You can not select more than 25 topics
			Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
		
		
		
		
		
			
		
			
				
					
					
						
							261 lines
						
					
					
						
							6.0 KiB
						
					
					
				
			
		
		
		
			
			
			
		
		
	
	
							261 lines
						
					
					
						
							6.0 KiB
						
					
					
				| package user | |
| 
 | |
| import ( | |
| 	"crypto/subtle" | |
| 	"encoding/json" | |
| 	"fmt" | |
| 	"os" | |
| 	"sync" | |
| 
 | |
| 	"golang.org/x/crypto/ssh" | |
| ) | |
| 
 | |
| // FileStore implements Store using a JSON file | |
| type FileStore struct { | |
| 	filePath string | |
| 	users    map[string]*User | |
| 	mu       sync.RWMutex | |
| } | |
| 
 | |
| // Store defines the interface for user storage and retrieval | |
| type Store interface { | |
| 	// GetUser retrieves a user by username | |
| 	GetUser(username string) (*User, error) | |
| 
 | |
| 	// ValidatePassword checks if the password is valid for the user | |
| 	ValidatePassword(username string, password []byte) bool | |
| 
 | |
| 	// ValidatePublicKey checks if the public key is valid for the user | |
| 	ValidatePublicKey(username string, keyData string) bool | |
| 
 | |
| 	// GetUserPermissions returns the permissions for a user on a path | |
| 	GetUserPermissions(username string, path string) []string | |
| 
 | |
| 	// SaveUser saves or updates a user | |
| 	SaveUser(user *User) error | |
| 
 | |
| 	// DeleteUser removes a user | |
| 	DeleteUser(username string) error | |
| 
 | |
| 	// ListUsers returns all usernames | |
| 	ListUsers() ([]string, error) | |
| } | |
| 
 | |
| // UserNotFoundError is returned when a user is not found | |
| type UserNotFoundError struct { | |
| 	Username string | |
| } | |
| 
 | |
| func (e *UserNotFoundError) Error() string { | |
| 	return fmt.Sprintf("user not found: %s", e.Username) | |
| } | |
| 
 | |
| // NewFileStore creates a new user store from a JSON file | |
| func NewFileStore(filePath string) (*FileStore, error) { | |
| 	store := &FileStore{ | |
| 		filePath: filePath, | |
| 		users:    make(map[string]*User), | |
| 	} | |
| 
 | |
| 	// Create the file if it doesn't exist | |
| 	if _, err := os.Stat(filePath); os.IsNotExist(err) { | |
| 		// Create an empty users array | |
| 		if err := os.WriteFile(filePath, []byte("[]"), 0600); err != nil { | |
| 			return nil, fmt.Errorf("failed to create user store file: %w", err) | |
| 		} | |
| 	} | |
| 
 | |
| 	if err := store.loadUsers(); err != nil { | |
| 		return nil, err | |
| 	} | |
| 
 | |
| 	return store, nil | |
| } | |
| 
 | |
| // loadUsers loads users from the JSON file | |
| func (s *FileStore) loadUsers() error { | |
| 	s.mu.Lock() | |
| 	defer s.mu.Unlock() | |
| 
 | |
| 	data, err := os.ReadFile(s.filePath) | |
| 	if err != nil { | |
| 		return fmt.Errorf("failed to read user store file: %w", err) | |
| 	} | |
| 
 | |
| 	var users []*User | |
| 	if err := json.Unmarshal(data, &users); err != nil { | |
| 		return fmt.Errorf("failed to parse user store file: %w", err) | |
| 	} | |
| 
 | |
| 	// Clear existing users and add the loaded ones | |
| 	s.users = make(map[string]*User) | |
| 	for _, user := range users { | |
| 		// Process public keys to ensure they're in the correct format | |
| 		for i, keyData := range user.PublicKeys { | |
| 			// Try to parse the key as an authorized key format | |
| 			pubKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(keyData)) | |
| 			if err == nil { | |
| 				// If successful, store the marshaled binary format | |
| 				user.PublicKeys[i] = string(pubKey.Marshal()) | |
| 			} | |
| 		} | |
| 		s.users[user.Username] = user | |
| 
 | |
| 	} | |
| 
 | |
| 	return nil | |
| } | |
| 
 | |
| // saveUsers saves users to the JSON file | |
| func (s *FileStore) saveUsers() error { | |
| 	s.mu.RLock() | |
| 	defer s.mu.RUnlock() | |
| 
 | |
| 	// Convert map to slice for JSON serialization | |
| 	var users []*User | |
| 	for _, user := range s.users { | |
| 		users = append(users, user) | |
| 	} | |
| 
 | |
| 	data, err := json.MarshalIndent(users, "", "  ") | |
