shellhub-io
diff --git a/‎api/Dockerfile‎
Lines changed: 1 addition & 0 deletions b/‎api/Dockerfile‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/go.mod‎
Lines changed: 1 addition & 0 deletions b/‎api/go.mod‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/go.sum‎
Lines changed: 4 additions & 0 deletions b/‎api/go.sum‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎api/server.go‎
Lines changed: 1 addition & 1 deletion b/‎api/server.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/services/auth.go‎
Lines changed: 5 additions & 288 deletions b/‎api/services/auth.go‎
Lines changed: 5 additions & 288 deletions
@@ -54,6 +54,7 @@ COPY ./api/entrypoint-dev.sh /entrypoint.sh
 WORKDIR $GOPATH/src/github.com/shellhub-io/shellhub/api
 
 RUN mkdir -p /templates
+RUN mkdir -p /migrations
 
 COPY ./install.sh /templates/install.sh
 
 
@@ -12,6 +12,7 @@ require (
 	github.com/jackc/pgx/v5 v5.5.4
 	github.com/labstack/echo/v4 v4.13.3
 	github.com/labstack/gommon v0.4.2
+	github.com/oiime/logrusbun v0.1.2-0.20241011112815-4df3a0fb0e11
 	github.com/pkg/errors v0.9.1
 	github.com/shellhub-io/mongotest v0.0.0-20230928124937-e33b07010742
 	github.com/shellhub-io/shellhub v0.13.4
 
@@ -270,6 +270,8 @@ github.com/nwaples/rardecode/v2 v2.0.0-beta.2/go.mod h1:yntwv/HfMc/Hbvtq9I19D1n5
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/oiime/logrusbun v0.1.2-0.20241011112815-4df3a0fb0e11 h1:rAqW9sGcM0VsfBwgeBzHk0yebrRwfeSJFy9Egqi0fmM=
+github.com/oiime/logrusbun v0.1.2-0.20241011112815-4df3a0fb0e11/go.mod h1:HH9akx9teKgQPX41TYpLLRNxaL8q9R+ltzABnwUHfBM=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vvnwo0=
@@ -326,6 +328,7 @@ github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFt
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
@@ -378,6 +381,7 @@ github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc/go.mod h1:bciPuU6GH
 github.com/ulikunitz/xz v0.5.8/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
 github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/uptrace/bun v0.3.9/go.mod h1:aL6D9vPw8DXaTQTwGrEPtUderBYXx7ShUmPfnxnqscw=
 github.com/uptrace/bun v1.2.11 h1:l9dTymsdZZAoSZ1+Qo3utms0RffgkDbIv+1UGk8N1wQ=
 github.com/uptrace/bun v1.2.11/go.mod h1:ww5G8h59UrOnCHmZ8O1I/4Djc7M/Z3E+EWFS2KLB6dQ=
 github.com/uptrace/bun/dialect/pgdialect v1.2.11 h1:n0VKWm1fL1dwJK5TRxYYLaRKRe14BOg2+AQgpvqzG/M=
 
@@ -84,7 +84,7 @@ func (s *Server) Setup(ctx context.Context) error {
 	log.Debug("Redis cache initialized successfully")
 
 	uri := pg.URI(s.env.PostgresHost, s.env.PostgresPort, s.env.PostgresUser, s.env.PostgresPassword, s.env.PostgresDB)
-	store, err := pg.New(ctx, uri, options.Migrate())
+	store, err := pg.New(ctx, uri, options.Migrate(), options.Log("DEBUG", true))
 	if err != nil {
 		return err
 	}
 
@@ -2,25 +2,11 @@ package services
 
 import (
 	"context"
-	"crypto"
-	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha256"
-	"crypto/x509"
-	"encoding/base64"
-	"encoding/hex"
-	"encoding/pem"
-	"slices"
-	"strings"
 	"time"
 
