// Copyright © 2016 SurrealDB Ltd. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package web import ( "fmt" "net" "bytes" "strings" "encoding/base64" "github.com/surrealdb/fibre" "github.com/surrealdb/surrealdb/cnf" "github.com/surrealdb/surrealdb/db" "github.com/surrealdb/surrealdb/sql" "github.com/surrealdb/surrealdb/txn" "github.com/dgrijalva/jwt-go" "github.com/gorilla/websocket" ) var ignore = func() error { return nil } func cidr(ip net.IP, networks []*net.IPNet) bool { for _, network := range networks { if network.Contains(ip) { return true } } return false } func auth() fibre.MiddlewareFunc { return func(h fibre.HandlerFunc) fibre.HandlerFunc { return func(c *fibre.Context) (err error) { // Initialise the connection authentication // information which will store whether the // connection has authenticated or not. auth := new(cnf.Auth) c.Set(varKeyAuth, auth) // Start off with an authentication level // which prevents running any sql queries, // and denies access to all data. auth.Kind = cnf.AuthNO // Retrieve the current domain host and // if we are using a subdomain then set // the NS and DB to the subdomain bits. bits := strings.Split(c.Request().URL().Host, ".") subs := strings.Split(bits[0], "-") if len(subs) == 2 { auth.NS = subs[0] auth.DB = subs[1] } // If there is a Session ID specified in // the request headers, then mark it as // the connection Session ID. if id := c.Request().Header().Get(varKeyId); len(id) != 0 { c.Set(varKeyUniq, id) } // If there is a namespace specified in // the request headers, then mark it as // the selected namespace. if ns := c.Request().Header().Get(varKeyNs); len(ns) != 0 { auth.NS = ns } // If there is a database specified in // the request headers, then mark it as // the selected database. if db := c.Request().Header().Get(varKeyDb); len(db) != 0 { auth.DB = db } // Retrieve the HTTP Authorization header // from the request, so that we can detect // whether it is Basic auth or Bearer auth. head := c.Request().Header().Get("Authorization") // Check whether the Authorization header // is a Basic Auth header, and if it is then // process this as root authentication. if len(head) > 6 && head[:5] == "Basic" { return checkBasics(c, head[6:], func() error { return h(c) }) } // Check whether the Authorization header // is a Bearer Auth header, and if it is then // process this as default authentication. if len(head) > 7 && head[:6] == "Bearer" { return checkBearer(c, head[7:], func() error { return h(c) }) } // If there is no HTTP Authorization header, // check to see if there are confuguration // options specified in the socket protocols. if len(head) == 0 { // If there is a Session ID specified as // one of the socket protocols then use // this as the connection Session ID. for _, prot := range websocket.Subprotocols(c.Request().Request) { if len(prot) > 3 && prot[0:3] == "id-" { c.Set(varKeyUniq, prot[3:]) } } // If there is a NS configuration option // defined as one of the socket protocols // then use this as the selected NS. for _, prot := range websocket.Subprotocols(c.Request().Request) { if len(prot) > 3 && prot[0:3] == "ns-" { auth.NS = prot[3:] } } // If there is a DB configuration option // defined as one of the socket protocols // then use this as the selected DB. for _, prot := range websocket.Subprotocols(c.Request().Request) { if len(prot) > 3 && prot[0:3] == "db-" { auth.DB = prot[3:] } } // If there is a Auth configuration option // defined as one of the socket protocols // then use this as the auth information. for _, prot := range websocket.Subprotocols(c.Request().Request) { if len(prot) > 5 && prot[0:5] == "auth-" { if err := checkBasics(c, prot[5:], ignore); err == nil { return h(c) } if err := checkBearer(c, prot[5:], ignore); err == nil { return h(c) } } } } return h(c) } } } func checkBasics(c *fibre.Context, info string, callback func() error) (err error) { var base []byte var cred [][]byte auth := c.Get(varKeyAuth).