From 460162737a428841989d2b6850d9b1dbc7a954c2 Mon Sep 17 00:00:00 2001 From: Philipp Heckel Date: Mon, 24 Jan 2022 00:54:28 -0500 Subject: [PATCH] More auth --- auth/auth.go | 20 ++--- auth/auth_sqlite.go | 125 +++++++++++++++++++------------ cmd/access.go | 174 ++++++++++++++++++++++++++++++++++++++++++++ cmd/app.go | 3 +- cmd/user.go | 26 +------ cmd/user_allow.go | 108 --------------------------- cmd/user_deny.go | 35 --------- server/errors.go | 1 + server/server.go | 2 +- 9 files changed, 264 insertions(+), 230 deletions(-) create mode 100644 cmd/access.go delete mode 100644 cmd/user_allow.go delete mode 100644 cmd/user_deny.go diff --git a/auth/auth.go b/auth/auth.go index 9956778f..d41843a3 100644 --- a/auth/auth.go +++ b/auth/auth.go @@ -15,6 +15,7 @@ type Manager interface { User(username string) (*User, error) ChangePassword(username, password string) error ChangeRole(username string, role Role) error + DefaultAccess() (read bool, write bool) AllowAccess(username string, topic string, read bool, write bool) error ResetAccess(username string, topic string) error } @@ -42,21 +43,14 @@ const ( type Role string const ( - RoleAdmin = Role("admin") - RoleUser = Role("user") - RoleNone = Role("none") + RoleAdmin = Role("admin") + RoleUser = Role("user") + RoleAnonymous = Role("anonymous") ) -var Everyone = &User{ - Name: "", - Role: RoleNone, -} - -var Roles = []Role{ - RoleAdmin, - RoleUser, - RoleNone, -} +const ( + Everyone = "*" +) func AllowedRole(role Role) bool { return role == RoleUser || role == RoleAdmin diff --git a/auth/auth_sqlite.go b/auth/auth_sqlite.go index 17cb1dd0..7c9f5cd1 100644 --- a/auth/auth_sqlite.go +++ b/auth/auth_sqlite.go @@ -21,10 +21,6 @@ INSERT INTO access VALUES ('','write-all',1,1); */ -const ( - bcryptCost = 11 -) - // Auther-related queries const ( createAuthTablesQueries = ` @@ -51,26 +47,28 @@ const ( selectTopicPermsQuery = ` SELECT read, write FROM access - WHERE user IN ('', ?) AND topic = ? + WHERE user IN ('*', ?) AND topic = ? ORDER BY user DESC ` ) // Manager-related queries const ( - insertUserQuery = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)` - selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user` - selectUserTopicPermsQuery = `SELECT topic, read, write FROM access WHERE user = ?` - updateUserPassQuery = `UPDATE user SET pass = ? WHERE user = ?` - updateUserRoleQuery = `UPDATE user SET role = ? WHERE user = ?` - upsertAccessQuery = ` + insertUserQuery = `INSERT INTO user (user, pass, role) VALUES (?, ?, ?)` + selectUsernamesQuery = `SELECT user FROM user ORDER BY role, user` + updateUserPassQuery = `UPDATE user SET pass = ? WHERE user = ?` + updateUserRoleQuery = `UPDATE user SET role = ? WHERE user = ?` + deleteUserQuery = `DELETE FROM user WHERE user = ?` + + upsertUserAccessQuery = ` INSERT INTO access (user, topic, read, write) VALUES (?, ?, ?, ?) ON CONFLICT (user, topic) DO UPDATE SET read=excluded.read, write=excluded.write ` - deleteUserQuery = `DELETE FROM user WHERE user = ?` - deleteAllAccessQuery = `DELETE FROM access WHERE user = ?` - deleteAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?` + selectUserAccessQuery = `SELECT topic, read, write FROM access WHERE user = ?` + deleteAllAccessQuery = `DELETE FROM access` + deleteUserAccessQuery = `DELETE FROM access WHERE user = ?` + deleteTopicAccessQuery = `DELETE FROM access WHERE user = ? AND topic = ?