rat-0006: Initial implementation for auth in server and web

.gitignore

@@ -1,5 +1,3 @@
-
-
 logs.log
 content
 test-graph
@@ -17,7 +15,6 @@ fe/target
 # Icon must end with two \r
 Icon
 
-
 # Thumbnails
 ._*
 

src/go.mod

@@ -7,13 +7,16 @@ require (
 	github.com/fatih/color v1.15.0
 	github.com/go-git/go-git/v5 v5.8.1
 	github.com/gofrs/uuid v4.2.0+incompatible
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/gomarkdown/markdown v0.0.0-20230922105210-14b16010c2ee
 	github.com/google/go-cmp v0.5.9
 	github.com/gorilla/mux v1.8.0
+	github.com/mitchellh/mapstructure v1.5.0
 	github.com/pkg/errors v0.9.1
 	github.com/sahilm/fuzzy v0.1.0
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
+	golang.org/x/crypto v0.12.0
 	gopkg.in/validator.v2 v2.0.1
 	gopkg.in/yaml.v2 v2.4.0
 )
@@ -62,10 +65,9 @@ require (
 	github.com/stretchr/testify v1.8.3 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	go.etcd.io/bbolt v1.3.7 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/sys v0.11.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )

src/go.sum

@@ -73,6 +73,8 @@ github.com/go-git/go-git/v5 v5.8.1 h1:Zo79E4p7TRk0xoRgMq0RShiTHGKcKI4+DI6BfJc/Q+
 github.com/go-git/go-git/v5 v5.8.1/go.mod h1:FHFuoD6yGz5OSKEBK+aWN9Oah0q54Jxl0abmj6GnqAo=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
 github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/geo v0.0.0-20210211234256-740aa86cb551 h1:gtexQ/VGyN+VVFRXSFiguSNcXmS6rkKT+X7FdIrTtfo=
 github.com/golang/geo v0.0.0-20210211234256-740aa86cb551/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -114,6 +116,8 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
 github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
 github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
@@ -153,8 +157,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -185,24 +189,24 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
+golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
+golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
+golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

src/graph/graph.go

@@ -1,12 +1,14 @@
 package graph
 
 import (
+	"fmt"
 	"regexp"
 	"sort"
 	"strings"
 
 	"github.com/gofrs/uuid"
 	"github.com/pkg/errors"
+	"rat/graph/services/auth"
 	"rat/graph/util"
 	pathutil "rat/graph/util/path"
 )
@@ -23,7 +25,6 @@ var allowedPathNameSymbols = regexp.MustCompile(`[a-zA-Z0-9_\-]`)
 
 // Node describes a single node.
 type Node struct {
-	// Name    string            `json:"name"`
 	Path    pathutil.NodePath `json:"path"`
 	Header  NodeHeader        `json:"header"`
 	Content string            `json:"content"`
@@ -32,6 +33,7 @@ type Node struct {
 // NodeHeader describes info stored in nodes header.
 type NodeHeader struct {
 	ID       uuid.UUID      `yaml:"id"`
+	Domain   auth.Domain    `yaml:"domain"`
 	Name     string         `yaml:"name,omitempty"`
 	Weight   int            `yaml:"weight,omitempty"`
 	Template *NodeTemplate  `yaml:"template,omitempty"`
@@ -61,6 +63,21 @@ func (n *Node) Name() string {
 	return n.Path.Name()
 }
 
+func (n *Node) Domain(p Provider) (auth.Domain, error) {
+	if n.Header.Domain != "" {
+		return n.Header.Domain, nil
+	}
+
+	parent, err := n.Parent(p)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get parent")
+	}
+
+	fmt.Printf("parent: %v\n", parent.Path)
+
+	return parent.Domain(p)
+}
+
 // GetLeafs returns all leafs of node.
 func (n *Node) GetLeafs(r Reader) ([]*Node, error) {
 	leafs, err := r.GetLeafs(n.Path)

src/graph/graph_test.go

@@ -1,6 +1,7 @@
 package graph
 
 import (
+	pathutil "rat/graph/util/path"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -56,3 +57,36 @@ func Test_parsePathName(t *testing.T) {
 		})
 	}
 }
+
+func TestNode_Name(t *testing.T) {
+	t.Parallel()
+
+	type fields struct {
+		Path    pathutil.NodePath
+		Header  NodeHeader
+		Content string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   string
+	}{
+		// TODO: Add test cases.
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			n := &Node{
+				Path:    tt.fields.Path,
+				Header:  tt.fields.Header,
+				Content: tt.fields.Content,
+			}
+			got := n.Name()
+			if diff := cmp.Diff(tt.want, got); diff != "" {
+				t.Fatalf("Node.Name() = %s", diff)
+			}
+		})
+	}
+}

