garm/auth/auth.go

// Copyright 2022 Cloudbase Solutions SRL
//
//    Licensed under the Apache License, Version 2.0 (the "License"); you may
//    not use this file except in compliance with the License. You may obtain
//    a copy of the License at
//
//         http://www.apache.org/licenses/LICENSE-2.0
//
//    Unless required by applicable law or agreed to in writing, software
//    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
//    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
//    License for the specific language governing permissions and limitations
//    under the License.

package auth

import (
	"context"
	"errors"
	"fmt"
	"time"

	jwt "github.com/golang-jwt/jwt/v5"
	"github.com/nbutton23/zxcvbn-go"
	"golang.org/x/crypto/bcrypt"

	runnerErrors "github.com/cloudbase/garm-provider-common/errors"
	"github.com/cloudbase/garm-provider-common/util"
	"github.com/cloudbase/garm/config"
	"github.com/cloudbase/garm/database/common"
	"github.com/cloudbase/garm/params"
)

func NewAuthenticator(cfg config.JWTAuth, store common.Store) *Authenticator {
	return &Authenticator{
		cfg:   cfg,
		store: store,
	}
}

type Authenticator struct {
	store common.Store
	cfg   config.JWTAuth
}

func (a *Authenticator) IsInitialized() bool {
	return a.store.HasAdminUser(context.Background())
}

func (a *Authenticator) GetJWTToken(ctx context.Context) (string, error) {
	tokenID, err := util.GetRandomString(16)
	if err != nil {
		return "", fmt.Errorf("error generating random string: %w", err)
	}
	expireToken := time.Now().Add(a.cfg.TimeToLive.Duration())
	expires := &jwt.NumericDate{
		Time: expireToken,
	}
	generation := PasswordGeneration(ctx)
	claims := JWTClaims{
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: expires,
			// nolint:golangci-lint,godox
			// TODO: make this configurable
			Issuer: "garm",
		},
		UserID:     UserID(ctx),
		TokenID:    tokenID,
		IsAdmin:    IsAdmin(ctx),
		FullName:   FullName(ctx),
		Generation: generation,
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString([]byte(a.cfg.Secret))
	if err != nil {
		return "", fmt.Errorf("error fetching token string: %w", err)
	}

	return tokenString, nil
}

// GetJWTMetricsToken returns a JWT token that can be used to read metrics.
// This token is not tied to a user, no user is stored in the db.
func (a *Authenticator) GetJWTMetricsToken(ctx context.Context) (string, error) {
	if !IsAdmin(ctx) {
		return "", runnerErrors.ErrUnauthorized
	}

	tokenID, err := util.GetRandomString(16)
	if err != nil {
		return "", fmt.Errorf("error generating random string: %w", err)
	}
	// nolint:golangci-lint,godox
	// TODO: currently this is the same TTL as the normal Token
	// maybe we should make this configurable
	// it's usually pretty nasty if the monitoring fails because the token expired
	expireToken := time.Now().Add(a.cfg.TimeToLive.Duration())
	expires := &jwt.NumericDate{
		Time: expireToken,
	}
	claims := JWTClaims{
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: expires,
			// nolint:golangci-lint,godox
			// TODO: make this configurable
			Issuer: "garm",
		},
		TokenID:     tokenID,
		IsAdmin:     false,
		ReadMetrics: true,
	}
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString([]byte(a.cfg.Secret))
	if err != nil {
		return "", fmt.Errorf("error fetching token string: %w", err)
	}

	return tokenString, nil
}

func (a *Authenticator) InitController(ctx context.Context, param params.NewUserParams) (params.User, error) {
	_, err := a.store.ControllerInfo()
	if err != nil {
		if !errors.Is(err, runnerErrors.ErrNotFound) {
			return params.User{}, fmt.Errorf("error initializing controller: %w", err)
		}
	}
	if a.store.HasAdminUser(ctx) {
		return params.User{}, runnerErrors.ErrNotFound
	}

	if param.Email == "" || param.Username == "" {
		return params.User{}, runnerErrors.NewBadRequestError("missing username or email")
	}

	if !util.IsValidEmail(param.Email) {
		return params.User{}, runnerErrors.NewBadRequestError("invalid email address")
	}