` ) type SQLiteAuth struct { @@ -106,6 +104,9 @@ func setupNewAuthDB(db *sql.DB) error { } func (a *SQLiteAuth) Authenticate(username, password string) (*User, error) { + if username == Everyone { + return nil, ErrUnauthorized + } rows, err := a.db.Query(selectUserQuery, username) if err != nil { return nil, err @@ -135,7 +136,7 @@ func (a *SQLiteAuth) Authorize(user *User, topic string, perm Permission) error // Select the read/write permissions for this user/topic combo. The query may return two // rows (one for everyone, and one for the user), but prioritizes the user. The value for // user.Name may be empty (= everyone). - var username string + username := Everyone if user != nil { username = user.Name } @@ -166,7 +167,7 @@ func (a *SQLiteAuth) resolvePerms(read, write bool, perm Permission) error { } func (a *SQLiteAuth) AddUser(username, password string, role Role) error { - hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost) + hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { return err } @@ -180,7 +181,7 @@ func (a *SQLiteAuth) RemoveUser(username string) error { if _, err := a.db.Exec(deleteUserQuery, username); err != nil { return err } - if _, err := a.db.Exec(deleteAllAccessQuery, username); err != nil { + if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil { return err } return nil @@ -211,10 +212,18 @@ func (a *SQLiteAuth) Users() ([]*User, error) { } users = append(users, user) } + everyone, err := a.everyoneUser() + if err != nil { + return nil, err + } + users = append(users, everyone) return users, nil } func (a *SQLiteAuth) User(username string) (*User, error) { + if username == Everyone { + return a.everyoneUser() + } urows, err := a.db.Query(selectUserQuery, username) if err != nil { return nil, err @@ -229,26 +238,10 @@ func (a *SQLiteAuth) User(username string) (*User, error) { } else if err := urows.Err(); err != nil { return nil, err } - arows, err := a.db.Query(selectUserTopicPermsQuery, username) + grants, err := a.readGrants(username) if err != nil { return nil, err } - defer arows.Close() - grants := make([]Grant, 0) - for arows.Next() { - var topic string - var read, write bool - if err := arows.Scan(&topic, &read, &write); err != nil { - return nil, err - } else if err := arows.Err(); err != nil { - return nil, err - } - grants = append(grants, Grant{ - Topic: topic, - Read: read, - Write: write, - }) - } return &User{ Name: username, Pass: hash, @@ -257,8 +250,45 @@ func (a *SQLiteAuth) User(username string) (*User, error) { }, nil } +func (a *SQLiteAuth) everyoneUser() (*User, error) { + grants, err := a.readGrants(Everyone) + if err != nil { + return nil, err + } + return &User{ + Name: Everyone, + Pass: "", + Role: RoleAnonymous, + Grants: grants, + }, nil +} + +func (a *SQLiteAuth) readGrants(username string) ([]Grant, error) { + rows, err := a.db.Query(selectUserAccessQuery, username) + if err != nil { + return nil, err + } + defer rows.Close() + grants := make([]Grant, 0) + for rows.Next() { + var topic string + var read, write bool + if err := rows.Scan(&topic, &read, &write); err != nil { + return nil, err + } else if err := rows.Err(); err != nil { + return nil, err + } + grants = append(grants, Grant{ + Topic: topic, + Read: read, + Write: write, + }) + } + return grants, nil +} + func (a *SQLiteAuth) ChangePassword(username, password string) error { - hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost) + hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) if err != nil { return err } @@ -273,29 +303,32 @@ func (a *SQLiteAuth) ChangeRole(username string, role Role) error { return err } if role == RoleAdmin { - if _, err := a.db.Exec(deleteAllAccessQuery, username); err != nil { + if _, err := a.db.Exec(deleteUserAccessQuery, username); err != nil { return err } } return nil } +func (a *SQLiteAuth) DefaultAccess() (read bool, write bool) { + return