From 526c2364b9ad685d1c000fc8a168bf1305aaa8b7 Mon Sep 17 00:00:00 2001 From: vman Date: Fri, 18 Nov 2022 16:08:51 -0500 Subject: Add project files. --- .gitignore | 477 +++++++++++++++++++++ .../AccountAdminEntry.cs | 67 +++ .../Endpoints/UsersEndpoint.cs | 77 ++++ .../Helpers/LocalNetworkProtectedEndpoint.cs | 30 ++ .../Model/User.cs | 26 ++ .../Model/UserContext.cs | 17 + .../Model/UserStore.cs | 48 +++ .../VNLib.Plugins.Essentials.Accounts.Admin.csproj | 29 ++ .../.gitattributes | 63 +++ .../.gitignore | 352 +++++++++++++++ .../readme.md | 0 .../src/AccountValidations.cs | 109 +++++ .../src/EmailSystemConfig.cs | 126 ++++++ .../src/Endpoints/RegRequestMessage.cs | 16 + .../src/Endpoints/RegistrationEntpoint.cs | 367 ++++++++++++++++ .../src/RegistrationEntryPoint.cs | 42 ++ .../src/TokenRevocation/RevocationContext.cs | 14 + .../src/TokenRevocation/RevokedToken.cs | 19 + .../src/TokenRevocation/RevokedTokenStore.cs | 77 ++++ ...Plugins.Essentials.Accounts.Registration.csproj | 62 +++ .../AccountValidations.cs | 84 ++++ .../AccountsEntryPoint.cs | 180 ++++++++ .../Endpoints/KeepAliveEndpoint.cs | 40 ++ .../Endpoints/LoginEndpoint.cs | 381 ++++++++++++++++ .../Endpoints/LogoutEndpoint.cs | 34 ++ .../Endpoints/MFAEndpoint.cs | 258 +++++++++++ .../Endpoints/PasswordResetEndpoint.cs | 116 +++++ .../Endpoints/ProfileEndpoint.cs | 108 +++++ VNLib.Plugins.Essentials.Accounts/LICENSE.txt | 339 +++++++++++++++ .../MFA/FidoAuthenticatorSelection.cs | 16 + .../MFA/FidoRegClientData.cs | 16 + .../MFA/FidoRegistrationMessage.cs | 28 ++ VNLib.Plugins.Essentials.Accounts/MFA/MFAConfig.cs | 78 ++++ VNLib.Plugins.Essentials.Accounts/MFA/MFAType.cs | 7 + .../MFA/MFAUpgrade.cs | 41 ++ .../MFA/UserMFAExtensions.cs | 395 +++++++++++++++++ VNLib.Plugins.Essentials.Accounts/README.md | 3 + .../VNLib.Plugins.Essentials.Accounts.csproj | 54 +++ .../Validators/LoginMessageValidation.cs | 46 ++ .../Model/Route.cs | 47 ++ .../Model/RouteStore.cs | 44 ++ .../Model/RoutingContext.cs | 17 + .../PageRouterEntry.cs | 44 ++ .../RouteComparer.cs | 53 +++ VNLib.Plugins.Essentials.Content.Routing/Router.cs | 139 ++++++ ...VNLib.Plugins.Essentials.Content.Routing.csproj | 47 ++ VNLib.Plugins.Essentials.SocialOauth | 1 + 47 files changed, 4634 insertions(+) create mode 100644 .gitignore create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/AccountAdminEntry.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/Endpoints/UsersEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/Helpers/LocalNetworkProtectedEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/Model/User.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/Model/UserContext.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/Model/UserStore.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Admin/VNLib.Plugins.Essentials.Accounts.Admin.csproj create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/.gitattributes create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/.gitignore create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/readme.md create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/AccountValidations.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/EmailSystemConfig.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegRequestMessage.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegistrationEntpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/RegistrationEntryPoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevocationContext.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedToken.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedTokenStore.cs create mode 100644 VNLib.Plugins.Essentials.Accounts.Registration/src/VNLib.Plugins.Essentials.Accounts.Registration.csproj create mode 100644 VNLib.Plugins.Essentials.Accounts/AccountValidations.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/AccountsEntryPoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/Endpoints/KeepAliveEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/Endpoints/LoginEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/Endpoints/LogoutEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/Endpoints/MFAEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/Endpoints/PasswordResetEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/Endpoints/ProfileEndpoint.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/LICENSE.txt create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/FidoAuthenticatorSelection.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/FidoRegClientData.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/FidoRegistrationMessage.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/MFAConfig.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/MFAType.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/MFAUpgrade.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/MFA/UserMFAExtensions.cs create mode 100644 VNLib.Plugins.Essentials.Accounts/README.md create mode 100644 VNLib.Plugins.Essentials.Accounts/VNLib.Plugins.Essentials.Accounts.csproj create mode 100644 VNLib.Plugins.Essentials.Accounts/Validators/LoginMessageValidation.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/Model/Route.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/Model/RouteStore.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/Model/RoutingContext.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/PageRouterEntry.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/RouteComparer.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/Router.cs create mode 100644 VNLib.Plugins.Essentials.Content.Routing/VNLib.Plugins.Essentials.Content.Routing.csproj create mode 160000 VNLib.Plugins.Essentials.SocialOauth diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3b1d57d --- /dev/null +++ b/.gitignore @@ -0,0 +1,477 @@ +# Created by https://www.toptal.com/developers/gitignore/api/c,c++,visualstudio +# Edit at https://www.toptal.com/developers/gitignore?templates=c,c++,visualstudio + +### C ### +# Prerequisites +*.d + +# Object files +*.o +*.ko +*.obj +*.elf + +# Linker output +*.ilk +*.map +*.exp + +# Precompiled Headers +*.gch +*.pch + +# Libraries +*.lib +*.a +*.la +*.lo + +# Shared objects (inc. Windows DLLs) +*.dll +*.so +*.so.* +*.dylib + +# Executables +*.exe +*.out +*.app +*.i*86 +*.x86_64 +*.hex + +# Debug files +*.dSYM/ +*.su +*.idb +*.pdb + +# Kernel Module Compile Results +*.mod* +*.cmd +.tmp_versions/ +modules.order +Module.symvers +Mkfile.old +dkms.conf + +### C++ ### +# Prerequisites + +# Compiled Object files +*.slo + +# Precompiled Headers + +# Compiled Dynamic libraries + +# Fortran module files +*.mod +*.smod + +# Compiled Static libraries +*.lai + +# Executables + +### VisualStudio ### +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Ww][Ii][Nn]32/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# ASP.NET Scaffolding +ScaffoldingReadMe.txt + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.meta +*.iobj +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.tlog +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Coverlet is a free, cross platform Code Coverage Tool +coverage*.json +coverage*.xml +coverage*.info + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio 6 auto-generated project file (contains which files were open etc.) +*.vbp + +# Visual Studio 6 workspace and project file (working project files containing files to include in project) +*.dsw +*.dsp + +# Visual Studio 6 technical files + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# Visual Studio History (VSHistory) files +.vshistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +# Fody - auto-generated XML schema +FodyWeavers.xsd + +# VS Code files for those working on multiple tools +.vscode/* +!.vscode/settings.json +!.vscode/tasks.json +!.vscode/launch.json +!.vscode/extensions.json +*.code-workspace + +# Local History for Visual Studio Code +.history/ + +# Windows Installer files from build outputs +*.cab +*.msi +*.msix +*.msm +*.msp + +# JetBrains Rider +*.sln.iml + +### VisualStudio Patch ### +# Additional files built by Visual Studio + +# End of https://www.toptal.com/developers/gitignore/api/c,c++,visualstudio +/VNLib.Utils + +*.json \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/AccountAdminEntry.cs b/VNLib.Plugins.Essentials.Accounts.Admin/AccountAdminEntry.cs new file mode 100644 index 0000000..008307c --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/AccountAdminEntry.cs @@ -0,0 +1,67 @@ +using System; +using System.Text.Json; +using System.Runtime.CompilerServices; + +using VNLib.Utils.Logging; +using VNLib.Plugins.Essentials.Sessions; + +namespace VNLib.Plugins.Essentials.Accounts.Admin +{ + + internal static class Constants + { + public const ushort ADMIN_GROUP_ID = 0x1fff; + [Flags] + enum AdminLevelMask + { + + } + /// + /// Determines if the current session belongs to an admin account + /// + /// + /// True if the current user has administrator permissions + [MethodImpl(MethodImplOptions.AggressiveInlining)] + public static bool IsAdmin(this in SessionInfo session) => session.HasGroup(ADMIN_GROUP_ID); + + /// + /// Gets the plugin config local-only flag + /// + /// + /// True if the config demands all requests happen on the local network only + public static bool LocalOnlyEnabled(this PluginBase plugin) + { + return plugin.PluginConfig.TryGetProperty("local_only", out JsonElement el) && el.GetBoolean(); + } + } + + public sealed class AccountAdminEntry : PluginBase + { + public override string PluginName => "Essentials.Admin"; + + protected override void OnLoad() + { + try + { + + } + catch (KeyNotFoundException knf) + { + Log.Error("Missing required account configuration variables {mess}", knf.Message); + return; + } + //Write loaded to log + Log.Information("Plugin loaded"); + } + + protected override void OnUnLoad() + { + Log.Information("Plugin unloaded"); + } + + protected override void ProcessHostCommand(string cmd) + { + Log.Debug(cmd); + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/Endpoints/UsersEndpoint.cs b/VNLib.Plugins.Essentials.Accounts.Admin/Endpoints/UsersEndpoint.cs new file mode 100644 index 0000000..9f29a29 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/Endpoints/UsersEndpoint.cs @@ -0,0 +1,77 @@ +using System; +using System.Linq; +using System.Net; +using System.Text.Json; + +using VNLib.Utils; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Essentials.Accounts.Admin.Model; +using VNLib.Plugins.Extensions.Data; +using VNLib.Plugins.Extensions.Loading.Sql; +using VNLib.Plugins.Extensions.Loading.Users; +using VNLib.Plugins.Essentials.Accounts.Admin.Helpers; +using VNLib.Plugins.Extensions.Loading; + +namespace VNLib.Plugins.Essentials.Accounts.Admin.Endpoints +{ + [ConfigurationName("users")] + internal class UsersEndpoint : LocalNetworkProtectedEndpoint + { + + readonly IUserManager Manager; + readonly UserStore UserStore; + + public UsersEndpoint(PluginBase plugin, Dictionary config) + { + this.LocalOnly = plugin.LocalOnlyEnabled(); + string? path = config["path"].GetString(); + //Store user-manager + Manager = plugin.GetUserManager(); + //Create the indirect user context store + UserStore = new(plugin.GetContextOptions()); + + InitPathAndLog(path, plugin.Log); + } + + + protected override ERRNO PreProccess(HttpEntity entity) + { + return base.PreProccess(entity) && entity.Session.IsAdmin(); + } + + protected override async ValueTask GetAsync(HttpEntity entity) + { + //Get single account + if(entity.QueryArgs.TryGetNonEmptyValue("id", out string? userId)) + { + //Load account + using IUser? user = await Manager.GetUserFromIDAsync(userId); + AccountData? acc = user?.GetProfile(); + //If account not found, return 404 + if(acc == null) + { + entity.CloseResponse(HttpStatusCode.NotFound); + } + else + { + entity.CloseResponseJson(HttpStatusCode.OK, acc); + } + } + else + { + //Get a user page + int page = entity.QueryArgs.GetPageOrDefault(0); + int limit = entity.QueryArgs.GetLimitOrDefault(50, 0, 200); + //Rent list and get the requested page + List rental = UserStore.ListRental.Rent(); + _ = await UserStore.GetPageAsync(rental, page, limit); + //Set response + entity.CloseResponseJson(HttpStatusCode.OK, rental); + //Return list to store + UserStore.ListRental.Return(rental); + } + return VfReturnType.VirtualSkip; + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/Helpers/LocalNetworkProtectedEndpoint.cs b/VNLib.Plugins.Essentials.Accounts.Admin/Helpers/LocalNetworkProtectedEndpoint.cs new file mode 100644 index 0000000..3812337 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/Helpers/LocalNetworkProtectedEndpoint.cs @@ -0,0 +1,30 @@ +using System; + +using VNLib.Utils; +using VNLib.Plugins.Essentials.Endpoints; + +namespace VNLib.Plugins.Essentials.Accounts.Admin.Helpers +{ + /// + /// Provides an endpoint that provides optional protection against requests outside the local network + /// + internal abstract class LocalNetworkProtectedEndpoint : ProtectedWebEndpoint + { + private bool _localOnly; + + /// + /// Specifies if requests outside of the local network are allowed. + /// + protected bool LocalOnly + { + get => _localOnly; + set => _localOnly = value; + } + + protected override ERRNO PreProccess(HttpEntity entity) + { + return (!