	// username is varchar(64)
	if len(param.Username) > 64 || !util.IsAlphanumeric(param.Username) {
		return params.User{}, runnerErrors.NewBadRequestError("invalid username")
	}

	param.IsAdmin = true
	param.Enabled = true

	passwordStenght := zxcvbn.PasswordStrength(param.Password, nil)
	if passwordStenght.Score < 4 {
		return params.User{}, runnerErrors.NewBadRequestError("password is too weak")
	}

	hashed, err := util.PaswsordToBcrypt(param.Password)
	if err != nil {
		return params.User{}, fmt.Errorf("error creating user: %w", err)
	}

	param.Password = hashed

	return a.store.CreateUser(ctx, param)
}

func (a *Authenticator) AuthenticateUser(ctx context.Context, info params.PasswordLoginParams) (context.Context, error) {
	if info.Username == "" || info.Password == "" {
		return ctx, runnerErrors.ErrUnauthorized
	}

	user, err := a.store.GetUser(ctx, info.Username)
	if err != nil {
		if errors.Is(err, runnerErrors.ErrNotFound) {
			return ctx, runnerErrors.ErrUnauthorized
		}
		return ctx, fmt.Errorf("error authenticating: %w", err)
	}

	if !user.Enabled {
		return ctx, runnerErrors.ErrUnauthorized
	}

	if user.Password == "" {
		return ctx, runnerErrors.ErrUnauthorized
	}

	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(info.Password)); err != nil {
		return ctx, runnerErrors.ErrUnauthorized
	}

	return PopulateContext(ctx, user, nil), nil
}
Add license headers 2022-05-05 13:25:50 +00:00			`// Copyright 2022 Cloudbase Solutions SRL`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License"); you may`
			`// not use this file except in compliance with the License. You may obtain`
			`// a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT`
			`// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the`
			`// License for the specific language governing permissions and limitations`
			`// under the License.`

Add some basic auth 2022-04-28 16:13:20 +00:00			`package auth`

			`import (`
			`"context"`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`"errors"`
			`"fmt"`
Add some basic auth 2022-04-28 16:13:20 +00:00			`"time"`

fix: gci section warnings Signed-off-by: Mario Constanti <mario.constanti@mercedes-benz.com> 2024-02-22 07:31:51 +01:00			`jwt "github.com/golang-jwt/jwt/v5"`
			`"github.com/nbutton23/zxcvbn-go"`
			`"golang.org/x/crypto/bcrypt"`

Move errors to external package Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-07-22 22:26:47 +00:00			`runnerErrors "github.com/cloudbase/garm-provider-common/errors"`
Move most of util package Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-07-22 22:39:17 +00:00			`"github.com/cloudbase/garm-provider-common/util"`
Rename module This change renames the module from "garm" to "github.com/cloudbase/garm". This will make it easier to consume public functions defined in garm, by external applications, without having to resort to replace. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-03-12 16:01:49 +02:00			`"github.com/cloudbase/garm/config"`
			`"github.com/cloudbase/garm/database/common"`
			`"github.com/cloudbase/garm/params"`
Add some basic auth 2022-04-28 16:13:20 +00:00			`)`

			`func NewAuthenticator(cfg config.JWTAuth, store common.Store) *Authenticator {`
			`return &Authenticator{`
			`cfg: cfg,`
			`store: store,`
			`}`
			`}`

			`type Authenticator struct {`
			`store common.Store`
			`cfg config.JWTAuth`
			`}`

			`func (a *Authenticator) IsInitialized() bool {`
Fixed a bunch of linting issues Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-01-20 22:19:54 +02:00			`return a.store.HasAdminUser(context.Background())`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`

