Головна сторінка Огляд Довідка
Увійти
Troglodyne
/
tCMS
2
0
Відгалуження 0
Файли Проблеми 0 Запити на злиття 0 Wiki
Гілка: master
Гілки Теги
tCMS
/
lib
/
Trog
/
Auth.pm

Auth.pm 12 KB
Постійне посилання Історія Запис

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397 
  1. package Trog::Auth;
    2. 

  2. 

  3. use strict;
    4. 

  4. use warnings;
    5. 

  5. 

  6. no warnings 'experimental';
    7. 

  7. use feature qw{signatures state};
    8. 

  8. 

  9. use FindBin::libs;
    10. 

  10. 

  11. use Ref::Util qw{is_arrayref};
    12. 

  12. use Digest::SHA 'sha256';
    13. 

  13. use Trog::TOTP;
    14. 

  14. use Imager::QRCode;
    15. 

  15. 

  16. use Trog::Utils;
    17. 

  17. use Trog::Log qw{:all};
    18. 

  18. use Trog::Config;
    19. 

  19. use Trog::SQLite;
    20. 

  20. use Trog::Data;
    21. 

  21. 

  22. =head1 Trog::Auth
    23. 

  23. 

  24. An SQLite3 authdb.
    25. 

  25. 

  26. =head1 Termination Conditions
    27. 

  27. 

  28. Throws exceptions in the event the session database cannot be accessed.
    29. 

  29. 

  30. =head1 FUNCTIONS
    31. 

  31. 

  32. =head2 session2user(STRING sessid) = STRING
    33. 

  33. 

  34. Translate a session UUID into a username.
    35. 

  35. 

  36. Returns empty string on no active session.
    37. 

  37. 

  38. =cut
    39. 

  39. 

  40. sub session2user ($sessid) {
    41. 

  41.     my $dbh  = _dbh();
    42. 

  42.     my $rows = $dbh->selectall_arrayref( "SELECT name FROM sess_user WHERE session=?", { Slice => {} }, $sessid );
    43. 

  43.     return '' unless ref $rows eq 'ARRAY' && @$rows;
    44. 

  44.     return $rows->[0]->{name};
    45. 

  45. }
    46. 

  46. 

  47. =head2 user_has_session
    48. 

  48. 

  49. Return whether the user has an active session.
    50. 

  50. If the user has an active session, things like password reset requests should fail when not coming from said session.
    51. 

  51. 

  52. =cut
    53. 

  53. 

  54. sub user_has_session ($user) {
    55. 

  55.     my $dbh  = _dbh();
    56. 

  56.     my $rows = $dbh->selectall_arrayref( "SELECT session FROM sess_user WHERE name=?", { Slice => {} }, $user );
    57. 

  57.     return 0 unless ref $rows eq 'ARRAY' && @$rows;
    58. 

  58.     return 1;
    59. 

  59. }
    60. 

  60. 

  61. =head2 user_exists
    62. 

  62. 

  63. Return whether the user exists at all.
    64. 

  64. 

  65. =cut
    66. 

  66. 

  67. sub user_exists ($user) {
    68. 

  68.     my $dbh  = _dbh();
    69. 

  69.     my $rows = $dbh->selectall_arrayref( "SELECT name FROM user WHERE name=?", { Slice => {} }, $user );
    70. 

  70.     return 0 unless ref $rows eq 'ARRAY' && @$rows;
    71. 

  71.     return 1;
    72. 

  72. }
    73. 

  73. 

  74. =head2 primary_user
    75. 

  75. 

  76. Returns the oldest user with the admin ACL.
    77. 

  77. 

  78. =cut
    79. 

  79. 

  80. sub primary_user {
    81. 

  81.     my $dbh  = _dbh();
    82. 

  82.     my $rows = $dbh->selectall_arrayref( "SELECT username FROM user_acl WHERE acl='admin' LIMIT 1", { Slice => {} } );
    83. 

  83.     return 0 unless ref $rows eq 'ARRAY' && @$rows;
    84. 

  84.     return $rows->[0]{username};
    85. 

  85. }
    86. 

  86. 

  87. =head2 get_existing_user_data
    88. 

  88. 

  89. Fetch existing settings for a user.
    90. 

  90. 

  91. =cut
    92. 

