authelia/internal/storage/sql_provider.go

package storage

import (
	"database/sql"
	"encoding/base64"
	"fmt"
	"time"

	"github.com/authelia/authelia/internal/models"
)

// SQLProvider is a storage provider persisting data in a SQL database.
type SQLProvider struct {
	db *sql.DB

	sqlGetPreferencesByUsername     string
	sqlUpsertSecondFactorPreference string

	sqlTestIdentityVerificationTokenExistence string
	sqlInsertIdentityVerificationToken        string
	sqlDeleteIdentityVerificationToken        string

	sqlGetTOTPSecretByUsername string
	sqlUpsertTOTPSecret        string
	sqlDeleteTOTPSecret        string

	sqlGetU2FDeviceHandleByUsername string
	sqlUpsertU2FDeviceHandle        string

	sqlInsertAuthenticationLog     string
	sqlGetLatestAuthenticationLogs string
}

func (p *SQLProvider) initialize(db *sql.DB) error {
	p.db = db

	_, err := db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100) PRIMARY KEY, second_factor_method VARCHAR(11))", preferencesTableName))
	if err != nil {
		return err
	}

	_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (token VARCHAR(512))", identityVerificationTokensTableName))
	if err != nil {
		return err
	}

	_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100) PRIMARY KEY, secret VARCHAR(64))", totpSecretsTableName))
	if err != nil {
		return err
	}

	// keyHandle and publicKey are stored in base64 format
	_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100) PRIMARY KEY, keyHandle TEXT, publicKey TEXT)", u2fDeviceHandlesTableName))
	if err != nil {
		return err
	}

	_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100), successful BOOL, time INTEGER)", authenticationLogsTableName))
	if err != nil {
		return err
	}

	_, err = db.Exec(fmt.Sprintf("CREATE INDEX IF NOT EXISTS time ON %s (time);", authenticationLogsTableName))
	if err != nil {
		return err
	}

	_, err = db.Exec(fmt.Sprintf("CREATE INDEX IF NOT EXISTS username ON %s (username);", authenticationLogsTableName))
	if err != nil {
		return err
	}
	return nil
}

// LoadPreferred2FAMethod load the preferred method for 2FA from sqlite db.
func (p *SQLProvider) LoadPreferred2FAMethod(username string) (string, error) {
	rows, err := p.db.Query(p.sqlGetPreferencesByUsername, username)
	defer rows.Close()
	if err != nil {
		return "", err
	}
	if rows.Next() {
		var method string
		err = rows.Scan(&method)
		if err != nil {
			return "", err
		}
		return method, nil
	}
	return "", nil
}

// SavePreferred2FAMethod save the preferred method for 2FA in sqlite db.
func (p *SQLProvider) SavePreferred2FAMethod(username string, method string) error {
	_, err := p.db.Exec(p.sqlUpsertSecondFactorPreference, username, method)
	return err
}

// FindIdentityVerificationToken look for an identity verification token in DB.
func (p *SQLProvider) FindIdentityVerificationToken(token string) (bool, error) {
	var found bool
	err := p.db.QueryRow(p.sqlTestIdentityVerificationTokenExistence, token).Scan(&found)
	if err != nil {
		return false, err
	}
	return found, nil
}

// SaveIdentityVerificationToken save an identity verification token in DB.
func (p *SQLProvider) SaveIdentityVerificationToken(token string) error {
	_, err := p.db.Exec(p.sqlInsertIdentityVerificationToken, token)
	return err
}

// RemoveIdentityVerificationToken remove an identity verification token from the DB.
func (p *SQLProvider) RemoveIdentityVerificationToken(token string) error {
	_, err := p.db.Exec(p.sqlDeleteIdentityVerificationToken, token)
	return err
}

// SaveTOTPSecret save a TOTP secret of a given user.
func (p *SQLProvider) SaveTOTPSecret(username string, secret string) error {
	_, err := p.db.Exec(p.sqlUpsertTOTPSecret, username, secret)
	return err
}

