fleet/server/service_users.go

package server

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"

	"github.com/kolide/kolide-ose/kolide"
	"golang.org/x/crypto/bcrypt"
	"golang.org/x/net/context"
)

func (svc service) NewUser(ctx context.Context, p kolide.UserPayload) (*kolide.User, error) {
	user, err := userFromPayload(p, svc.config.Auth.SaltKeySize, svc.config.Auth.BcryptCost)
	if err != nil {
		return nil, err
	}
	user, err = svc.ds.NewUser(user)
	if err != nil {
		return nil, err
	}
	return user, nil
}

func (svc service) User(ctx context.Context, id uint) (*kolide.User, error) {
	return svc.ds.UserByID(id)
}

func (svc service) ChangePassword(ctx context.Context, userID uint, old, new string) error {
	user, err := svc.User(ctx, userID)
	if err != nil {
		return err
	}
	if err := user.ValidatePassword(old); err != nil {
		return fmt.Errorf("current password validation failed: %v", err)
	}
	hashed, salt, err := hashPassword(new, svc.config.Auth.SaltKeySize, svc.config.Auth.BcryptCost)
	if err != nil {
		return err
	}
	user.Salt = salt
	user.Password = hashed
	return svc.saveUser(user)
}

func (svc service) UpdateAdminRole(ctx context.Context, userID uint, isAdmin bool) error {
	user, err := svc.User(ctx, userID)
	if err != nil {
		return err
	}
	user.Admin = isAdmin
	return svc.saveUser(user)
}

func (svc service) UpdateUserStatus(ctx context.Context, userID uint, password string, enabled bool) error {
	user, err := svc.User(ctx, userID)
	if err != nil {
		return err
	}
	user.Enabled = enabled
	return svc.saveUser(user)
}

// saves user in datastore.
// doesn't need to be exposed to the transport
// the service should expose actions for modifying a user instead
func (svc service) saveUser(user *kolide.User) error {
	return svc.ds.SaveUser(user)
}

func userFromPayload(p kolide.UserPayload, keySize, cost int) (*kolide.User, error) {
	hashed, salt, err := hashPassword(*p.Password, keySize, cost)
	if err != nil {
		return nil, err
	}

	return &kolide.User{
		Username: *p.Username,
		Email:    *p.Email,
		Admin:    falseIfNil(p.Admin),
		AdminForcedPasswordReset: falseIfNil(p.AdminForcedPasswordReset),
		Salt:     salt,
		Enabled:  true,
		Password: hashed,
	}, nil
}

func hashPassword(plaintext string, keySize, cost int) ([]byte, string, error) {
	salt, err := generateRandomText(keySize)
	if err != nil {
		return nil, "", err
	}

	withSalt := []byte(fmt.Sprintf("%s%s", plaintext, salt))
	hashed, err := bcrypt.GenerateFromPassword(withSalt, cost)
	if err != nil {
		return nil, "", err
	}

	return hashed, salt, nil

}

// generateRandomText return a string generated by filling in keySize bytes with
// random data and then base64 encoding those bytes
func generateRandomText(keySize int) (string, error) {
	key := make([]byte, keySize)
	_, err := rand.Read(key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(key), nil
}

// helper to convert a bool pointer false
func falseIfNil(b *bool) bool {
	if b == nil {
		return false
	}
	return *b
}
removing old server implementation (#109) 2016-09-05 20:03:58 +00:00			`package server`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`import (`
			`"crypto/rand"`
			`"encoding/base64"`
			`"fmt"`