  92. 

  93. sub get_existing_user_data ($user) {
    94. 

  94.     my $dbh  = _dbh();
    95. 

  95.     my $rows = $dbh->selectall_arrayref( "SELECT hash, salt, totp_secret, display_name, contact_email FROM user WHERE name=?", { Slice => {} }, $user );
    96. 

  96.     return ( undef, undef, undef ) unless ref $rows eq 'ARRAY' && @$rows;
    97. 

  97.     return ( $rows->[0]{hash}, $rows->[0]{salt}, $rows->[0]{totp_secret}, $rows->[0]{display_name}, $rows->[0]{contact_email} );
    98. 

  98. }
    99. 

  99. 

  100. =head2 email4user(STRING username) = STRING
    101. 

  101. 

  102. Return the associated contact email for the user.
    103. 

  103. 

  104. =cut
    105. 

  105. 

  106. sub email4user ($user) {
    107. 

  107.     my $dbh  = _dbh();
    108. 

  108.     my $rows = $dbh->selectall_arrayref( "SELECT contact_email FROM user WHERE name=?", { Slice => {} }, $user );
    109. 

  109.     return '' unless ref $rows eq 'ARRAY' && @$rows;
    110. 

  110.     return $rows->[0]{contact_email};
    111. 

  111. }
    112. 

  112. 

  113. sub display2username ($display_name) {
    114. 

  114.     my $dbh  = _dbh();
    115. 

  115.     my $rows = $dbh->selectall_arrayref( "SELECT name FROM user WHERE display_name=?", { Slice => {} }, $display_name );
    116. 

  116.     return '' unless ref $rows eq 'ARRAY' && @$rows;
    117. 

  117.     return $rows->[0]{name};
    118. 

  118. }
    119. 

  119. 

  120. sub username2display ($name) {
    121. 

  121.     my $dbh  = _dbh();
    122. 

  122.     my $rows = $dbh->selectall_arrayref( "SELECT display_name FROM user WHERE name=?", { Slice => {} }, $name );
    123. 

  123.     return '' unless ref $rows eq 'ARRAY' && @$rows;
    124. 

  124.     return $rows->[0]{display_name};
    125. 

  125. }
    126. 

  126. 

  127. sub username2classname ($name) {
    128. 

  128. 

  129.     # Just return the user's post UUID.
    130. 

  130.     state $data;
    131. 

  131.     state $conf;
    132. 

  132.     $conf //= Trog::Config::get();
    133. 

  133.     $data //= Trog::Data->new($conf);
    134. 

  134. 

  135.     state @userposts = $data->get( tags => ['about'], acls => [qw{admin}] );
    136. 

  136. 

  137.     # Users are always self-authored, you see
    138. 

  138. 

  139.     my $user_obj = List::Util::first { ( $_->{user} || '' ) eq $name } @userposts;
    140. 

  140.     my $NNname   = $user_obj->{id} || '';
    141. 

  141.     $NNname =~ tr/-/_/;
    142. 

  142.     return "a_$NNname";
    143. 

  143. }
    144. 

  144. 

  145. =head2 acls4user(STRING username) = ARRAYREF
    146. 

  146. 

  147. Return the list of ACLs belonging to the user.
    148. 

  148. The function of ACLs are to allow you to access content tagged 'private' which are also tagged with the ACL name.
    149. 

  149. 

  150. The 'admin' ACL is the only special one, as it allows for authoring posts, configuring tCMS, adding series (ACLs) and more.
    151. 

  151. 

  152. =cut
    153. 

  153. 

  154. sub acls4user ($username) {
    155. 

  155.     my $dbh     = _dbh();
    156. 

  156.     my $records = $dbh->selectall_arrayref( "SELECT acl FROM user_acl WHERE username = ?", { Slice => {} }, $username );
    157. 

  157. 

  158.     return () unless ref $records eq 'ARRAY' && @$records;
    159. 

  159.     my @acls = map { $_->{acl} } @$records;
    160. 

  160.     return \@acls;
    161. 

  161. }
    162. 

  162. 

  163. =head2 totp(user, domain)
    164. 

  164. 

  165. Enable TOTP 2fa for the specified user, or if already enabled return the existing info.
    166. 

  166. Returns a QR code and URI for pasting into authenticator apps.
    167. 

  167. 

