aerogramme/src/login/static_provider.rs

use std::collections::HashMap;
use std::sync::Arc;
use std::path::PathBuf;

use anyhow::{anyhow, bail, Result};
use async_trait::async_trait;

use crate::config::*;
use crate::cryptoblob::{Key, SecretKey};
use crate::login::*;
use crate::storage;

pub struct StaticLoginProvider {
    user_list: PathBuf,
    users: HashMap<String, Arc<UserEntry>>,
    users_by_email: HashMap<String, Arc<UserEntry>>,
}

impl StaticLoginProvider {
    pub fn new(config: LoginStaticConfig) -> Result<Self> {
        let mut lp = Self {
            user_list: config.user_list.clone(),
            users: HashMap::new(),
            users_by_email: HashMap::new(),
        };

        lp
            .update_user_list()
            .context(
                format!(
                    "failed to read {:?}, make sure it exists and it's correctly formatted", 
                    config.user_list))?;

        Ok(lp)
    }

    pub fn update_user_list(&mut self) -> Result<()> {
        let ulist: UserList = read_config(self.user_list.clone())?;

        self.users = ulist
            .into_iter()
            .map(|(k, v)| (k, Arc::new(v)))
            .collect::<HashMap<_, _>>();

        self.users_by_email.clear();
        for (_, u) in self.users.iter() {
            for m in u.email_addresses.iter() {
                if self.users_by_email.contains_key(m) {
                    bail!("Several users have same email address: {}", m);
                }
                self.users_by_email.insert(m.clone(), u.clone());
            }
        }
        Ok(())
    }
}

#[async_trait]
impl LoginProvider for StaticLoginProvider {
    async fn login(&self, username: &str, password: &str) -> Result<Credentials> {
        tracing::debug!(user=%username, "login");
        let user = match self.users.get(username) {
            None => bail!("User {} does not exist", username),
            Some(u) => u,
        };

        tracing::debug!(user=%username, "verify password");
        if !verify_password(password, &user.password)? {
            bail!("Wrong password");
        }

        tracing::debug!(user=%username, "fetch keys");
        let storage: storage::Builders = match &user.storage {
            StaticStorage::InMemory => Box::new(storage::in_memory::FullMem {}),
            StaticStorage::Garage(grgconf) => Box::new(storage::garage::GrgCreds {
                region: grgconf.aws_region.clone(),
                k2v_endpoint: grgconf.k2v_endpoint.clone(),
                s3_endpoint: grgconf.s3_endpoint.clone(),
                aws_access_key_id: grgconf.aws_access_key_id.clone(),
                aws_secret_access_key: grgconf.aws_secret_access_key.clone(),
                bucket: grgconf.bucket.clone(),
            }),
        };

        let keys = match &user.crypto_root { /*(&user.master_key, &user.secret_key) {*/
            CryptographyRoot::ClearText { master_key: m, secret_key: s } => {
                let master_key =
                    Key::from_slice(&base64::decode(m)?).ok_or(anyhow!("Invalid master key"))?;
                let secret_key = SecretKey::from_slice(&base64::decode(s)?)
                    .ok_or(anyhow!("Invalid secret key"))?;
                CryptoKeys::open_without_password(&storage, &master_key, &secret_key).await?
            }
            CryptographyRoot::PasswordProtected { root_blob } => {
                CryptoKeys::open(password, root_blob).await?
            }
            CryptographyRoot::Keyring => unimplemented!(),
        };

        tracing::debug!(user=%username, "logged");
        Ok(Credentials { storage, keys })
    }

    async fn public_login(&self, email: &str) -> Result<PublicCredentials> {
        let user = match self.users_by_email.get(email) {
            None => bail!("No user for email address {}", email),
            Some(u) => u,
        };

        let storage: storage::Builders = match &user.storage {
            StaticStorage::InMemory => Box::new(storage::in_memory::FullMem {}),
            StaticStorage::Garage(grgconf) => Box::new(storage::garage::GrgCreds {
                region: grgconf.aws_region.clone(),
                k2v_endpoint: grgconf.k2v_endpoint.clone(),
                s3_endpoint: grgconf.s3_endpoint.clone(),
                aws_access_key_id: grgconf.aws_access_key_id.clone(),
                aws_secret_access_key: grgconf.aws_secret_access_key.clone(),
                bucket: grgconf.bucket.clone(),
            }),
        };

        let k2v_client = storage.row_store()?;
        let (_, public_key) = CryptoKeys::load_salt_and_public(&k2v_client).await?;