src/graph/services/auth/auth.go

@@ -0,0 +1,158 @@
+package auth
+
+import (
+	"encoding/json"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"rat/logr"
+)
+
+type ctxKey string
+
+const AuthTokenCtxKey ctxKey = "auth-token"
+
+// Config defines configuration params for authentication.
+type Config struct {
+	Users []*User           `yaml:"users"`
+	Roles map[Role][]*Scope `yaml:"roles"`
+	Token *TokenConfig      `yaml:"token" validate:"nonzero"`
+}
+
+// TokenConfig defines configuration params for JWT token generation.
+type TokenConfig struct {
+	Secret     string        `yaml:"secret" validate:"nonzero"`
+	Expiration time.Duration `yaml:"expiration" validate:"nonzero"`
+}
+
+// User defines a user with credentials and role.
+type User struct {
+	Credentials `yaml:",inline"`
+	Scopes      *Scopes `yaml:"scopes" validate:"nonzero"`
+}
+
+// Credentials defines users username and password.
+type Credentials struct {
+	Username string `yaml:"username" validate:"nonzero"`
+	Password string `yaml:"password" validate:"nonzero"`
+}
+
+type TokenControl struct {
+	users       map[string]*User
+	roles       map[Role][]*Scope
+	tokenConfig *TokenConfig
+	log         *logr.LogR
+}
+
+func NewTokenControl(config *Config, log *logr.LogR) (*TokenControl, error) {
+	log = log.Prefix("token-control")
+
+	lg := log.Group(logr.LogLevelInfo)
+	defer lg.Close()
+
+	lg.Log("users:")
+
+	users := make(map[string]*User)
+	for _, user := range config.Users {
+		users[user.Username] = user
+
+		b, err := json.MarshalIndent(
+			struct {
+				Username string   `json:"username"`
+				Scopes   []*Scope `json:"scopes"`
+			}{
+				Username: user.Username,
+				Scopes:   user.Scopes.Get(config.Roles),
+			},
+			"",
+			"  ",
+		)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to marshal user for log")
+		}
+
+		lg.Log("%s", string(b))
+
+	}
+
+	return &TokenControl{
+		users:       users,
+		roles:       config.Roles,
+		tokenConfig: config.Token,
+		log:         log,
+	}, nil
+}
+
+func (tc *TokenControl) Generate(
+	username, password string,
+) (string, *Token, error) {
+	user, ok := tc.users[username]
+	if !ok {
+		return "", nil, errors.Errorf("user %q not found", username)
+	}
+
+	err := bcrypt.CompareHashAndPassword(
+		[]byte(user.Password),
+		[]byte(password),
+	)
+	if err != nil {
+		return "", nil, errors.Wrap(err, "failed to authenticate user")
+	}
+
+	token := &Token{
+		Username: user.Username,
+		Expires:  time.Now().Add(tc.tokenConfig.Expiration).Unix(),
+		Scopes:   user.Scopes.Get(tc.roles),
+	}
+
+	signed, err := jwt.NewWithClaims(
+		jwt.SigningMethodHS512,
+		token.ToMapClaims(),
+	).
+		SignedString([]byte(tc.tokenConfig.Secret))
+	if err != nil {
+		return "", nil, errors.Wrap(err, "failed to sign token")
+	}
+
+	return signed, token, nil
+}
+
+func (tc *TokenControl) Validate(signed string) (*Token, error) {
+	token, err := jwt.Parse(
+		signed,
+		func(token *jwt.Token) (any, error) {
+			return []byte(tc.tokenConfig.Secret), nil
+		},
+		jwt.WithValidMethods([]string{"HS512"}),
+	)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse token")
+	}
+
+	if !token.Valid {
+		return nil, errors.New("token not valid")
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, errors.New("failed to parse claims")
+	}
+
+	t, err := FromMapClaims(claims)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse token from claims")
+	}
+
+	if t.Expired() {
+		return nil, errors.New("token expired")
+	}
+
+	_, ok = tc.users[t.Username]
+	if !ok {
+		return nil, errors.New("user not found")
+	}
+
+	return t, nil
+}