_localOnly || entity.IsLocalConnection) && base.PreProccess(entity); + } + + } +} diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/Model/User.cs b/VNLib.Plugins.Essentials.Accounts.Admin/Model/User.cs new file mode 100644 index 0000000..866cff1 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/Model/User.cs @@ -0,0 +1,26 @@ +using System; +using System.ComponentModel.DataAnnotations.Schema; + +using VNLib.Plugins.Extensions.Data; +using VNLib.Plugins.Extensions.Data.Abstractions; + +namespace VNLib.Plugins.Essentials.Accounts.Admin.Model +{ + internal class User : DbModelBase, IUserEntity + { + public string? UserId { get; set; } + //Users's do not have unique id values + [NotMapped] + public override string Id + { + get => UserId!; + set => UserId = value; + } + public override DateTime Created { get; set; } + //Do not map the last modified, user table does not have a last modified field. + [NotMapped] + public override DateTime LastModified { get; set; } + + public ulong Privilages { get; set; } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/Model/UserContext.cs b/VNLib.Plugins.Essentials.Accounts.Admin/Model/UserContext.cs new file mode 100644 index 0000000..6409b7d --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/Model/UserContext.cs @@ -0,0 +1,17 @@ + +using Microsoft.EntityFrameworkCore; + +using VNLib.Plugins.Extensions.Data; + +namespace VNLib.Plugins.Essentials.Accounts.Admin.Model +{ + internal class UserContext : TransactionalDbContext + { + public DbSet Users { get; set; } +#nullable disable + public UserContext(DbContextOptions options):base(options) + { + + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/Model/UserStore.cs b/VNLib.Plugins.Essentials.Accounts.Admin/Model/UserStore.cs new file mode 100644 index 0000000..b3e5c23 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/Model/UserStore.cs @@ -0,0 +1,48 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; + +using Microsoft.EntityFrameworkCore; + +using VNLib.Plugins.Extensions.Data; + +namespace VNLib.Plugins.Essentials.Accounts.Admin.Model +{ + + internal class UserStore : DbStore + { + private readonly DbContextOptions Options; + + public UserStore(DbContextOptions options) + { + this.Options = options; + } + + //Item id's are not used + public override string RecordIdBuilder => ""; + + protected override IQueryable GetCollectionQueryBuilder(TransactionalDbContext context, params string[] constraints) + { + return (from user in context.Set() + orderby user.Created descending + select user); + } + + protected override IQueryable GetSingleQueryBuilder(TransactionalDbContext context, params string[] constraints) + { + string userId = constraints[0]; + return (from user in context.Set() + where user.UserId == userId + select user); + } + + public override TransactionalDbContext NewContext() => new UserContext(Options); + + protected override void OnRecordUpdate(User newRecord, User currentRecord) + { + currentRecord.Privilages = currentRecord.Privilages; + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts.Admin/VNLib.Plugins.Essentials.Accounts.Admin.csproj b/VNLib.Plugins.Essentials.Accounts.Admin/VNLib.Plugins.Essentials.Accounts.Admin.csproj new file mode 100644 index 0000000..6dbd219 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Admin/VNLib.Plugins.Essentials.Accounts.Admin.csproj @@ -0,0 +1,29 @@ + + + + net6.0 + enable + enable + x64 + AnyCPU;x64 + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + + + + + + + + + diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/.gitattributes b/VNLib.Plugins.Essentials.Accounts.Registration/.gitattributes new file mode 100644 index 0000000..1ff0c42 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/.gitattributes @@ -0,0 +1,63 @@ +############################################################################### +# Set default behavior to automatically normalize line endings. +############################################################################### +* text=auto + +############################################################################### +# Set default behavior for command prompt diff. +# +# This is need for earlier builds of msysgit that does not have it on by +# default for csharp files. +# Note: This is only used by command line +############################################################################### +#*.cs diff=csharp + +############################################################################### +# Set the merge driver for project and solution files +# +# Merging from the command prompt will add diff markers to the files if there +# are conflicts (Merging from VS is not affected by the settings below, in VS +# the diff markers are never inserted). Diff markers may cause the following +# file extensions to fail to load in VS. An alternative would be to treat +# these files as binary and thus will always conflict and require user +# intervention with every merge. To do so, just uncomment the entries below +############################################################################### +#*.sln merge=binary +#*.csproj merge=binary +#*.vbproj merge=binary +#*.vcxproj merge=binary +#*.vcproj merge=binary +#*.dbproj merge=binary +#*.fsproj merge=binary +#*.lsproj merge=binary +#*.wixproj merge=binary +#*.modelproj merge=binary +#*.sqlproj merge=binary +#*.wwaproj merge=binary + +############################################################################### +# behavior for image files +# +# image files are treated as binary by default. +############################################################################### +#*.jpg binary +#*.png binary +#*.gif binary + +############################################################################### +# diff behavior for common document formats +# +# Convert binary document formats to text before diffing them. This feature +# is only available from the command line. Turn it on by uncommenting the +# entries below. +############################################################################### +#*.doc diff=astextplain +#*.DOC diff=astextplain +#*.docx diff=astextplain +#*.DOCX diff=astextplain +#*.dot diff=astextplain +#*.DOT diff=astextplain +#*.pdf diff=astextplain +#*.PDF diff=astextplain +#*.rtf diff=astextplain +#*.RTF diff=astextplain diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/.gitignore b/VNLib.Plugins.Essentials.Accounts.Registration/.gitignore new file mode 100644 index 0000000..f17dcd9 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/.gitignore @@ -0,0 +1,352 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ + +.json diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/readme.md b/VNLib.Plugins.Essentials.Accounts.Registration/readme.md new file mode 100644 index 0000000..e69de29 diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/AccountValidations.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/AccountValidations.cs new file mode 100644 index 0000000..839bc27 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/AccountValidations.cs @@ -0,0 +1,109 @@ + +using FluentValidation; + +using VNLib.Plugins.Essentials.Accounts.Registration.Endpoints; +using VNLib.Plugins.Extensions.Validation; + +namespace VNLib.Plugins.Essentials.Accounts.Registration +{ + internal static class AccountValidations + { + /// + /// Central password requirement validator + /// + public static IValidator PasswordValidator { get; } = GetPassVal(); + + public static IValidator AccountDataValidator { get; } = GetAcVal(); + + /// + /// A validator used to validate new registration request messages + /// + public static IValidator RegRequestValidator { get; } = GetRequestValidator(); + + static IValidator GetPassVal() + { + InlineValidator passVal = new(); + + passVal.RuleFor(static password => password) + .NotEmpty() + .Length(min: 8, max: 100) + .Password() + .WithMessage(errorMessage: "Password does not meet minium requirements"); + + return passVal; + } + + static IValidator GetAcVal() + { + InlineValidator adv = new (); + + //Validate city + + adv.RuleFor(t => t.City) + .MaximumLength(35) + .AlphaOnly() + .When(t => t.City?.Length > 0); + + adv.RuleFor(t => t.Company) + .MaximumLength(50) + .SpecialCharacters() + .When(t => t.Company?.Length > 0); + + //Require a first and last names to be set together + adv.When(t => t.First?.Length > 0 || t.Last?.Length > 0, () => + { + adv.RuleFor(t => t.First) + .Length(1, 35) + .AlphaOnly(); + adv.RuleFor(t => t.Last) + .Length(1, 35) + .AlphaOnly(); + }); + + adv.RuleFor(t => t.PhoneNumber) + .PhoneNumber() + .When(t => t.PhoneNumber?.Length > 0) + .OverridePropertyName("Phone"); + + //State must be 2 characters for us states if set + adv.RuleFor(t => t.State) + .Length(2) + .When(t => t.State?.Length > 0); + + adv.RuleFor(t => t.Street) + .AlphaNumericOnly() + .MaximumLength(50) + .When(t => t.Street?.Length > 0); + + //Allow empty zip codes, but if one is defined, is must be less than 7 characters + adv.RuleFor(t => t.Zip) + .NumericOnly() + .MaximumLength(7) + .When(t => t.Zip?.Length > 0); + + return adv; + } + + static IValidator GetRequestValidator() + { + InlineValidator reqVal = new(); + + reqVal.RuleFor(static s => s.ClientId) + .NotEmpty() + .IllegalCharacters() + .Length(1, 100); + + //Convert to universal time before validating + reqVal.RuleFor(static s => s.Timestamp.ToUniversalTime()) + .Must(t => t > DateTimeOffset.UtcNow.AddSeconds(-60) && t < DateTimeOffset.UtcNow.AddSeconds(60)); + + reqVal.RuleFor(static s => s.UserName) + .NotEmpty() + .EmailAddress() + .IllegalCharacters() + .Length(5, 50); + + return reqVal; + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/EmailSystemConfig.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/EmailSystemConfig.cs new file mode 100644 index 0000000..a0333c0 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/EmailSystemConfig.cs @@ -0,0 +1,126 @@ +using System; +using System.Text; +using System.Text.Json; + +using RestSharp; + +using Emails.Transactional.Client; + +using VNLib.Utils.Extensions; +using VNLib.Net.Rest.Client; +using VNLib.Net.Rest.Client.OAuth2; +using VNLib.Plugins.Extensions.Loading; + +namespace VNLib.Plugins.Essentials.Accounts.Registration +{ + /// + /// An extended configuration + /// object that contains a pool for making + /// transactions + /// + internal sealed class EmailSystemConfig : TransactionalEmailConfig + { + public const string REG_TEMPLATE_NAME = "Registration"; + + public EmailSystemConfig(PluginBase pbase) + { + IReadOnlyDictionary conf = pbase.GetConfig("email"); + EmailFromName = conf["from_name"].GetString() ?? throw new KeyNotFoundException(""); + EmailFromAddress = conf["from_address"].GetString() ?? throw new KeyNotFoundException(""); + Uri baseServerPath = new(conf["base_url"].GetString()!, UriKind.RelativeOrAbsolute); + Uri tokenServerBase = new(conf["token_server_url"].GetString()!, UriKind.RelativeOrAbsolute); + Uri transactionEndpoint = new(conf["transaction_path"].GetString()!, UriKind.RelativeOrAbsolute); + //Load templates + Dictionary templates = conf["templates"].EnumerateObject().ToDictionary(jp => jp.Name, jp => jp.Value.GetString()!); + //Init base config + WithTemplates(templates) + .WithUrl(transactionEndpoint); + //Load credentials + string authEndpoint = conf["token_path"].GetString() ?? throw new KeyNotFoundException(); + int maxClients = conf["max_clients"].GetInt32(); + + + //Load oauth secrets from vault + Task oauth2ClientID = pbase.TryGetSecretAsync("oauth2_client_id"); + Task oauth2Password = pbase.TryGetSecretAsync("oauth2_client_secret"); + + //Lazy cred loaded, tasks should be loaded before this method will ever get called + Credential lazyCredentialGet() + { + //Load the results + string cliendId = oauth2ClientID.Result ?? throw new KeyNotFoundException("Missing required oauth2 client id"); + string password = oauth2Password.Result ?? throw new KeyNotFoundException("Missing required oauth2 client secret"); + + return Credential.Create(cliendId, password); + } + + + //Init client creation options + RestClientOptions poolOptions = new() + { + AllowMultipleDefaultParametersWithSameName = true, + AutomaticDecompression = System.Net.DecompressionMethods.All, + PreAuthenticate = true, + Encoding = Encoding.UTF8, + MaxTimeout = conf["request_timeout_ms"].GetInt32(), + UserAgent = "Essentials.EmailRegistation", + FollowRedirects = false, + BaseUrl = baseServerPath + }; + //Options for auth token endpoint + RestClientOptions oAuth2ClientOptions = new() + { + AllowMultipleDefaultParametersWithSameName = true, + AutomaticDecompression = System.Net.DecompressionMethods.All, + PreAuthenticate = false, + Encoding = Encoding.UTF8, + MaxTimeout = conf["request_timeout_ms"].GetInt32(), + UserAgent = "Essentials.EmailRegistation", + FollowRedirects = false, + BaseUrl = baseServerPath + }; + + //Init Oauth authenticator + OAuth2Authenticator authenticator = new(oAuth2ClientOptions, lazyCredentialGet, authEndpoint); + //Store pool + RestClientPool = new(maxClients, poolOptions, authenticator:authenticator); + + void Cleanup() + { + authenticator.Dispose(); + RestClientPool.Dispose(); + } + + //register password cleanup + _ = pbase.UnloadToken.RegisterUnobserved(Cleanup); + } + + /// + /// A shared for renting configuraed + /// + /// + public RestClientPool RestClientPool { get; } + /// + /// A global from email address name + /// + public string EmailFromName { get; } + /// + /// A global from email address + /// + public string EmailFromAddress { get; } + + /// + /// Prepares a new registration email transaction request + /// + /// The prepared object + public EmailTransactionRequest GetRegistrationMessage() + { + EmailTransactionRequest req = GetTemplateRequest(REG_TEMPLATE_NAME); + req.FromAddress = EmailFromAddress; + req.FromName = EmailFromName; + //set reg subject + req.Subject = "One more step to register"; + return req; + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegRequestMessage.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegRequestMessage.cs new file mode 100644 index 0000000..a151a86 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegRequestMessage.cs @@ -0,0 +1,16 @@ +using System.Text.Json.Serialization; + +namespace VNLib.Plugins.Essentials.Accounts.Registration.Endpoints +{ + internal class RegRequestMessage + { + [JsonPropertyName("localtime")] + public DateTimeOffset Timestamp { get; set; } + + [JsonPropertyName("username")] + public string? UserName { get; set; } + + [JsonPropertyName("clientid")] + public string? ClientId { get; set; } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegistrationEntpoint.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegistrationEntpoint.cs new file mode 100644 index 0000000..2551fbb --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/Endpoints/RegistrationEntpoint.cs @@ -0,0 +1,367 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Security.Cryptography; + +using FluentValidation; + +using Emails.Transactional.Client; +using Emails.Transactional.Client.Exceptions; + +using VNLib.Hashing; +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Utils.Extensions; +using VNLib.Hashing.IdentityUtility; +using VNLib.Net.Rest.Client; +using VNLib.Net.Rest.Client.OAuth2; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Sql; +using VNLib.Plugins.Extensions.Loading.Events; +using VNLib.Plugins.Extensions.Loading.Users; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Essentials.Accounts.Registration.TokenRevocation; +using static VNLib.Plugins.Essentials.Accounts.AccountManager; + + +namespace VNLib.Plugins.Essentials.Accounts.Registration.Endpoints +{ + + [ConfigurationName("registration")] + internal sealed class RegistrationEntpoint : UnprotectedWebEndpoint, IIntervalScheduleable + { + /// + /// Generates a CNG random buffer to use as a nonce + /// + private static string EntropyNonce => RandomHash.GetRandomHex(16); + + const string FAILED_AUTH_ERR = "Your registration does not exist, you should try to regisiter again."; + const string REG_ERR_MESSAGE = "Please check your email inbox."; + + private HMAC SigAlg => new HMACSHA256(RegSignatureKey.Result); + + private readonly IUserManager Users; + private readonly IValidator RegJwtValdidator; + private readonly PasswordHashing Passwords; + private readonly RevokedTokenStore RevokedTokens; + private readonly EmailSystemConfig Emails; + private readonly Task RegSignatureKey; + private readonly TimeSpan RegExpiresSec; + + /// + /// Creates back-end functionality for a "registration" or "sign-up" page that integrates with the plugin + /// + /// The path identifier + /// + public RegistrationEntpoint(PluginBase plugin, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + + InitPathAndLog(path, plugin.Log); + + RegExpiresSec = config["reg_expires_sec"].GetTimeSpan(TimeParseType.Seconds); + + //Init reg jwt validator + RegJwtValdidator = GetJwtValidator(); + + Passwords = plugin.GetPasswords(); + Users = plugin.GetUserManager(); + RevokedTokens = new(plugin.GetContextOptions()); + Emails = new(plugin); + + //Begin the async op to get the signature key from the vault + RegSignatureKey = plugin.TryGetSecretAsync("reg_sig_key").ContinueWith((ts) => { + + _ = ts.Result ?? throw new KeyNotFoundException("Missing required key 'reg_sig_key' in 'registration' configuration"); + return Convert.FromBase64String(ts.Result); + }); + + //Register timeout for cleanup + _ = plugin.ScheduleInterval(this, TimeSpan.FromSeconds(60)); + } + + private static IValidator GetJwtValidator() + { + InlineValidator val = new(); + + val.RuleFor(static s => s) + .NotEmpty() + //Must contain 2 periods for jwt limitation + .Must(static s => s.Count(s => s == '.') == 2) + //Guard length + .Length(20, 500) + .IllegalCharacters(); + return val; + } + + + protected override async ValueTask PostAsync(HttpEntity entity) + { + ValErrWebMessage webm = new(); + //Get the json request data from client + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + + if(webm.Assert(request != null, "No request data present")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //Get the jwt string from client + string? regJwt = request.RootElement.GetPropString("token"); + using PrivateString? password = (PrivateString?)request.RootElement.GetPropString("password"); + + //validate inputs + { + if (webm.Assert(regJwt != null, FAILED_AUTH_ERR)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + if (webm.Assert(password != null, "You must specify a password.")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //validate new password + if(!AccountValidations.PasswordValidator.Validate((string)password, webm)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Validate jwt + if (webm.Assert(RegJwtValdidator.Validate(regJwt).IsValid, FAILED_AUTH_ERR)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + } + + //Verify jwt has not been revoked + if(await RevokedTokens.IsRevokedAsync(regJwt, entity.EventCancellation)) + { + webm.Result = FAILED_AUTH_ERR; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + string emailAddress; + try + { + //get jwt + using JsonWebToken jwt = JsonWebToken.Parse(regJwt); + //verify signature + using (HMAC hmac = SigAlg) + { + bool verified = jwt.Verify(hmac); + + if (webm.Assert(verified, FAILED_AUTH_ERR)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + } + + //recover iat and email address + using JsonDocument reg = jwt.GetPayload(); + emailAddress = reg.RootElement.GetPropString("email")!; + DateTimeOffset iat = DateTimeOffset.FromUnixTimeSeconds(reg.RootElement.GetProperty("iat").GetInt64()); + + //Verify IAT against expiration at second resolution + if (webm.Assert(iat.Add(RegExpiresSec) > DateTimeOffset.UtcNow, FAILED_AUTH_ERR)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + } + catch (FormatException fe) + { + Log.Debug(fe); + webm.Result = FAILED_AUTH_ERR; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + + //Always hash the new password, even if failed + using PrivateString passHash = Passwords.Hash(password); + + try + { + //Generate userid from email + string uid = GetRandomUserId(); + + //Create the new user + using IUser user = await Users.CreateUserAsync(uid, emailAddress, MINIMUM_LEVEL, passHash, entity.EventCancellation); + + //Set active status + user.Status = UserStatus.Active; + //set local account origin + user.SetAccountOrigin(LOCAL_ACCOUNT_ORIGIN); + + //set user verification + await user.ReleaseAsync(); + + //Revoke token now complete + _ = RevokedTokens.RevokeAsync(regJwt, CancellationToken.None).ConfigureAwait(false); + + webm.Result = "Successfully created your new account. You may now log in"; + webm.Success = true; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Capture creation failed, this may be a replay + catch (UserExistsException) + { + } + catch(UserCreationFailedException) + { + } + + webm.Result = FAILED_AUTH_ERR; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + + private static readonly IReadOnlyDictionary JWT_HEADER = new Dictionary() + { + { "typ", "JWT" }, + { "alg", "HS256" } + }; + + protected override async ValueTask PutAsync(HttpEntity entity) + { + ValErrWebMessage webm = new(); + + //Get the request + RegRequestMessage? request = await entity.GetJsonFromFileAsync(); + if (webm.Assert(request != null, "Request is invalid")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //Validate the request + if (!AccountValidations.RegRequestValidator.Validate(request, webm)) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Create psudo contant time delay + Task delay = Task.Delay(200); + + //See if a user account already exists + using (IUser? user = await Users.GetUserFromEmailAsync(request.UserName!, entity.EventCancellation)) + { + if (user != null) + { + goto Exit; + } + } + + //Get exact timestamp + DateTimeOffset timeStamp = DateTimeOffset.UtcNow; + + //generate random nonce for entropy + string entropy = EntropyNonce; + + //Init client jwt + string jwtData; + using (JsonWebToken emailJwt = new()) + { + + emailJwt.WriteHeader(JWT_HEADER); + + //Init new claim stack, include the same iat time, nonce for entropy, and descriptor storage id + emailJwt.InitPayloadClaim(3) + .AddClaim("iat", timeStamp.ToUnixTimeSeconds()) + .AddClaim("n", entropy) + .AddClaim("email", request.UserName) + .CommitClaims(); + + //sign the jwt + using (HMAC hmac = SigAlg) + { + emailJwt.Sign(hmac); + } + //Compile to encoded string + jwtData = emailJwt.Compile(); + } + + string regUrl = $"https://{entity.Server.RequestUri.Authority}{Path}?t={jwtData}"; + + //Send email to user in background task and do not await it + _ = SendRegEmailAsync(request.UserName!, regUrl).ConfigureAwait(false); + + Exit: + //await sort of constant time delay + await delay; + + //Notify user + webm.Result = REG_ERR_MESSAGE; + webm.Success = true; + + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + + private async Task SendRegEmailAsync(string emailAddress, string url) + { + try + { + //Get a new registration template + EmailTransactionRequest emailTemplate = Emails.GetRegistrationMessage(); + //Add the user's to address + emailTemplate.AddToAddress(emailAddress); + emailTemplate.AddVariable("username", emailAddress); + //Set the security code variable string + emailTemplate.AddVariable("reg_url", url); + emailTemplate.AddVariable("date", DateTimeOffset.UtcNow.ToString("f")); + + //Get a new client contract + using ClientContract client = Emails.RestClientPool.Lease(); + //Send the email + TransactionResult result = await client.Resource.SendEmailAsync(emailTemplate); + if (!result.Success) + { + Log.Debug("Registration email failed to send, SMTP status code: {smtp}", result.SmtpStatus); + } + else + { + Log.Verbose("Registration email sent to user. Status {smtp}", result.SmtpStatus); + } + } + catch (ValidationFailedException vf) + { + //This should only occur if there is a bug in our reigration code that allowed an invalid value pass + Log.Debug(vf, "Registration email failed to send to user because data validation failed"); + } + catch (InvalidAuthorizationException iae) + { + Log.Warn(iae, "Registration email failed to send due to an authentication error"); + } + catch (OAuth2AuthenticationException o2e) + { + Log.Warn(o2e, "Registration email failed to send due to an authentication error"); + } + catch (Exception ex) + { + Log.Error(ex); + } + } + + async Task IIntervalScheduleable.OnIntervalAsync(ILogProvider log, CancellationToken cancellationToken) + { + //Cleanup tokens + await RevokedTokens.CleanTableAsync(RegExpiresSec, cancellationToken); + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/RegistrationEntryPoint.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/RegistrationEntryPoint.cs new file mode 100644 index 0000000..000c9bd --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/RegistrationEntryPoint.cs @@ -0,0 +1,42 @@ + +using VNLib.Utils.Logging; + +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Routing; +using VNLib.Plugins.Essentials.Accounts.Registration.Endpoints; + +namespace VNLib.Plugins.Essentials.Accounts.Registration +{ + public sealed class RegistrationEntryPoint : PluginBase + { + public override string PluginName => "Essentials.EmailRegistration"; + + protected override void OnLoad() + { + try + { + //Route reg endpoint + this.Route(); + + Log.Information("Plugin loaded"); + } + catch(KeyNotFoundException kne) + { + Log.Error("Missing required configuration variables: {ex}", kne.Message); + } + } + + protected override void OnUnLoad() + { + Log.Information("Plugin unloaded"); + } + + protected override void ProcessHostCommand(string cmd) + { + if (!this.IsDebug()) + { + return; + } + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevocationContext.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevocationContext.cs new file mode 100644 index 0000000..71921c2 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevocationContext.cs @@ -0,0 +1,14 @@ +using Microsoft.EntityFrameworkCore; + +using VNLib.Plugins.Extensions.Data; + +namespace VNLib.Plugins.Essentials.Accounts.Registration.TokenRevocation +{ + internal class RevocationContext : TransactionalDbContext + { + public DbSet RevokedRegistrationTokens { get; set; } + + public RevocationContext(DbContextOptions options) : base(options) + {} + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedToken.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedToken.cs new file mode 100644 index 0000000..ac0fc9a --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedToken.cs @@ -0,0 +1,19 @@ +using System; +using System.ComponentModel.DataAnnotations; + +namespace VNLib.Plugins.Essentials.Accounts.Registration.TokenRevocation +{ + + internal class RevokedToken + { + /// + /// The time the token was revoked. + /// + public DateTime Created { get; set; } + /// + /// The token that was revoked. + /// + [Key] + public string? Token { get; set; } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedTokenStore.cs b/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedTokenStore.cs new file mode 100644 index 0000000..ccc7b37 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/TokenRevocation/RevokedTokenStore.cs @@ -0,0 +1,77 @@ +using System.Collections; + +using Microsoft.EntityFrameworkCore; + +using VNLib.Utils; + +namespace VNLib.Plugins.Essentials.Accounts.Registration.TokenRevocation +{ + internal class RevokedTokenStore + { + private readonly DbContextOptions Options; + + public RevokedTokenStore(DbContextOptions options) + { + Options = options; + } + + public async Task IsRevokedAsync(string token, CancellationToken cancellation) + { + await using RevocationContext context = new (Options); + await context.OpenTransactionAsync(cancellation); + + //Select any that match tokens + bool any = await (from t in context.RevokedRegistrationTokens + where t.Token == token + select t).AnyAsync(cancellation); + + await context.CommitTransactionAsync(cancellation); + return any; + } + + public async Task RevokeAsync(string token, CancellationToken cancellation) + { + await using RevocationContext context = new (Options); + await context.OpenTransactionAsync(cancellation); + + //Add to table + context.RevokedRegistrationTokens.Add(new RevokedToken() + { + Created = DateTime.UtcNow, + Token = token + }); + + //Save changes and commit transaction + await context.SaveChangesAsync(cancellation); + await context.CommitTransactionAsync(cancellation); + } + + /// + /// Removes expired records