        Ok(PublicCredentials {
            storage,
            public_key,
        })
    }
}

pub fn hash_password(password: &str) -> Result<String> {
    use argon2::{
        password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
        Argon2,
    };
    let salt = SaltString::generate(&mut OsRng);
    let argon2 = Argon2::default();
    Ok(argon2
        .hash_password(password.as_bytes(), &salt)
        .map_err(|e| anyhow!("Argon2 error: {}", e))?
        .to_string())
}

pub fn verify_password(password: &str, hash: &str) -> Result<bool> {
    use argon2::{
        password_hash::{PasswordHash, PasswordVerifier},
        Argon2,
    };
    let parsed_hash =
        PasswordHash::new(hash).map_err(|e| anyhow!("Invalid hashed password: {}", e))?;
    Ok(Argon2::default()
        .verify_password(password.as_bytes(), &parsed_hash)
        .is_ok())
}
More construction of things 2022-05-19 10:10:48 +00:00			`use std::collections::HashMap;`
Implement public_login 2022-05-31 13:30:32 +00:00			`use std::sync::Arc;`
WIP refactor 2023-12-06 19:57:25 +00:00			`use std::path::PathBuf;`
More construction of things 2022-05-19 10:10:48 +00:00
			`use anyhow::{anyhow, bail, Result};`
			`use async_trait::async_trait;`

			`use crate::config::*;`
Some refactoring 2022-05-19 12:33:49 +00:00			`use crate::cryptoblob::{Key, SecretKey};`
More construction of things 2022-05-19 10:10:48 +00:00			`use crate::login::*;`
integrate storage choice in config 2023-11-17 15:42:25 +00:00			`use crate::storage;`
More construction of things 2022-05-19 10:10:48 +00:00
			`pub struct StaticLoginProvider {`
WIP refactor 2023-12-06 19:57:25 +00:00			`user_list: PathBuf,`
			`users: HashMap<String, Arc<UserEntry>>,`
			`users_by_email: HashMap<String, Arc<UserEntry>>,`
More construction of things 2022-05-19 10:10:48 +00:00			`}`

			`impl StaticLoginProvider {`
WIP provider config 2023-11-17 17:46:22 +00:00			`pub fn new(config: LoginStaticConfig) -> Result<Self> {`
WIP refactor 2023-12-06 19:57:25 +00:00			`let mut lp = Self {`
rework static login provider 2023-12-08 17:13:00 +00:00			`user_list: config.user_list.clone(),`
WIP refactor 2023-12-06 19:57:25 +00:00			`users: HashMap::new(),`
			`users_by_email: HashMap::new(),`
			`};`

rework static login provider 2023-12-08 17:13:00 +00:00			`lp`
			`.update_user_list()`
			`.context(`
			`format!(`
			`"failed to read {:?}, make sure it exists and it's correctly formatted",`
			`config.user_list))?;`
WIP refactor 2023-12-06 19:57:25 +00:00
			`Ok(lp)`
			`}`

			`pub fn update_user_list(&mut self) -> Result<()> {`
now compile again 2023-12-08 14:23:50 +00:00			`let ulist: UserList = read_config(self.user_list.clone())?;`
WIP refactor 2023-12-06 19:57:25 +00:00
rework static login provider 2023-12-08 17:13:00 +00:00			`self.users = ulist`
Implement public_login 2022-05-31 13:30:32 +00:00			`.into_iter()`
			`.map(\|(k, v)\| (k, Arc::new(v)))`
			`.collect::<HashMap<_, _>>();`
rework static login provider 2023-12-08 17:13:00 +00:00
			`self.users_by_email.clear();`
			`for (_, u) in self.users.iter() {`
Implement public_login 2022-05-31 13:30:32 +00:00			`for m in u.email_addresses.iter() {`
rework static login provider 2023-12-08 17:13:00 +00:00			`if self.users_by_email.contains_key(m) {`
Implement public_login 2022-05-31 13:30:32 +00:00			`bail!("Several users have same email address: {}", m);`
			`}`
rework static login provider 2023-12-08 17:13:00 +00:00			`self.users_by_email.insert(m.clone(), u.clone());`
Implement public_login 2022-05-31 13:30:32 +00:00			`}`
			`}`
WIP refactor 2023-12-06 19:57:25 +00:00			`Ok(())`
More construction of things 2022-05-19 10:10:48 +00:00			`}`
			`}`

			`#[async_trait]`
			`impl LoginProvider for StaticLoginProvider {`
			`async fn login(&self, username: &str, password: &str) -> Result<Credentials> {`
WIP login 2022-06-03 12:00:19 +00:00			`tracing::debug!(user=%username, "login");`
Implement public_login 2022-05-31 13:30:32 +00:00			`let user = match self.users.get(username) {`
More construction of things 2022-05-19 10:10:48 +00:00			`None => bail!("User {} does not exist", username),`
Implement public_login 2022-05-31 13:30:32 +00:00			`Some(u) => u,`
			`};`
Some refactoring 2022-05-19 12:33:49 +00:00
Add LMTP support 2022-06-15 16:40:39 +00:00			`tracing::debug!(user=%username, "verify password");`
Implement public_login 2022-05-31 13:30:32 +00:00			`if !verify_password(password, &user.password)? {`
			`bail!("Wrong password");`
			`}`
Add LMTP support 2022-06-15 16:40:39 +00:00
			`tracing::debug!(user=%username, "fetch keys");`
it compiles! 2023-11-23 16:19:35 +00:00			`let storage: storage::Builders = match &user.storage {`
WIP provider config 2023-11-17 17:46:22 +00:00			`StaticStorage::InMemory => Box::new(storage::in_memory::FullMem {}),`
it compiles! 2023-11-23 16:19:35 +00:00			`StaticStorage::Garage(grgconf) => Box::new(storage::garage::GrgCreds {`
			`region: grgconf.aws_region.clone(),`
			`k2v_endpoint: grgconf.k2v_endpoint.clone(),`
			`s3_endpoint: grgconf.s3_endpoint.clone(),`
			`aws_access_key_id: grgconf.aws_access_key_id.clone(),`
			`aws_secret_access_key: grgconf.aws_secret_access_key.clone(),`
			`bucket: grgconf.bucket.clone(),`
			`}),`
WIP provider config 2023-11-17 17:46:22 +00:00			`};`