a.defaultRead, a.defaultWrite +} + func (a *SQLiteAuth) AllowAccess(username string, topic string, read bool, write bool) error { - if _, err := a.db.Exec(upsertAccessQuery, username, topic, read, write); err != nil { + if _, err := a.db.Exec(upsertUserAccessQuery, username, topic, read, write); err != nil { return err } return nil } func (a *SQLiteAuth) ResetAccess(username string, topic string) error { - if topic == "" { - if _, err := a.db.Exec(deleteAllAccessQuery, username); err != nil { - return err - } - } else { - if _, err := a.db.Exec(deleteAccessQuery, username, topic); err != nil { - return err - } + if username == "" && topic == "" { + _, err := a.db.Exec(deleteAllAccessQuery, username) + return err + } else if topic == "" { + _, err := a.db.Exec(deleteUserAccessQuery, username) + return err } - return nil + _, err := a.db.Exec(deleteTopicAccessQuery, username, topic) + return err } diff --git a/cmd/access.go b/cmd/access.go new file mode 100644 index 00000000..d46e155e --- /dev/null +++ b/cmd/access.go @@ -0,0 +1,174 @@ +package cmd + +import ( + "errors" + "fmt" + "github.com/urfave/cli/v2" + "heckel.io/ntfy/auth" + "heckel.io/ntfy/util" +) + +/* + +ntfy access # Shows access control list +ntfy access phil # Shows access for user phil +ntfy access phil mytopic # Shows access for user phil and topic mytopic +ntfy access phil mytopic rw # Allow read-write access to mytopic for user phil +ntfy access everyone mytopic rw # Allow anonymous read-write access to mytopic +ntfy access --reset # Reset entire access control list +ntfy access --reset phil # Reset all access for user phil +ntfy access --reset phil mytopic # Reset access for user phil and topic mytopic + +*/ + +const ( + userEveryone = "everyone" +) + +var flagsAccess = append( + userCommandFlags(), + &cli.BoolFlag{Name: "reset", Aliases: []string{"r"}, Usage: "reset access for user (and topic)"}, +) + +var cmdAccess = &cli.Command{ + Name: "access", + Usage: "Grant/revoke access to a topic, or show access", + UsageText: "ntfy access [USERNAME [TOPIC [PERMISSION]]]", + Flags: flagsAccess, + Before: initConfigFileInputSource("config", flagsAccess), + Action: execUserAccess, + Category: categoryServer, +} + +func execUserAccess(c *cli.Context) error { + manager, err := createAuthManager(c) + if err != nil { + return err + } + username := c.Args().Get(0) + if username == userEveryone { + username = auth.Everyone + } + topic := c.Args().Get(1) + perms := c.Args().Get(2) + reset := c.Bool("reset") + if reset { + return resetAccess(c, manager, username, topic) + } else if perms == "" { + return showAccess(c, manager, username) + } + return changeAccess(c, manager, username, topic, perms) +} + +func changeAccess(c *cli.Context, manager auth.Manager, username string, topic string, perms string) error { + if !util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none", "deny"}, perms) { + return errors.New("permission must be one of: read-write, read-only, write-only, or deny (or the aliases: read, ro, write, wo, none)") + } + read := util.InStringList([]string{"read-write", "rw", "read-only", "read", "ro"}, perms) + write := util.InStringList([]string{"read-write", "rw", "write-only", "write", "wo"}, perms) + if err := manager.AllowAccess(username, topic, read, write); err != nil { + return err + } + if read && write { + fmt.Fprintf(c.App.Writer, "Granted read-write access to topic %s\n\n", topic) + } else if read { + fmt.Fprintf(c.App.Writer, "Granted read-only access to topic %s\n\n", topic) + } else if write { + fmt.Fprintf(c.App.Writer, "Granted write-only access to topic %s\n\n", topic) + } else { + fmt.Fprintf(c.App.Writer, "Revoked all access to topic %s\n\n", topic) + } + return showUserAccess(c, manager, username) +} + +func resetAccess(c *cli.Context, manager auth.Manager, username, topic string) error { + if username == "" { + return resetAllAccess(c, manager) + } else if topic == "" { + return resetUserAccess(c, manager, username) + } + return resetUserTopicAccess(c, manager, username, topic) +} + +func resetAllAccess(c *cli.Context, manager auth.Manager) error { + if err := manager.ResetAccess("", ""); err != nil { + return err + } + fmt.Fprintln(c.App.Writer, "Reset access for all users") + return nil +} + +func resetUserAccess(c *cli.Context, manager auth.Manager, username string) error { + if err := manager.ResetAccess(username, ""); err != nil { + return err + } + fmt.Fprintf(c.App.Writer, "Reset access for user %s\n\n", username) + return showUserAccess(c, manager, username) +} + +func resetUserTopicAccess(c *cli.Context, manager auth.Manager, username string, topic string) error { + if err := manager.ResetAccess(username, topic); err != nil { + return err + } + fmt.Fprintf(c.App.Writer, "Reset access for user %s and topic %s\n\n", username, topic) + return showUserAccess(c, manager, username) +} + +func showAccess(c *cli.Context, manager auth.Manager, username string) error { + if username == "" { + return showAllAccess(c, manager) + } + return showUserAccess(c, manager, username) +} + +func showAllAccess(c *cli.Context, manager auth.Manager) error { + users, err := manager.Users() + if err != nil { + return err + } + return showUsers(c, manager, users) +} + +func showUserAccess(c *cli.Context, manager auth.Manager, username string) error { + users, err := manager.User(username) + if err != nil { + return err + } + return showUsers(c, manager, []*auth.User{users}) +} + +func showUsers(c *cli.Context, manager auth.Manager, users []*auth.User) error { + for _, user := range users { + fmt.Fprintf(c.App.Writer, "User %s (%s)\n", user.Name, user.Role) + if user.Role == auth.RoleAdmin { + fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n") + } else if len(user.Grants) > 0 { + for _, grant := range user.Grants { + if grant.Read && grant.Write { + fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.Topic) + } else if grant.Read { + fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.Topic) + } else if grant.Write { + fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.Topic) + } else { + fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.Topic) + } + } + } else { + fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n") + } + if user.Name == auth.Everyone { + defaultRead, defaultWrite := manager.DefaultAccess() + if defaultRead && defaultWrite { + fmt.Fprintln(c.App.ErrWriter, "- read-write access to all (other) topics (server config)") + } else if defaultRead { + fmt.Fprintln(c.App.ErrWriter, "- read-only access to all (other) topics (server config)") + } else if defaultWrite { + fmt.Fprintln(c.App.ErrWriter, "- write-only access to all (other) topics (server config)") + } else { + fmt.Fprintln(c.App.ErrWriter, "- no access to any (other) topics (server config)") + } + } + } + return nil +} diff --git a/cmd/app.go b/cmd/app.go index 0c38993c..9ef5679b 100644 --- a/cmd/app.go +++ b/cmd/app.go @@ -37,8 +37,7 @@ func New() *cli.App { // Server commands cmdServe, cmdUser, - cmdAllow, - cmdDeny, + cmdAccess, // Client commands cmdPublish, diff --git a/cmd/user.go b/cmd/user.go index 2d077300..d72bd6a9 100644 --- a/cmd/user.go +++ b/cmd/user.go @@ -159,31 +159,7 @@ func execUserList(c *cli.Context) error { if err != nil { return err } - return