from the store + /// + /// The time a token is valid for + /// A token that cancels the async operation + /// The number of records evicted from the store + public async Task CleanTableAsync(TimeSpan validFor, CancellationToken cancellation) + { + DateTime expiredBefore = DateTime.UtcNow.Subtract(validFor); + + await using RevocationContext context = new (Options); + await context.OpenTransactionAsync(cancellation); + + //Select any that match tokens + RevokedToken[] expired = await context.RevokedRegistrationTokens.Where(t => t.Created < expiredBefore) + .Select(static t => t) + .ToArrayAsync(cancellation); + + + context.RevokedRegistrationTokens.RemoveRange(expired); + + ERRNO count =await context.SaveChangesAsync(cancellation); + + await context.CommitTransactionAsync(cancellation); + + return count; + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts.Registration/src/VNLib.Plugins.Essentials.Accounts.Registration.csproj b/VNLib.Plugins.Essentials.Accounts.Registration/src/VNLib.Plugins.Essentials.Accounts.Registration.csproj new file mode 100644 index 0000000..5f6a23c --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts.Registration/src/VNLib.Plugins.Essentials.Accounts.Registration.csproj @@ -0,0 +1,62 @@ + + + + net6.0 + enable + enable + x64 + False + VNLib.Plugins.Essentials.Accounts.Registration + Vaughn Nugent + Copyright © 2022 Vaughn Nugent + www.vaughnnugent.com/resources + False + False + 1.0.0.1 + Essentials.EmailRegistration + AnyCPU;x64 + + + + + + true + + + + True + + + + True + + + + True + + + + True + + + + + + + + + + + + + + + PreserveNewest + + + + + + + + diff --git a/VNLib.Plugins.Essentials.Accounts/AccountValidations.cs b/VNLib.Plugins.Essentials.Accounts/AccountValidations.cs new file mode 100644 index 0000000..2c1243c --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/AccountValidations.cs @@ -0,0 +1,84 @@ + +using FluentValidation; + +using VNLib.Plugins.Extensions.Validation; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts +{ + public static class AccountValidations + { + /// + /// Central password requirement validator + /// + public static IValidator PasswordValidator { get; } = GetPassVal(); + + public static IValidator AccountDataValidator { get; } = GetAcVal(); + + + static IValidator GetPassVal() + { + InlineValidator passVal = new(); + + passVal.RuleFor(static password => password) + .NotEmpty() + .Length(min: 8, max: 100) + .Password() + .WithMessage(errorMessage: "Password does not meet minium requirements"); + + return passVal; + } + + static IValidator GetAcVal() + { + InlineValidator adv = new (); + + //Validate city + + adv.RuleFor(t => t.City) + .MaximumLength(35) + .AlphaOnly() + .When(t => t.City?.Length > 0); + + adv.RuleFor(t => t.Company) + .MaximumLength(50) + .SpecialCharacters() + .When(t => t.Company?.Length > 0); + + //Require a first and last names to be set together + adv.When(t => t.First?.Length > 0 || t.Last?.Length > 0, () => + { + adv.RuleFor(t => t.First) + .Length(1, 35) + .AlphaOnly(); + adv.RuleFor(t => t.Last) + .Length(1, 35) + .AlphaOnly(); + }); + + adv.RuleFor(t => t.PhoneNumber) + .PhoneNumber() + .When(t => t.PhoneNumber?.Length > 0) + .OverridePropertyName("Phone"); + + //State must be 2 characters for us states if set + adv.RuleFor(t => t.State) + .Length(2) + .When(t => t.State?.Length > 0); + + adv.RuleFor(t => t.Street) + .AlphaNumericOnly() + .MaximumLength(50) + .When(t => t.Street?.Length > 0); + + //Allow empty zip codes, but if one is defined, is must be less than 7 characters + adv.RuleFor(t => t.Zip) + .NumericOnly() + .MaximumLength(7) + .When(t => t.Zip?.Length > 0); + + return adv; + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/AccountsEntryPoint.cs b/VNLib.Plugins.Essentials.Accounts/AccountsEntryPoint.cs new file mode 100644 index 0000000..6e0f338 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/AccountsEntryPoint.cs @@ -0,0 +1,180 @@ +using System; +using System.Linq; +using System.Collections.Generic; + +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Accounts.Endpoints; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using VNLib.Plugins.Extensions.Loading.Routing; + +namespace VNLib.Plugins.Essentials.Accounts +{ + public sealed class AccountsEntryPoint : PluginBase + { + + public override string PluginName => "Essentials.Accounts"; + + protected override void OnLoad() + { + try + { + //Route endpoints + this.Route(); + + this.Route(); + + this.Route(); + + this.Route(); + + this.Route(); + + this.Route(); + + //Write loaded to log + Log.Information("Plugin loaded"); + } + catch (KeyNotFoundException knf) + { + Log.Error("Missing required account configuration variables {mess}", knf.Message); + } + catch (UriFormatException uri) + { + Log.Error("Invalid endpoint URI {message}", uri.Message); + } + } + + + + protected override void OnUnLoad() + { + //Write closing messsage and dispose the log + Log.Information("Plugin unloaded"); + } + + protected override async void ProcessHostCommand(string cmd) + { + //Only process commands if the plugin is in debug mode + if (!this.IsDebug()) + { + return; + } + try + { + IUserManager Users = this.GetUserManager(); + PasswordHashing Passwords = this.GetPasswords(); + + //get args as a list + List args = cmd.Split(' ').ToList(); + if (args.Count < 3) + { + Log.Warn("No command specified"); + } + switch (args[2].ToLower()) + { + //Create new user + case "create": + { + int uid = args.IndexOf("-u"); + int pwd = args.IndexOf("-p"); + if (uid < 0 || pwd < 0) + { + Log.Warn("You are missing required argument values. Format 'create -u -p '"); + return; + } + string username = args[uid + 1].Trim(); + string randomUserId = AccountManager.GetRandomUserId(); + //Password as privatestring DANGEROUS to refs + using (PrivateString password = (PrivateString)args[pwd + 1].Trim()!) + { + //Hash the password + using PrivateString passHash = Passwords.Hash(password); + //Create the user + using IUser user = await Users.CreateUserAsync(randomUserId, username, AccountManager.MINIMUM_LEVEL, passHash); + //Set active flag + user.Status = UserStatus.Active; + //Set local account + user.SetAccountOrigin(AccountManager.LOCAL_ACCOUNT_ORIGIN); + + await user.ReleaseAsync(); + } + Log.Information("Successfully created user {id}", username); + + } + break; + case "reset": + { + int uid = args.IndexOf("-u"); + int pwd = args.IndexOf("-p"); + if (uid < 0 || pwd < 0) + { + Log.Warn("You are missing required argument values. Format 'reset -u -p '"); + return; + } + string username = args[uid + 1].Trim(); + //Password as privatestring DANGEROUS to refs + using (PrivateString password = (PrivateString)args[pwd + 1].Trim()!) + { + //Hash the password + using PrivateString passHash = Passwords.Hash(password); + //Get the user + using IUser? user = await Users.GetUserFromEmailAsync(username); + + if(user == null) + { + Log.Warn("The specified user does not exist"); + break; + } + + //Set the password + await Users.UpdatePassAsync(user, passHash); + } + Log.Information("Successfully reset password for {id}", username); + } + break; + case "delete": + { + //get user-id + string userId = args[3].Trim(); + //Get user + using IUser? user = await Users.GetUserFromEmailAsync(userId); + + if (user == null) + { + Log.Warn("The specified user does not exist"); + break; + } + + //delete user + user.Delete(); + //Release user + await user.ReleaseAsync(); + } + break; + default: + Log.Warn("Uknown command"); + break; + } + } + catch (UserExistsException) + { + Log.Error("User already exists"); + } + catch(UserCreationFailedException) + { + Log.Error("Failed to create the new user"); + } + catch (ArgumentOutOfRangeException) + { + Log.Error("You are missing required command arguments"); + } + catch(Exception ex) + { + Log.Error(ex); + } + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts/Endpoints/KeepAliveEndpoint.cs b/VNLib.Plugins.Essentials.Accounts/Endpoints/KeepAliveEndpoint.cs new file mode 100644 index 0000000..eec1a33 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Endpoints/KeepAliveEndpoint.cs @@ -0,0 +1,40 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Collections.Generic; + +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Extensions.Loading; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + [ConfigurationName("keepalive_endpoint")] + internal sealed class KeepAliveEndpoint : ProtectedWebEndpoint + { + /* + * Endpoint does not use a log, so IniPathAndLog is never called + * and path verification happens verbosly + */ + public KeepAliveEndpoint(PluginBase pbase, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + + InitPathAndLog(path, pbase.Log); + } + + protected override VfReturnType Get(HttpEntity entity) + { + //Return okay + entity.CloseResponse(HttpStatusCode.OK); + return VfReturnType.VirtualSkip; + } + + //Allow post to update user's credentials + protected override VfReturnType Post(HttpEntity entity) + { + //Return okay + entity.CloseResponse(HttpStatusCode.OK); + return VfReturnType.VirtualSkip; + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts/Endpoints/LoginEndpoint.cs b/VNLib.Plugins.Essentials.Accounts/Endpoints/LoginEndpoint.cs new file mode 100644 index 0000000..0518454 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Endpoints/LoginEndpoint.cs @@ -0,0 +1,381 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; +using System.Security.Cryptography; +using System.Text.Json.Serialization; + +using VNLib.Hashing; +using VNLib.Utils; +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Utils.Extensions; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Essentials.Accounts.MFA; +using VNLib.Plugins.Essentials.Accounts.Validators; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using static VNLib.Plugins.Essentials.Statics; +using static VNLib.Plugins.Essentials.Accounts.AccountManager; + + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + + /// + /// Provides an authentication endpoint for user-accounts + /// + [ConfigurationName("login_endpoint")] + internal sealed class LoginEndpoint : UnprotectedWebEndpoint + { + public const string INVALID_MESSAGE = "Please check your email or password."; + public const string LOCKED_ACCOUNT_MESSAGE = "You have been timed out, please try again later"; + public const string MFA_ERROR_MESSAGE = "Invalid or expired request."; + + private static readonly LoginMessageValidation LmValidator = new(); + + private readonly PasswordHashing Passwords; + private readonly MFAConfig? MultiFactor; + private readonly IUserManager Users; + private readonly uint MaxFailedLogins; + private readonly TimeSpan FailedCountTimeout; + + /// + protected override ProtectionSettings EndpointProtectionSettings { get; } = new(); + + public LoginEndpoint(PluginBase pbase, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + FailedCountTimeout = config["failed_count_timeout_sec"].GetTimeSpan(TimeParseType.Seconds); + MaxFailedLogins = config["failed_count_max"].GetUInt32(); + + InitPathAndLog(path, pbase.Log); + + Passwords = pbase.GetPasswords(); + Users = pbase.GetUserManager(); + MultiFactor = pbase.GetMfaConfig(); + } + + private class MfaUpgradeWebm : ValErrWebMessage + { + [JsonPropertyName("pwtoken")] + public string? PasswordToken { get; set; } + + [JsonPropertyName("mfa")] + public bool? MultiFactorUpgrade { get; set; } = null; + } + + + protected async override ValueTask PostAsync(HttpEntity entity) + { + //Conflict if user is logged in + if (entity.LoginCookieMatches() || entity.TokenMatches()) + { + entity.CloseResponse(HttpStatusCode.Conflict); + return VfReturnType.VirtualSkip; + } + + //If mfa is enabled, allow processing via mfa + if (MultiFactor != null) + { + if (entity.QueryArgs.ContainsKey("mfa")) + { + return await ProcessMfaAsync(entity); + } + } + return await ProccesLoginAsync(entity); + } + + + private async ValueTask ProccesLoginAsync(HttpEntity entity) + { + MfaUpgradeWebm webm = new(); + try + { + //Make sure the id is regenerated (or upgraded if successful login) + entity.Session.RegenID(); + + using LoginMessage? loginMessage = await entity.GetJsonFromFileAsync(SR_OPTIONS); + + if (webm.Assert(loginMessage != null, "Invalid request data")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //validate the message + if (!LmValidator.Validate(loginMessage, webm)) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Time to get the user + using IUser? user = await Users.GetUserAndPassFromEmailAsync(loginMessage.UserName); + //Make sure account exists + if (webm.Assert(user != null, INVALID_MESSAGE)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Make sure the account has not been locked out + if (webm.Assert(!UserLoginLocked(user), LOCKED_ACCOUNT_MESSAGE)) + { + goto Cleanup; + } + + //Only allow local accounts + if (user.IsLocalAccount() && !PrivateString.IsNullOrEmpty(user.PassHash)) + { + //If login return true, the response has been set and we should return + if (LoginUser(entity, loginMessage, user, webm)) + { + goto Cleanup; + } + } + + //Inc failed login count + user.FailedLoginIncrement(); + webm.Result = INVALID_MESSAGE; + + Cleanup: + await user.ReleaseAsync(); + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + catch (UserUpdateException uue) + { + Log.Warn(uue); + return VfReturnType.Error; + } + } + + private bool LoginUser(HttpEntity entity, LoginMessage loginMessage, IUser user, MfaUpgradeWebm webm) + { + //Verify password before we tell the user the status of their account for security reasons + if (!Passwords.Verify(user.PassHash, new PrivateString(loginMessage.Password, false))) + { + return false; + } + //Reset flc for account + user.FailedLoginCount(0); + try + { + switch (user.Status) + { + case UserStatus.Active: + { + //Is the account restricted to a local network connection? + if (user.LocalOnly && !entity.IsLocalConnection) + { + Log.Information("User {uid} attempted a login from a