// Authenticate implements the Provider interface authenticating a user against a
// password file. None of this is intended for prodcution use.
func (p *PwdProvider) Authenticate(user string, challenge string) bool {
salt := util.GetConfig().Authn.PwdProvider.Salt
pwdFilePath := util.GetPaths([]string{util.GetConfig().Authn.PwdProvider.PwdFileName})[0]
log.Debugf("Reading passwords from %s", pwdFilePath)
file, err := os.Open(pwdFilePath)
if err != nil {
panic(err)
}
defer file.Close()
s := bufio.NewScanner(file)
for s.Scan() {
u, p := getUnP(s.Text())
log.Debugf("Validating %s against %s and %s", user, u, p)
if u == user {
pwd, err := base64.StdEncoding.DecodeString(p)
if err != nil {
log.Debugf("Base64 decode failed for user %s", user)
return false
}
r := bcrypt.CompareHashAndPassword(pwd, []byte(salt+challenge))
if r == nil {
log.Debugf("Authenticated user %s", user)
return true
}
}
}
log.Debugf("User %s not found", user)
return false
}
func (provider *LdapProvider) bindFoxApiAsUser(ldapConnection *ldap.Conn) (bool, error) {
err := ldapConnection.Bind(
fmt.Sprintf("uid=%s,ou=users,ou=system", util.GetConfig().Authz.User),
util.GetConfig().Authz.Password)
fmt.Print("")
if err != nil {
return true, err
} else {
return false, nil
}
}
// HashPassword creates a valid base64 encoded hash for the given password
func HashPassword(password string) string {
salt := util.GetConfig().Authn.PwdProvider.Salt
b, _ := bcrypt.GenerateFromPassword([]byte(salt+password), 10)
return base64.StdEncoding.EncodeToString(b)
}
// Decrypt decrypts a string containing a token
// It returns nil if
// - the token has been minted more than tokenTTL minutes ago
// - the token message is not a valid TokenStruct
// - the token cannot be decrypted using known keys
func Decrypt(token string) *TokenStruct {
var message TokenStruct
// If the configuration has changed, re-load the keys
if confVersion != util.GetConfig().Version {
loadValidateKeys()
}
tok := []byte(token)
m := fernet.VerifyAndDecrypt(tok, time.Duration(util.GetConfig().Authn.TokenTTL)*time.Minute, GetValidateKeys())
err := json.Unmarshal(m, &message)
if err != nil {
log.Info("Failed to unmarshall token contents " + string(m))
return nil
}
return &message
}
func GetFoxes() ([]Fox, error) {
var foxes []Fox
foxes = make([]Fox, 0)
fname := util.GetConfig().Storage.Filepath
files, _ := ioutil.ReadDir(fname)
for _, f := range files {
fox, err := ReadFox(f.Name())
if err != nil {
return foxes, err
}
foxes = append(foxes, fox)
}
return foxes, nil
}
// GetToken wraps the incoming username into a TokenStruct, serializes the result to json
// and generates a Fernet token based on the resulting string
func GetToken(username string) string {
var t []byte
// If the configuration has changed, re-load the keys
if confVersion != util.GetConfig().Version {
loadMintKey()
}
n, _ := time.Now().MarshalText()
t, _ = json.Marshal(TokenStruct{Username: username, MintTime: string(n)})
token, err := fernet.EncryptAndSign(t, GetKey())
if err != nil {
panic(err)
}
return string(token)
}
func loadValidateKeys() {
loadValidateKeyByName(util.GetConfig().Authn.ValidateKeyNames)
confVersion = util.GetConfig().Version
}
// InitValidator initializes the validator by storing current config version,
// creating a new lock and loading validation keys
func InitValidator() {
confVersion = util.GetConfig().Version
validateLock = new(sync.RWMutex)
loadValidateKeys()
}
func loadMintKey() {
LoadMintKeyByName(util.GetConfig().Authn.MintKeyName)
confVersion = util.GetConfig().Version
}
func InitMint() {
confVersion = util.GetConfig().Version
mintLock = new(sync.RWMutex)
loadMintKey()
}
func getFileName(uuid string) string {
return util.GetConfig().Storage.Filepath + uuid
}