Refactoring, initial implementation of token generation

Author: Forceu

build/go-generate/minifyStaticContent.go

@@ -137,6 +137,6 @@ func fileExists(filename string) bool {
 // Auto-generated content below, do not modify
 // Version codes can be changed in updateVersionNumbers.go
 
-const jsAdminVersion = 13
+const jsAdminVersion = 14
 const jsE2EVersion = 8
 const cssMainVersion = 5

build/go-generate/updateVersionNumbers.go

@@ -11,7 +11,7 @@ import (
 	"strings"
 )
 
-const versionJsAdmin = 13
+const versionJsAdmin = 14
 const versionJsDropzone = 5
 const versionJsE2EAdmin = 8
 const versionCssMain = 5

docs/setup.rst

@@ -283,6 +283,21 @@ This option disables Gokapis internal authentication completely, except for API
 
 - ``/admin``
 - ``/apiKeys``
+- ``/auth/token``
+- ``/changePassword``
+- ``/e2eSetup``
+- ``/logs``
+- ``/uploadChunk``
+- ``/uploadStatus``
+- ``/users``
+- ``/auth/token``
+- ``/changePassword``
+- ``/e2eSetup``
+- ``/logs``
+- ``/uploadChunk``
+- ``/uploadStatus``
+- ``/users``
+- ``/auth/token``
 - ``/changePassword``
 - ``/e2eSetup``
 - ``/logs``

internal/configuration/setup/ProtectedUrls.go

@@ -1,25 +1,27 @@
 package models
 
 import (
+	"errors"
+	"strings"
 	"time"
 )
 
 const (
-	// ApiPermView is the permission for viewing metadata of all uploaded files
+	// ApiPermView is the permission for viewing metadata of all uploaded files PERM_VIEW
 	ApiPermView ApiPermission = 1 << iota
-	// ApiPermUpload is the permission for creating new files
+	// ApiPermUpload is the permission for creating new files PERM_UPLOAD
 	ApiPermUpload
-	// ApiPermDelete is the permission for deleting files
+	// ApiPermDelete is the permission for deleting files PERM_DELETE
 	ApiPermDelete
-	// ApiPermApiMod is the permission for adding / removing API key permissions
+	// ApiPermApiMod is the permission for adding / removing API key permissions PERM_API_MOD
 	ApiPermApiMod
-	// ApiPermEdit is the permission for editing parameters of uploaded files
+	// ApiPermEdit is the permission for editing parameters of uploaded files PERM_EDIT
 	ApiPermEdit
-	// ApiPermReplace is the permission for replacing the content of uploaded files
+	// ApiPermReplace is the permission for replacing the content of uploaded files PERM_REPLACE
 	ApiPermReplace
-	// ApiPermManageUsers is the permission for managing users
+	// ApiPermManageUsers is the permission for managing users PERM_MANAGE_USERS
 	ApiPermManageUsers
-	// ApiPermManageLogs is the permission required for managing the log file
+	// ApiPermManageLogs is the permission required for managing the log file PERM_MANAGE_LOGS
 	ApiPermManageLogs
 )
 
@@ -48,6 +50,29 @@ type ApiKey struct {
 // ApiPermission contains zero or more permissions as an uint8 format
 type ApiPermission uint8
 
+func ApiPermissionFromString(permString string) (ApiPermission, error) {
+	switch strings.ToUpper(permString) {
+	case "PERM_VIEW":
+		return ApiPermView, nil
+	case "PERM_UPLOAD":
+		return ApiPermUpload, nil
+	case "PERM_DELETE":
+		return ApiPermDelete, nil
+	case "PERM_API_MOD":
+		return ApiPermApiMod, nil
+	case "PERM_EDIT":
+		return ApiPermEdit, nil
+	case "PERM_REPLACE":
+		return ApiPermReplace, nil
+	case "PERM_MANAGE_USERS":
+		return ApiPermManageUsers, nil
+	case "PERM_MANAGE_LOGS":
+		return ApiPermManageLogs, nil
+	default:
+		return 0, errors.New("invalid permission")
+	}
+}
+
 // GetReadableDate returns the date as YYYY-MM-DD HH:MM:SS
 func (key *ApiKey) GetReadableDate() string {
 	if key.LastUsed == 0 {