  168. =cut
    169. 

  169. 

  170. sub totp ( $user, $domain ) {
    171. 

  171.     my $totp = _totp();
    172. 

  172.     my $dbh  = _dbh();
    173. 

  173. 

  174.     my $failure = 0;
    175. 

  175.     my $message = "TOTP Secret generated successfully.";
    176. 

  176. 

  177.     # Make sure we re-generate the same one in case the user forgot.
    178. 

  178.     my $secret;
    179. 

  179.     my $worked = $dbh->selectall_arrayref( "SELECT totp_secret FROM user WHERE name = ?", { Slice => {} }, $user );
    180. 

  180.     if ( ref $worked eq 'ARRAY' && @$worked ) {
    181. 

  181.         $secret = $worked->[0]{totp_secret};
    182. 

  182.     }
    183. 

  183.     $failure = -1 if $secret;
    184. 

  184. 

  185.     # Generate a new secret if needed
    186. 

  186.     my $secret_is_generated = 0;
    187. 

  187.     if ( !$secret ) {
    188. 

  188.         $secret_is_generated = 1;
    189. 

  189.         $totp->_valid_secret();
    190. 

  190.         $secret = $totp->secret();
    191. 

  191.     }
    192. 

  192. 

  193.     my $uri = $totp->generate_otp(
    194. 

  194.         user   => "$user\@$domain",
    195. 

  195.         issuer => $domain,
    196. 

  196. 

  197.         #XXX verifier apps will only do 30s :(
    198. 

  198.         period => 30,
    199. 

  199.         digits => 6,
    200. 

  200.         secret => $secret,
    201. 

  201.     );
    202. 

  202. 

  203.     my $qr = "$user\@$domain.bmp";
    204. 

  204.     if ($secret_is_generated) {
    205. 

  205. 

  206.         # Liquidate the QR code if it's already there
    207. 

  207.         unlink "totp/$qr" if -f "totp/$qr";
    208. 

  208. 

  209.         $dbh->do( "UPDATE user SET totp_secret=? WHERE name=?", undef, $secret, $user ) or return ( undef, undef, 1, "Failed to store TOTP secret." );
    210. 

  210.     }
    211. 

  211. 

  212.     # This is subsequently served via authenticated _serve() in TCMS.pm
    213. 

  213.     if ( !-f "totp/$qr" ) {
    214. 

  214.         my $qrcode = Imager::QRCode->new(
    215. 

  215.             size          => 4,
    216. 

  216.             margin        => 3,
    217. 

  217.             level         => 'L',
    218. 

  218.             casesensitive => 1,
    219. 

  219.             lightcolor    => Imager::Color->new( 255, 255, 255 ),
    220. 

  220.             darkcolor     => Imager::Color->new( 0,   0,   0 ),
    221. 

  221.         );
    222. 

  222. 

  223.         my $img = $qrcode->plot($uri);
    224. 

  224.         $img->write( file => "totp/$qr", type => "bmp" ) or return ( undef, undef, 1, "Could not write totp/$qr: " . $img->errstr );
    225. 

  225.     }
    226. 

  226.     return ( $uri, $qr, $failure, $message, $totp );
    227. 

  227. }
    228. 

  228. 

  229. sub _totp {
    230. 

  230.     state $totp;
    231. 

  231.     if ( !$totp ) {
    232. 

  232.         $totp = Trog::TOTP->new();
    233. 

  233.         die "Cannot instantiate TOTP client!" unless $totp;
    234. 

  234.         $totp->{DEBUG} = 1 if is_debug();
    235. 

  235.     }
    236. 

  236.     return $totp;
    237. 

  237. }
    238. 

  238. 

  239. =head2 clear_totp
    240. 

  240. 

  241. Clear the totp codes for provided user
    242. 

  242. 

  243. =cut
    244. 

  244. 

  245. sub clear_totp ($user) {
    246. 

  246.     my $dbh = _dbh();
    247. 

  247.     my $res = $dbh->do( "UPDATE user SET totp_secret=null WHERE name=?", undef, $user ) or die "Could not clear user TOTP secrets";
    248. 

  248.     return !!$res;
    249. 

  249. }
    250. 

  250. 

