feat: add optional token hashing (#25982)

Add optional token hashing with `--use-hashed-tokens` command line option.

Author: gwossum

auth.go

@@ -20,7 +20,8 @@ var ErrUnableToCreateToken = &errors.Error{
 // Authorization is an authorization. 🎉
 type Authorization struct {
 	ID          platform.ID  `json:"id"`
-	Token       string       `json:"token"`
+	Token       string       `json:"token,omitempty"`
+	HashedToken string       `json:"hashedToken,omitempty"`
 	Status      Status       `json:"status"`
 	Description string       `json:"description"`
 	OrgID       platform.ID  `json:"orgID"`
@@ -35,7 +36,60 @@ type AuthorizationUpdate struct {
 	Description *string `json:"description,omitempty"`
 }
 
+const (
+	// authTokenClearValue is used to indicate Token or HashedToken are cleared (not set).
+	authTokenClearValue = ""
+)
+
+// IsAuthTokenSet returns true if token is considered set. Applies
+// to be both unhashed tokens (Authorization.Token) and
+// hashed tokens (Authorization.HashedToken).
+func IsAuthTokenSet(token string) bool {
+	return token != authTokenClearValue
+}
+
+// IsTokenSet returns true if Token is set.
+func (a *Authorization) IsTokenSet() bool {
+	return IsAuthTokenSet(a.Token)
+}
+
+// IsTokenClear returns true if Token is unset.
+func (a *Authorization) IsTokenClear() bool {
+	return !a.IsTokenSet()
+}
+
+// ClearToken clears Token.
+func (a *Authorization) ClearToken() {
+	a.Token = authTokenClearValue
+}
+
+// IsHashedTokenSet returns true if HashedToken is set.
+func (a *Authorization) IsHashedTokenSet() bool {
+	return IsAuthTokenSet(a.HashedToken)
+}
+
+// IsHashedTokenClear returns true if Token is unset.
+func (a *Authorization) IsHashedTokenClear() bool {
+	return !a.IsHashedTokenSet()
+}
+
+// ClearToken clears HashedToken.
+func (a *Authorization) ClearHashedToken() {
+	a.HashedToken = authTokenClearValue
+}
+
+// NoTokensSet returns true if neither Token nor HashedToken is set.
+func (a *Authorization) NoTokensSet() bool {
+	return a.IsTokenClear() && a.IsHashedTokenClear()
+}
+
+// BothTokensSet returns true if both Token and Hashed token is set.
+func (a *Authorization) BothTokensSet() bool {
+	return a.IsTokenSet() && a.IsHashedTokenSet()
+}
+
 // Valid ensures that the authorization is valid.
+// Valid does not check if tokens are set properly.
 func (a *Authorization) Valid() error {
 	for _, p := range a.Permissions {
 		if p.Resource.OrgID != nil && *p.Resource.OrgID != a.OrgID {

authorization/error.go

@@ -50,12 +50,12 @@ func ErrInvalidAuthIDError(err error) *errors.Error {
 	}
 }
 
-// UnexpectedAuthIndexError is used when the error comes from an internal system.
-func UnexpectedAuthIndexError(err error) *errors.Error {
+// UnexpectedAuthBucketError is used when the error comes from an internal system.
+func UnexpectedAuthBucketError(index []byte, err error) *errors.Error {
 	var e *errors.Error
 	if !errors2.As(err, &e) {
 		e = &errors.Error{
-			Msg:  fmt.Sprintf("unexpected error retrieving auth index; Err: %v", err),
+			Msg:  fmt.Sprintf("unexpected error retrieving auth bucket %q; Err: %v", index, err),
 			Code: errors.EInternal,
 			Err:  err,
 		}