internal/models/ApiKey.go

@@ -17,6 +17,7 @@ import (
 	"log"
 	"net/http"
 	"sort"
+	"strconv"
 	"strings"
 	templatetext "text/template"
 	"time"
@@ -33,6 +34,7 @@ import (
 	"github.com/forceu/gokapi/internal/webserver/authentication"
 	"github.com/forceu/gokapi/internal/webserver/authentication/oauth"
 	"github.com/forceu/gokapi/internal/webserver/authentication/sessionmanager"
+	"github.com/forceu/gokapi/internal/webserver/authentication/tokengeneration"
 	"github.com/forceu/gokapi/internal/webserver/favicon"
 	"github.com/forceu/gokapi/internal/webserver/fileupload"
 	"github.com/forceu/gokapi/internal/webserver/sse"
@@ -91,6 +93,7 @@ func Start() {
 	loadExpiryImage()
 
 	mux.Handle("/", filesystemHandler(webserverDir))
+	mux.HandleFunc("/auth/token", requireLogin(handleGenerateAuthToken, false, false))
 	mux.HandleFunc("/admin", requireLogin(showAdminMenu, true, false))
 	mux.HandleFunc("/api/", processApi)
 	mux.HandleFunc("/apiKeys", requireLogin(showApiAdmin, true, false))
@@ -278,6 +281,25 @@ func showIndex(w http.ResponseWriter, r *http.Request) {
 	helper.CheckIgnoreTimeout(err)
 }
 
+func handleGenerateAuthToken(w http.ResponseWriter, r *http.Request) {
+	user, err := authentication.GetUserFromRequest(r)
+	if err != nil {
+		panic(err)
+	}
+	permString := r.Header.Get("permission")
+	permission, err := models.ApiPermissionFromString(permString)
+	if err != nil {
+		http.Error(w, "Invalid permission", http.StatusBadRequest)
+		return
+	}
+	token, expiry, err := tokengeneration.Generate(user, permission)
+	if err != nil {
+		http.Error(w, "Invalid permission", http.StatusBadRequest)
+		return
+	}
+	_, _ = w.Write([]byte("{\"key\":\"" + token + "\",\"expiry\":" + strconv.FormatInt(expiry, 10) + "}"))
+}
+
 // Handling of /changePassword
 func changePassword(w http.ResponseWriter, r *http.Request) {
 	var errMessage string

internal/webserver/Webserver.go

@@ -3,6 +3,11 @@ package api
 import (
 	"encoding/json"
 	"errors"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
 	"github.com/forceu/gokapi/internal/configuration"
 	"github.com/forceu/gokapi/internal/configuration/database"
 	"github.com/forceu/gokapi/internal/encryption"
@@ -11,14 +16,10 @@ import (
 	"github.com/forceu/gokapi/internal/models"
 	"github.com/forceu/gokapi/internal/storage"
 	"github.com/forceu/gokapi/internal/webserver/fileupload"
-	"io"
-	"net/http"
-	"strings"
-	"time"
 )
 
-const lengthPublicId = 35
-const lengthApiKey = 30
+const LengthPublicId = 35
+const LengthApiKey = 30
 const minLengthUser = 2
 
 // Process parses the request and executes the API call or returns an error message to the sender
@@ -109,8 +110,8 @@ func generateNewKey(defaultPermissions bool, userId int, friendlyName string) mo
 		friendlyName = "Unnamed key"
 	}
 	newKey := models.ApiKey{
-		Id:           helper.GenerateRandomString(lengthApiKey),
-		PublicId:     helper.GenerateRandomString(lengthPublicId),
+		Id:           helper.GenerateRandomString(LengthApiKey),
+		PublicId:     helper.GenerateRandomString(LengthPublicId),
 		FriendlyName: friendlyName,
 		Permissions:  models.ApiPermDefault,
 		IsSystemKey:  false,
@@ -144,8 +145,8 @@ func newSystemKey(userId int) string {
 	}
 
 	newKey := models.ApiKey{
-		Id:           helper.GenerateRandomString(lengthApiKey),
-		PublicId:     helper.GenerateRandomString(lengthPublicId),
+		Id:           helper.GenerateRandomString(LengthApiKey),
+		PublicId:     helper.GenerateRandomString(LengthPublicId),
 		FriendlyName: "Internal System Key",
 		Permissions:  tempKey.Permissions,
 		Expiry:       time.Now().Add(time.Hour * 48).Unix(),
@@ -812,7 +813,7 @@ func sendError(w http.ResponseWriter, errorInt int, errorMessage string) {
 // publicKeyToApiKey tries to convert a (possible) public key to a private key
 // If not a public key or if invalid, the original value is returned
 func publicKeyToApiKey(publicKey string) string {
-	if len(publicKey) == lengthPublicId {
+	if len(publicKey) == LengthPublicId {
 		privateApiKey, ok := database.GetApiKeyByPublicKey(publicKey)
 		if ok {
 			return privateApiKey