// LoadTOTPSecret load a TOTP secret given a username.
func (p *SQLProvider) LoadTOTPSecret(username string) (string, error) {
	var secret string
	if err := p.db.QueryRow(p.sqlGetTOTPSecretByUsername, username).Scan(&secret); err != nil {
		if err == sql.ErrNoRows {
			return "", ErrNoTOTPSecret
		}
		return "", err
	}
	return secret, nil
}

// DeleteTOTPSecret delete a TOTP secret given a username.
func (p *SQLProvider) DeleteTOTPSecret(username string) error {
	_, err := p.db.Exec(p.sqlDeleteTOTPSecret, username)
	return err
}

// SaveU2FDeviceHandle save a registered U2F device registration blob.
func (p *SQLProvider) SaveU2FDeviceHandle(username string, keyHandle []byte, publicKey []byte) error {
	_, err := p.db.Exec(p.sqlUpsertU2FDeviceHandle,
		username,
		base64.StdEncoding.EncodeToString(keyHandle),
		base64.StdEncoding.EncodeToString(publicKey))
	return err
}

// LoadU2FDeviceHandle load a U2F device registration blob for a given username.
func (p *SQLProvider) LoadU2FDeviceHandle(username string) ([]byte, []byte, error) {
	var keyHandleBase64, publicKeyBase64 string
	if err := p.db.QueryRow(p.sqlGetU2FDeviceHandleByUsername, username).Scan(&keyHandleBase64, &publicKeyBase64); err != nil {
		if err == sql.ErrNoRows {
			return nil, nil, ErrNoU2FDeviceHandle
		}
		return nil, nil, err
	}

	keyHandle, err := base64.StdEncoding.DecodeString(keyHandleBase64)

	if err != nil {
		return nil, nil, err
	}

	publicKey, err := base64.StdEncoding.DecodeString(publicKeyBase64)

	if err != nil {
		return nil, nil, err
	}

	return keyHandle, publicKey, nil
}

// AppendAuthenticationLog append a mark to the authentication log.
func (p *SQLProvider) AppendAuthenticationLog(attempt models.AuthenticationAttempt) error {
	_, err := p.db.Exec(p.sqlInsertAuthenticationLog, attempt.Username, attempt.Successful, attempt.Time.Unix())
	return err
}

// LoadLatestAuthenticationLogs retrieve the latest marks from the authentication log.
func (p *SQLProvider) LoadLatestAuthenticationLogs(username string, fromDate time.Time) ([]models.AuthenticationAttempt, error) {
	rows, err := p.db.Query(p.sqlGetLatestAuthenticationLogs, fromDate.Unix(), username)

	if err != nil {
		return nil, err
	}

	attempts := make([]models.AuthenticationAttempt, 0, 10)
	for rows.Next() {
		attempt := models.AuthenticationAttempt{
			Username: username,
		}
		var t int64
		err = rows.Scan(&attempt.Successful, &t)
		attempt.Time = time.Unix(t, 0)

		if err != nil {
			return nil, err
		}
		attempts = append(attempts, attempt)
	}
	return attempts, nil
}
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`package storage`

			`import (`
			`"database/sql"`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`"encoding/base64"`
			`"fmt"`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`"time"`

Rename org from clems4ever to authelia Also fix references from config.yml to configuration.yml 2019-12-24 02:14:52 +00:00			`"github.com/authelia/authelia/internal/models"`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`)`

			`// SQLProvider is a storage provider persisting data in a SQL database.`
			`type SQLProvider struct {`
			`db *sql.DB`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00
			`sqlGetPreferencesByUsername string`
			`sqlUpsertSecondFactorPreference string`

			`sqlTestIdentityVerificationTokenExistence string`
			`sqlInsertIdentityVerificationToken string`
			`sqlDeleteIdentityVerificationToken string`

			`sqlGetTOTPSecretByUsername string`
			`sqlUpsertTOTPSecret string`
Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-07 17:14:26 +00:00			`sqlDeleteTOTPSecret string`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00
			`sqlGetU2FDeviceHandleByUsername string`
			`sqlUpsertU2FDeviceHandle string`

