fleet/server/http_auth.go

package server

import (
	"fmt"
	"net/http"
	"strings"

	jwt "github.com/dgrijalva/jwt-go"
	"github.com/dgrijalva/jwt-go/request"
	kitlog "github.com/go-kit/kit/log"
	kithttp "github.com/go-kit/kit/transport/http"
	"github.com/kolide/kolide-ose/kolide"
	"golang.org/x/net/context"
)

// authentication error
type authError struct {
	reason string
	// client reason is used to provide
	// a different error message to the client
	// when security is a concern
	clientReason string
}

func (e authError) Error() string {
	return e.reason
}

func (e authError) AuthError() string {
	if e.clientReason != "" {
		return e.clientReason
	}
	return "authorization error"
}

// forbidden, set when user is authenticated, but not allowd to perform action
type forbiddenError struct {
	message string
	fields  []string
}

func (e forbiddenError) Error() string {
	if e.message == "" {
		return "unauthorized"
	}
	return fmt.Sprintf("unauthorized: %s", e.message)
}

// ViewerContext is a struct which represents the ability for an execution
// context to participate in certain actions. Most often, a ViewerContext is
// associated with an application user, but a ViewerContext can represent a
// variety of other execution contexts as well (script, test, etc). The main
// purpose of a ViewerContext is to assist in the authorization of sensitive
// actions.
type viewerContext struct {
	user    *kolide.User
	session *kolide.Session
}

// IsAdmin indicates whether or not the current user can perform administrative
// actions.
func (vc *viewerContext) IsAdmin() bool {
	if vc.user != nil {
		return vc.user.Admin && vc.user.Enabled
	}
	return false
}

// UserID is a helper that enables quick access to the user ID of the current
// user.
func (vc *viewerContext) UserID() uint {
	if vc.user != nil {
		return vc.user.ID
	}
	return 0
}

func (vc *viewerContext) SessionID() uint {
	if vc.session != nil {
		return vc.session.ID
	}
	return 0
}

// IsLoggedIn determines whether or not the current VC is attached to a user
// account
func (vc *viewerContext) IsLoggedIn() bool {
	return vc.user != nil && vc.user.Enabled
}

// CanPerformActions returns a bool indicating the current user's ability to
// perform the most basic actions on the site
func (vc *viewerContext) CanPerformActions() bool {
	return vc.IsLoggedIn() && !vc.user.AdminForcedPasswordReset
}

// CanPerformReadActionsOnUser returns a bool indicating the current user's
// ability to perform read actions on the given user
func (vc *viewerContext) CanPerformReadActionOnUser(uid uint) bool {
	return vc.CanPerformActions() || (vc.IsLoggedIn() && vc.IsUserID(uid))
}

// CanPerformWriteActionOnUser returns a bool indicating the current user's
// ability to perform write actions on the given user
func (vc *viewerContext) CanPerformWriteActionOnUser(uid uint) bool {
	return vc.CanPerformActions() && (vc.IsUserID(uid) || vc.IsAdmin())
}

// IsUserID returns true if the given user id the same as the user which is
// represented by this ViewerContext
func (vc *viewerContext) IsUserID(id uint) bool {
	if vc.UserID() == id {
		return true
	}
	return false
}

// newViewerContext generates a ViewerContext given a session
func newViewerContext(user *kolide.User, session *kolide.Session) *viewerContext {
	return &viewerContext{
		user:    user,
		session: session,
	}
}

// emptyVC is a utility which generates an empty ViewerContext. This is often
// used to represent users which are not logged in.
func emptyVC() *viewerContext {
	return &viewerContext{}
}

func viewerContextFromContext(ctx context.Context) (*viewerContext, error) {
	vc, ok := ctx.Value("viewerContext").(*viewerContext)
	if !ok {
		return nil, errNoContext
	}
	return vc, nil
}