			`"github.com/kolide/kolide-ose/kolide"`
			`"golang.org/x/crypto/bcrypt"`
			`"golang.org/x/net/context"`
			`)`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (svc service) NewUser(ctx context.Context, p kolide.UserPayload) (*kolide.User, error) {`
Refactoring for config patterns (#159) This PR refactors most of the codebase to use the new config patterns implemented in #149. Now the core service keeps a copy of the KolideConfig struct, and service methods can reference the configuration in that struct when they need it. The most significant refactoring is in the sessions code, separating the business logic from the storage layer. 2016-09-14 16:11:06 +00:00			`user, err := userFromPayload(p, svc.config.Auth.SaltKeySize, svc.config.Auth.BcryptCost)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`if err != nil {`
			`return nil, err`
			`}`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`user, err = svc.ds.NewUser(user)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`return user, nil`
			`}`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (svc service) User(ctx context.Context, id uint) (*kolide.User, error) {`
			`return svc.ds.UserByID(id)`
add tests for set password 2016-08-29 00:29:56 +00:00			`}`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (svc service) ChangePassword(ctx context.Context, userID uint, old, new string) error {`
			`user, err := svc.User(ctx, userID)`
add tests for set password 2016-08-29 00:29:56 +00:00			`if err != nil {`
			`return err`
			`}`
add more user auth methods 2016-08-29 17:04:07 +00:00			`if err := user.ValidatePassword(old); err != nil {`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`return fmt.Errorf("current password validation failed: %v", err)`
add more user auth methods 2016-08-29 17:04:07 +00:00			`}`
Refactoring for config patterns (#159) This PR refactors most of the codebase to use the new config patterns implemented in #149. Now the core service keeps a copy of the KolideConfig struct, and service methods can reference the configuration in that struct when they need it. The most significant refactoring is in the sessions code, separating the business logic from the storage layer. 2016-09-14 16:11:06 +00:00			`hashed, salt, err := hashPassword(new, svc.config.Auth.SaltKeySize, svc.config.Auth.BcryptCost)`
add tests for set password 2016-08-29 00:29:56 +00:00			`if err != nil {`
			`return err`
			`}`
			`user.Salt = salt`
			`user.Password = hashed`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`return svc.saveUser(user)`
add tests for set password 2016-08-29 00:29:56 +00:00			`}`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (svc service) UpdateAdminRole(ctx context.Context, userID uint, isAdmin bool) error {`
			`user, err := svc.User(ctx, userID)`
add more user auth methods 2016-08-29 17:04:07 +00:00			`if err != nil {`
			`return err`
			`}`
			`user.Admin = isAdmin`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`return svc.saveUser(user)`
add more user auth methods 2016-08-29 17:04:07 +00:00			`}`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (svc service) UpdateUserStatus(ctx context.Context, userID uint, password string, enabled bool) error {`
			`user, err := svc.User(ctx, userID)`
add more user auth methods 2016-08-29 17:04:07 +00:00			`if err != nil {`
			`return err`
			`}`
			`user.Enabled = enabled`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`return svc.saveUser(user)`
add more user auth methods 2016-08-29 17:04:07 +00:00			`}`

add tests for set password 2016-08-29 00:29:56 +00:00			`// saves user in datastore.`
			`// doesn't need to be exposed to the transport`
			`// the service should expose actions for modifying a user instead`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (svc service) saveUser(user *kolide.User) error {`
			`return svc.ds.SaveUser(user)`
add tests for set password 2016-08-29 00:29:56 +00:00			`}`

go-kit server layout 2016-08-28 03:59:17 +00:00			`func userFromPayload(p kolide.UserPayload, keySize, cost int) (*kolide.User, error) {`
			`hashed, salt, err := hashPassword(*p.Password, keySize, cost)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &kolide.User{`
Update user properties (#143) * renamed NeedsPasswordReset field for clarity This field was not obvious when it should be set or checked. This makes it a bit more obious. The property should only be set if the password request was requested by an admin. Having this property checked should - invalidate current user auth token - force user to reset password on their next login - NOT send a password reset email * add GravatarURL property we considered uploading and storing an image url in the future as well * Add a user property to save the user's job role/position 2016-09-08 22:57:05 +00:00			`Username: *p.Username,`
			`Email: *p.Email,`
			`Admin: falseIfNil(p.Admin),`
			`AdminForcedPasswordReset: falseIfNil(p.AdminForcedPasswordReset),`
			`Salt: salt,`
			`Enabled: true,`
			`Password: hashed,`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}, nil`
			`}`

			`func hashPassword(plaintext string, keySize, cost int) ([]byte, string, error) {`
			`salt, err := generateRandomText(keySize)`
			`if err != nil {`
			`return nil, "", err`
			`}`

			`withSalt := []byte(fmt.Sprintf("%s%s", plaintext, salt))`
			`hashed, err := bcrypt.GenerateFromPassword(withSalt, cost)`
			`if err != nil {`
			`return nil, "", err`
			`}`

			`return hashed, salt, nil`

			`}`

			`// generateRandomText return a string generated by filling in keySize bytes with`
			`// random data and then base64 encoding those bytes`
			`func generateRandomText(keySize int) (string, error) {`
			`key := make([]byte, keySize)`
			`_, err := rand.Read(key)`
			`if err != nil {`
			`return "", err`
			`}`
			`return base64.StdEncoding.EncodeToString(key), nil`
			`}`

			`// helper to convert a bool pointer false`
			`func falseIfNil(b *bool) bool {`
			`if b == nil {`
			`return false`
			`}`
			`return *b`
			`}`