non-local network with the correct password. Access was denied", user.UserID); + return false; + } + //Gen and store the pw secret + byte[] pwSecret = entity.Session.GenPasswordChallenge(new(loginMessage.Password, false)); + //Encrypt and convert to base64 + string clientPwSecret = EncryptSecret(loginMessage.ClientPublicKey, pwSecret); + //get the new upgrade jwt string + Tuple? message = user.MFAGetUpgradeIfEnabled(MultiFactor, loginMessage, clientPwSecret); + //if message is null, mfa was not enabled or could not be prepared + if (message != null) + { + //Store the base64 signature + entity.Session.MfaUpgradeSignature(message.Item2); + //send challenge message to client + webm.Result = message.Item1; + webm.Success = true; + webm.MultiFactorUpgrade = true; + break; + } + //Set password token + webm.PasswordToken = clientPwSecret; + //Elevate the login status of the session to reflect the user's status + webm.Token = entity.GenerateAuthorization(loginMessage, user); + //Send the Username (since they already have it) + webm.Result = new AccountData() + { + EmailAddress = user.EmailAddress, + }; + webm.Success = true; + //Write to log + Log.Verbose("Successful login for user {uid}...", user.UserID[..8]); + } + break; + default: + //This is an unhandled case, and should never happen, but just incase write a warning to the log + Log.Warn("Account {uid} has invalid status key and a login was attempted from {ip}", user.UserID, entity.TrustedRemoteIp); + return false; + } + } + /* + * Account auhorization may throw excetpions if the configuration does not + * match the client, or the client sent invalid or malicous data and + * it could not grant authorization + */ + catch (OutOfMemoryException) + { + webm.Result = "Your browser sent malformatted security information"; + } + catch (CryptographicException ce) + { + webm.Result = "Your browser sent malformatted security information"; + Log.Debug(ce); + } + return true; + } + + + private async ValueTask ProcessMfaAsync(HttpEntity entity) + { + MfaUpgradeWebm webm = new(); + //Recover request message + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + if (webm.Assert(request != null, "Invalid request data")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + //Recover upgrade jwt + string? upgradeJwt = request.RootElement.GetPropString("upgrade"); + if (webm.Assert(upgradeJwt != null, "Missing required upgrade data")) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Recover stored signature + string? storedSig = entity.Session.MfaUpgradeSignature(); + if(webm.Assert(!string.IsNullOrWhiteSpace(storedSig), MFA_ERROR_MESSAGE)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Recover upgrade data from upgrade message + if (!MultiFactor!.RecoverUpgrade(upgradeJwt, storedSig, out MFAUpgrade? upgrade)) + { + webm.Result = MFA_ERROR_MESSAGE; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //recover user account + using IUser? user = await Users.GetUserFromEmailAsync(upgrade.UserName!); + + if (webm.Assert(user != null, MFA_ERROR_MESSAGE)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Wipe session signature + entity.Session.MfaUpgradeSignature(null); + + //Make sure the account has not been locked out + if (!webm.Assert(!UserLoginLocked(user), LOCKED_ACCOUNT_MESSAGE)) + { + //process mfa login + LoginMfa(entity, user, request, upgrade, webm); + } + + //Update user on clean process + await user.ReleaseAsync(); + //Close rseponse + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + private void LoginMfa(HttpEntity entity, IUser user, JsonDocument request, MFAUpgrade upgrade, MfaUpgradeWebm webm) + { + //Recover the user's local time + DateTimeOffset localTime = request.RootElement.GetProperty("localtime").GetDateTimeOffset(); + + //Check mode + switch (upgrade.Type) + { + case MFAType.TOTP: + { + //get totp code from request + uint code = request.RootElement.GetProperty("code").GetUInt32(); + //Verify totp code + if (!MultiFactor!.VerifyTOTP(user, code)) + { + webm.Result = "Please check your code."; + //Increment flc and update the user in the store + user.FailedLoginIncrement(); + return; + } + //Valid, complete + } + break; + case MFAType.GPG: + { } + break; + default: + { + webm.Result = MFA_ERROR_MESSAGE; + } + return; + } + //build login message from upgrade + LoginMessage loginMessage = new() + { + ClientID = upgrade.ClientID, + ClientPublicKey = upgrade.Base64PubKey, + LocalLanguage = upgrade.ClientLocalLanguage, + LocalTime = localTime, + UserName = upgrade.UserName + }; + //Elevate the login status of the session to reflect the user's status + webm.Token = entity.GenerateAuthorization(loginMessage, user); + //Set the password token as the password field of the login message + webm.PasswordToken = upgrade.PwClientData; + //Send the Username (since they already have it) + webm.Result = new AccountData() + { + EmailAddress = user.EmailAddress, + }; + webm.Success = true; + //Write to log + Log.Verbose("Successful login for user {uid}...", user.UserID[..8]); + } + + private static string EncryptSecret(string pubKey, byte[] secret) + { + //Alloc buffer for secret + using IMemoryHandle buffer = Memory.SafeAlloc(4096); + //Try to encrypt the data + ERRNO count = TryEncryptClientData(pubKey, secret, buffer.Span); + //Clear secret + RandomHash.GetRandomBytes(secret); + //Convert to base64 string + return Convert.ToBase64String(buffer.Span[..(int)count]); + } + + public bool UserLoginLocked(IUser user) + { + //Recover last counter value + TimestampedCounter flc = user.FailedLoginCount(); + if(flc.Count < MaxFailedLogins) + { + //Period exceeded + return false; + } + //See if the flc timeout period has expired + if (flc.LastModified.Add(FailedCountTimeout) < DateTimeOffset.UtcNow) + { + //clear flc flag + user.FailedLoginCount(0); + return false; + } + //Count has been exceeded, and has not timed out yet + return true; + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts/Endpoints/LogoutEndpoint.cs b/VNLib.Plugins.Essentials.Accounts/Endpoints/LogoutEndpoint.cs new file mode 100644 index 0000000..c52eef5 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Endpoints/LogoutEndpoint.cs @@ -0,0 +1,34 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Collections.Generic; + +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Essentials.Endpoints; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + [ConfigurationName("logout_endpoint")] + internal class LogoutEndpoint : ProtectedWebEndpoint + { + //Use default ep protection (most strict) + + /// + protected override ProtectionSettings EndpointProtectionSettings { get; } = new(); + + + public LogoutEndpoint(PluginBase pbase, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + InitPathAndLog(path, pbase.Log); + } + + + protected override VfReturnType Post(HttpEntity entity) + { + entity.InvalidateLogin(); + entity.CloseResponse(HttpStatusCode.OK); + return VfReturnType.VirtualSkip; + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/Endpoints/MFAEndpoint.cs b/VNLib.Plugins.Essentials.Accounts/Endpoints/MFAEndpoint.cs new file mode 100644 index 0000000..be6aee3 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Endpoints/MFAEndpoint.cs @@ -0,0 +1,258 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; +using System.Text.Json.Serialization; + +using VNLib.Hashing; +using VNLib.Utils; +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Utils.Extensions; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Essentials.Accounts.MFA; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + [ConfigurationName("mfa_endpoint")] + internal sealed class MFAEndpoint : ProtectedWebEndpoint + { + public const int TOTP_URL_MAX_CHARS = 1024; + + private readonly IUserManager Users; + private readonly MFAConfig? MultiFactor; + + public MFAEndpoint(PluginBase pbase, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + InitPathAndLog(path, pbase.Log); + + Users = pbase.GetUserManager(); + MultiFactor = pbase.GetMfaConfig(); + } + + private class TOTPUpdateMessage + { + [JsonPropertyName("issuer")] + public string? Issuer { get; set; } + [JsonPropertyName("digits")] + public int Digits { get; set; } + [JsonPropertyName("period")] + public int Period { get; set; } + [JsonPropertyName("secret")] + public string? Base64EncSecret { get; set; } + [JsonPropertyName("algorithm")] + public string? Algorithm { get; set; } + } + + protected override async ValueTask GetAsync(HttpEntity entity) + { + List enabledModes = new(2); + //Load the MFA entry for the user + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + //Set the TOTP flag if set + if (!string.IsNullOrWhiteSpace(user?.MFAGetTOTPSecret())) + { + enabledModes.Add("totp"); + } + //TODO Set fido flag if enabled + if (!string.IsNullOrWhiteSpace("")) + { + enabledModes.Add("fido"); + } + //Return mfa modes as an array + entity.CloseResponseJson(HttpStatusCode.OK, enabledModes); + return VfReturnType.VirtualSkip; + } + + protected override async ValueTask PutAsync(HttpEntity entity) + { + WebMessage webm = new(); + + //Get the request message + using JsonDocument? mfaRequest = await entity.GetJsonFromFileAsync(); + if (webm.Assert(mfaRequest != null, "Invalid request")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //Get the type argument + string? mfaType = mfaRequest.RootElement.GetPropString("type"); + if (string.IsNullOrWhiteSpace(mfaType)) + { + webm.Result = "MFA type was not specified"; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + + //Make sure the user's account origin is a local account + if (webm.Assert(entity.Session.HasLocalAccount(), "Your account uses external authentication and MFA cannot be enabled")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //Make sure mfa is loaded + if (webm.Assert(MultiFactor != null, "MFA is not enabled on this server")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + //get the user's password challenge + using (PrivateString? password = (PrivateString?)mfaRequest.RootElement.GetPropString("challenge")) + { + if (PrivateString.IsNullOrEmpty(password)) + { + webm.Result = "Please check your password"; + entity.CloseResponseJson(HttpStatusCode.Unauthorized, webm); + return VfReturnType.VirtualSkip; + } + //Verify challenge + if (!entity.Session.VerifyChallenge(password)) + { + webm.Result = "Please check your password"; + entity.CloseResponseJson(HttpStatusCode.Unauthorized, webm); + return VfReturnType.VirtualSkip; + } + } + //Get the user entry + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + if (webm.Assert(user != null, "Please log-out and try again.")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + switch (mfaType.ToLower()) + { + //Process a Time based one time password(TOTP) creation/regeneration + case "totp": + { + //generate a new secret (passing the buffer which will get copied to an array because the pw bytes can be modified during encryption) + byte[] secretBuffer = user.MFAGenreateTOTPSecret(MultiFactor); + //Alloc output buffer + UnsafeMemoryHandle outputBuffer = Memory.UnsafeAlloc(4096, true); + try + { + //Encrypt the secret for the client + ERRNO count = entity.Session.TryEncryptClientData(secretBuffer, outputBuffer.Span); + if (!count) + { + webm.Result = "There was an error updating your credentials"; + //If this code is running, the client should have a valid public key stored, but log it anyway + Log.Warn("TOTP secret encryption failed, for requested user {uid}", entity.Session.UserID); + break; + } + webm.Result = new TOTPUpdateMessage() + { + Issuer = MultiFactor.IssuerName, + Digits = MultiFactor.TOTPDigits, + Period = (int)MultiFactor.TOTPPeriod.TotalSeconds, + Algorithm = MultiFactor.TOTPAlg.ToString(), + //Convert the secret to base64 string to send to client + Base64EncSecret = Convert.ToBase64String(outputBuffer.Span[..(int)count]) + }; + //set success flag + webm.Success = true; + } + finally + { + //dispose the output buffer + outputBuffer.Dispose(); + RandomHash.GetRandomBytes(secretBuffer); + } + //Only write changes to the db of operation was successful + await user.ReleaseAsync(); + } + break; + default: + webm.Result = "The server does not support the specified MFA type"; + break; + } + //Close response + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + + protected override async ValueTask PostAsync(HttpEntity entity) + { + WebMessage webm = new(); + try + { + //Check account type + if (!entity.Session.HasLocalAccount()) + { + webm.Result = "You are using external authentication. Operation failed."; + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + + //get the request + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + if (webm.Assert(request != null, "Invalid request.")