  251. =head2 mksession(user, pass, token) = STRING
    252. 

  252. 

  253. Create a session for the user and waste all other sessions.
    254. 

  254. 

  255. Returns a session ID, or blank string in the event the user does not exist or incorrect auth was passed.
    256. 

  256. 

  257. =cut
    258. 

  258. 

  259. sub mksession ( $user, $pass, $token ) {
    260. 

  260.     my $dbh  = _dbh();
    261. 

  261.     my $totp = _totp();
    262. 

  262. 

  263.     # Check the password
    264. 

  264.     my $records = $dbh->selectall_arrayref( "SELECT salt FROM user WHERE name = ?", { Slice => {} }, $user );
    265. 

  265.     return '' unless ref $records eq 'ARRAY' && @$records;
    266. 

  266.     my $salt   = $records->[0]->{salt};
    267. 

  267.     my $hash   = sha256( $pass . $salt );
    268. 

  268.     my $worked = $dbh->selectall_arrayref( "SELECT name, totp_secret FROM user WHERE hash=? AND name = ?", { Slice => {} }, $hash, $user );
    269. 

  269.     if ( !( ref $worked eq 'ARRAY' && @$worked ) ) {
    270. 

  270.         INFO("Failed login for user $user");
    271. 

  271.         return '';
    272. 

  272.     }
    273. 

  273.     my $uid    = $worked->[0]{name};
    274. 

  274.     my $secret = $worked->[0]{totp_secret};
    275. 

  275. 

  276.     # Validate the 2FA Token.  If we have no secret, allow login so they can see their QR code, and subsequently re-auth.
    277. 

  277.     if ($secret) {
    278. 

  278.         return '' unless $token;
    279. 

  279.         DEBUG( "TOTP Auth: Sent code $token, expect " . $totp->expected_totp_code(time) );
    280. 

  280. 

  281.         #XXX we have to force the secret into compliance, otherwise it generates one on the fly, oof
    282. 

  282.         $totp->{secret} = $secret;
    283. 

  283.         my $rc = $totp->validate_otp( otp => $token, secret => $secret, tolerance => 3, period => 30, digits => 6 );
    284. 

  284.         INFO("TOTP Auth failed for user $user") unless $rc;
    285. 

  285.         return ''                               unless $rc;
    286. 

  286.     }
    287. 

  287. 

  288.     # Issue cookie
    289. 

  289.     my $uuid = Trog::Utils::uuid();
    290. 

  290.     $dbh->do( "INSERT OR REPLACE INTO session (id,username) VALUES (?,?)", undef, $uuid, $uid ) or return '';
    291. 

  291.     return $uuid;
    292. 

  292. }
    293. 

  293. 

  294. =head2 killsession(user) = BOOL
    295. 

  295. 

  296. Delete the provided user's session from the auth db.
    297. 

  297. 

  298. =cut
    299. 

  299. 

  300. sub killsession ($user) {
    301. 

  301.     my $dbh = _dbh();
    302. 

  302.     $dbh->do( "DELETE FROM session WHERE username=?", undef, $user );
    303. 

  303.     return 1;
    304. 

  304. }
    305. 

  305. 

  306. =head2 useradd(user, displayname, pass, acls, contactemail) = BOOL
    307. 

  307. 

  308. Adds a user identified by the provided password into the auth DB.
    309. 

  309. Also used to alter users.
    310. 

  310. 

  311. Returns True or False (likely false when user already exists).
    312. 

  312. 

  313. =cut
    314. 

  314. 

  315. sub useradd ( $user, $displayname, $pass, $acls, $contactemail ) {
    316. 

  316. 

  317.     # See if the user exists already, keep pw if nothing's passed
    318. 

  318.     my ( $hash, $salt, $t_secret, $dn, $ce ) = get_existing_user_data($user);
    319. 

  319.     $displayname  //= $dn;
    320. 

  320.     $contactemail //= $ce;
    321. 

  321. 

  322.     die "No username set!"     unless $user;
    323. 

  323.     die "No display name set!" unless $displayname;
    324. 

  324.     die "Username and display name cannot be the same" if $user eq $displayname;
    325. 

  325.     die "No password set for user!"                    if !$pass && !$hash;
    326. 

  326.     die "ACLs must be array"             unless is_arrayref($acls);
    327. 

