername(username string) bool {`
			`return allowedUsernameRegex.MatchString(username)`
			`}`

			`// AllowedTopicPattern returns true if the given topic pattern is valid; this includes the wildcard character (*)`
			`func AllowedTopicPattern(username string) bool {`
			`return allowedTopicPatternRegex.MatchString(username)`
			`}`

Docblocking 2022-01-26 04:30:53 +01:00			`// Error constants used by the package`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`var (`
Tests 2022-01-26 03:57:28 +01:00			`ErrUnauthenticated = errors.New("unauthenticated")`
			`ErrUnauthorized = errors.New("unauthorized")`
			`ErrInvalidArgument = errors.New("invalid argument")`
			`ErrNotFound = errors.New("not found")`
Auth CLI, continued 2022-01-24 05:02:39 +01:00			`)`