// setViewerContext updates the context with a viewerContext,
// which holds the currently logged in user
func setViewerContext(svc kolide.Service, ds kolide.Datastore, jwtKey string, logger kitlog.Logger) kithttp.RequestFunc {
	return func(ctx context.Context, r *http.Request) context.Context {
		token, err := request.ParseFromRequest(r, request.AuthorizationHeaderExtractor, func(token *jwt.Token) (interface{}, error) {
			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
				return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
			}
			return []byte(jwtKey), nil
		})
		if err != nil {
			if err != request.ErrNoTokenInRequest {
				// all unauthenticated requests (login,logout,passwordreset) result in the
				// request.ErrNoTokenInRequest error. we can ignore logging it
				logger.Log("err", err, "error-source", "setViewerContext")
			}
			return context.WithValue(ctx, "viewerContext", emptyVC())
		}

		claims, ok := token.Claims.(jwt.MapClaims)
		if !ok {
			return context.WithValue(ctx, "viewerContext", emptyVC())
		}

		sessionKeyClaim, ok := claims["session_key"]
		if !ok {
			return context.WithValue(ctx, "viewerContext", emptyVC())
		}

		sessionKey, ok := sessionKeyClaim.(string)
		if !ok {
			return context.WithValue(ctx, "viewerContext", emptyVC())
		}

		session, err := svc.GetSessionByKey(ctx, sessionKey)
		if err != nil {
			switch err {
			case kolide.ErrNoActiveSession:
				// If the code path got this far, it's likely that the user was logged
				// in some time in the past, but their session has been expired since
				// their last usage of the application
				return context.WithValue(ctx, "viewerContext", emptyVC())
			default:
				return context.WithValue(ctx, "viewerContext", emptyVC())
			}
		}

		user, err := svc.User(ctx, session.UserID)
		if err != nil {
			logger.Log("err", err, "error-source", "setViewerContext")
			return context.WithValue(ctx, "viewerContext", emptyVC())
		}

		ctx = context.WithValue(ctx, "viewerContext", newViewerContext(user, session))
		logger.Log("msg", "viewer context set", "user", user.ID)
		// get the user-id for request
		if strings.Contains(r.URL.Path, "users/") {
			ctx = withUserIDFromRequest(r, ctx)
		}
		return ctx
	}
}

func withUserIDFromRequest(r *http.Request, ctx context.Context) context.Context {
	id, _ := idFromRequest(r, "id")
	return context.WithValue(ctx, "request-id", id)
}
removing old server implementation (#109) 2016-09-05 20:03:58 +00:00			`package server`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`import (`
			`"fmt"`
			`"net/http"`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`"strings"`
go-kit server layout 2016-08-28 03:59:17 +00:00
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`jwt "github.com/dgrijalva/jwt-go"`
			`"github.com/dgrijalva/jwt-go/request"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`kitlog "github.com/go-kit/kit/log"`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`kithttp "github.com/go-kit/kit/transport/http"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`"github.com/kolide/kolide-ose/kolide"`
Organizing cobra commands (#100) 2016-09-03 17:25:16 +00:00			`"golang.org/x/net/context"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`)`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`// authentication error`
go-kit server layout 2016-08-28 03:59:17 +00:00			`type authError struct {`
Auth errors (#185) Return well formatted authentication errors to the client Log the reason for an error serveside but return a masked/generic reason to the client Assert go errors by behavior rather than type. 2016-09-20 19:22:54 +00:00			`reason string`
			`// client reason is used to provide`
			`// a different error message to the client`
			`// when security is a concern`
			`clientReason string`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

			`func (e authError) Error() string {`
Auth errors (#185) Return well formatted authentication errors to the client Log the reason for an error serveside but return a masked/generic reason to the client Assert go errors by behavior rather than type. 2016-09-20 19:22:54 +00:00			`return e.reason`
			`}`

