// Package usersdb provides auth facilities from a CouchDB _users database.
package usersdb
import (
	"context"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"

	"github.com/go-kivik/kivik/v4"
	"github.com/go-kivik/kivikd/v4/authdb"
	"github.com/go-kivik/kivikd/v4/internal"
	"golang.org/x/crypto/pbkdf2"
)
// db adapts a kivik.DB that holds CouchDB _users documents to the
// authdb.UserStore interface. The embedded *kivik.DB is used directly for
// document lookups (see getUser).
type db struct {
	*kivik.DB
}
// Compile-time check that *db satisfies authdb.UserStore.
var _ authdb.UserStore = (*db)(nil)
// New wraps userDB, a kivik.DB containing CouchDB _users documents, as an
// authdb.UserStore. The database is not inspected here; it is only used when
// a lookup is performed.
func New(userDB *kivik.DB) authdb.UserStore {
	store := &db{DB: userDB}
	return store
}
// user is the subset of a CouchDB _users document that this package reads.
// Field names follow the CouchDB JSON schema.
type user struct {
	// Name is the account name stored in the document.
	Name string `json:"name"`
	// Roles are the roles granted to the account.
	Roles []string `json:"roles"`
	// PasswordScheme names the hashing scheme; Validate accepts only
	// authdb.SchemePBKDF2 and rejects an empty or unknown value.
	PasswordScheme string `json:"password_scheme,omitempty"`
	// Salt is passed to PBKDF2 as its raw string bytes (no hex decoding) in
	// Validate, and is also surfaced in the returned authdb.UserContext.
	Salt string `json:"salt,omitempty"`
	// Iterations is the PBKDF2 iteration count used when the key was derived.
	Iterations int `json:"iterations,omitempty"`
	// DerivedKey holds the PBKDF2 output as lowercase hex; Validate compares
	// it with the "%x" encoding of the freshly derived key.
	DerivedKey string `json:"derived_key,omitempty"`
}
// getUser fetches the _users document whose ID is kivik.UserPrefix+username
// and decodes it into a user. Errors from the fetch or the decode are
// returned unchanged so callers can inspect their HTTP status.
func (db *db) getUser(ctx context.Context, username string) (*user, error) {
	doc := new(user)
	row := db.Get(ctx, kivik.UserPrefix+username, nil)
	if err := row.ScanDoc(doc); err != nil {
		return nil, err
	}
	return doc, nil
}
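// Validate authenticates username with the supplied clear-text password
// against the user's _users document.
//
// A missing user and a wrong password both yield an *internal.Error with
// Status 401 and the same "unauthorized" message, so the response body does
// not reveal whether the account exists. Any other lookup error, a document
// without a password scheme, an unsupported scheme, or a non-positive
// iteration count is returned as an error rather than silently accepted.
//
// Only the PBKDF2 scheme is supported. The SHA-1 PRF and the use of the salt
// string's raw bytes are dictated by the CouchDB _users document format, not
// chosen here. The derived key is compared in constant time so that the
// response time does not leak how much of the stored key a guess matched.
//
// NOTE(review): the lookup returns before any PBKDF2 work when the user does
// not exist, so response timing still distinguishes known from unknown
// usernames. Closing that channel would need a dummy derivation on the
// not-found path.
func (db *db) Validate(ctx context.Context, username, password string) (*authdb.UserContext, error) {
	u, err := db.getUser(ctx, username)
	if err != nil {
		if kivik.HTTPStatus(err) == http.StatusNotFound {
			// Same error as a bad password: do not disclose account existence.
			err = &internal.Error{Status: http.StatusUnauthorized, Message: "unauthorized"}
		}
		return nil, err
	}
	switch u.PasswordScheme {
	case "":
		return nil, errors.New("no password scheme set for user")
	case authdb.SchemePBKDF2:
	default:
		return nil, fmt.Errorf("unsupported password scheme: %s", u.PasswordScheme)
	}
	// x/crypto/pbkdf2 does not validate the iteration count itself; a zero or
	// negative value would make the stored key trivial to brute-force, so a
	// document carrying one is treated as malformed instead of trusted.
	if u.Iterations < 1 {
		return nil, fmt.Errorf("invalid pbkdf2 iteration count for user: %d", u.Iterations)
	}
	derived := pbkdf2.Key([]byte(password), []byte(u.Salt), u.Iterations, authdb.PBKDF2KeyLength, sha1.New)
	key := fmt.Sprintf("%x", derived)
	// Constant-time comparison of the lowercase hex encodings. As before, the
	// stored derived_key must match that encoding exactly (same case, same
	// length); ConstantTimeCompare returns 0 on a length mismatch.
	if subtle.ConstantTimeCompare([]byte(key), []byte(u.DerivedKey)) != 1 {
		return nil, &internal.Error{Status: http.StatusUnauthorized, Message: "unauthorized"}
	}
	return &authdb.UserContext{
		Name:  u.Name,
		Roles: u.Roles,
		Salt:  u.Salt,
	}, nil
}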
// UserCtx returns the name, roles and salt recorded for username without
// checking any credential. Unlike Validate, a missing document is not
// translated to an unauthorized error: whatever getUser returns (including a
// 404-status error) is passed through to the caller.
func (db *db) UserCtx(ctx context.Context, username string) (*authdb.UserContext, error) {
	rec, err := db.getUser(ctx, username)
	if err != nil {
		return nil, err
	}
	uc := &authdb.UserContext{Name: rec.Name, Roles: rec.Roles}
	uc.Salt = rec.Salt
	return uc, nil
}