			`sqlInsertAuthenticationLog string`
			`sqlGetLatestAuthenticationLogs string`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

			`func (p SQLProvider) initialize(db sql.DB) error {`
			`p.db = db`

Fix second_factor_method creation length - mobile_push is 11 characters long, but db init sets it to 10. 2019-12-19 03:56:16 +00:00			`_, err := db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100) PRIMARY KEY, second_factor_method VARCHAR(11))", preferencesTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (token VARCHAR(512))", identityVerificationTokensTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100) PRIMARY KEY, secret VARCHAR(64))", totpSecretsTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`

Provide commands to migrate database from v3 to v4. 2019-11-17 01:05:46 +00:00			`// keyHandle and publicKey are stored in base64 format`
			`_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100) PRIMARY KEY, keyHandle TEXT, publicKey TEXT)", u2fDeviceHandlesTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err = db.Exec(fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s (username VARCHAR(100), successful BOOL, time INTEGER)", authenticationLogsTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err = db.Exec(fmt.Sprintf("CREATE INDEX IF NOT EXISTS time ON %s (time);", authenticationLogsTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`

Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err = db.Exec(fmt.Sprintf("CREATE INDEX IF NOT EXISTS username ON %s (username);", authenticationLogsTableName))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return err`
			`}`
			`return nil`
			`}`

Fix spelling errors 2020-01-05 23:03:16 +00:00			`// LoadPreferred2FAMethod load the preferred method for 2FA from sqlite db.`
			`func (p *SQLProvider) LoadPreferred2FAMethod(username string) (string, error) {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`rows, err := p.db.Query(p.sqlGetPreferencesByUsername, username)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`defer rows.Close()`
			`if err != nil {`
			`return "", err`
			`}`
			`if rows.Next() {`
			`var method string`
			`err = rows.Scan(&method)`
			`if err != nil {`
			`return "", err`
			`}`
			`return method, nil`
			`}`
			`return "", nil`
			`}`

Fix spelling errors 2020-01-05 23:03:16 +00:00			`// SavePreferred2FAMethod save the preferred method for 2FA in sqlite db.`
			`func (p *SQLProvider) SavePreferred2FAMethod(username string, method string) error {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err := p.db.Exec(p.sqlUpsertSecondFactorPreference, username, method)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`return err`
			`}`

			`// FindIdentityVerificationToken look for an identity verification token in DB.`
			`func (p *SQLProvider) FindIdentityVerificationToken(token string) (bool, error) {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`var found bool`
			`err := p.db.QueryRow(p.sqlTestIdentityVerificationTokenExistence, token).Scan(&found)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err != nil {`
			`return false, err`
			`}`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`return found, nil`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

			`// SaveIdentityVerificationToken save an identity verification token in DB.`
			`func (p *SQLProvider) SaveIdentityVerificationToken(token string) error {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err := p.db.Exec(p.sqlInsertIdentityVerificationToken, token)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`return err`
			`}`

			`// RemoveIdentityVerificationToken remove an identity verification token from the DB.`
			`func (p *SQLProvider) RemoveIdentityVerificationToken(token string) error {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err := p.db.Exec(p.sqlDeleteIdentityVerificationToken, token)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`return err`
			`}`

			`// SaveTOTPSecret save a TOTP secret of a given user.`
			`func (p *SQLProvider) SaveTOTPSecret(username string, secret string) error {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err := p.db.Exec(p.sqlUpsertTOTPSecret, username, secret)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`return err`
			`}`

			`// LoadTOTPSecret load a TOTP secret given a username.`
			`func (p *SQLProvider) LoadTOTPSecret(username string) (string, error) {`
			`var secret string`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`if err := p.db.QueryRow(p.sqlGetTOTPSecretByUsername, username).Scan(&secret); err != nil {`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err == sql.ErrNoRows {`
Introduce hasU2F and hasTOTP in user info. 2019-12-07 11:18:22 +00:00			`return "", ErrNoTOTPSecret`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`
			`return "", err`
			`}`
			`return secret, nil`
			`}`