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + /* + * An MFA upgrade requires a challenge to be verified because + * it can break the user's ability to access their account + */ + string? challenge = request.RootElement.GetProperty("challenge").GetString(); + string? mfaType = request.RootElement.GetProperty("type").GetString(); + if (!entity.Session.VerifyChallenge(challenge)) + { + webm.Result = "Please check your password"; + //return unauthorized + entity.CloseResponseJson(HttpStatusCode.Unauthorized, webm); + return VfReturnType.VirtualSkip; + } + //get the user + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + if (user == null) + { + return VfReturnType.NotFound; + } + //Check for totp disable + if ("totp".Equals(mfaType, StringComparison.OrdinalIgnoreCase)) + { + //Clear the TOTP secret + user.MFASetTOTPSecret(null); + //write changes + await user.ReleaseAsync(); + webm.Result = "Successfully disabled your TOTP authentication"; + webm.Success = true; + } + else if ("fido".Equals(mfaType, StringComparison.OrdinalIgnoreCase)) + { + //Clear webauthn changes + + //write changes + await user.ReleaseAsync(); + webm.Result = "Successfully disabled your FIDO authentication"; + webm.Success = true; + } + else + { + webm.Result = "Invalid MFA type"; + } + //Must write response while password is in scope + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + catch (KeyNotFoundException) + { + webm.Result = "The request was is missing required fields"; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.BadRequest; + } + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts/Endpoints/PasswordResetEndpoint.cs b/VNLib.Plugins.Essentials.Accounts/Endpoints/PasswordResetEndpoint.cs new file mode 100644 index 0000000..81bba51 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Endpoints/PasswordResetEndpoint.cs @@ -0,0 +1,116 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; + +using FluentValidation; + +using VNLib.Utils.Memory; +using VNLib.Utils.Extensions; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using VNLib.Plugins.Essentials.Endpoints; + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + + /// + /// Password reset for user's that are logged in and know + /// their passwords to reset their MFA methods + /// + [ConfigurationName("password_endpoint")] + internal sealed class PasswordChangeEndpoint : ProtectedWebEndpoint + { + private readonly IUserManager Users; + private readonly PasswordHashing Passwords; + + public PasswordChangeEndpoint(PluginBase pbase, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + InitPathAndLog(path, pbase.Log); + + Users = pbase.GetUserManager(); + Passwords = pbase.GetPasswords(); + } + + protected override async ValueTask PostAsync(HttpEntity entity) + { + ValErrWebMessage webm = new(); + //get the request body + using JsonDocument? request = await entity.GetJsonFromFileAsync(); + if (request == null) + { + webm.Result = "No request specified"; + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + //get the user's old password + using PrivateString? currentPass = (PrivateString?)request.RootElement.GetPropString("current"); + //Get password as a private string + using PrivateString? newPass = (PrivateString?)request.RootElement.GetPropString("new_password"); + if (PrivateString.IsNullOrEmpty(currentPass)) + { + webm.Result = "You must specifiy your current password."; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + if (PrivateString.IsNullOrEmpty(newPass)) + { + webm.Result = "You must specifiy a new password."; + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + //Test the password against minimum + if (!AccountValidations.PasswordValidator.Validate((string)newPass, webm)) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + if (webm.Assert(!currentPass.Equals(newPass), "Passwords cannot be the same.")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //get the user's entry in the table + using IUser? user = await Users.GetUserAndPassFromIDAsync(entity.Session.UserID); + if(webm.Assert(user != null, "An error has occured, please log-out and try again")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Make sure the account's origin is a local profile + if (webm.Assert(user.IsLocalAccount(), "External accounts cannot be modified")) + { + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Verify the user's old password + if (!Passwords.Verify(user.PassHash, currentPass)) + { + webm.Result = "Please check your current password"; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Hash the user's new password + using PrivateString newPassHash = Passwords.Hash(newPass); + //Update the user's password + if (!await Users.UpdatePassAsync(user, newPassHash)) + { + //error + webm.Result = "Your password could not be updated"; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + await user.ReleaseAsync(); + //delete the user's MFA entry so they can re-enable it + webm.Result = "Your password has been updated"; + webm.Success = true; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/Endpoints/ProfileEndpoint.cs b/VNLib.Plugins.Essentials.Accounts/Endpoints/ProfileEndpoint.cs new file mode 100644 index 0000000..c0d86b6 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Endpoints/ProfileEndpoint.cs @@ -0,0 +1,108 @@ +using System; +using System.Net; +using System.Text.Json; +using System.Threading.Tasks; +using System.Collections.Generic; + +using VNLib.Utils.Logging; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Endpoints; +using VNLib.Plugins.Essentials.Extensions; +using VNLib.Plugins.Extensions.Validation; +using VNLib.Plugins.Extensions.Loading; +using VNLib.Plugins.Extensions.Loading.Users; +using static VNLib.Plugins.Essentials.Statics; + + +namespace VNLib.Plugins.Essentials.Accounts.Endpoints +{ + /// + /// Provides an http endpoint for user account profile access + /// + [ConfigurationName("profile_endpoint")] + internal sealed class ProfileEndpoint : ProtectedWebEndpoint + { + private readonly IUserManager Users; + + public ProfileEndpoint(PluginBase pbase, IReadOnlyDictionary config) + { + string? path = config["path"].GetString(); + + InitPathAndLog(path, pbase.Log); + //Store user system + Users = pbase.GetUserManager(); + } + + protected override async ValueTask GetAsync(HttpEntity entity) + { + //get user data from database + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + //Make sure the account exists + if (user == null || user.Status != UserStatus.Active) + { + //Account was not found + entity.CloseResponse(HttpStatusCode.NotFound); + return VfReturnType.VirtualSkip; + } + //Get the stored profile + AccountData? profile = user.GetProfile(); + //No profile found, so return an empty "profile" + profile ??= new() + { + //set email address + EmailAddress = user.EmailAddress, + //created time in rfc1123 gmt time + Created = user.Created.ToString("R") + }; + //Serialize the profile and return to user + entity.CloseResponseJson(HttpStatusCode.OK, profile); + return VfReturnType.VirtualSkip; + } + protected override async ValueTask PostAsync(HttpEntity entity) + { + ValErrWebMessage webm = new(); + try + { + //Recover the update message form the client + AccountData? updateMessage = await entity.GetJsonFromFileAsync(SR_OPTIONS); + if (webm.Assert(updateMessage != null, "Malformatted payload")) + { + entity.CloseResponseJson(HttpStatusCode.BadRequest, webm); + return VfReturnType.VirtualSkip; + } + //Validate the new account data + if (!AccountValidations.AccountDataValidator.Validate(updateMessage, webm)) + { + entity.CloseResponseJson(HttpStatusCode.UnprocessableEntity, webm); + return VfReturnType.VirtualSkip; + } + //Get the user from database + using IUser? user = await Users.GetUserFromIDAsync(entity.Session.UserID); + //Make sure the user exists + if (webm.Assert(user != null, "Account does not exist")) + { + //Should probably log the user out here + entity.CloseResponseJson(HttpStatusCode.NotFound, webm); + return VfReturnType.VirtualSkip; + } + //Overwite the current profile data (will also sanitize inputs) + user.SetProfile(updateMessage); + //Update the user only if successful + await user.ReleaseAsync(); + webm.Result = "Successfully updated account"; + webm.Success = true; + entity.CloseResponse(webm); + return VfReturnType.VirtualSkip; + } + //Catch an account update exception + catch (UserUpdateException uue) + { + Log.Error(uue, "An error occured while the user account is being updated"); + //Return message to client + webm.Result = "An error occured while updating your account, try again later"; + entity.CloseResponseJson(HttpStatusCode.InternalServerError, webm); + return VfReturnType.VirtualSkip; + } + } + } +} \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts/LICENSE.txt b/VNLib.Plugins.Essentials.Accounts/LICENSE.txt new file mode 100644 index 0000000..d159169 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/LICENSE.txt @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/FidoAuthenticatorSelection.cs b/VNLib.Plugins.Essentials.Accounts/MFA/FidoAuthenticatorSelection.cs new file mode 100644 index 0000000..7e97fc7 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/FidoAuthenticatorSelection.cs @@ -0,0 +1,16 @@ +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + class FidoAuthenticatorSelection + { + [JsonPropertyName("requireResidentKey")] + public bool RequireResidentKey { get; set; } = false; + [JsonPropertyName("authenticatorAttachment")] + public string? AuthenticatorAttachment { get; set; } = "cross-platform"; + [JsonPropertyName("userVerification")] + public string? UserVerification { get; set; } = "required"; + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/FidoRegClientData.cs b/VNLib.Plugins.Essentials.Accounts/MFA/FidoRegClientData.cs new file mode 100644 index 0000000..bc05d04 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/FidoRegClientData.cs @@ -0,0 +1,16 @@ +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + internal class FidoRegClientData + { + [JsonPropertyName("challenge")] + public string? Challenge { get; set; } + [JsonPropertyName("origin")] + public string? Origin { get; set; } + [JsonPropertyName("type")] + public string? Type { get; set; } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/FidoRegistrationMessage.cs b/VNLib.Plugins.Essentials.Accounts/MFA/FidoRegistrationMessage.cs new file mode 100644 index 0000000..670eccc --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/FidoRegistrationMessage.cs @@ -0,0 +1,28 @@ +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + /// + /// Represents a fido device registration message to be sent + /// to a currently signed in user + /// + class FidoRegistrationMessage + { + [JsonPropertyName("id")] + public string? GuidUserId { get; set; } + [JsonPropertyName("challenge")] + public string? Base64Challenge { get; set; } = null; + [JsonPropertyName("timeout")] + public int Timeout { get; set; } = 60000; + [JsonPropertyName("cose_alg")] + public int CoseAlgNumber { get; set; } + [JsonPropertyName("rp_name")] + public string? SiteName { get; set; } + [JsonPropertyName("attestation")] + public string? AttestationType { get; set; } = "none"; + [JsonPropertyName("authenticatorSelection")] + public FidoAuthenticatorSelection? AuthSelection { get; set; } = new(); + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/MFAConfig.cs b/VNLib.Plugins.Essentials.Accounts/MFA/MFAConfig.cs new file mode 100644 index 0000000..8d1c2c1 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/MFAConfig.cs @@ -0,0 +1,78 @@ +using System; +using System.Linq; +using System.Text.Json; +using System.Collections.Generic; + +using VNLib.Hashing; +using VNLib.Utils.Extensions; + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + internal class MFAConfig + { + public byte[]? MFASecret { get; set; } = null; + + public bool TOTPEnabled { get; } = false; + public string? IssuerName { get; } + public TimeSpan TOTPPeriod { get; } + public HashAlg TOTPAlg { get; } + public int TOTPDigits { get; } + public int TOTPSecretBytes { get; } + public int TOTPTimeWindowSteps { get; } + + + public bool FIDOEnabled { get; } + public int FIDOChallangeSize { get; } + public int FIDOTimeout { get; } + public string? FIDOSiteName { get; } + public string? FIDOAttestationType { get; } + public FidoAuthenticatorSelection? FIDOAuthSelection { get; } + + public TimeSpan UpgradeValidFor { get; } + public int NonceLenBytes { get; } + + public MFAConfig(IReadOnlyDictionary conf) + { + UpgradeValidFor = conf["upgrade_expires_secs"].GetTimeSpan(TimeParseType.Seconds); + NonceLenBytes = conf["nonce_size"].GetInt32(); + string siteName = conf["site_name"].GetString() ?? throw new KeyNotFoundException("Missing required key 'site_name' in 'mfa' config"); + + //Totp setup + if (conf.TryGetValue("totp", out JsonElement totpEl)) + { + IReadOnlyDictionary totp = totpEl.EnumerateObject().ToDictionary(k => k.Name, k => k.Value); + + //Get totp config + IssuerName = siteName; + //Get alg name + string TOTPAlgName = totp["algorithm"].GetString()?.ToUpper() ?? throw new KeyNotFoundException("Missing required key 'algorithm' in plugin 'mfa' config"); + //Parse from enum string + TOTPAlg = Enum.Parse(TOTPAlgName); + + + TOTPDigits = totp["digits"].GetInt32(); + TOTPPeriod = TimeSpan.FromSeconds(totp["period_secs"].GetInt32()); + TOTPSecretBytes = totp["secret_size"].GetInt32(); + TOTPTimeWindowSteps = totp["window_size"].GetInt32(); + //Set enabled flag + TOTPEnabled = true; + } + //Fido setup + if(conf.TryGetValue("fido", out JsonElement fidoEl)) + { + IReadOnlyDictionary fido = fidoEl.EnumerateObject().ToDictionary(k => k.Name, k => k.Value); + FIDOChallangeSize = fido["challenge_size"].GetInt32(); + FIDOAttestationType = fido["attestation"].GetString(); + FIDOTimeout = fido["timeout"].GetInt32(); + FIDOSiteName = siteName; + //Deserailze a + if(fido.TryGetValue("authenticatorSelection", out JsonElement authSel)) + { + FIDOAuthSelection = authSel.Deserialize(); + } + //Set enabled flag + FIDOEnabled = true; + } + } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/MFAType.cs b/VNLib.Plugins.Essentials.Accounts/MFA/MFAType.cs new file mode 100644 index 0000000..31714a3 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/MFAType.cs @@ -0,0 +1,7 @@ +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + public enum MFAType + { + TOTP, FIDO, GPG + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/MFAUpgrade.cs b/VNLib.Plugins.Essentials.Accounts/MFA/MFAUpgrade.cs new file mode 100644 index 0000000..d18671e --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/MFAUpgrade.cs @@ -0,0 +1,41 @@ +using System.Text.Json.Serialization; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + internal class MFAUpgrade + { + /// + /// The login's client id specifier + /// + [JsonPropertyName("cid")] + public string? ClientID { get; set; } + /// + /// The id of the user that is requesting a login + /// + [JsonPropertyName("uname")] + public string? UserName{ get; set; } + /// + /// The of the upgrade request + /// + [JsonPropertyName("type")] + public MFAType Type { get; set; } + /// + /// The a base64 encoded string of the user's + /// public key + /// + [JsonPropertyName("pubkey")] + public string? Base64PubKey { get; set; } + /// + /// The user's specified language + /// + [JsonPropertyName("lang")] + public string? ClientLocalLanguage { get; set; } + /// + /// The encrypted password token for the client + /// + [JsonPropertyName("cd")] + public string? PwClientData { get; set; } + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/MFA/UserMFAExtensions.cs b/VNLib.Plugins.Essentials.Accounts/MFA/UserMFAExtensions.cs new file mode 100644 index 0000000..d719788 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/MFA/UserMFAExtensions.cs @@ -0,0 +1,395 @@ +using System; +using System.Linq; +using System.Text.Json; +using System.Collections.Generic; +using System.Security.Cryptography; +using System.Text.Json.Serialization; +using System.Diagnostics.CodeAnalysis; +using System.Runtime.CompilerServices; + +using VNLib.Hashing; +using VNLib.Utils; +using VNLib.Utils.Memory; +using VNLib.Utils.Logging; +using VNLib.Utils.Extensions; +using VNLib.Hashing.IdentityUtility; +using VNLib.Plugins.Essentials.Users; +using VNLib.Plugins.Essentials.Sessions; +using VNLib.Plugins.Extensions.Loading; + +namespace VNLib.Plugins.Essentials.Accounts.MFA +{ + + internal static class UserMFAExtensions + { + public const string WEBAUTHN_KEY_ENTRY = "mfa.fido"; + public const string TOTP_KEY_ENTRY = "mfa.totp"; + public const string PGP_PUB_KEY = "mfa.pgpp"; + public const string SESSION_SIG_KEY = "mfa.sig"; + + /// + /// Determines if the user account has an + /// + /// + /// True if any form of MFA is enabled for the user account + public static bool MFAEnabled(this IUser user) + { + return !