			`func (a *Authenticator) GetJWTToken(ctx context.Context) (string, error) {`
			`tokenID, err := util.GetRandomString(16)`
			`if err != nil {`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return "", fmt.Errorf("error generating random string: %w", err)`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`
Update to latest jwt Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-12-18 16:06:03 +00:00			`expireToken := time.Now().Add(a.cfg.TimeToLive.Duration())`
			`expires := &jwt.NumericDate{`
			`Time: expireToken,`
			`}`
Refactor the websocket client and add fixes The websocket client and hub interaction has been simplified a bit. The hub now acts only as a tee writer to the various clients that register. Clients must register and unregister explicitly. The hub is no longer passed in to the client. Websocket clients now watch for password changes or jwt token expiration times. Clients are disconnected if auth token expires or if the password is changed. Various aditional safety checks have been added. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2024-07-02 22:26:12 +00:00			`generation := PasswordGeneration(ctx)`
Add some basic auth 2022-04-28 16:13:20 +00:00			`claims := JWTClaims{`
Update to latest jwt Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-12-18 16:06:03 +00:00			`RegisteredClaims: jwt.RegisteredClaims{`
			`ExpiresAt: expires,`
fix: godoc linter warnings (TODOs) Signed-off-by: Mario Constanti <mario.constanti@mercedes-benz.com> 2024-02-22 09:30:20 +01:00			`// nolint:golangci-lint,godox`
Add some basic auth 2022-04-28 16:13:20 +00:00			`// TODO: make this configurable`
Rename project to garm Project renamed to garm (Github Actions Runner Manager) 2022-05-04 11:44:10 +00:00			`Issuer: "garm",`
Add some basic auth 2022-04-28 16:13:20 +00:00			`},`
Refactor the websocket client and add fixes The websocket client and hub interaction has been simplified a bit. The hub now acts only as a tee writer to the various clients that register. Clients must register and unregister explicitly. The hub is no longer passed in to the client. Websocket clients now watch for password changes or jwt token expiration times. Clients are disconnected if auth token expires or if the password is changed. Various aditional safety checks have been added. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2024-07-02 22:26:12 +00:00			`UserID: UserID(ctx),`
			`TokenID: tokenID,`
			`IsAdmin: IsAdmin(ctx),`
			`FullName: FullName(ctx),`
			`Generation: generation,`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`
			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString([]byte(a.cfg.Secret))`
			`if err != nil {`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return "", fmt.Errorf("error fetching token string: %w", err)`
feat: add prometheus metrics & endpoint 2023-01-17 17:32:28 +01:00			`}`

			`return tokenString, nil`
			`}`

			`// GetJWTMetricsToken returns a JWT token that can be used to read metrics.`
			`// This token is not tied to a user, no user is stored in the db.`
			`func (a *Authenticator) GetJWTMetricsToken(ctx context.Context) (string, error) {`
metrics: fix review findings 2023-01-26 14:02:53 +01:00			`if !IsAdmin(ctx) {`
			`return "", runnerErrors.ErrUnauthorized`
			`}`

feat: add prometheus metrics & endpoint 2023-01-17 17:32:28 +01:00			`tokenID, err := util.GetRandomString(16)`
			`if err != nil {`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return "", fmt.Errorf("error generating random string: %w", err)`
feat: add prometheus metrics & endpoint 2023-01-17 17:32:28 +01:00			`}`
fix: godoc linter warnings (TODOs) Signed-off-by: Mario Constanti <mario.constanti@mercedes-benz.com> 2024-02-22 09:30:20 +01:00			`// nolint:golangci-lint,godox`
feat: add prometheus metrics & endpoint 2023-01-17 17:32:28 +01:00			`// TODO: currently this is the same TTL as the normal Token`
			`// maybe we should make this configurable`
			`// it's usually pretty nasty if the monitoring fails because the token expired`
Update to latest jwt Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-12-18 16:06:03 +00:00			`expireToken := time.Now().Add(a.cfg.TimeToLive.Duration())`
			`expires := &jwt.NumericDate{`
			`Time: expireToken,`
			`}`
feat: add prometheus metrics & endpoint 2023-01-17 17:32:28 +01:00			`claims := JWTClaims{`
Update to latest jwt Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2023-12-18 16:06:03 +00:00			`RegisteredClaims: jwt.RegisteredClaims{`
			`ExpiresAt: expires,`
fix: godoc linter warnings (TODOs) Signed-off-by: Mario Constanti <mario.constanti@mercedes-benz.com> 2024-02-22 09:30:20 +01:00			`// nolint:golangci-lint,godox`
feat: add prometheus metrics & endpoint 2023-01-17 17:32:28 +01:00			`// TODO: make this configurable`
			`Issuer: "garm",`
			`},`
			`TokenID: tokenID,`
			`IsAdmin: false,`
			`ReadMetrics: true,`
			`}`
			`token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`tokenString, err := token.SignedString([]byte(a.cfg.Secret))`
			`if err != nil {`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return "", fmt.Errorf("error fetching token string: %w", err)`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`