			`func (e authError) AuthError() string {`
			`if e.clientReason != "" {`
			`return e.clientReason`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
Auth errors (#185) Return well formatted authentication errors to the client Log the reason for an error serveside but return a masked/generic reason to the client Assert go errors by behavior rather than type. 2016-09-20 19:22:54 +00:00			`return "authorization error"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`// forbidden, set when user is authenticated, but not allowd to perform action`
			`type forbiddenError struct {`
			`message string`
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API 2016-09-15 14:52:17 +00:00			`fields []string`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`

			`func (e forbiddenError) Error() string {`
			`if e.message == "" {`
			`return "unauthorized"`
			`}`
			`return fmt.Sprintf("unauthorized: %s", e.message)`
			`}`

			`// ViewerContext is a struct which represents the ability for an execution`
go-kit server layout 2016-08-28 03:59:17 +00:00			`// context to participate in certain actions. Most often, a ViewerContext is`
			`// associated with an application user, but a ViewerContext can represent a`
			`// variety of other execution contexts as well (script, test, etc). The main`
			`// purpose of a ViewerContext is to assist in the authorization of sensitive`
			`// actions.`
			`type viewerContext struct {`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`user *kolide.User`
			`session *kolide.Session`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

			`// IsAdmin indicates whether or not the current user can perform administrative`
			`// actions.`
			`func (vc *viewerContext) IsAdmin() bool {`
			`if vc.user != nil {`
			`return vc.user.Admin && vc.user.Enabled`
			`}`
			`return false`
			`}`

			`// UserID is a helper that enables quick access to the user ID of the current`
			`// user.`
			`func (vc *viewerContext) UserID() uint {`
			`if vc.user != nil {`
			`return vc.user.ID`
			`}`
			`return 0`
			`}`

Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`func (vc *viewerContext) SessionID() uint {`
			`if vc.session != nil {`
			`return vc.session.ID`
			`}`
			`return 0`
			`}`

go-kit server layout 2016-08-28 03:59:17 +00:00			`// IsLoggedIn determines whether or not the current VC is attached to a user`
			`// account`
			`func (vc *viewerContext) IsLoggedIn() bool {`
			`return vc.user != nil && vc.user.Enabled`
			`}`

			`// CanPerformActions returns a bool indicating the current user's ability to`
			`// perform the most basic actions on the site`
			`func (vc *viewerContext) CanPerformActions() bool {`
Update user properties (#143) * renamed NeedsPasswordReset field for clarity This field was not obvious when it should be set or checked. This makes it a bit more obious. The property should only be set if the password request was requested by an admin. Having this property checked should - invalidate current user auth token - force user to reset password on their next login - NOT send a password reset email * add GravatarURL property we considered uploading and storing an image url in the future as well * Add a user property to save the user's job role/position 2016-09-08 22:57:05 +00:00			`return vc.IsLoggedIn() && !vc.user.AdminForcedPasswordReset`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

			`// CanPerformReadActionsOnUser returns a bool indicating the current user's`
			`// ability to perform read actions on the given user`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (vc *viewerContext) CanPerformReadActionOnUser(uid uint) bool {`
			`return vc.CanPerformActions() \|\| (vc.IsLoggedIn() && vc.IsUserID(uid))`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

add WriteActions context 2016-08-28 15:12:04 +00:00			`// CanPerformWriteActionOnUser returns a bool indicating the current user's`
			`// ability to perform write actions on the given user`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`func (vc *viewerContext) CanPerformWriteActionOnUser(uid uint) bool {`
			`return vc.CanPerformActions() && (vc.IsUserID(uid) \|\| vc.IsAdmin())`
add WriteActions context 2016-08-28 15:12:04 +00:00			`}`

go-kit server layout 2016-08-28 03:59:17 +00:00			`// IsUserID returns true if the given user id the same as the user which is`
			`// represented by this ViewerContext`
			`func (vc *viewerContext) IsUserID(id uint) bool {`
			`if vc.UserID() == id {`
			`return true`
			`}`
			`return false`
			`}`

Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`// newViewerContext generates a ViewerContext given a session`
			`func newViewerContext(user kolide.User, session kolide.Session) *viewerContext {`
go-kit server layout 2016-08-28 03:59:17 +00:00			`return &viewerContext{`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`user: user,`
			`session: session,`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
			`}`

queries and packs services via go-kit (#102) * osquery services via go-kit * Visual Studio Code configurations * create query and pack endpoints * organizing files more scalably * modify query and pack endpoints * delete query and pack endpoints * get query and pack endpoints * get all queries and packs endpoints * add and remove queries from packs * test stubs * removing some indirection * query service tests * service pack tests * transport tests * adding config file flag back * organizing package kolide * get queries in pack endpoint * run tests on 1.7? * no 1.7 image :( * typo in circle.yml 2016-09-04 05:13:42 +00:00			`// emptyVC is a utility which generates an empty ViewerContext. This is often`
go-kit server layout 2016-08-28 03:59:17 +00:00			`// used to represent users which are not logged in.`
			`func emptyVC() *viewerContext {`
			`return &viewerContext{}`
			`}`

Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`func viewerContextFromContext(ctx context.Context) (*viewerContext, error) {`
			`vc, ok := ctx.Value("viewerContext").(*viewerContext)`
			`if !ok {`
			`return nil, errNoContext`
			`}`
			`return vc, nil`
			`}`

			`// setViewerContext updates the context with a viewerContext,`
			`// which holds the currently logged in user`
			`func setViewerContext(svc kolide.Service, ds kolide.Datastore, jwtKey string, logger kitlog.Logger) kithttp.RequestFunc {`
			`return func(ctx context.Context, r *http.Request) context.Context {`
			`token, err := request.ParseFromRequest(r, request.AuthorizationHeaderExtractor, func(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])`
			`}`
jwtKey should be []byte but string is returned (#154) 2016-09-12 15:31:58 +00:00			`return []byte(jwtKey), nil`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`})`
			`if err != nil {`
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API 2016-09-15 14:52:17 +00:00			`if err != request.ErrNoTokenInRequest {`
			`// all unauthenticated requests (login,logout,passwordreset) result in the`
			`// request.ErrNoTokenInRequest error. we can ignore logging it`
			`logger.Log("err", err, "error-source", "setViewerContext")`
			`}`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`}`

			`claims, ok := token.Claims.(jwt.MapClaims)`
			`if !ok {`
			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`}`

			`sessionKeyClaim, ok := claims["session_key"]`
			`if !ok {`
			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`}`

			`sessionKey, ok := sessionKeyClaim.(string)`
			`if !ok {`
			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`}`

Refactoring for config patterns (#159) This PR refactors most of the codebase to use the new config patterns implemented in #149. Now the core service keeps a copy of the KolideConfig struct, and service methods can reference the configuration in that struct when they need it. The most significant refactoring is in the sessions code, separating the business logic from the storage layer. 2016-09-14 16:11:06 +00:00			`session, err := svc.GetSessionByKey(ctx, sessionKey)`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`if err != nil {`
			`switch err {`
			`case kolide.ErrNoActiveSession:`
			`// If the code path got this far, it's likely that the user was logged`
			`// in some time in the past, but their session has been expired since`
			`// their last usage of the application`
			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`default:`
			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`}`
			`}`

			`user, err := svc.User(ctx, session.UserID)`
			`if err != nil {`
			`logger.Log("err", err, "error-source", "setViewerContext")`
			`return context.WithValue(ctx, "viewerContext", emptyVC())`
			`}`

			`ctx = context.WithValue(ctx, "viewerContext", newViewerContext(user, session))`
			`logger.Log("msg", "viewer context set", "user", user.ID)`
			`// get the user-id for request`
			`if strings.Contains(r.URL.Path, "users/") {`
			`ctx = withUserIDFromRequest(r, ctx)`
			`}`
			`return ctx`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`}`

			`func withUserIDFromRequest(r *http.Request, ctx context.Context) context.Context {`
			`id, _ := idFromRequest(r, "id")`
			`return context.WithValue(ctx, "request-id", id)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`