package authenticate import ( "context" "crypto/sha256" "encoding/base32" "fmt" "regexp" "strings" "sync/atomic" "github.com/hashicorp/watchtower/internal/authtoken" "github.com/hashicorp/watchtower/internal/db" pba "github.com/hashicorp/watchtower/internal/gen/controller/api/resources/authtokens" "github.com/hashicorp/watchtower/internal/gen/controller/api/resources/scopes" pbs "github.com/hashicorp/watchtower/internal/gen/controller/api/services" "github.com/hashicorp/watchtower/internal/iam" iamStore "github.com/hashicorp/watchtower/internal/iam/store" "github.com/hashicorp/watchtower/internal/servers/controller/common" "github.com/hashicorp/watchtower/internal/servers/controller/handlers" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" ) const scopeIdFieldName = "scope_id" var ( reInvalidID = regexp.MustCompile("[^A-Za-z0-9]") // TODO: Remove once auth methods are in Scope string RWDb = new(atomic.Value) ) func init() { RWDb.Store((*db.Db)(nil)) } // Service handles request as described by the pbs.OrgServiceServer interface. type Service struct { iamRepo common.IamRepoFactory authTokenRepo common.AuthTokenRepoFactory } // NewService returns an org service which handles org related requests to watchtower. func NewService(iamRepo common.IamRepoFactory, atRepo common.AuthTokenRepoFactory) (Service, error) { if iamRepo == nil { return Service{}, fmt.Errorf("nil iam repository provided") } if atRepo == nil { return Service{}, fmt.Errorf("nil auth token repository provided") } return Service{iamRepo: iamRepo, authTokenRepo: atRepo}, nil } var _ pbs.AuthenticationServiceServer = Service{} // Authenticate implements the interface pbs.AuthenticationServiceServer. func (s Service) Authenticate(ctx context.Context, req *pbs.AuthenticateRequest) (*pbs.AuthenticateResponse, error) { if err := validateAuthenticateRequest(req); err != nil { return nil, err } tok, err := s.authenticateWithRepo(ctx, req) if err != nil { return nil, err } return &pbs.AuthenticateResponse{Item: tok}, nil } // Deauthenticate implements the interface pbs.AuthenticationServiceServer. func (s Service) Deauthenticate(ctx context.Context, req *pbs.DeauthenticateRequest) (*pbs.DeauthenticateResponse, error) { return nil, status.Error(codes.Unimplemented, "Requested method is unimplemented.") } func (s Service) authenticateWithRepo(ctx context.Context, req *pbs.AuthenticateRequest) (*pba.AuthToken, error) { iamRepo, err := s.iamRepo() if err != nil { return nil, err } atRepo, err := s.authTokenRepo() if err != nil { return nil, err } // Place holder for making a request to authenticate creds := req.GetCredentials().GetFields() pwName, password := creds["name"], creds["password"] if pwName.GetStringValue() == "wrong" && password.GetStringValue() == "wrong" { return nil, status.Error(codes.Unauthenticated, "Unable to authenticate.") } // Get back a password.Account with a CredentialId string and a public Id // Create a fake auth account ID for the moment acctIdBytes := sha256.Sum256([]byte(pwName.GetStringValue())) acctId := fmt.Sprintf("aa_%s", base32.StdEncoding.EncodeToString(acctIdBytes[:])[0:10]) aAcct := &iam.AuthAccount{AuthAccount: &iamStore.AuthAccount{ PublicId: acctId, ScopeId: Scope, AuthMethodId: req.AuthMethodId, }} RWDb.Load().(*db.Db).Create(ctx, aAcct) u, err := iamRepo.LookupUserWithLogin(ctx, acctId, iam.WithAutoVivify(true)) if err != nil { return nil, err } tok, err := atRepo.CreateAuthToken(ctx, u.GetPublicId(), acctId) if err != nil { return nil, err } tok.Token = tok.GetPublicId() + "_" + tok.GetToken() prot := toProto(tok) scp, err := iamRepo.LookupScope(ctx, u.GetScopeId()) if err != nil { return nil, err } if scp == nil { return nil, err } prot.Scope = &scopes.ScopeInfo{ Id: scp.GetPublicId(), Type: scp.GetType(), ParentScopeId: scp.GetParentId(), } return prot, nil } func toProto(t *authtoken.AuthToken) *pba.AuthToken { return &pba.AuthToken{ Id: t.GetPublicId(), Token: t.GetToken(), UserId: t.GetIamUserId(), AuthMethodId: t.GetAuthMethodId(), CreatedTime: t.GetCreateTime().GetTimestamp(), UpdatedTime: t.GetUpdateTime().GetTimestamp(), ApproximateLastUsedTime: t.GetApproximateLastAccessTime().GetTimestamp(), ExpirationTime: t.GetExpirationTime().GetTimestamp(), } } // A validateX method should exist for each method above. These methods do not make calls to any backing service but enforce // requirements on the structure of the request. They verify that: // * The path passed in is correctly formatted // * All required parameters are set // * There are no conflicting parameters provided func validateAuthenticateRequest(req *pbs.AuthenticateRequest) error { badFields := make(map[string]string) if strings.TrimSpace(req.GetAuthMethodId()) == "" { badFields["auth_method_id"] = "This is a required field." } else if validId(req.GetAuthMethodId(), "am") { badFields["auth_method_id"] = "Invalid formatted identifier." } // TODO: Update this when we enable different auth method types. if req.GetCredentials() == nil { badFields["credentials"] = "This is a required field." } // TODO: Update this when we enable split cookie token types. tType := strings.ToLower(strings.TrimSpace(req.GetTokenType())) if tType != "" && tType != "token" { badFields["token_type"] = "The only accepted type is 'token'." } if len(badFields) > 0 { return handlers.InvalidArgumentErrorf("Invalid fields provided in request.", badFields) } return nil } func validId(id, prefix string) bool { if !strings.HasPrefix(id, prefix) { return false } id = strings.TrimPrefix(id, prefix) return !reInvalidID.Match([]byte(id)) }