/
external_initiator.go
106 lines (92 loc) · 3.25 KB
/
external_initiator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package models
import (
"crypto/subtle"
"encoding/hex"
"fmt"
"math/rand"
"github.com/jinzhu/gorm"
"github.com/pkg/errors"
"github.com/smartcontractkit/chainlink/core/utils"
"golang.org/x/crypto/sha3"
)
// ExternalInitiator represents a user that can initiate runs remotely
type ExternalInitiator struct {
*gorm.Model
AccessKey string
Salt string
HashedSecret string
}
// NewExternalInitiator generates an ExternalInitiator from an
// ExternalInitiatorAuthentication, hashing the password for storage
func NewExternalInitiator(eia *ExternalInitiatorAuthentication) (*ExternalInitiator, error) {
salt := NewSecret()
hashedSecret, err := HashedSecret(eia, salt)
if err != nil {
return nil, errors.Wrap(err, "error hashing secret for external initiator")
}
return &ExternalInitiator{
AccessKey: eia.AccessKey,
HashedSecret: hashedSecret,
Salt: salt,
}, nil
}
// AuthenticateExternalInitiator compares an auth against an initiator and
// returns true if the password hashes match
func AuthenticateExternalInitiator(eia *ExternalInitiatorAuthentication, ea *ExternalInitiator) (bool, error) {
hashedSecret, err := HashedSecret(eia, ea.Salt)
if err != nil {
return false, err
}
return subtle.ConstantTimeCompare([]byte(hashedSecret), []byte(ea.HashedSecret)) == 1, nil
}
// NewExternalInitiatorAuthentication returns a new
// ExternalInitiatorAuthentication with a freshly generated access key and
// secret, this is intended to be supplied to the user and saved, as it cannot
// be regenerated in the future.
func NewExternalInitiatorAuthentication() *ExternalInitiatorAuthentication {
return &ExternalInitiatorAuthentication{
AccessKey: utils.NewBytes32ID(),
Secret: NewSecret(),
}
}
func hashInput(eia *ExternalInitiatorAuthentication, salt string) []byte {
return []byte(fmt.Sprintf("v0-%s-%s-%s", eia.AccessKey, eia.Secret, salt))
}
// HashedSecret generates a hashed password for an external initiator
// authentication
func HashedSecret(eia *ExternalInitiatorAuthentication, salt string) (string, error) {
hasher := sha3.New256()
_, err := hasher.Write(hashInput(eia, salt))
if err != nil {
return "", errors.Wrap(err, "error writing external initiator authentication to hasher")
}
return hex.EncodeToString(hasher.Sum(nil)), nil
}
// ExternalInitiatorAuthentication represents the credentials needed to
// authenticate as an external initiator
type ExternalInitiatorAuthentication struct {
AccessKey string
Secret string
}
// GetID returns the ID of this structure for jsonapi serialization.
func (eia *ExternalInitiatorAuthentication) GetID() string {
return eia.AccessKey
}
// GetName returns the pluralized "type" of this structure for jsonapi serialization.
func (eia *ExternalInitiatorAuthentication) GetName() string {
return "external_initiators"
}
// SetID returns the ID of this structure for jsonapi serialization.
func (eia *ExternalInitiatorAuthentication) SetID(id string) error {
eia.AccessKey = id
return nil
}
// NewSecret returns a new secret for use for authenticating external initiators
func NewSecret() string {
var characters = []rune("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
b := make([]rune, 64)
for i := range b {
b[i] = characters[rand.Intn(len(characters))]
}
return string(b)
}