(string.IsNullOrWhiteSpace(user[TOTP_KEY_ENTRY]) && string.IsNullOrWhiteSpace(user[WEBAUTHN_KEY_ENTRY])); + } + + #region totp + + /// + /// Recovers the base32 encoded TOTP secret for the current user + /// + /// + /// The base32 encoded TOTP secret, or an emtpy string (user spec) if not set + public static string MFAGetTOTPSecret(this IUser user) => user[TOTP_KEY_ENTRY]; + + /// + /// Stores or removes the current user's TOTP secret, stored in base32 format + /// + /// + /// The base32 encoded TOTP secret + public static void MFASetTOTPSecret(this IUser user, string? secret) => user[TOTP_KEY_ENTRY] = secret!; + + + /// + /// Generates/overwrites the current user's TOTP secret entry and returns a + /// byte array of the generated secret bytes + /// + /// The to modify the TOTP configuration of + /// The raw secret that was encrypted and stored in the , to send to the client + /// + public static byte[] MFAGenreateTOTPSecret(this IUser user, MFAConfig config) + { + //Generate a random key + byte[] newSecret = RandomHash.GetRandomBytes(config.TOTPSecretBytes); + //Store secret in user storage + user.MFASetTOTPSecret(VnEncoding.ToBase32String(newSecret, false)); + //return the raw secret bytes + return newSecret; + } + + /// + /// Verfies the supplied TOTP code against the current user's totp codes + /// This method should not be used for verifying TOTP codes for authentication + /// + /// The user account to verify the TOTP code against + /// The code to verify + /// A readonly referrence to the MFA configuration structure + /// True if the user has TOTP configured and code matches against its TOTP secret entry, false otherwise + /// + /// + public static bool VerifyTOTP(this MFAConfig config, IUser user, uint code) + { + //Get the base32 TOTP secret for the user and make sure its actually set + string base32Secret = user.MFAGetTOTPSecret(); + if (string.IsNullOrWhiteSpace(base32Secret)) + { + return false; + } + //Alloc buffer with zero o + using UnsafeMemoryHandle buffer = Memory.UnsafeAlloc(base32Secret.Length, true); + ERRNO count = VnEncoding.TryFromBase32Chars(base32Secret, buffer); + //Verify the TOTP using the decrypted secret + return count && VerifyTOTP(code, buffer.AsSpan(0, count), config); + } + + private static bool VerifyTOTP(uint totpCode, ReadOnlySpan userSecret, MFAConfig config) + { + //Calc hash size for allocating bufffer + int hashSize = config.TOTPAlg switch + { + HashAlg.MD5 => (160 / 8), + HashAlg.SHA1 => (160 / 8), + HashAlg.SHA512 => (512 / 8), + HashAlg.SHA384 => (384 / 8), + HashAlg.SHA256 => (256 / 8), + _ => throw new ArgumentException("Invalid hash algorithm"), + }; + //A basic attempt at a constant time TOTP verification, run the calculation a fixed number of times, regardless of the resutls + bool codeMatches = false; + + //cache current time + DateTimeOffset currentUtc = DateTimeOffset.UtcNow; + //Start the current window with the minimum window + int currenStep = -config.TOTPTimeWindowSteps; + Span stepBuffer = stackalloc byte[sizeof(long)]; + Span hashBuffer = stackalloc byte[hashSize]; + //Run the loop at least once to allow a 0 step tight window + do + { + //Calculate the window by multiplying the window by the current step, then add it to the current time offset to produce a new window + DateTimeOffset window = currentUtc.Add(config.TOTPPeriod.Multiply(currenStep)); + //calculate the time step + long timeStep = (long)Math.Floor(window.ToUnixTimeSeconds() / config.TOTPPeriod.TotalSeconds); + //try to compute the hash + _ = BitConverter.TryWriteBytes(stepBuffer, timeStep) ? 0 : throw new Exception("Failed to format TOTP time step"); + //If platform is little endian, reverse the byte order + if (BitConverter.IsLittleEndian) + { + stepBuffer.Reverse(); + } + ERRNO result = ManagedHash.ComputeHmac(userSecret, stepBuffer, hashBuffer, config.TOTPAlg); + //try to compute the hash of the time step + if (result < 1) + { + throw new OutOfMemoryException("Failed to compute TOTP time step hash because the buffer was too small"); + } + //Hash bytes + ReadOnlySpan hash = hashBuffer[..(int)result]; + //compute the TOTP code and compare it to the supplied, then store the result + codeMatches |= (totpCode == CalcTOTPCode(hash, config)); + //next step + currenStep++; + } while (currenStep <= config.TOTPTimeWindowSteps); + + return codeMatches; + } + + private static uint CalcTOTPCode(ReadOnlySpan hash, MFAConfig config) + { + //Calculate the offset, RFC defines, the lower 4 bits of the last byte in the hash output + byte offset = (byte)(hash[^1] & 0x0Fu); + + uint TOTPCode; + if (BitConverter.IsLittleEndian) + { + //Store the code components + TOTPCode = (hash[offset] & 0x7Fu) << 24 | (hash[offset + 1] & 0xFFu) << 16 | (hash[offset + 2] & 0xFFu) << 8 | hash[offset + 3] & 0xFFu; + } + else + { + //Store the code components (In reverse order for big-endian machines) + TOTPCode = (hash[offset + 3] & 0x7Fu) << 24 | (hash[offset + 2] & 0xFFu) << 16 | (hash[offset + 1] & 0xFFu) << 8 | hash[offset] & 0xFFu; + } + //calculate the modulus value + TOTPCode %= (uint)Math.Pow(10, config.TOTPDigits); + return TOTPCode; + } + + #endregion + + #region loading + + const string MFA_CONFIG_KEY = "mfa"; + + private static readonly ConditionalWeakTable> _lazyMfaConfigs = new(); + + /// + /// Gets the plugins ambient if loaded, or loads it if required. This class will + /// be unloaded when the plugin us unloaded. + /// + /// + /// The ambient + /// + /// + /// + public static MFAConfig? GetMfaConfig(this PluginBase plugin) + { + static Lazy LoadMfaConfig(PluginBase pbase) + { + //Lazy load func + MFAConfig? Load() + { + //Try to get the configuration object + IReadOnlyDictionary? conf = pbase.TryGetConfig(MFA_CONFIG_KEY); + + if (conf == null) + { + return null; + } + //Init mfa config + MFAConfig mfa = new(conf); + + //Recover secret from config and dangerous 'lazy load' + _ = pbase.TryGetSecretAsync("mfa_secret").ContinueWith(t => { + + if(t.IsFaulted) + { + pbase.Log.Error(t.Exception!.InnerException, "Failed to load MFA signing secret"); + } + else + { + mfa.MFASecret = t.Result != null ? Convert.FromBase64String(t.Result) : null; + } + }); + + return mfa; + } + //Return new lazy for + return new(Load); + } + + plugin.ThrowIfUnloaded(); + //Get/load the passwords one time only + return _lazyMfaConfigs.GetValue(plugin, LoadMfaConfig).Value; + } + + #endregion + + #region pgp + + private class PgpMfaCred + { + [JsonPropertyName("p")] + public string? SpkiPublicKey { get; set; } + + [JsonPropertyName("c")] + public string? CurveFriendlyName { get; set; } + } + + + /// + /// Gets the stored PGP public key for the user + /// + /// + /// The stored PGP signature key + public static string MFAGetPGPPubKey(this IUser user) => user[PGP_PUB_KEY]; + + public static void MFASetPGPPubKey(this IUser user, string? pubKey) => user[PGP_PUB_KEY] = pubKey!; + + public static void VerifySignedData(string data) + { + + } + + #endregion + + #region webauthn + + private static readonly IReadOnlyDictionary JWTHeader = new Dictionary + { + { "alg", "HS384" }, + { "typ" , "JWT"} + }; + + #endregion + + /// + /// Recovers a signed MFA upgrade JWT and verifies its authenticity, and confrims its not expired, + /// then recovers the upgrade mssage + /// + /// + /// The signed JWT upgrade message + /// The recovered upgrade + /// The stored base64 encoded signature from the session that requested an upgrade + /// True if the upgrade was verified, not expired, and was recovered from the signed message, false otherwise + public static bool RecoverUpgrade(this MFAConfig config, string upgradeJwtString, string base64sessionSig, [NotNullWhen(true)] out MFAUpgrade? upgrade) + { + //Verifies a jwt stored signature against the actual signature + static bool VerifyStoredSig(string base64string, ReadOnlySpan signature) + { + using UnsafeMemoryHandle buffer = Memory.UnsafeAlloc(base64string.Length, true); + //Recover base64 + ERRNO count = VnEncoding.TryFromBase64Chars(base64string, buffer.Span); + //Compare + return CryptographicOperations.FixedTimeEquals(signature, buffer.Span[..(int)count]); + } + + //Verify config secret + _ = config.MFASecret ?? throw new InvalidOperationException("MFA config is missing required upgrade signing key"); + + upgrade = null; + //Parse jwt + using JsonWebToken jwt = JsonWebToken.Parse(upgradeJwtString); + //Verify the upgrade jwt + using (HMACSHA384 hmac = new(config.MFASecret)) + { + if (!jwt.Verify(hmac)) + { + return false; + } + } + + if(!VerifyStoredSig(base64sessionSig, jwt.SignatureData)) + { + return false; + } + + //get request body + using JsonDocument doc = jwt.GetPayload(); + //Recover issued at time + DateTimeOffset iat = DateTimeOffset.FromUnixTimeMilliseconds(doc.RootElement.GetProperty("iat").GetInt64()); + //Verify its not timed out + if (iat.Add(config.UpgradeValidFor) < DateTimeOffset.UtcNow) + { + //expired + return false; + } + + //Recover the upgrade message + upgrade = doc.RootElement.GetProperty("upgrade").Deserialize(); + return upgrade != null; + } + + + /// + /// Generates an upgrade for the requested user, using the highest prirotiy method + /// + /// The message from the user requesting the login + /// A signed upgrade message the client will pass back to the server after the MFA verification + /// + public static Tuple? MFAGetUpgradeIfEnabled(this IUser user, MFAConfig? conf, LoginMessage login, string pwClientData) + { + //Webauthn config + + + //Search for totp secret entry + string base32Secret = user.MFAGetTOTPSecret(); + + //Check totp entry + if (!string.IsNullOrWhiteSpace(base32Secret)) + { + //Verify config secret + _ = conf?.MFASecret ?? throw new InvalidOperationException("MFA config is missing required upgrade signing key"); + + //setup the upgrade + MFAUpgrade upgrade = new() + { + //Set totp upgrade type + Type = MFAType.TOTP, + //Store login message details + UserName = login.UserName, + ClientID = login.ClientID, + Base64PubKey = login.ClientPublicKey, + ClientLocalLanguage = login.LocalLanguage, + PwClientData = pwClientData + }; + + //Init jwt for upgrade + return GetUpgradeMessage(upgrade, conf.MFASecret, conf.UpgradeValidFor); + } + return null; + } + + private static Tuple GetUpgradeMessage(MFAUpgrade upgrade, byte[] secret, TimeSpan expires) + { + //Add some random entropy to the upgrade message, to help prevent forgery + string entropy = RandomHash.GetRandomBase32(16); + //Init jwt + using JsonWebToken upgradeJwt = new(); + upgradeJwt.WriteHeader(JWTHeader); + //Write claims + upgradeJwt.InitPayloadClaim() + .AddClaim("iat", DateTimeOffset.UtcNow.ToUnixTimeMilliseconds()) + .AddClaim("upgrade", upgrade) + .AddClaim("type", upgrade.Type.ToString().ToLower()) + .AddClaim("expires", expires.TotalSeconds) + .AddClaim("a", entropy) + .CommitClaims(); + //Sign + using (HMACSHA384 hmc = new(secret)) + { + upgradeJwt.Sign(hmc); + } + //compile and return jwt upgrade + return new(upgradeJwt.Compile(), Convert.ToBase64String(upgradeJwt.SignatureData)); + } + + public static void MfaUpgradeSignature(this in SessionInfo session, string? base64Signature) => session[SESSION_SIG_KEY] = base64Signature!; + + public static string? MfaUpgradeSignature(this in SessionInfo session) => session[SESSION_SIG_KEY]; + } +} diff --git a/VNLib.Plugins.Essentials.Accounts/README.md b/VNLib.Plugins.Essentials.Accounts/README.md new file mode 100644 index 0000000..fd1098c --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/README.md @@ -0,0 +1,3 @@ +# VNLib.Plugins.Essentials.Accounts + +An essentials web plugin that provides endpoints for authenticating, registering, resetting, local user accounts including multi-factor authentication using TOTP (for now). \ No newline at end of file diff --git a/VNLib.Plugins.Essentials.Accounts/VNLib.Plugins.Essentials.Accounts.csproj b/VNLib.Plugins.Essentials.Accounts/VNLib.Plugins.Essentials.Accounts.csproj new file mode 100644 index 0000000..56c09bc --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/VNLib.Plugins.Essentials.Accounts.csproj @@ -0,0 +1,54 @@ + + + + net6.0 + VNLib.Plugins.Essentials.Accounts + Copyright © 2022 Vaughn Nugent + Vaughn Nugent + 1.0.1.2 + 1.0.1.2 + Accounts + AnyCPU;x64 + VNLib.Plugins.Essentials.Accounts + 1.0.1 + www.vaughnnugent.com/resources + + + + + + + true + enable + + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + + + + + + + + + + + + Always + + + + + + + + diff --git a/VNLib.Plugins.Essentials.Accounts/Validators/LoginMessageValidation.cs b/VNLib.Plugins.Essentials.Accounts/Validators/LoginMessageValidation.cs new file mode 100644 index 0000000..879dd42 --- /dev/null +++ b/VNLib.Plugins.Essentials.Accounts/Validators/LoginMessageValidation.cs @@ -0,0 +1,46 @@ +using System; + +using FluentValidation; + +using VNLib.Plugins.Extensions.Validation; + +namespace VNLib.Plugins.Essentials.Accounts.Validators +{ + + internal class LoginMessageValidation : AbstractValidator + { + public LoginMessageValidation() + { + RuleFor(static t => t.ClientID) + .Length(min: 10, max: 100) + .WithMessage(errorMessage: "Your browser is not sending required security information"); + + RuleFor(static t => t.ClientPublicKey) + .NotEmpty() + .Length(min: 50, max: 1000) + .WithMessage(errorMessage: "Your browser is not sending required security information"); + + /* Rules for user-input on passwords, set max length to avoid DOS */ + RuleFor(static t => t.Password) + .SetValidator(AccountValidations.PasswordValidator); + + //Username/email address + RuleFor(static t => t.UserName) + .Length(min: 1, max: 64) + .WithName(overridePropertyName: "Email") + .EmailAddress() + .WithName(overridePropertyName: "Email") + .IllegalCharacters() + .WithName(overridePropertyName: "Email"); + + RuleFor(static t => t.LocalLanguage) + .NotEmpty() + .IllegalCharacters() + .WithMessage(errorMessage: "Your language is not supported"); + + RuleFor(static t => t.LocalTime.ToUniversalTime()) + .Must(static time => time > DateTime.UtcNow.AddSeconds(-60) && time < DateTime.UtcNow.AddSeconds(60)) + .WithMessage(errorMessage: "Please check your system clock"); + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/Model/Route.cs b/VNLib.Plugins.Essentials.Content.Routing/Model/Route.cs new file mode 100644 index 0000000..9af42f1 --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/Model/Route.cs @@ -0,0 +1,47 @@ +using System; +using System.ComponentModel.DataAnnotations.Schema; + +using Microsoft.EntityFrameworkCore; + +using VNLib.Plugins.Extensions.Data; + +namespace VNLib.Plugins.Essentials.Content.Routing.Model +{ + [Index(nameof(Id), IsUnique = true)] + internal class Route : DbModelBase + { + public override string Id { get; set; } + public override DateTime Created { get; set; } + public override DateTime LastModified { get; set; } + + public string Hostname { get; set; } + public string MatchPath { get; set; } + [Column("Privilage")] + public long _privilage + { + get => (long)Privilage; + set => Privilage = (ulong)value; + } + [NotMapped] + public ulong Privilage { get; set; } + + public string Alternate { get; set; } + public FpRoutine Routine { get; set; } + + /// + /// The processing arguments that match the route + /// + [NotMapped] + public FileProcessArgs MatchArgs + { + get + { + return new FileProcessArgs() + { + Alternate = this.Alternate, + Routine = (FpRoutine) Routine + }; + } + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/Model/RouteStore.cs b/VNLib.Plugins.Essentials.Content.Routing/Model/RouteStore.cs new file mode 100644 index 0000000..8650f30 --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/Model/RouteStore.cs @@ -0,0 +1,44 @@ +using System; +using System.Linq; + +using Microsoft.EntityFrameworkCore; + +using VNLib.Plugins.Extensions.Data; + +namespace VNLib.Plugins.Essentials.Content.Routing.Model +{ + internal class RouteStore : DbStore + { + private readonly DbContextOptions Options; + + public RouteStore(DbContextOptions options) + { + Options = options; + } + + public override string RecordIdBuilder => Guid.NewGuid().ToString("N"); + + protected override IQueryable GetCollectionQueryBuilder(TransactionalDbContext context, params string[] constraints) + { + string hostname = constraints[0]; + return from route in context.Set() + where route.Hostname == hostname + select route; + } + + protected override IQueryable GetSingleQueryBuilder(TransactionalDbContext context, params string[] constraints) + { + string id = constraints[0]; + return from route in context.Set() + where route.Id == id + select route; + } + + public override TransactionalDbContext NewContext() => new RoutingContext(Options); + + protected override void OnRecordUpdate(Route newRecord, Route currentRecord) + { + throw new NotImplementedException(); + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/Model/RoutingContext.cs b/VNLib.Plugins.Essentials.Content.Routing/Model/RoutingContext.cs new file mode 100644 index 0000000..da62342 --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/Model/RoutingContext.cs @@ -0,0 +1,17 @@ +using System; + +using Microsoft.EntityFrameworkCore; + +using VNLib.Plugins.Extensions.Data; + +namespace VNLib.Plugins.Essentials.Content.Routing.Model +{ + internal class RoutingContext : TransactionalDbContext + { + public DbSet Routes { get; set; } + + public RoutingContext(DbContextOptions options) :base(options) + { + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/PageRouterEntry.cs b/VNLib.Plugins.Essentials.Content.Routing/PageRouterEntry.cs new file mode 100644 index 0000000..d89b0e0 --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/PageRouterEntry.cs @@ -0,0 +1,44 @@ +using System; +using System.Threading.Tasks; +using System.Collections.Generic; + +using VNLib.Utils.Logging; + +namespace VNLib.Plugins.Essentials.Content.Routing +{ + public sealed class PageRouterEntry : PluginBase, IPageRouter + { + public override string PluginName => "Essentials.Router"; + + private Router PageRouter; + public ValueTask RouteAsync(HttpEntity entity) => PageRouter.RouteAsync(entity); + + protected override void OnLoad() + { + try + { + //Init router + PageRouter = new(this); + Log.Information("Plugin loaded"); + } + catch (KeyNotFoundException knf) + { + Log.Error("Plugin failed to load, missing required configuration variables {err}", knf.Message); + } + } + + protected override void OnUnLoad() + { + Log.Information("Plugin unloaded"); + } + + protected override void ProcessHostCommand(string cmd) + { + if(cmd.Contains("reset")) + { + PageRouter?.ResetRoutes(); + Log.Information("Routing table reset"); + } + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/RouteComparer.cs b/VNLib.Plugins.Essentials.Content.Routing/RouteComparer.cs new file mode 100644 index 0000000..ed455f5 --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/RouteComparer.cs @@ -0,0 +1,53 @@ +using System.Collections.Generic; + +using VNLib.Plugins.Essentials.Content.Routing.Model; + +using static VNLib.Plugins.Essentials.Accounts.AccountManager; + +namespace VNLib.Plugins.Essentials.Content.Routing +{ + /// + /// Sorts routing rules based on closest match path/hostname routing along with privilage priority + /// + internal class RouteComparer : IComparer + { + //The idea is that hostnames without wildcards are exact, and hostnames with wildcards are "catch all" + public int Compare(Route x, Route y) + { + int val = 0; + //If x contains a wildcard in the hostname, then it is less than y + if (x.Hostname.Contains('*')) + { + val--; + } + //If y containts a wildcard, then y is less than x + if (y.Hostname.Contains('*')) + { + val++; + } + //If there was no wildcard, check paths + if (val == 0) + { + //If x containts a wildcard in the path, then x is less than y + if (x.MatchPath.Contains('*')) + { + val--; + } + //If y containts a wildcard in the path, then y is less than x + if (y.MatchPath.Contains('*')) + { + val++; + + } + } + //If hostnames and paths are stil equal, check privilage level + if (val == 0) + { + //Higher privilage routine is greater than lower privilage + val = (x.Privilage & LEVEL_MSK) > (y.Privilage & LEVEL_MSK) ? 1 : -1; + } + //If both contain (or are) wildcards, then they are equal + return val; + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/Router.cs b/VNLib.Plugins.Essentials.Content.Routing/Router.cs new file mode 100644 index 0000000..7c67f4f --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/Router.cs @@ -0,0 +1,139 @@ +using System; +using System.Linq; +using System.Buffers; +using System.Threading; +using System.Threading.Tasks; +using System.Collections.Generic; +using System.Collections.Concurrent; +using System.Collections.ObjectModel; + +using VNLib.Net.Http; +using VNLib.Utils.Logging; +using VNLib.Plugins.Extensions.Loading.Sql; +using VNLib.Plugins.Extensions.Loading.Events; +using VNLib.Plugins.Essentials.Content.Routing.Model; +using static VNLib.Plugins.Essentials.Accounts.AccountManager; + +#nullable enable + +namespace VNLib.Plugins.Essentials.Content.Routing +{ + internal class Router : IPageRouter, IIntervalScheduleable + { + private static readonly RouteComparer Comparer = new(); + + private readonly RouteStore Store; + + private readonly ConcurrentDictionary>> RouteTable; + + public Router(PluginBase plugin) + { + Store = new(plugin.GetContextOptions()); + _ = plugin.ScheduleInterval(this, TimeSpan.FromSeconds(30)); + RouteTable = new(); + } + + /// + public async ValueTask RouteAsync(HttpEntity entity) + { + ulong privilage = READ_MSK; + //Only select privilages for logged-in users + if (entity.Session.IsSet && entity.LoginCookieMatches() || entity.TokenMatches()) + { + privilage = entity.Session.Privilages; + } + //Get the routing table for the current host + ReadOnlyCollection routes = await RouteTable.GetOrAdd(entity.RequestedRoot, LoadRoutesAsync); + //Find the proper routine for the connection + return FindArgs(routes, entity.RequestedRoot.Hostname, entity.Server.Path, privilage); + } + + /// + /// Clears all cached routines from the database + /// + public void ResetRoutes() => RouteTable.Clear(); + + private async Task> LoadRoutesAsync(IWebRoot root) + { + List collection = new(); + //Load all routes + _ = await Store.GetPageAsync(collection, 0, int.MaxValue); + //Select only exact match routes, or wildcard routes + return (from r in collection + where r.Hostname.EndsWith(root.Hostname, StringComparison.OrdinalIgnoreCase) || r.Hostname == "*" + //Orderby path "specificity" longer pathts are generally more specific, so filter order + orderby r.MatchPath.Length ascending + select r) + .ToList() + .AsReadOnly(); + } + + + private static FileProcessArgs FindArgs(ReadOnlyCollection routes, string hostname, string path, ulong privilages) + { + //Rent an array to sort routes for the current user + Route[] matchArray = ArrayPool.Shared.Rent(routes.Count); + int count = 0; + //Search for routes that match + for(int i = 0; i < routes.Count; i++) + { + if(Matches(routes[i], hostname, path, privilages)) + { + //Add to sort array + matchArray[count++] = routes[i]; + } + } + //If no matches are found, return continue routine + if (count == 0) + { + //Return the array to the pool + ArrayPool.Shared.Return(matchArray); + return FileProcessArgs.Continue; + } + //Get sorting span for matches + Span found = matchArray.AsSpan(0, count); + //Sort the found rules + found.Sort(Comparer); + //Select the last element + Route selected = found[^1]; + //Return array to pool + ArrayPool.Shared.Return(matchArray); + return selected.MatchArgs; + } + + /// + /// Determines if a route can be matched to a hostname, resource path, and a + /// privilage level + /// + /// The route to test against + /// The hostname to test + /// The resource path to test + /// The privialge level to search for + /// True if the route can be matched to the resource and the privialge level + private static bool Matches(Route route, ReadOnlySpan hostname, ReadOnlySpan path, ulong privilages) + { + //Get span of hostname to stop string heap allocations during comparisons + ReadOnlySpan routineHost = route.Hostname; + ReadOnlySpan routinePath = route.MatchPath; + //Test if hostname hostname matches exactly (may be wildcard) or hostname begins with a wildcard and ends with the request hostname + bool hostMatch = routineHost.SequenceEqual(hostname) || (routineHost.Length > 1 && routineHost[0] == '*' && hostname.EndsWith(routineHost[1..])); + if (!hostMatch) + { + return false; + } + //Test if path is a wildcard, matches exactly, or if the path is a wildcard path, that the begining of the reqest path matches the routine path + bool pathMatch = routinePath == "*" || routinePath.SequenceEqual(path) || (routinePath.Length > 1 && routinePath[^1] == '*' && path.StartsWith(routinePath[..^1])); + if (!pathMatch) + { + return false; + } + //Test if the level and group privilages match for the current routine + return (privilages & LEVEL_MSK) >= (route.Privilage & LEVEL_MSK) && (route.Privilage & GROUP_MSK) == (privilages & GROUP_MSK); + } + + Task IIntervalScheduleable.OnIntervalAsync(ILogProvider log, CancellationToken cancellationToken) + { + return Task.CompletedTask; + } + } +} diff --git a/VNLib.Plugins.Essentials.Content.Routing/VNLib.Plugins.Essentials.Content.Routing.csproj b/VNLib.Plugins.Essentials.Content.Routing/VNLib.Plugins.Essentials.Content.Routing.csproj new file mode 100644 index 0000000..9d42c1e --- /dev/null +++ b/VNLib.Plugins.Essentials.Content.Routing/VNLib.Plugins.Essentials.Content.Routing.csproj @@ -0,0 +1,47 @@ + + + + net6.0 + Vaughn Nugent + 1.0.0.1 + Copyright © 2022 Vaughn Nugent + https://www.vaughnnugent.com + PageRouter + AnyCPU;x64 + + + + + + true + x64 + + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + all + runtime; build; native; contentfiles; analyzers; buildtransitive + + + + + + + + + + + + + Always + + + + + + + + diff --git a/VNLib.Plugins.Essentials.SocialOauth b/VNLib.Plugins.Essentials.SocialOauth new file mode 160000 index 0000000..c831fd9 --- /dev/null +++ b/VNLib.Plugins.Essentials.SocialOauth @@ -0,0 +1 @@ +Subproject commit c831fd93913aa856c6b5a030d5d90c7d6e72b5f4 -- cgit