Test user does see the not registered message. When a user use Authelia for the first time no device is enrolled in DB. Now we test that the user does see the "not registered" message when no device is enrolled and see the standard 2FA method when a device is already enrolled. 2019-12-07 17:14:26 +00:00			`// DeleteTOTPSecret delete a TOTP secret given a username.`
			`func (p *SQLProvider) DeleteTOTPSecret(username string) error {`
			`_, err := p.db.Exec(p.sqlDeleteTOTPSecret, username)`
			`return err`
			`}`

Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`// SaveU2FDeviceHandle save a registered U2F device registration blob.`
Provide commands to migrate database from v3 to v4. 2019-11-17 01:05:46 +00:00			`func (p *SQLProvider) SaveU2FDeviceHandle(username string, keyHandle []byte, publicKey []byte) error {`
			`_, err := p.db.Exec(p.sqlUpsertU2FDeviceHandle,`
			`username,`
			`base64.StdEncoding.EncodeToString(keyHandle),`
			`base64.StdEncoding.EncodeToString(publicKey))`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`return err`
			`}`

			`// LoadU2FDeviceHandle load a U2F device registration blob for a given username.`
Provide commands to migrate database from v3 to v4. 2019-11-17 01:05:46 +00:00			`func (p *SQLProvider) LoadU2FDeviceHandle(username string) ([]byte, []byte, error) {`
			`var keyHandleBase64, publicKeyBase64 string`
			`if err := p.db.QueryRow(p.sqlGetU2FDeviceHandleByUsername, username).Scan(&keyHandleBase64, &publicKeyBase64); err != nil {`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`if err == sql.ErrNoRows {`
Provide commands to migrate database from v3 to v4. 2019-11-17 01:05:46 +00:00			`return nil, nil, ErrNoU2FDeviceHandle`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`
Provide commands to migrate database from v3 to v4. 2019-11-17 01:05:46 +00:00			`return nil, nil, err`
			`}`

			`keyHandle, err := base64.StdEncoding.DecodeString(keyHandleBase64)`

			`if err != nil {`
			`return nil, nil, err`
			`}`

			`publicKey, err := base64.StdEncoding.DecodeString(publicKeyBase64)`

			`if err != nil {`
			`return nil, nil, err`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00
Provide commands to migrate database from v3 to v4. 2019-11-17 01:05:46 +00:00			`return keyHandle, publicKey, nil`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`}`

			`// AppendAuthenticationLog append a mark to the authentication log.`
			`func (p *SQLProvider) AppendAuthenticationLog(attempt models.AuthenticationAttempt) error {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`_, err := p.db.Exec(p.sqlInsertAuthenticationLog, attempt.Username, attempt.Successful, attempt.Time.Unix())`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00			`return err`
			`}`

			`// LoadLatestAuthenticationLogs retrieve the latest marks from the authentication log.`
			`func (p *SQLProvider) LoadLatestAuthenticationLogs(username string, fromDate time.Time) ([]models.AuthenticationAttempt, error) {`
Add support for PostgreSQL. 2019-11-16 19:50:58 +00:00			`rows, err := p.db.Query(p.sqlGetLatestAuthenticationLogs, fromDate.Unix(), username)`
Deprecate mongo and add mariadb as storage backend option. 2019-11-16 10:38:21 +00:00
			`if err != nil {`
			`return nil, err`
			`}`

			`attempts := make([]models.AuthenticationAttempt, 0, 10)`
			`for rows.Next() {`
			`attempt := models.AuthenticationAttempt{`
			`Username: username,`
			`}`
			`var t int64`
			`err = rows.Scan(&attempt.Successful, &t)`
			`attempt.Time = time.Unix(t, 0)`

			`if err != nil {`
			`return nil, err`
			`}`
			`attempts = append(attempts, attempt)`
			`}`
			`return attempts, nil`
			`}`