showUsers(c, users) -} - -func showUsers(c *cli.Context, users []*auth.User) error { - for _, user := range users { - fmt.Fprintf(c.App.Writer, "User %s (%s)\n", user.Name, user.Role) - if user.Role == auth.RoleAdmin { - fmt.Fprintf(c.App.ErrWriter, "- read-write access to all topics (admin role)\n") - } else if len(user.Grants) > 0 { - for _, grant := range user.Grants { - if grant.Read && grant.Write { - fmt.Fprintf(c.App.ErrWriter, "- read-write access to topic %s\n", grant.Topic) - } else if grant.Read { - fmt.Fprintf(c.App.ErrWriter, "- read-only access to topic %s\n", grant.Topic) - } else if grant.Write { - fmt.Fprintf(c.App.ErrWriter, "- write-only access to topic %s\n", grant.Topic) - } else { - fmt.Fprintf(c.App.ErrWriter, "- no access to topic %s\n", grant.Topic) - } - } - } else { - fmt.Fprintf(c.App.ErrWriter, "- no topic-specific permissions\n") - } - } - return nil + return showUsers(c, manager, users) } func createAuthManager(c *cli.Context) (auth.Manager, error) { diff --git a/cmd/user_allow.go b/cmd/user_allow.go deleted file mode 100644 index c01b417e..00000000 --- a/cmd/user_allow.go +++ /dev/null @@ -1,108 +0,0 @@ -package cmd - -import ( - "errors" - "fmt" - "github.com/urfave/cli/v2" - "heckel.io/ntfy/auth" - "heckel.io/ntfy/util" -) - -const ( - userEveryone = "everyone" -) - -var flagsAllow = append( - userCommandFlags(), - &cli.BoolFlag{Name: "reset", Aliases: []string{"r"}, Usage: "reset access for user (and topic)"}, -) - -var cmdAllow = &cli.Command{ - Name: "allow", - Usage: "Grant a user access to a topic", - UsageText: "ntfy allow USERNAME TOPIC [read-write|read-only|write-only|none]", - Flags: flagsAllow, - Before: initConfigFileInputSource("config", flagsAllow), - Action: execUserAllow, - Category: categoryServer, -} - -func execUserAllow(c *cli.Context) error { - username := c.Args().Get(0) - topic := c.Args().Get(1) - perms := c.Args().Get(2) - reset := c.Bool("reset") - if username == "" { - return errors.New("username expected, type 'ntfy allow --help' for help") - } else if !reset && topic == "" { - return errors.New("topic expected, type 'ntfy allow --help' for help") - } else if !util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro", "write-only", "write", "wo", "none"}, perms) { - return errors.New("permission must be one of: read-write, read-only, write-only, or none (or the aliases: read, ro, write, wo)") - } - if username == userEveryone { - username = "" - } - read := util.InStringList([]string{"", "read-write", "rw", "read-only", "read", "ro"}, perms) - write := util.InStringList([]string{"", "read-write", "rw", "write-only", "write", "wo"}, perms) - manager, err := createAuthManager(c) - if err != nil { - return err - } - if reset { - return doAccessReset(c, manager, username, topic) - } - return doAccessAllow(c, manager, username, topic, read, write) -} - -func doAccessAllow(c *cli.Context, manager auth.Manager, username string, topic string, read bool, write bool) error { - if err := manager.AllowAccess(username, topic, read, write); err != nil { - return err - } - if username == "" { - if read && write { - fmt.Fprintf(c.App.Writer, "Anonymous users granted full access to topic %s\n", topic) - } else if read { - fmt.Fprintf(c.App.Writer, "Anonymous users granted read-only access to topic %s\n", topic) - } else if write { - fmt.Fprintf(c.App.Writer, "Anonymous users granted write-only access to topic %s\n", topic) - } else { - fmt.Fprintf(c.App.Writer, "Revoked all access to topic %s for all anonymous users\n", topic) - } - } else { - if read && write { - fmt.Fprintf(c.App.Writer, "User %s now has read-write access to topic %s\n", username, topic) - } else if read { - fmt.Fprintf(c.App.Writer, "User %s now has read-only access to topic %s\n", username, topic) - } else if write { - fmt.Fprintf(c.App.Writer, "User %s now has write-only access to topic %s\n", username, topic) - } else { - fmt.Fprintf(c.App.Writer, "Revoked all access to topic %s for user %s\n", topic, username) - } - } - user, err := manager.User(username) - if err != nil { - return err - } - fmt.Fprintln(c.App.Writer) - return showUsers(c, []*auth.User{user}) -} - -func doAccessReset(c *cli.Context, manager auth.Manager, username, topic string) error { - if err := manager.ResetAccess(username, topic); err != nil { - return err - } - if username == "" { - if topic == "" { - fmt.Fprintln(c.App.Writer, "Reset access for all anonymous users and all topics") - } else { - fmt.Fprintf(c.App.Writer, "Reset access to topic %s for all anonymous users\n", topic) - } - } else { - if topic == "" { - fmt.Fprintf(c.App.Writer, "Reset access for user %s to all topics\n", username) - } else { - fmt.Fprintf(c.App.Writer, "Reset access for user %s and topic %s\n", username, topic) - } - } - return nil -} diff --git a/cmd/user_deny.go b/cmd/user_deny.go deleted file mode 100644 index 6431bdb1..00000000 --- a/cmd/user_deny.go +++ /dev/null @@ -1,35 +0,0 @@ -package cmd - -import ( - "errors" - "github.com/urfave/cli/v2" -) - -var flagsDeny = userCommandFlags() -var cmdDeny = &cli.Command{ - Name: "deny", - Usage: "Revoke user access from a topic", - UsageText: "ntfy deny USERNAME TOPIC", - Flags: flagsDeny, - Before: initConfigFileInputSource("config", flagsDeny), - Action: execUserDeny, - Category: categoryServer, -} - -func execUserDeny(c *cli.Context) error { - username := c.Args().Get(0) - topic := c.Args().Get(1) - if username == "" { - return errors.New("username expected, type 'ntfy deny --help' for help") - } else if topic == "" { - return errors.New("topic expected, type 'ntfy deny --help' for help") - } - if username == userEveryone { - username = "" - } - manager, err := createAuthManager(c) - if err != nil { - return err - } - return doAccessAllow(c, manager, username, topic, false, false) -} diff --git a/server/errors.go b/server/errors.go index 0ad81de1..db475b8c 100644 --- a/server/errors.go +++ b/server/errors.go @@ -41,6 +41,7 @@ var ( errHTTPBadRequestWebSocketsUpgradeHeaderMissing = &errHTTP{40016, http.StatusBadRequest, "invalid request: client not using the websocket protocol", ""} errHTTPNotFound = &errHTTP{40401, http.StatusNotFound, "page not found", ""} errHTTPUnauthorized = &errHTTP{40101, http.StatusUnauthorized, "unauthorized", ""} + errHTTPForbidden = &errHTTP{40301, http.StatusForbidden, "forbidden", ""} errHTTPTooManyRequestsLimitRequests = &errHTTP{42901, http.StatusTooManyRequests, "limit reached: too many requests, please be nice", "https://ntfy.sh/docs/publish/#limitations"} errHTTPTooManyRequestsLimitEmails = &errHTTP{42902, http.StatusTooManyRequests, "limit reached: too many emails, please be nice", "https://ntfy.sh/docs/publish/#limitations"} errHTTPTooManyRequestsLimitSubscriptions = &errHTTP{42903, http.StatusTooManyRequests, "limit reached: too many active subscriptions, please be nice", "https://ntfy.sh/docs/publish/#limitations"} diff --git a/server/server.go b/server/server.go index 0cc53394..6f537944 100644 --- a/server/server.go +++ b/server/server.go @@ -1144,7 +1144,7 @@ func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc { } if err := s.auth.Authorize(user, t.ID, perm); err != nil { log.Printf("unauthorized: %s", err.Error()) - return errHTTPUnauthorized + return errHTTPForbidden } return next(w, r, v) }