(*cnf.Auth) user := []byte(cnf.Settings.Auth.User) pass := []byte(cnf.Settings.Auth.Pass) // Parse the base64 encoded basic auth data if base, err = base64.StdEncoding.DecodeString(info); err != nil { return fibre.NewHTTPError(401).WithMessage("Problem with basic auth data") } // Split the basic auth USER and PASS details if cred = bytes.SplitN(base, []byte(":"), 2); len(cred) != 2 { return fibre.NewHTTPError(401).WithMessage("Problem with basic auth data") } // Check to see if IP, USER, and PASS match server settings if bytes.Equal(cred[0], user) && bytes.Equal(cred[1], pass) { // FIXME does not work for IPv6 addresses if cidr(c.IP(), cnf.Settings.Auth.Nets) { auth.Kind = cnf.AuthKV return callback() } return fibre.NewHTTPError(403).WithMessage("IP invalid for root authentication") } // If no KV authentication, then try to authenticate as NS user if auth.NS != "" { n := auth.NS u := string(cred[0]) p := string(cred[1]) if _, err = signinNS(c, n, u, p); err == nil { auth.Kind = cnf.AuthNS auth.NS = n return callback() } // If no NS authentication, then try to authenticate as DB user if auth.DB != "" { n := auth.NS d := auth.DB u := string(cred[0]) p := string(cred[1]) if _, err = signinDB(c, n, d, u, p); err == nil { auth.Kind = cnf.AuthDB auth.NS = n auth.DB = d return callback() } } } return fibre.NewHTTPError(401).WithMessage("Invalid authentication details") } func checkBearer(c *fibre.Context, info string, callback func() error) (err error) { var tx *txn.TX var res []*db.Response var vars jwt.MapClaims var nsk, dbk, sck, tkk, usk, tbk, idk bool var nsv, dbv, scv, tkv, usv, tbv, idv string // Start a new read transaction. if tx, err = txn.New(c.Context(), false); err != nil { return fibre.NewHTTPError(500) } // Ensure the transaction closes. defer tx.Cancel() // Get the current context. ctx := c.Context() // Reset the auth data first. auth := c.Get(varKeyAuth).(*cnf.Auth).Reset() // Parse the specified JWT Token. token, err := jwt.Parse(info, func(token *jwt.Token) (interface{}, error) { vars = token.Claims.(jwt.MapClaims) if err := vars.Valid(); err != nil { return nil, err } nsv, nsk = vars[varKeyNs].(string) // Namespace dbv, dbk = vars[varKeyDb].(string) // Database scv, sck = vars[varKeySc].(string) // Scope tkv, tkk = vars[varKeyTk].(string) // Token usv, usk = vars[varKeyUs].(string) // Login tbv, tbk = vars[varKeyTb].(string) // Table idv, idk = vars[varKeyId].(string) // Thing if tkv == "default" { if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("Unexpected signing method") } } if nsk && dbk && sck && tkk { scp, err := tx.GetSC(ctx, nsv, dbv, scv) if err != nil { return nil, fmt.Errorf("Credentials failed") } // Store the authenticated scope. auth.Scope = scp.Name.VA // Store the authenticated thing. if tbk && idk { auth.Data = sql.NewThing(tbv, idv) } // Check that the scope specifies connect. if exp, ok := scp.Connect.(*sql.SubExpression); ok { // Process the scope connect statement. c := fibre.NewContext(c.Request(), c.Response(), c.Fibre()) c.Set(varKeyAuth, &cnf.Auth{Kind: cnf.AuthDB, NS: nsv, DB: dbv}) qvars := map[string]interface{}{ "id": auth.Data, "token": vars, } query := &sql.Query{Statements: []sql.Statement{exp.Expr}} // If the query fails then fail authentication. if res, err = db.Process(c, query, qvars); err != nil { return nil, fmt.Errorf("Credentials failed") } // If the response is not 1 record then fail authentication. if len(res) != 1 || len(res[0].Result) != 1 { return nil, fmt.Errorf("Credentials failed") } auth.Data = res[0].Result[0] } if tkv != "default" { key, err := tx.GetST(ctx, nsv, dbv, scv, tkv) if err != nil { return nil, fmt.Errorf("Credentials failed") } if token.Header["alg"] != key.Type { return nil, fmt.Errorf("Unexpected signing method") } auth.Kind = cnf.AuthSC return key.Code, nil } else { auth.Kind = cnf.AuthSC return scp.Code, nil } } else if nsk && dbk && tkk { if tkv != "default" { key, err := tx.GetDT(ctx, nsv, dbv, tkv) if err != nil { return nil, fmt.Errorf("Credentials failed") } if token.Header["alg"] != key.Type { return nil, fmt.Errorf("Unexpected signing method") } auth.Kind = cnf.AuthDB return key.Code, nil } else if usk { usr, err := tx.GetDU(ctx, nsv, dbv, usv) if err != nil { return nil, fmt.Errorf("Credentials failed") } auth.Kind = cnf.AuthDB return usr.Code, nil } } else if nsk && tkk { if tkv != "default" { key, err := tx.GetNT(ctx, nsv, tkv) if err != nil { return nil, fmt.Errorf("Credentials failed") } if token.Header["alg"] != key.Type { return nil, fmt.Errorf("Unexpected signing method") } auth.Kind = cnf.AuthNS return key.Code, nil } else if usk { usr, err := tx.GetNU(ctx, nsv, usv) if err != nil { return nil, fmt.Errorf("Credentials failed") } auth.Kind = cnf.AuthNS return usr.Code, nil } } return nil, fmt.Errorf("No available token") }) if err == nil && token.Valid { if auth.Kind == cnf.AuthNS { auth.NS = nsv } if auth.Kind == cnf.AuthDB { auth.NS = nsv auth.DB = dbv } if auth.Kind == cnf.AuthSC { auth.NS = nsv auth.DB = dbv } return callback() } else { auth.Reset() } return fibre.NewHTTPError(401).WithMessage("Invalid authentication details: " + err.Error()) }