jarno
/
hydroxide-push
1
0
Fork 0
Code Issues Pull Requests Wiki Activity

auth: move auth stuff in this new package

This commit is contained in:
emersion 2017-09-19 14:57:29 +02:00
parent 9ea16a03dd
commit 26817a27c7
No known key found for this signature in database
GPG Key ID: 0FDE7BE0E88F5E48
2 changed files with 227 additions and 194 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
auth/auth.go Normal file
View File

@ -0,0 +1,200 @@
package auth
import (
"crypto/rand"
"encoding/base64"
"encoding/json"
"errors"
"io"
"os"
"github.com/emersion/hydroxide/protonmail"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/nacl/secretbox"
"golang.org/x/crypto/openpgp"
)
const authFile = "auth.json"
type CachedAuth struct {
protonmail.Auth
LoginPassword string
MailboxPassword string
// TODO: add padding
}
func readCachedAuths() (map[string]string, error) {
f, err := os.Open(authFile)
if os.IsNotExist(err) {
return nil, nil
} else if err != nil {
return nil, err
}
defer f.Close()
auths := make(map[string]string)
err = json.NewDecoder(f).Decode(&auths)
return auths, err
}
func saveAuths(auths map[string]string) error {
f, err := os.Create(authFile)
if err != nil {
return err
}
defer f.Close()
return json.NewEncoder(f).Encode(auths)
}
func encrypt(msg []byte, secretKey *[32]byte) (string, error) {
var nonce [24]byte
if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
return "", err
}
encrypted := secretbox.Seal(nonce[:], msg, &nonce, secretKey)
return base64.StdEncoding.EncodeToString(encrypted), nil
}
func decrypt(encryptedString string, secretKey *[32]byte) ([]byte, error) {
encrypted, err := base64.StdEncoding.DecodeString(encryptedString)
if err != nil {
return nil, err
}
var nonce [24]byte
copy(nonce[:], encrypted[:24])
decrypted, ok := secretbox.Open(nil, encrypted[24:], &nonce, secretKey)
if !ok {
return nil, errors.New("decryption error")
}
return decrypted, nil
}
func EncryptAndSave(auth *CachedAuth, username string, secretKey *[32]byte) error {
cleartext, err := json.Marshal(auth)
if err != nil {
return err
}
encrypted, err := encrypt(cleartext, secretKey)
if err != nil {
return err
}
auths, err := readCachedAuths()
if err != nil {
return err
}
if auths == nil {
auths = make(map[string]string)
}
auths[username] = encrypted
return saveAuths(auths)
}
func authenticate(c *protonmail.Client, CachedAuth *CachedAuth) (openpgp.EntityList, error) {
auth, err := c.AuthRefresh(&CachedAuth.Auth)
if err != nil {
// TODO: handle expired token, re-authenticate
return nil, err
}
CachedAuth.Auth = *auth
return c.Unlock(auth, CachedAuth.MailboxPassword)
}
func GeneratePassword() (secretKey *[32]byte, password string, err error) {
var key [32]byte
if _, err = io.ReadFull(rand.Reader, key[:]); err != nil {
return
}
secretKey = &key
password = base64.StdEncoding.EncodeToString(key[:])
return
}
type session struct {
hashedSecretKey []byte
c *protonmail.Client
privateKeys openpgp.EntityList
}
var ErrUnauthorized = errors.New("Invalid username or password")
type Manager struct {
newClient func() *protonmail.Client
sessions map[string]*session
}
func (m *Manager) Auth(username, password string) (*protonmail.Client, openpgp.EntityList, error) {
var secretKey [32]byte
passwordBytes, err := base64.StdEncoding.DecodeString(password)
if err != nil || len(passwordBytes) != len(secretKey) {
return nil, nil, ErrUnauthorized
}
copy(secretKey[:], passwordBytes)
s, ok := m.sessions[username]
if ok {
err := bcrypt.CompareHashAndPassword(s.hashedSecretKey, secretKey[:])
if err != nil {
return nil, nil, ErrUnauthorized
}
} else {
auths, err := readCachedAuths()
if err != nil && !os.IsNotExist(err) {
return nil, nil, err
}
encrypted, ok := auths[username]
if !ok {
return nil, nil, ErrUnauthorized
}
decrypted, err := decrypt(encrypted, &secretKey)
if err != nil {
return nil, nil, ErrUnauthorized
}
var cachedAuth CachedAuth
if err := json.Unmarshal(decrypted, &cachedAuth); err != nil {
return nil, nil, err
}
// authenticate updates cachedAuth with the new refresh token
c := m.newClient()
privateKeys, err := authenticate(c, &cachedAuth)
if err != nil {
return nil, nil, err
}
if err := EncryptAndSave(&cachedAuth, username, &secretKey); err != nil {
return nil, nil, err
}
hashed, err := bcrypt.GenerateFromPassword(secretKey[:], bcrypt.DefaultCost)
if err != nil {
return nil, nil, err
}
s = &session{
c: c,
privateKeys: privateKeys,
hashedSecretKey: hashed,
}
m.sessions[username] = s
}
return s.c, s.privateKeys, nil
}
func NewManager(newClient func() *protonmail.Client) *Manager {
return &Manager{
newClient: newClient,
sessions: make(map[string]*session),
}
}