now compile again 2023-12-08 14:23:50 +00:00			`let keys = match &user.crypto_root { /(&user.master_key, &user.secret_key) {/`
WIP 2023-12-12 08:17:59 +00:00			`CryptographyRoot::ClearText { master_key: m, secret_key: s } => {`
Implement public_login 2022-05-31 13:30:32 +00:00			`let master_key =`
			`Key::from_slice(&base64::decode(m)?).ok_or(anyhow!("Invalid master key"))?;`
			`let secret_key = SecretKey::from_slice(&base64::decode(s)?)`
			`.ok_or(anyhow!("Invalid secret key"))?;`
			`CryptoKeys::open_without_password(&storage, &master_key, &secret_key).await?`
More construction of things 2022-05-19 10:10:48 +00:00			`}`
WIP 2023-12-12 08:17:59 +00:00			`CryptographyRoot::PasswordProtected { root_blob } => {`
			`CryptoKeys::open(password, root_blob).await?`
Implement public_login 2022-05-31 13:30:32 +00:00			`}`
WIP refactor 2023-12-06 19:57:25 +00:00			`CryptographyRoot::Keyring => unimplemented!(),`
Implement public_login 2022-05-31 13:30:32 +00:00			`};`

Add LMTP support 2022-06-15 16:40:39 +00:00			`tracing::debug!(user=%username, "logged");`
Implement public_login 2022-05-31 13:30:32 +00:00			`Ok(Credentials { storage, keys })`
			`}`

			`async fn public_login(&self, email: &str) -> Result<PublicCredentials> {`
			`let user = match self.users_by_email.get(email) {`
			`None => bail!("No user for email address {}", email),`
			`Some(u) => u,`
			`};`

it compiles! 2023-11-23 16:19:35 +00:00			`let storage: storage::Builders = match &user.storage {`
various fixes 2023-11-23 14:16:44 +00:00			`StaticStorage::InMemory => Box::new(storage::in_memory::FullMem {}),`
it compiles! 2023-11-23 16:19:35 +00:00			`StaticStorage::Garage(grgconf) => Box::new(storage::garage::GrgCreds {`
			`region: grgconf.aws_region.clone(),`
			`k2v_endpoint: grgconf.k2v_endpoint.clone(),`
			`s3_endpoint: grgconf.s3_endpoint.clone(),`
			`aws_access_key_id: grgconf.aws_access_key_id.clone(),`
			`aws_secret_access_key: grgconf.aws_secret_access_key.clone(),`
			`bucket: grgconf.bucket.clone(),`
			`}),`
Implement public_login 2022-05-31 13:30:32 +00:00			`};`

various fixes 2023-11-23 14:16:44 +00:00			`let k2v_client = storage.row_store()?;`
Implement public_login 2022-05-31 13:30:32 +00:00			`let (_, public_key) = CryptoKeys::load_salt_and_public(&k2v_client).await?;`

			`Ok(PublicCredentials {`
			`storage,`
			`public_key,`
			`})`
More construction of things 2022-05-19 10:10:48 +00:00			`}`
			`}`
CLI skeleton 2022-05-19 13:14:36 +00:00
implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`pub fn hash_password(password: &str) -> Result<String> {`
			`use argon2::{`
			`password_hash::{rand_core::OsRng, PasswordHasher, SaltString},`
			`Argon2,`
			`};`
			`let salt = SaltString::generate(&mut OsRng);`
			`let argon2 = Argon2::default();`
			`Ok(argon2`
			`.hash_password(password.as_bytes(), &salt)`
			`.map_err(\|e\| anyhow!("Argon2 error: {}", e))?`
			`.to_string())`
CLI skeleton 2022-05-19 13:14:36 +00:00			`}`

implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`pub fn verify_password(password: &str, hash: &str) -> Result<bool> {`
			`use argon2::{`
Implement some crypto 2022-05-20 10:49:53 +00:00			`password_hash::{PasswordHash, PasswordVerifier},`
implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`Argon2,`
			`};`
			`let parsed_hash =`
clippy lint fix 2023-05-15 16:23:23 +00:00			`PasswordHash::new(hash).map_err(\|e\| anyhow!("Invalid hashed password: {}", e))?;`
implement hash_password and verify_password 2022-05-20 09:45:13 +00:00			`Ok(Argon2::default()`
			`.verify_password(password.as_bytes(), &parsed_hash)`
			`.is_ok())`
CLI skeleton 2022-05-19 13:14:36 +00:00			`}`