authorization/hasher.go

@@ -0,0 +1,148 @@
+package authorization
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/go-crypt/crypt"
+	"github.com/go-crypt/crypt/algorithm"
+	influxdb2_algo "github.com/influxdata/influxdb/v2/pkg/crypt/algorithm/influxdb2"
+)
+
+var (
+	ErrNoDecoders = errors.New("no authorization decoders specified")
+)
+
+type AuthorizationHasher struct {
+	// hasher encodes tokens into hashed PHC-encoded tokens.
+	hasher algorithm.Hash
+
+	// decoder decodes hashed PHC-encoded tokens into crypt.Digest objects.
+	decoder *crypt.Decoder
+
+	// allHashers is the list of all hashers which could be used for hashed index lookup.
+	allHashers []algorithm.Hash
+}
+
+const (
+	DefaultHashVariant     = influxdb2_algo.VariantSHA256
+	DefaultHashVariantName = influxdb2_algo.VariantIdentifierSHA256
+
+	// HashVariantNameUnknown is the placeholder name used for unknown or unsupported hash variants.
+	HashVariantNameUnknown = "N/A"
+)
+
+type authorizationHasherOptions struct {
+	hasherVariant   influxdb2_algo.Variant
+	decoderVariants []influxdb2_algo.Variant
+}
+
+type AuthorizationHasherOption func(o *authorizationHasherOptions)
+
+func WithHasherVariant(variant influxdb2_algo.Variant) AuthorizationHasherOption {
+	return func(o *authorizationHasherOptions) {
+		o.hasherVariant = variant
+	}
+}
+
+func WithDecoderVariants(variants []influxdb2_algo.Variant) AuthorizationHasherOption {
+	return func(o *authorizationHasherOptions) {
+		o.decoderVariants = variants
+	}
+}
+
+// NewAuthorizationHasher creates an AuthorizationHasher for influxdb2 algorithm hashed tokens.
+// variantName specifies which token hashing variant to use, with blank indicating to use the default
+// hashing variant. By default, all variants of the influxdb2 hashing scheme are supported for
+// maximal compatibility.
+func NewAuthorizationHasher(opts ...AuthorizationHasherOption) (*AuthorizationHasher, error) {
+	options := authorizationHasherOptions{
+		hasherVariant:   DefaultHashVariant,
+		decoderVariants: influxdb2_algo.AllVariants,
+	}
+
+	for _, o := range opts {
+		o(&options)
+	}
+
+	if len(options.decoderVariants) == 0 {
+		return nil, fmt.Errorf("error in NewAuthorizationHasher: %w", ErrNoDecoders)
+	}
+
+	// Create the hasher used for hashing new tokens before storage.
+	hasher, err := influxdb2_algo.New(influxdb2_algo.WithVariant(options.hasherVariant))
+	if err != nil {
+		return nil, fmt.Errorf("creating hasher %s for AuthorizationHasher: %w", options.hasherVariant.Prefix(), err)
+	}
+
+	// Create decoder and register all requested decoder variants.
+	decoder := crypt.NewDecoder()
+	for _, variant := range options.decoderVariants {
+		if err := variant.RegisterDecoder(decoder); err != nil {
+			return nil, fmt.Errorf("registering variant %s with decoder: %w", variant.Prefix(), err)
+		}
+	}
+
+	// Create all variant hashers needed for requested decoder variants. This is required for operations where
+	// all potential variations of a raw token must be hashed, such as looking up a hash in the hashed token index.
+	var allHashers []algorithm.Hash
+	for _, variant := range options.decoderVariants {
+		h, err := influxdb2_algo.New(influxdb2_algo.WithVariant(variant))
+		if err != nil {
+			return nil, fmt.Errorf("creating hasher %s for authorization service index lookups: %w", variant.Prefix(), err)
+		}
+		allHashers = append(allHashers, h)
+	}
+
+	return &AuthorizationHasher{
+		hasher:     hasher,
+		decoder:    decoder,
+		allHashers: allHashers,
+	}, nil
+}
+
+// Hash generates a PHC-encoded hash of token using the selected hash algorithm variant.
+func (h *AuthorizationHasher) Hash(token string) (string, error) {
+	digest, err := h.hasher.Hash(token)
+	if err != nil {
+		return "", fmt.Errorf("hashing raw token failed: %w", err)
+	}
+	return digest.Encode(), nil
+}
+
+// AllHashes generates a list of PHC-encoded hashes of token for all deterministic (i.e. non-salted) supported hashes.
+func (h *AuthorizationHasher) AllHashes(token string) ([]string, error) {
+	hashes := make([]string, len(h.allHashers))
+	for idx, hasher := range h.allHashers {
+		digest, err := hasher.Hash(token)
+		if err != nil {
+			variantName := HashVariantNameUnknown
+			if influxdb_hasher, ok := hasher.(*influxdb2_algo.Hasher); ok {
+				variantName = influxdb_hasher.Variant().Prefix()
+			}
+			return nil, fmt.Errorf("hashing raw token failed (variant=%s): %w", variantName, err)
+		}
+		hashes[idx] = digest.Encode()
+	}
+	return hashes, nil
+}
+
+// AllHashesCount returns the number of hash variants available through AllHashes.
+func (h *AuthorizationHasher) AllHashesCount() int {
+	return len(h.allHashers)
+}
+
+// Decode decodes a PHC-encoded hash into a Digest object that can be matched.
+func (h *AuthorizationHasher) Decode(phc string) (algorithm.Digest, error) {
+	return h.decoder.Decode(phc)
+}
+
+// Match determines if a raw token matches a PHC-encoded token.
+func (h *AuthorizationHasher) Match(phc string, token string) (bool, error) {
+	digest, err := h.Decode(phc)
+	if err != nil {
+		return false, err
+	}
+
+	return digest.MatchAdvanced(token)
+}

authorization/hasher_test.go

@@ -0,0 +1,45 @@
+package authorization_test
+
+import (
+	"testing"
+
+	"github.com/go-crypt/crypt/algorithm"
+	"github.com/influxdata/influxdb/v2/authorization"
+	influxdb2_algo "github.com/influxdata/influxdb/v2/pkg/crypt/algorithm/influxdb2"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_NewAuthorizationHasher_EmptyDecoderVariants(t *testing.T) {
+	hasher, err := authorization.NewAuthorizationHasher(
+		authorization.WithDecoderVariants([]influxdb2_algo.Variant{}),
+	)
+
+	require.ErrorIs(t, err, authorization.ErrNoDecoders)
+	require.Nil(t, hasher)
+}
+
+func TestNewAuthorizationHasher_WithInvalidDecoderVariant(t *testing.T) {
+	// Test that using an invalid decoder variant returns an error
+	hasher, err := authorization.NewAuthorizationHasher(
+		authorization.WithDecoderVariants([]influxdb2_algo.Variant{
+			influxdb2_algo.Variant(-1), // Invalid variant
+		}),
+	)
+
+	// Should return an error and nil hasher
+	require.ErrorIs(t, err, algorithm.ErrParameterInvalid)
+	require.Contains(t, err.Error(), "registering variant")
+	require.Nil(t, hasher)
+}
+
+func TestNewAuthorizationHasher_WithHasherVariantInvalid(t *testing.T) {
+	// Test that using VariantNone returns an error
+	hasher, err := authorization.NewAuthorizationHasher(
+		authorization.WithHasherVariant(influxdb2_algo.Variant(-1)),
+	)
+
+	// Should return an error and nil hasher
+	require.ErrorIs(t, err, algorithm.ErrParameterInvalid)
+	require.ErrorContains(t, err, "creating hasher")
+	require.Nil(t, hasher)
+}