221
cmd/hydroxide/hydroxide.go
View File

@ -2,10 +2,6 @@ package main
import ( import (
"bufio" "bufio"
"crypto/rand"
"encoding/base64"
"encoding/json"
"errors"
"flag" "flag"
"fmt" "fmt"
"io" "io"
@ -14,95 +10,11 @@ import (
"os" "os"
"time" "time"
"github.com/emersion/hydroxide/auth"
"github.com/emersion/hydroxide/carddav" "github.com/emersion/hydroxide/carddav"
"github.com/emersion/hydroxide/protonmail" "github.com/emersion/hydroxide/protonmail"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/nacl/secretbox"
"golang.org/x/crypto/openpgp"
) )
const authFile = "auth.json"
type cachedAuth struct {
protonmail.Auth
LoginPassword string
MailboxPassword string
// TODO: add padding
}
func readCachedAuths() (map[string]string, error) {
f, err := os.Open(authFile)
if os.IsNotExist(err) {
return nil, nil
} else if err != nil {
return nil, err
}
defer f.Close()
auths := make(map[string]string)
err = json.NewDecoder(f).Decode(&auths)
return auths, err
}
func saveAuths(auths map[string]string) error {
f, err := os.Create(authFile)
if err != nil {
return err
}
defer f.Close()
return json.NewEncoder(f).Encode(auths)
}
func encrypt(msg []byte, secretKey *[32]byte) (string, error) {
var nonce [24]byte
if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
return "", err
}
encrypted := secretbox.Seal(nonce[:], msg, &nonce, secretKey)
return base64.StdEncoding.EncodeToString(encrypted), nil
}
func decrypt(encryptedString string, secretKey *[32]byte) ([]byte, error) {
encrypted, err := base64.StdEncoding.DecodeString(encryptedString)
if err != nil {
return nil, err
}
var nonce [24]byte
copy(nonce[:], encrypted[:24])
decrypted, ok := secretbox.Open(nil, encrypted[24:], &nonce, secretKey)
if !ok {
return nil, errors.New("decryption error")
}
return decrypted, nil
}
func encryptAndSaveAuth(auth *cachedAuth, username string, secretKey *[32]byte) error {
cleartext, err := json.Marshal(auth)
if err != nil {
return err
}
encrypted, err := encrypt(cleartext, secretKey)
if err != nil {
return err
}
auths, err := readCachedAuths()
if err != nil {
return err
}
if auths == nil {
auths = make(map[string]string)
}
auths[username] = encrypted
return saveAuths(auths)
}
func newClient() *protonmail.Client { func newClient() *protonmail.Client {
return &protonmail.Client{ return &protonmail.Client{
RootURL: "https://dev.protonmail.com/api", RootURL: "https://dev.protonmail.com/api",
@ -112,17 +24,6 @@ func newClient() *protonmail.Client {
} }
} }
func authenticate(c *protonmail.Client, cachedAuth *cachedAuth) (openpgp.EntityList, error) {
auth, err := c.AuthRefresh(&cachedAuth.Auth)
if err != nil {
// TODO: handle expired token, re-authenticate
return nil, err
}
cachedAuth.Auth = *auth
return c.Unlock(auth, cachedAuth.MailboxPassword)
}
func receiveEvents(c *protonmail.Client, last string, ch chan<- *protonmail.Event) { func receiveEvents(c *protonmail.Client, last string, ch chan<- *protonmail.Event) {
t := time.NewTicker(time.Minute) t := time.NewTicker(time.Minute)
defer t.Stop() defer t.Stop()
@ -143,12 +44,6 @@ func receiveEvents(c *protonmail.Client, last string, ch chan<- *protonmail.Even
} }
} }
type session struct {
h http.Handler
hashedSecretKey []byte
privateKeys openpgp.EntityList
}
func main() { func main() {
flag.Parse() flag.Parse()
@ -159,10 +54,10 @@ func main() {
c := newClient() c := newClient()
var auth *protonmail.Auth var a *protonmail.Auth
/*if cachedAuth, ok := auths[username]; ok { /*if cachedAuth, ok := auths[username]; ok {
var err error var err error
auth, err = c.AuthRefresh(auth) a, err = c.AuthRefresh(a)
if err != nil { if err != nil {
// TODO: handle expired token error // TODO: handle expired token error
log.Fatal(err) log.Fatal(err)
@ -170,7 +65,7 @@ func main() {
}*/ }*/
var loginPassword string var loginPassword string
if auth == nil { if a == nil {
fmt.Printf("Password: ") fmt.Printf("Password: ")
scanner.Scan() scanner.Scan()
loginPassword = scanner.Text() loginPassword = scanner.Text()
@ -187,18 +82,18 @@ func main() {
twoFactorCode = scanner.Text() twoFactorCode = scanner.Text()
} }
auth, err = c.Auth(username, loginPassword, twoFactorCode, authInfo) a, err = c.Auth(username, loginPassword, twoFactorCode, authInfo)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