  327.     die "No contact email set for user!" unless $contactemail;
    328. 

  328. 

  329.     my $dbh = _dbh();
    330. 

  330.     if ($pass) {
    331. 

  331.         $salt = Trog::Utils::uuid();
    332. 

  332.         $hash = sha256( $pass . $salt );
    333. 

  333.     }
    334. 

  334.     my $res = $dbh->do( "INSERT OR REPLACE INTO user (name, display_name, salt, hash, contact_email, totp_secret) VALUES (?,?,?,?,?,?)", undef, $user, $displayname, $salt, $hash, $contactemail, $t_secret );
    335. 

  335.     return unless $res && ref $acls eq 'ARRAY';
    336. 

  336. 

  337.     #XXX this is clearly not normalized with an ACL mapping table, will be an issue with large number of users
    338. 

  338.     foreach my $acl (@$acls) {
    339. 

  339.         return unless $dbh->do( "INSERT OR REPLACE INTO user_acl (username,acl) VALUES (?,?)", undef, $user, $acl );
    340. 

  340.     }
    341. 

  341.     return 1;
    342. 

  342. }
    343. 

  343. 

  344. sub add_change_request (%args) {
    345. 

  345.     my $dbh = _dbh();
    346. 

  346.     my $res = $dbh->do( "INSERT INTO change_request (username,token,type,secret) VALUES (?,?,?,?)", undef, $args{user}, $args{token}, $args{type}, $args{secret} );
    347. 

  347.     return !!$res;
    348. 

  348. }
    349. 

  349. 

  350. sub process_change_request ($token) {
    351. 

  351.     my $dbh  = _dbh();
    352. 

  352.     my $rows = $dbh->selectall_arrayref( "SELECT username, display_name, type, secret, contact_email FROM change_request_full WHERE processed=0 AND token=?", { Slice => {} }, $token );
    353. 

  353.     return 0 unless ref $rows eq 'ARRAY' && @$rows;
    354. 

  354. 

  355.     my $user         = $rows->[0]{username};
    356. 

  356.     my $display      = $rows->[0]{display_name};
    357. 

  357.     my $type         = $rows->[0]{type};
    358. 

  358.     my $secret       = $rows->[0]{secret};
    359. 

  359.     my $contactemail = $rows->[0]{contact_email};
    360. 

  360. 

  361.     state %dispatch = (
    362. 

  362.         reset_pass => sub {
    363. 

  363.             my ( $user, $pass ) = @_;
    364. 

  364. 

  365.             #XXX The fact that this is an INSERT OR REPLACE means all the entries in change_request for this user will get cascade wiped.  Which is good, as the secrets aren't salted.
    366. 

  366.             # This is also why we have to snag the user's ACLs or they will be wiped.
    367. 

  367.             my @acls = acls4user($user);
    368. 

  368.             useradd( $user, $display, $pass, \@acls, $contactemail ) or do {
    369. 

  369.                 return '';
    370. 

  370.             };
    371. 

  371.             killsession($user);
    372. 

  372.             return "Password set to $pass for $user";
    373. 

  373.         },
    374. 

  374.         clear_totp => sub {
    375. 

  375.             my ($user) = @_;
    376. 

  376.             clear_totp($user) or do {
    377. 

  377.                 return '';
    378. 

  378.             };
    379. 

  379.             killsession($user);
    380. 

  380.             return "TOTP auth turned off for $user";
    381. 

  381.         },
    382. 

  382.     );
    383. 

  383.     my $res = $dispatch{$type}->( $user, $secret );
    384. 

  384.     $dbh->do( "UPDATE change_request SET processed=1 WHERE token=?", undef, $token ) or do {
    385. 

  385.         FATAL("Could not set job with token $token to completed!");
    386. 

  386.     };
    387. 

  387.     return $res;
    388. 

  388. }
    389. 

  389. 

  390. # Ensure the db schema is OK, and give us a handle
    391. 

  391. sub _dbh {
    392. 

  392.     my $file   = 'schema/auth.schema';
    393. 

  393.     my $dbname = "config/auth.db";
    394. 

  394.     return Trog::SQLite::dbh( $file, $dbname );
    395. 

  395. }
    396. 

  396. 

  397. 1;
    398.