			`return tokenString, nil`
			`}`

			`func (a *Authenticator) InitController(ctx context.Context, param params.NewUserParams) (params.User, error) {`
			`_, err := a.store.ControllerInfo()`
			`if err != nil {`
			`if !errors.Is(err, runnerErrors.ErrNotFound) {`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return params.User{}, fmt.Errorf("error initializing controller: %w", err)`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`
			`}`
			`if a.store.HasAdminUser(ctx) {`
			`return params.User{}, runnerErrors.ErrNotFound`
			`}`

			`if param.Email == "" \|\| param.Username == "" {`
			`return params.User{}, runnerErrors.NewBadRequestError("missing username or email")`
			`}`

			`if !util.IsValidEmail(param.Email) {`
			`return params.User{}, runnerErrors.NewBadRequestError("invalid email address")`
			`}`

			`// username is varchar(64)`
			`if len(param.Username) > 64 \|\| !util.IsAlphanumeric(param.Username) {`
			`return params.User{}, runnerErrors.NewBadRequestError("invalid username")`
			`}`

			`param.IsAdmin = true`
			`param.Enabled = true`

			`passwordStenght := zxcvbn.PasswordStrength(param.Password, nil)`
			`if passwordStenght.Score < 4 {`
			`return params.User{}, runnerErrors.NewBadRequestError("password is too weak")`
			`}`

			`hashed, err := util.PaswsordToBcrypt(param.Password)`
			`if err != nil {`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return params.User{}, fmt.Errorf("error creating user: %w", err)`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`

			`param.Password = hashed`

			`return a.store.CreateUser(ctx, param)`
			`}`

			`func (a *Authenticator) AuthenticateUser(ctx context.Context, info params.PasswordLoginParams) (context.Context, error) {`
Slight cleanup * added interface for the github client. This will help mocking it out for testing. * removed some unused code * moved some code around Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2022-07-07 16:48:00 +00:00			`if info.Username == "" \|\| info.Password == "" {`
Add some basic auth 2022-04-28 16:13:20 +00:00			`return ctx, runnerErrors.ErrUnauthorized`
			`}`

			`user, err := a.store.GetUser(ctx, info.Username)`
			`if err != nil {`
Add more CLI commands 2022-05-03 12:40:59 +00:00			`if errors.Is(err, runnerErrors.ErrNotFound) {`
Add some basic auth 2022-04-28 16:13:20 +00:00			`return ctx, runnerErrors.ErrUnauthorized`
			`}`
Switch to fmt.Errorf Replace all instances of errors.Wrap() with fmt.Errorf. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2025-08-16 19:31:58 +00:00			`return ctx, fmt.Errorf("error authenticating: %w", err)`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`
Slight cleanup * added interface for the github client. This will help mocking it out for testing. * removed some unused code * moved some code around Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2022-07-07 16:48:00 +00:00
Add some basic auth 2022-04-28 16:13:20 +00:00			`if !user.Enabled {`
			`return ctx, runnerErrors.ErrUnauthorized`
			`}`

			`if user.Password == "" {`
			`return ctx, runnerErrors.ErrUnauthorized`
			`}`

			`if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(info.Password)); err != nil {`
			`return ctx, runnerErrors.ErrUnauthorized`
			`}`

Refactor the websocket client and add fixes The websocket client and hub interaction has been simplified a bit. The hub now acts only as a tee writer to the various clients that register. Clients must register and unregister explicitly. The hub is no longer passed in to the client. Websocket clients now watch for password changes or jwt token expiration times. Clients are disconnected if auth token expires or if the password is changed. Various aditional safety checks have been added. Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com> 2024-07-02 22:26:12 +00:00			`return PopulateContext(ctx, user, nil), nil`
Add some basic auth 2022-04-28 16:13:20 +00:00			`}`