} }
var mailboxPassword string var mailboxPassword string
if auth.PasswordMode == protonmail.PasswordSingle { if a.PasswordMode == protonmail.PasswordSingle {
mailboxPassword = loginPassword mailboxPassword = loginPassword
} }
if mailboxPassword == "" { if mailboxPassword == "" {
if auth.PasswordMode == protonmail.PasswordTwo { if a.PasswordMode == protonmail.PasswordTwo {
fmt.Printf("Mailbox password: ") fmt.Printf("Mailbox password: ")
} else { } else {
fmt.Printf("Password: ") fmt.Printf("Password: ")
@ -207,22 +102,21 @@ func main() {
mailboxPassword = scanner.Text() mailboxPassword = scanner.Text()
} }
_, err := c.Unlock(auth, mailboxPassword) _, err := c.Unlock(a, mailboxPassword)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
var secretKey [32]byte secretKey, bridgePassword, err := auth.GeneratePassword()
if _, err := io.ReadFull(rand.Reader, secretKey[:]); err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
bridgePassword := base64.StdEncoding.EncodeToString(secretKey[:])
err = encryptAndSaveAuth(&cachedAuth{ err = auth.EncryptAndSave(&auth.CachedAuth{
*auth, *a,
loginPassword, loginPassword,
mailboxPassword, mailboxPassword,
}, username, &secretKey) }, username, secretKey)
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
@ -234,7 +128,8 @@ func main() {
port = "8080" port = "8080"
} }
sessions := make(map[string]*session) sessions := auth.NewManager(newClient)
handlers := make(map[string]http.Handler)
s := &http.Server{ s := &http.Server{
Addr: "127.0.0.1:" + port, Addr: "127.0.0.1:" + port,
@ -248,86 +143,24 @@ func main() {
return return
} }
var secretKey [32]byte c, privateKeys, err := sessions.Auth(username, password)
passwordBytes, err := base64.StdEncoding.DecodeString(password) if err != nil {
if err != nil || len(passwordBytes) != len(secretKey) { if err == auth.ErrUnauthorized {
resp.WriteHeader(http.StatusUnauthorized) resp.WriteHeader(http.StatusUnauthorized)
io.WriteString(resp, "Invalid password format") } else {
resp.WriteHeader(http.StatusInternalServerError)
}
io.WriteString(resp, err.Error())
return return
} }
copy(secretKey[:], passwordBytes)
var h http.Handler
s, ok := sessions[username]
if ok {
err := bcrypt.CompareHashAndPassword(s.hashedSecretKey, secretKey[:])
if err != nil {
resp.WriteHeader(http.StatusUnauthorized)
io.WriteString(resp, "Invalid username or password")
return
}
h = s.h
} else {
auths, err := readCachedAuths()
if err != nil && !os.IsNotExist(err) {
resp.WriteHeader(http.StatusInternalServerError)
log.Println("Cannot open cached auths")
return
}
encrypted, ok := auths[username]
if !ok {
resp.WriteHeader(http.StatusUnauthorized)
io.WriteString(resp, "Invalid username or password")
return
}
decrypted, err := decrypt(encrypted, &secretKey)
if err != nil {
resp.WriteHeader(http.StatusUnauthorized)
io.WriteString(resp, "Invalid username or password")
return
}
var cachedAuth cachedAuth
if err := json.Unmarshal(decrypted, &cachedAuth); err != nil {
resp.WriteHeader(http.StatusInternalServerError)
log.Printf("Cannot unmarshal cached auth for %q: %v", username, err)
return
}
// authenticate updates cachedAuth with the new refresh token
c := newClient()
privateKeys, err := authenticate(c, &cachedAuth)
if err != nil {
resp.WriteHeader(http.StatusInternalServerError)
log.Printf("Cannot authenticate %q: %v", username, err)
return
}
if err := encryptAndSaveAuth(&cachedAuth, username, &secretKey); err != nil {
resp.WriteHeader(http.StatusInternalServerError)
log.Printf("Cannot save auth for %q: %v", username, err)
return
}
hashed, err := bcrypt.GenerateFromPassword(secretKey[:], bcrypt.DefaultCost)
if err != nil {
resp.WriteHeader(http.StatusInternalServerError)
log.Printf("Cannot hash password for %q: %v", username, err)
return
}
h, ok := handlers[username]
if !ok {
events := make(chan *protonmail.Event) events := make(chan *protonmail.Event)
go receiveEvents(c, cachedAuth.EventID, events) go receiveEvents(c, "", events)
h = carddav.NewHandler(c, privateKeys, events) h = carddav.NewHandler(c, privateKeys, events)
sessions[username] = &session{ handlers[username] = h
h: h,
hashedSecretKey: hashed,
privateKeys: privateKeys,
}
} }
h.ServeHTTP(resp, req) h.ServeHTTP(resp, req)