| 	if err != nil { | |
| 		return fmt.Errorf("failed to serialize users: %w", err) | |
| 	} | |
| 
 | |
| 	if err := os.WriteFile(s.filePath, data, 0600); err != nil { | |
| 		return fmt.Errorf("failed to write user store file: %w", err) | |
| 	} | |
| 
 | |
| 	return nil | |
| } | |
| 
 | |
| // GetUser returns a user by username | |
| func (s *FileStore) GetUser(username string) (*User, error) { | |
| 	s.mu.RLock() | |
| 	defer s.mu.RUnlock() | |
| 
 | |
| 	user, ok := s.users[username] | |
| 	if !ok { | |
| 		return nil, &UserNotFoundError{Username: username} | |
| 	} | |
| 
 | |
| 	return user, nil | |
| } | |
| 
 | |
| // ValidatePassword checks if the password is valid for the user | |
| func (s *FileStore) ValidatePassword(username string, password []byte) bool { | |
| 	user, err := s.GetUser(username) | |
| 	if err != nil { | |
| 		return false | |
| 	} | |
| 
 | |
| 	// Compare plaintext password using constant time comparison for security | |
| 	return subtle.ConstantTimeCompare([]byte(user.Password), password) == 1 | |
| } | |
| 
 | |
| // ValidatePublicKey checks if the public key is valid for the user | |
| func (s *FileStore) ValidatePublicKey(username string, keyData string) bool { | |
| 	user, err := s.GetUser(username) | |
| 	if err != nil { | |
| 		return false | |
| 	} | |
| 
 | |
| 	for _, key := range user.PublicKeys { | |
| 		if subtle.ConstantTimeCompare([]byte(key), []byte(keyData)) == 1 { | |
| 			return true | |
| 		} | |
| 	} | |
| 
 | |
| 	return false | |
| } | |
| 
 | |
| // GetUserPermissions returns the permissions for a user on a path | |
| func (s *FileStore) GetUserPermissions(username string, path string) []string { | |
| 	user, err := s.GetUser(username) | |
| 	if err != nil { | |
| 		return nil | |
| 	} | |
| 
 | |
| 	// Check exact path match first | |
| 	if perms, ok := user.Permissions[path]; ok { | |
| 		return perms | |
| 	} | |
| 
 | |
| 	// Check parent directories | |
| 	var bestMatch string | |
| 	var bestPerms []string | |
| 
 | |
| 	for p, perms := range user.Permissions { | |
| 		if len(p) > len(bestMatch) && os.IsPathSeparator(p[len(p)-1]) && path[:len(p)] == p { | |
| 			bestMatch = p | |
| 			bestPerms = perms | |
| 		} | |
| 	} | |
| 
 | |
| 	return bestPerms | |
| } | |
| 
 | |
| // SaveUser saves or updates a user | |
| func (s *FileStore) SaveUser(user *User) error { | |
| 	s.mu.Lock() | |
| 	s.users[user.Username] = user | |
| 	s.mu.Unlock() | |
| 
 | |
| 	return s.saveUsers() | |
| } | |
| 
 | |
| // DeleteUser removes a user | |
| func (s *FileStore) DeleteUser(username string) error { | |
| 	s.mu.Lock() | |
| 	_, exists := s.users[username] | |
| 	if !exists { | |
| 		s.mu.Unlock() | |
| 		return &UserNotFoundError{Username: username} | |
| 	} | |
| 
 | |
| 	delete(s.users, username) | |
| 	s.mu.Unlock() | |
| 
 | |
| 	return s.saveUsers() | |
| } | |
| 
 | |
| // ListUsers returns all usernames | |
| func (s *FileStore) ListUsers() ([]string, error) { | |
| 	s.mu.RLock() | |
| 	defer s.mu.RUnlock() | |
| 
 | |
| 	usernames := make([]string, 0, len(s.users)) | |
| 	for username := range s.users { | |
| 		usernames = append(usernames, username) | |
| 	} | |
| 
 | |
| 	return usernames, nil | |
| } | |
| 
 | |
| // CreateUser creates a new user with the given username and password | |
| func (s *FileStore) CreateUser(username, password string) (*User, error) { | |
| 	s.mu.Lock() | |
| 	defer s.mu.Unlock() | |
| 
 | |
| 	// Check if user already exists | |
| 	if _, exists := s.users[username]; exists { | |
| 		return nil, fmt.Errorf("user already exists: %s", username) | |
| 	} | |
| 
 | |
| 	// Create new user | |
| 	user := NewUser(username) | |
| 
 | |
| 	// Store plaintext password | |
| 	user.Password = password | |
| 
 | |
| 	// Add default permissions | |
| 	user.Permissions[user.HomeDir] = []string{"all"} | |
| 
 | |
| 	// Save the user | |
| 	s.users[username] = user | |
| 	if err := s.saveUsers(); err != nil { | |
| 		return nil, err | |
| 	} | |
| 
 | |
| 	return user, nil | |
| }
 |