internal/webserver/api/Api.go

@@ -4,12 +4,13 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
-	"github.com/forceu/gokapi/internal/models"
-	"github.com/forceu/gokapi/internal/storage"
-	"github.com/forceu/gokapi/internal/storage/chunking"
 	"net/http"
 	"strconv"
 	"strings"
+
+	"github.com/forceu/gokapi/internal/models"
+	"github.com/forceu/gokapi/internal/storage"
+	"github.com/forceu/gokapi/internal/storage/chunking"
 )
 
 type apiRoute struct {
@@ -323,26 +324,11 @@ type paramAuthModify struct {
 }
 
 func (p *paramAuthModify) ProcessParameter(_ *http.Request) error {
-	switch strings.ToUpper(p.permissionRaw) {
-	case "PERM_VIEW":
-		p.Permission = models.ApiPermView
-	case "PERM_UPLOAD":
-		p.Permission = models.ApiPermUpload
-	case "PERM_DELETE":
-		p.Permission = models.ApiPermDelete
-	case "PERM_API_MOD":
-		p.Permission = models.ApiPermApiMod
-	case "PERM_EDIT":
-		p.Permission = models.ApiPermEdit
-	case "PERM_REPLACE":
-		p.Permission = models.ApiPermReplace
-	case "PERM_MANAGE_USERS":
-		p.Permission = models.ApiPermManageUsers
-	case "PERM_MANAGE_LOGS":
-		p.Permission = models.ApiPermManageLogs
-	default:
-		return errors.New("invalid permission")
+	permission, err := models.ApiPermissionFromString(p.permissionRaw)
+	if err != nil {
+		return err
 	}
+	p.Permission = permission
 	switch strings.ToUpper(p.permissionModifier) {
 	case "GRANT":
 		p.GrantPermission = true

internal/webserver/api/routing.go

@@ -0,0 +1,39 @@
+package tokengeneration
+
+import (
+	"errors"
+	"time"
+
+	"github.com/forceu/gokapi/internal/configuration/database"
+	"github.com/forceu/gokapi/internal/helper"
+	"github.com/forceu/gokapi/internal/models"
+	"github.com/forceu/gokapi/internal/webserver/api"
+)
+
+func containsApiPermission(requestedPermissions models.ApiPermission, containsPermission models.ApiPermission) bool {
+	return containsPermission&requestedPermissions == containsPermission
+}
+
+func Generate(user models.User, permission models.ApiPermission) (string, int64, error) {
+	if containsApiPermission(permission, models.ApiPermReplace) && !user.HasPermissionReplace() {
+		return "", 0, errors.New("user does not have permission to generate a token with PERM_REPLACE")
+	}
+	if containsApiPermission(permission, models.ApiPermManageUsers) && !user.HasPermissionManageUsers() {
+		return "", 0, errors.New("user does not have permission to generate a token with PERM_MANAGE_USERS")
+	}
+	if containsApiPermission(permission, models.ApiPermManageLogs) && !user.HasPermissionManageLogs() {
+		return "", 0, errors.New("user does not have permission to generate a token with PERM_MANAGE_LOGS")
+	}
+
+	key := models.ApiKey{
+		Id:           helper.GenerateRandomString(api.LengthApiKey),
+		PublicId:     helper.GenerateRandomString(api.LengthPublicId),
+		FriendlyName: "Temporary Token",
+		Permissions:  permission,
+		IsSystemKey:  true,
+		UserId:       user.Id,
+		Expiry:       time.Now().Add(time.Minute * 5).Unix(),
+	}
+	database.SaveApiKey(key)
+	return key.Id, key.Expiry, nil
+}

internal/webserver/authentication/tokengeneration/TokenGeneration.go

@@ -825,7 +825,7 @@
             "explode": false,
             "schema": {
               "type": "string",
-              "enum": ["PERM_VIEW", "PERM_UPLOAD", "PERM_EDIT", "PERM_DELETE", "PERM_REPLACE", "PERM_MANAGE_USERS", "PERM_API_MOD"]
+              "enum": ["PERM_VIEW", "PERM_UPLOAD", "PERM_EDIT", "PERM_DELETE", "PERM_REPLACE", "PERM_MANAGE_LOGS", "PERM_MANAGE_USERS", "PERM_API_MOD"]
             }
           },
           {