package storage
import (
"context"
"crypto/sha256"
"database/sql"
"errors"
"fmt"
"time"
"github.com/jmoiron/sqlx"
"github.com/sirupsen/logrus"
"github.com/authelia/authelia/v4/internal/configuration/schema"
"github.com/authelia/authelia/v4/internal/logging"
"github.com/authelia/authelia/v4/internal/model"
)
// NewSQLProvider generates a generic SQLProvider to be used with other SQL provider NewUp's.
//
// The error from sqlx.Open is deliberately not returned here: it is kept in
// errOpen and surfaced by StartupCheck. Every table-specific statement is
// rendered exactly once with fmt.Sprintf in this constructor, so the
// request-path methods only execute fixed statements with bound parameters.
//
// NOTE(review): the column encryption key is sha256.Sum256 of the configured
// storage encryption key. That is a plain digest, not a password KDF, so the
// derived key carries no more entropy than config.Storage.EncryptionKey; the
// configuration validation layer presumably enforces a strong value. config
// must be non-nil. The sqlSelectExistingTables field is not populated here.
func NewSQLProvider(config *schema.Configuration, name, driverName, dataSourceName string) (provider SQLProvider) {
	conn, openErr := sqlx.Open(driverName, dataSourceName)

	return SQLProvider{
		db:         conn,
		key:        sha256.Sum256([]byte(config.Storage.EncryptionKey)),
		name:       name,
		driverName: driverName,
		config:     config,
		errOpen:    openErr,
		log:        logging.Logger(),

		// Table: authentication_logs.
		sqlInsertAuthenticationAttempt:            fmt.Sprintf(queryFmtInsertAuthenticationLogEntry, tableAuthenticationLogs),
		sqlSelectAuthenticationAttemptsByUsername: fmt.Sprintf(queryFmtSelect1FAAuthenticationLogEntryByUsername, tableAuthenticationLogs),

		// Table: identity_verification.
		sqlInsertIdentityVerification:  fmt.Sprintf(queryFmtInsertIdentityVerification, tableIdentityVerification),
		sqlConsumeIdentityVerification: fmt.Sprintf(queryFmtConsumeIdentityVerification, tableIdentityVerification),
		sqlSelectIdentityVerification:  fmt.Sprintf(queryFmtSelectIdentityVerification, tableIdentityVerification),

		// Table: totp_configurations.
		sqlUpsertTOTPConfig:  fmt.Sprintf(queryFmtUpsertTOTPConfiguration, tableTOTPConfigurations),
		sqlDeleteTOTPConfig:  fmt.Sprintf(queryFmtDeleteTOTPConfiguration, tableTOTPConfigurations),
		sqlSelectTOTPConfig:  fmt.Sprintf(queryFmtSelectTOTPConfiguration, tableTOTPConfigurations),
		sqlSelectTOTPConfigs: fmt.Sprintf(queryFmtSelectTOTPConfigurations, tableTOTPConfigurations),

		sqlUpdateTOTPConfigSecret:                 fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecret, tableTOTPConfigurations),
		sqlUpdateTOTPConfigSecretByUsername:       fmt.Sprintf(queryFmtUpdateTOTPConfigurationSecretByUsername, tableTOTPConfigurations),
		sqlUpdateTOTPConfigRecordSignIn:           fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignIn, tableTOTPConfigurations),
		sqlUpdateTOTPConfigRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateTOTPConfigRecordSignInByUsername, tableTOTPConfigurations),

		// Table: webauthn_devices.
		sqlUpsertWebauthnDevice:            fmt.Sprintf(queryFmtUpsertWebauthnDevice, tableWebauthnDevices),
		sqlSelectWebauthnDevices:           fmt.Sprintf(queryFmtSelectWebauthnDevices, tableWebauthnDevices),
		sqlSelectWebauthnDevicesByUsername: fmt.Sprintf(queryFmtSelectWebauthnDevicesByUsername, tableWebauthnDevices),

		sqlUpdateWebauthnDevicePublicKey:              fmt.Sprintf(queryFmtUpdateWebauthnDevicePublicKey, tableWebauthnDevices),
		sqlUpdateWebauthnDevicePublicKeyByUsername:    fmt.Sprintf(queryFmtUpdateUpdateWebauthnDevicePublicKeyByUsername, tableWebauthnDevices),
		sqlUpdateWebauthnDeviceRecordSignIn:           fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignIn, tableWebauthnDevices),
		sqlUpdateWebauthnDeviceRecordSignInByUsername: fmt.Sprintf(queryFmtUpdateWebauthnDeviceRecordSignInByUsername, tableWebauthnDevices),

		// Table: duo_devices.
		sqlUpsertDuoDevice: fmt.Sprintf(queryFmtUpsertDuoDevice, tableDuoDevices),
		sqlDeleteDuoDevice: fmt.Sprintf(queryFmtDeleteDuoDevice, tableDuoDevices),
		sqlSelectDuoDevice: fmt.Sprintf(queryFmtSelectDuoDevice, tableDuoDevices),

		// Table: user_preferences (sqlSelectUserInfo also reads the three 2FA tables).
		sqlUpsertPreferred2FAMethod: fmt.Sprintf(queryFmtUpsertPreferred2FAMethod, tableUserPreferences),
		sqlSelectPreferred2FAMethod: fmt.Sprintf(queryFmtSelectPreferred2FAMethod, tableUserPreferences),
		sqlSelectUserInfo:           fmt.Sprintf(queryFmtSelectUserInfo, tableTOTPConfigurations, tableWebauthnDevices, tableDuoDevices, tableUserPreferences),

		// Table: migrations.
		sqlInsertMigration:       fmt.Sprintf(queryFmtInsertMigration, tableMigrations),
		sqlSelectMigrations:      fmt.Sprintf(queryFmtSelectMigrations, tableMigrations),
		sqlSelectLatestMigration: fmt.Sprintf(queryFmtSelectLatestMigration, tableMigrations),

		// Table: encryption.
		sqlUpsertEncryptionValue: fmt.Sprintf(queryFmtUpsertEncryptionValue, tableEncryption),
		sqlSelectEncryptionValue: fmt.Sprintf(queryFmtSelectEncryptionValue, tableEncryption),

		// Utility: still a format string; the table name is supplied at use.
		sqlFmtRenameTable: queryFmtRenameTable,
	}
}
// SQLProvider is a storage provider persisting data in a SQL database.
//
// The sql* fields hold statements rendered once by NewSQLProvider (table
// names baked in with fmt.Sprintf). The methods of this type execute them
// with bound parameters only; no caller-supplied value is formatted into SQL
// text in this file.
type SQLProvider struct {
	// db is the sqlx connection pool; nil when sqlx.Open failed (see errOpen).
	db *sqlx.DB
	// key is the 32-byte SHA-256 digest of the configured storage encryption
	// key, used by p.encrypt/p.decrypt (defined elsewhere) for TOTP secrets
	// and Webauthn public keys. Sensitive: never log or expose it.
	key [32]byte
	// name identifies this provider instance (as passed to NewSQLProvider).
	name string
	// driverName is the database/sql driver the pool was opened with.
	driverName string
	// schema is not set by NewSQLProvider; presumably populated by a
	// driver-specific constructor — confirm.
	schema string
	// config is the full application configuration the provider was built from.
	config *schema.Configuration
	// errOpen defers the sqlx.Open error so StartupCheck can report it.
	errOpen error

	log *logrus.Logger

	// Table: authentication_logs.
	sqlInsertAuthenticationAttempt            string
	sqlSelectAuthenticationAttemptsByUsername string

	// Table: identity_verification.
	sqlInsertIdentityVerification  string
	sqlConsumeIdentityVerification string
	sqlSelectIdentityVerification  string

	// Table: totp_configurations.
	sqlUpsertTOTPConfig  string
	sqlDeleteTOTPConfig  string
	sqlSelectTOTPConfig  string
	sqlSelectTOTPConfigs string

	sqlUpdateTOTPConfigSecret                 string
	sqlUpdateTOTPConfigSecretByUsername       string
	sqlUpdateTOTPConfigRecordSignIn           string
	sqlUpdateTOTPConfigRecordSignInByUsername string

	// Table: webauthn_devices.
	sqlUpsertWebauthnDevice            string
	sqlSelectWebauthnDevices           string
	sqlSelectWebauthnDevicesByUsername string

	sqlUpdateWebauthnDevicePublicKey              string
	sqlUpdateWebauthnDevicePublicKeyByUsername    string
	sqlUpdateWebauthnDeviceRecordSignIn           string
	sqlUpdateWebauthnDeviceRecordSignInByUsername string

	// Table: duo_devices.
	sqlUpsertDuoDevice string
	sqlDeleteDuoDevice string
	sqlSelectDuoDevice string

	// Table: user_preferences (sqlSelectUserInfo also reads the three 2FA tables).
	sqlUpsertPreferred2FAMethod string
	sqlSelectPreferred2FAMethod string
	sqlSelectUserInfo           string

	// Table: migrations.
	sqlInsertMigration       string
	sqlSelectMigrations      string
	sqlSelectLatestMigration string

	// Table: encryption.
	sqlUpsertEncryptionValue string
	sqlSelectEncryptionValue string

	// Utility. Neither field is populated by NewSQLProvider in this file
	// except sqlFmtRenameTable; sqlSelectExistingTables is presumably set by a
	// driver-specific constructor — confirm.
	sqlSelectExistingTables string
	sqlFmtRenameTable       string
}
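// Close the underlying database connection.
//
// sqlx.Open returns a nil *DB alongside its error, and NewSQLProvider stores
// that nil in db while keeping the error in errOpen. Closing such a provider
// is therefore a no-op returning nil instead of a nil-pointer panic.
func (p *SQLProvider) Close() (err error) {
	if p.db == nil {
		return nil
	}

	return p.db.Close()
}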
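// StartupCheck implements the provider startup check interface.
//
// It surfaces any error deferred from sqlx.Open, waits for the database to
// answer a ping, verifies the schema encryption key and then migrates the
// schema to SchemaLatest. The migrate result is matched with errors.Is so a
// wrapped ErrSchemaAlreadyUpToDate is still treated as success.
func (p *SQLProvider) StartupCheck() (err error) {
	if p.errOpen != nil {
		return fmt.Errorf("error opening database: %w", p.errOpen)
	}

	// TODO: Decide if this is needed, or if it should be configurable.
	// Up to 19 attempts 500ms apart (about 9.5s) so a database that comes up
	// slightly after this process does not fail the startup check.
	for i := 0; i < 19; i++ {
		if err = p.db.Ping(); err == nil {
			break
		}

		time.Sleep(time.Millisecond * 500)
	}

	if err != nil {
		return fmt.Errorf("error pinging database: %w", err)
	}

	p.log.Infof("Storage schema is being checked for updates")

	ctx := context.Background()

	// ErrSchemaEncryptionVersionUnsupported is tolerated here — presumably so
	// the migration below can handle that schema state (confirm against
	// SchemaEncryptionCheckKey); any other key-check failure aborts startup.
	if err = p.SchemaEncryptionCheckKey(ctx, false); err != nil && !errors.Is(err, ErrSchemaEncryptionVersionUnsupported) {
		return err
	}

	err = p.SchemaMigrate(ctx, true, SchemaLatest)

	switch {
	case err == nil:
		return nil
	case errors.Is(err, ErrSchemaAlreadyUpToDate):
		p.log.Infof("Storage schema is already up to date")

		return nil
	default:
		return fmt.Errorf("error during schema migrate: %w", err)
	}
}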
// SavePreferred2FAMethod save the preferred method for 2FA to the database.
//
// Executes the upsert rendered in NewSQLProvider with username and method
// bound as parameters; the method string is stored as given, any validation
// of allowed values happens at the caller.
func (p *SQLProvider) SavePreferred2FAMethod(ctx context.Context, username string, method string) (err error) {
	_, err = p.db.ExecContext(ctx, p.sqlUpsertPreferred2FAMethod, username, method)
	if err == nil {
		return nil
	}

	return fmt.Errorf("error upserting preferred two factor method for user '%s': %w", username, err)
}
// LoadPreferred2FAMethod load the preferred method for 2FA from the database.
//
// Returns the bare sql.ErrNoRows sentinel when the user has no stored
// preference, so callers can tell "no preference" from a query failure with
// errors.Is; every other error is wrapped with the username.
func (p *SQLProvider) LoadPreferred2FAMethod(ctx context.Context, username string) (method string, err error) {
	if err = p.db.GetContext(ctx, &method, p.sqlSelectPreferred2FAMethod, username); err == nil {
		return method, nil
	}

	if errors.Is(err, sql.ErrNoRows) {
		return "", sql.ErrNoRows
	}

	return "", fmt.Errorf("error selecting preferred two factor method for user '%s': %w", username, err)
}
// LoadUserInfo loads the model.UserInfo from the database.
//
// The username is bound four times because sqlSelectUserInfo is rendered
// against the TOTP, Webauthn, Duo and user preference tables (see
// NewSQLProvider). A user with no matching row yields the zero
// model.UserInfo with a nil error rather than sql.ErrNoRows.
func (p *SQLProvider) LoadUserInfo(ctx context.Context, username string) (info model.UserInfo, err error) {
	err = p.db.GetContext(ctx, &info, p.sqlSelectUserInfo, username, username, username, username)
	if err != nil && !errors.Is(err, sql.ErrNoRows) {
		return model.UserInfo{}, fmt.Errorf("error selecting user info for user '%s': %w", username, err)
	}

	return info, nil
}
// SaveIdentityVerification save an identity verification record to the database.
//
// Persists the token's JTI, issue time and issuing IP, expiry, subject
// username and the action it authorises, all bound as parameters in the
// order the rendered insert expects.
func (p *SQLProvider) SaveIdentityVerification(ctx context.Context, verification model.IdentityVerification) (err error) {
	args := []interface{}{
		verification.JTI, verification.IssuedAt, verification.IssuedIP, verification.ExpiresAt,
		verification.Username, verification.Action,
	}

	_, err = p.db.ExecContext(ctx, p.sqlInsertIdentityVerification, args...)
	if err != nil {
		return fmt.Errorf("error inserting identity verification for user '%s' with uuid '%s': %w", verification.Username, verification.JTI, err)
	}

	return nil
}
// ConsumeIdentityVerification marks an identity verification record in the database as consumed.
//
// The consuming IP and the jti are bound in that order to match the
// rendered statement. The affected row count is not inspected, so a jti
// that matches no row is reported as success. NOTE(review): a
// FindIdentityVerification followed by this call is a check-then-act
// sequence; whether a second concurrent consumer is rejected depends on the
// WHERE clause of sqlConsumeIdentityVerification (defined elsewhere) — confirm.
func (p *SQLProvider) ConsumeIdentityVerification(ctx context.Context, jti string, ip model.NullIP) (err error) {
	_, err = p.db.ExecContext(ctx, p.sqlConsumeIdentityVerification, ip, jti)
	if err == nil {
		return nil
	}

	return fmt.Errorf("error updating identity verification: %w", err)
}
// FindIdentityVerification checks if an identity verification record is in the database and active.
//
// "Active" means the row exists, Consumed is unset and ExpiresAt has not
// passed. An unknown jti yields (false, nil); a consumed or expired token
// yields (false, err) with a descriptive error; any query failure is
// wrapped. NOTE(review): the consumed/expired distinction is useful to an
// attacker probing tokens if it is relayed to an unauthenticated client —
// keep these errors server-side.
func (p *SQLProvider) FindIdentityVerification(ctx context.Context, jti string) (found bool, err error) {
	var record model.IdentityVerification

	err = p.db.GetContext(ctx, &record, p.sqlSelectIdentityVerification, jti)

	switch {
	case errors.Is(err, sql.ErrNoRows):
		return false, nil
	case err != nil:
		return false, fmt.Errorf("error selecting identity verification exists: %w", err)
	case record.Consumed != nil:
		return false, fmt.Errorf("the token has already been consumed")
	case record.ExpiresAt.Before(time.Now()):
		return false, fmt.Errorf("the token expired %s ago", time.Since(record.ExpiresAt))
	}

	return true, nil
}
// SaveTOTPConfiguration save a TOTP configuration of a given user in the database.
//
// The shared secret is passed through p.encrypt before it reaches the
// database; only the ciphertext is bound to the upsert. config is received
// by value, so the caller's copy keeps the plaintext secret.
func (p *SQLProvider) SaveTOTPConfiguration(ctx context.Context, config model.TOTPConfiguration) (err error) {
	encrypted, err := p.encrypt(config.Secret)
	if err != nil {
		return fmt.Errorf("error encrypting the TOTP configuration secret for user '%s': %w", config.Username, err)
	}

	_, err = p.db.ExecContext(ctx, p.sqlUpsertTOTPConfig,
		config.CreatedAt, config.LastUsedAt,
		config.Username, config.Issuer,
		config.Algorithm, config.Digits, config.Period, encrypted)
	if err != nil {
		return fmt.Errorf("error upserting TOTP configuration for user '%s': %w", config.Username, err)
	}

	return nil
}
// UpdateTOTPConfigurationSignIn records sign-in metadata for the TOTP
// configuration with the given row id by writing its last-used time.
//
// lastUsedAt is a pointer; a nil pointer is bound as SQL NULL by
// database/sql. Only this single column is touched, the secret is left alone.
func (p *SQLProvider) UpdateTOTPConfigurationSignIn(ctx context.Context, id int, lastUsedAt *time.Time) (err error) {
	_, err = p.db.ExecContext(ctx, p.sqlUpdateTOTPConfigRecordSignIn, lastUsedAt, id)
	if err == nil {
		return nil
	}

	return fmt.Errorf("error updating TOTP configuration id %d: %w", id, err)
}
// DeleteTOTPConfiguration delete a TOTP configuration from the database given a username.
//
// The affected row count is not checked, so deleting for a user without a
// configuration succeeds silently.
func (p *SQLProvider) DeleteTOTPConfiguration(ctx context.Context, username string) (err error) {
	_, err = p.db.ExecContext(ctx, p.sqlDeleteTOTPConfig, username)
	if err == nil {
		return nil
	}

	return fmt.Errorf("error deleting TOTP configuration for user '%s': %w", username, err)
}
// LoadTOTPConfiguration load a TOTP configuration given a username from the database.
//
// Returns ErrNoTOTPConfiguration when the user has no row. The stored secret
// is decrypted with p.decrypt before the configuration is returned, so the
// result carries plaintext key material and must not be logged.
func (p *SQLProvider) LoadTOTPConfiguration(ctx context.Context, username string) (config *model.TOTPConfiguration, err error) {
	var loaded model.TOTPConfiguration

	row := p.db.QueryRowxContext(ctx, p.sqlSelectTOTPConfig, username)

	switch err = row.StructScan(&loaded); {
	case errors.Is(err, sql.ErrNoRows):
		return nil, ErrNoTOTPConfiguration
	case err != nil:
		return nil, fmt.Errorf("error selecting TOTP configuration for user '%s': %w", username, err)
	}

	if loaded.Secret, err = p.decrypt(loaded.Secret); err != nil {
		return nil, fmt.Errorf("error decrypting the TOTP secret for user '%s': %w", username, err)
	}

	return &loaded, nil
}
// LoadTOTPConfigurations load a set of TOTP configurations.
//
// Results are paged: limit rows at offset limit*page (page is zero-based).
// Every secret is decrypted in place before return, so the slice holds
// plaintext key material; a single decryption failure aborts the whole load
// rather than returning a partial set. NOTE(review): sqlx's SelectContext is
// not expected to report sql.ErrNoRows for an empty result, so that branch
// is likely unreachable — verify before relying on the nil, nil return.
func (p *SQLProvider) LoadTOTPConfigurations(ctx context.Context, limit, page int) (configs []model.TOTPConfiguration, err error) {
	configs = make([]model.TOTPConfiguration, 0, limit)

	err = p.db.SelectContext(ctx, &configs, p.sqlSelectTOTPConfigs, limit, limit*page)

	switch {
	case errors.Is(err, sql.ErrNoRows):
		return nil, nil
	case err != nil:
		return nil, fmt.Errorf("error selecting TOTP configurations: %w", err)
	}

	for i := range configs {
		if configs[i].Secret, err = p.decrypt(configs[i].Secret); err != nil {
			return nil, fmt.Errorf("error decrypting TOTP configuration for user '%s': %w", configs[i].Username, err)
		}
	}

	return configs, nil
}
// updateTOTPConfigurationSecret writes config.Secret for an existing TOTP
// configuration, addressing the row by ID when it is non-zero and by
// Username otherwise.
//
// NOTE(review): unlike SaveTOTPConfiguration this does not call p.encrypt;
// config.Secret is stored exactly as given, so callers must pass ciphertext
// (presumably the key-rotation path does) — confirm at the call sites.
func (p *SQLProvider) updateTOTPConfigurationSecret(ctx context.Context, config model.TOTPConfiguration) (err error) {
	query, selector := p.sqlUpdateTOTPConfigSecret, interface{}(config.ID)
	if config.ID == 0 {
		query, selector = p.sqlUpdateTOTPConfigSecretByUsername, config.Username
	}

	if _, err = p.db.ExecContext(ctx, query, config.Secret, selector); err != nil {
		return fmt.Errorf("error updating TOTP configuration secret for user '%s': %w", config.Username, err)
	}

	return nil
}
// SaveWebauthnDevice saves a registered Webauthn device.
//
// The credential public key is encrypted with p.encrypt before the upsert;
// device is received by value so the caller's copy keeps the plaintext key.
// SignCount and CloneWarning are written here as well, so upserting a stale
// device value overwrites counter state; UpdateWebauthnDeviceSignIn exists
// to update just the sign-in fields by row id.
func (p *SQLProvider) SaveWebauthnDevice(ctx context.Context, device model.WebauthnDevice) (err error) {
	encryptedKey, err := p.encrypt(device.PublicKey)
	if err != nil {
		return fmt.Errorf("error encrypting the Webauthn device public key for user '%s' kid '%x': %w", device.Username, device.KID, err)
	}

	args := []interface{}{
		device.CreatedAt, device.LastUsedAt,
		device.RPID, device.Username, device.Description,
		device.KID, encryptedKey,
		device.AttestationType, device.Transport, device.AAGUID, device.SignCount, device.CloneWarning,
	}

	if _, err = p.db.ExecContext(ctx, p.sqlUpsertWebauthnDevice, args...); err != nil {
		return fmt.Errorf("error upserting Webauthn device for user '%s' kid '%x': %w", device.Username, device.KID, err)
	}

	return nil
}
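// UpdateWebauthnDeviceSignIn updates a registered Webauthn devices sign in information.
//
// It stores the relying party ID, last-used time, authenticator signature
// counter and clone-warning flag for the device row id. The counter and
// flag are persisted state (their names suggest they feed clone detection),
// so callers should write them only after the assertion has been verified.
// A nil lastUsedAt is bound as SQL NULL.
//
// Fix: id is an int, so the error message formats it with %d; the previous
// %x rendered it in hex, unlike the sibling TOTP message.
func (p *SQLProvider) UpdateWebauthnDeviceSignIn(ctx context.Context, id int, rpid string, lastUsedAt *time.Time, signCount uint32, cloneWarning bool) (err error) {
	if _, err = p.db.ExecContext(ctx, p.sqlUpdateWebauthnDeviceRecordSignIn, rpid, lastUsedAt, signCount, cloneWarning, id); err != nil {
		return fmt.Errorf("error updating Webauthn signin metadata for id '%d': %w", id, err)
	}

	return nil
}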
// LoadWebauthnDevices loads Webauthn device registrations.
//
// Results are paged: limit rows at offset limit*page (page is zero-based).
// Each public key is decrypted in place with p.decrypt; one failure aborts
// the whole load. NOTE(review): sqlx's SelectContext is not expected to
// report sql.ErrNoRows for an empty result, so that branch is likely
// unreachable — verify before relying on the nil, nil return.
func (p *SQLProvider) LoadWebauthnDevices(ctx context.Context, limit, page int) (devices []model.WebauthnDevice, err error) {
	devices = make([]model.WebauthnDevice, 0, limit)

	err = p.db.SelectContext(ctx, &devices, p.sqlSelectWebauthnDevices, limit, limit*page)

	switch {
	case errors.Is(err, sql.ErrNoRows):
		return nil, nil
	case err != nil:
		return nil, fmt.Errorf("error selecting Webauthn devices: %w", err)
	}

	for i := range devices {
		if devices[i].PublicKey, err = p.decrypt(devices[i].PublicKey); err != nil {
			return nil, fmt.Errorf("error decrypting Webauthn public key for user '%s': %w", devices[i].Username, err)
		}
	}

	return devices, nil
}
// LoadWebauthnDevicesByUsername loads all webauthn devices registration for a given username.
//
// Each device's public key is decrypted with p.decrypt before return; a
// sql.ErrNoRows result maps to ErrNoWebauthnDevice. NOTE(review): sqlx's
// SelectContext is not expected to report sql.ErrNoRows for an empty result,
// so a user with no devices most likely yields an empty slice and nil error
// rather than ErrNoWebauthnDevice — callers should handle both.
func (p *SQLProvider) LoadWebauthnDevicesByUsername(ctx context.Context, username string) (devices []model.WebauthnDevice, err error) {
	err = p.db.SelectContext(ctx, &devices, p.sqlSelectWebauthnDevicesByUsername, username)

	switch {
	case errors.Is(err, sql.ErrNoRows):
		return nil, ErrNoWebauthnDevice
	case err != nil:
		return nil, fmt.Errorf("error selecting Webauthn devices for user '%s': %w", username, err)
	}

	for i := range devices {
		if devices[i].PublicKey, err = p.decrypt(devices[i].PublicKey); err != nil {
			return nil, fmt.Errorf("error decrypting Webauthn public key for user '%s': %w", username, err)
		}
	}

	return devices, nil
}
// updateWebauthnDevicePublicKey writes device.PublicKey for an existing
// device row, addressed by ID when non-zero and by Username plus KID
// otherwise.
//
// NOTE(review): unlike SaveWebauthnDevice this does not call p.encrypt;
// device.PublicKey is stored exactly as given, so callers must pass
// ciphertext (presumably the key-rotation path does) — confirm at call sites.
func (p *SQLProvider) updateWebauthnDevicePublicKey(ctx context.Context, device model.WebauthnDevice) (err error) {
	query, args := p.sqlUpdateWebauthnDevicePublicKey, []interface{}{device.PublicKey, device.ID}
	if device.ID == 0 {
		query, args = p.sqlUpdateWebauthnDevicePublicKeyByUsername, []interface{}{device.PublicKey, device.Username, device.KID}
	}

	if _, err = p.db.ExecContext(ctx, query, args...); err != nil {
		return fmt.Errorf("error updating Webauthn public key for user '%s' kid '%x': %w", device.Username, device.KID, err)
	}

	return nil
}
// SavePreferredDuoDevice saves a Duo device.
//
// Executes the duo_devices upsert with the username, device identifier and
// method bound as parameters in that order.
func (p *SQLProvider) SavePreferredDuoDevice(ctx context.Context, device model.DuoDevice) (err error) {
	_, err = p.db.ExecContext(ctx, p.sqlUpsertDuoDevice, device.Username, device.Device, device.Method)
	if err == nil {
		return nil
	}

	return fmt.Errorf("error upserting preferred duo device for user '%s': %w", device.Username, err)
}
// DeletePreferredDuoDevice deletes a Duo device of a given user.
//
// The affected row count is not checked; a user without a stored device is
// not an error.
func (p *SQLProvider) DeletePreferredDuoDevice(ctx context.Context, username string) (err error) {
	_, err = p.db.ExecContext(ctx, p.sqlDeleteDuoDevice, username)
	if err == nil {
		return nil
	}

	return fmt.Errorf("error deleting preferred duo device for user '%s': %w", username, err)
}
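// LoadPreferredDuoDevice loads a Duo device of a given user.
//
// Returns ErrNoDuoDevice when the user has no stored device. The no-rows
// check uses errors.Is rather than == so a wrapped sql.ErrNoRows is still
// recognised, matching the other loaders in this file.
func (p *SQLProvider) LoadPreferredDuoDevice(ctx context.Context, username string) (device *model.DuoDevice, err error) {
	device = &model.DuoDevice{}

	if err = p.db.QueryRowxContext(ctx, p.sqlSelectDuoDevice, username).StructScan(device); err != nil {
		if errors.Is(err, sql.ErrNoRows) {
			return nil, ErrNoDuoDevice
		}

		return nil, fmt.Errorf("error selecting preferred duo device for user '%s': %w", username, err)
	}

	return device, nil
}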
// AppendAuthenticationLog append a mark to the authentication log.
//
// Persists one attempt (time, success, banned flag, username, type, remote
// IP, request URI and method) with every value bound as a parameter. The
// remote IP and request URI are personal data; retention of this table is
// not handled here.
func (p *SQLProvider) AppendAuthenticationLog(ctx context.Context, attempt model.AuthenticationAttempt) (err error) {
	args := []interface{}{
		attempt.Time, attempt.Successful, attempt.Banned, attempt.Username,
		attempt.Type, attempt.RemoteIP, attempt.RequestURI, attempt.RequestMethod,
	}

	if _, err = p.db.ExecContext(ctx, p.sqlInsertAuthenticationAttempt, args...); err != nil {
		return fmt.Errorf("error inserting authentication attempt for user '%s': %w", attempt.Username, err)
	}

	return nil
}
// LoadAuthenticationLogs retrieve the latest failed authentications from the authentication log.
//
// Rows for username from fromDate onward are returned in pages of limit
// rows at offset limit*page (page is zero-based). Which attempts qualify is
// decided by sqlSelectAuthenticationAttemptsByUsername as rendered in
// NewSQLProvider, not here. A sql.ErrNoRows result maps to
// ErrNoAuthenticationLogs.
func (p *SQLProvider) LoadAuthenticationLogs(ctx context.Context, username string, fromDate time.Time, limit, page int) (attempts []model.AuthenticationAttempt, err error) {
	attempts = make([]model.AuthenticationAttempt, 0, limit)

	err = p.db.SelectContext(ctx, &attempts, p.sqlSelectAuthenticationAttemptsByUsername, fromDate, username, limit, limit*page)

	switch {
	case err == nil:
		return attempts, nil
	case errors.Is(err, sql.ErrNoRows):
		return nil, ErrNoAuthenticationLogs
	default:
		return nil, fmt.Errorf("error selecting authentication logs for user '%s': %w", username, err)
	}
}