-	"github.com/shellhub-io/shellhub/pkg/api/authorizer"
-	"github.com/shellhub-io/shellhub/pkg/api/jwttoken"
 	"github.com/shellhub-io/shellhub/pkg/api/requests"
-	"github.com/shellhub-io/shellhub/pkg/clock"
 	"github.com/shellhub-io/shellhub/pkg/models"
-	"github.com/shellhub-io/shellhub/pkg/uuid"
-	log "github.com/sirupsen/logrus"
 )
 
 type AuthService interface {
@@ -68,292 +54,23 @@ func (s *service) AuthDevice(ctx context.Context, req requests.DeviceAuth, remot
 }
 
 func (s *service) AuthLocalUser(ctx context.Context, req *requests.AuthLocalUser, sourceIP string) (*models.UserAuthResponse, int64, string, error) {
-	if s, err := s.store.SystemGet(ctx); err != nil || !s.Authentication.Local.Enabled {
-		return nil, 0, "", NewErrAuthMethodNotAllowed(models.UserAuthMethodLocal.String())
-	}
-
-	var err error
-	var user *models.User
-
-	if req.Identifier.IsEmail() {
-		user, err = s.store.UserGetByEmail(ctx, strings.ToLower(string(req.Identifier)))
-	} else {
-		user, err = s.store.UserGetByUsername(ctx, strings.ToLower(string(req.Identifier)))
-	}
-
-	if err != nil {
-		return nil, 0, "", NewErrAuthUnathorized(nil)
-	}
-
-	if !slices.Contains(user.Preferences.AuthMethods, models.UserAuthMethodLocal) {
-		return nil, 0, "", NewErrAuthUnathorized(nil)
-	}
-
-	switch user.Status {
-	case models.UserStatusInvited:
-		return nil, 0, "", NewErrAuthUnathorized(nil)
-	case models.UserStatusNotConfirmed:
-		return nil, 0, "", NewErrUserNotConfirmed(nil)
-	default:
-		break
-	}
-
-	// Checks whether the user is currently blocked from new login attempts
-	if lockout, attempt, _ := s.cache.HasAccountLockout(ctx, sourceIP, user.ID); lockout > 0 {
-		log.
-			WithFields(log.Fields{
-				"lockout":   lockout,
-				"attempt":   attempt,
-				"source_ip": sourceIP,
-				"user_id":   user.ID,
-			}).
-			Warn("attempt to login blocked")
-
-		return nil, lockout, "", NewErrAuthUnathorized(nil)
-	}
-
-	if !user.Password.Compare(req.Password) {
-		lockout, _, err := s.cache.StoreLoginAttempt(ctx, sourceIP, user.ID)
-		if err != nil {
-			log.WithError(err).
-				WithField("source_ip", sourceIP).
-				WithField("user_id", user.ID).
-				Warn("unable to store login attempt")
-		}
-
-		return nil, lockout, "", NewErrAuthUnathorized(nil)
-	}
-
-	// Reset the attempt and timeout values when succeeds
-	if err := s.cache.ResetLoginAttempts(ctx, sourceIP, user.ID); err != nil {
-		log.WithError(err).
-			WithField("source_ip", sourceIP).
-			WithField("user_id", user.ID).
-			Warn("unable to reset authentication attempts")
-	}
-
-	// Users with MFA enabled must authenticate to the cloud instead of community.
-	if user.MFA.Enabled {
-		mfaToken := uuid.Generate()
-		if err := s.cache.Set(ctx, "mfa-token={"+mfaToken+"}", user.ID, 30*time.Minute); err != nil {
-			log.WithError(err).
-				WithField("source_ip", sourceIP).
-				WithField("user_id", user.ID).
-				Warn("unable to store mfa-token")
-		}
-
-		return nil, 0, mfaToken, nil
-	}
-
-	tenantID := ""
-	role := ""
-	// Populate the tenant and role when the user is associated with a namespace. If the member status is pending, we
-	// ignore the namespace.
-	if ns, _ := s.store.NamespaceGetPreferred(ctx, user.ID); ns != nil && ns.TenantID != "" {
-		if m, _ := ns.FindMember(user.ID); m.Status != models.MemberStatusPending {
-			tenantID = ns.TenantID
-			role = m.Role.String()
-		}
-	}
-
-	claims := authorizer.UserClaims{
-		ID:       user.ID,
-		Origin:   user.Origin.String(),
-		TenantID: tenantID,
-		Username: user.Username,
-		MFA:      user.MFA.Enabled,
-	}
-
-	token, err := jwttoken.EncodeUserClaims(claims, s.privKey)
-	if err != nil {
-		return nil, 0, "", NewErrTokenSigned(err)
-	}
-
-	// Updates last_login and the hash algorithm to bcrypt if still using SHA256
-	changes := &models.UserChanges{LastLogin: clock.Now(), PreferredNamespace: &tenantID}
-	if !strings.HasPrefix(user.Password.Hash, "$") {
-		if neo, _ := models.HashUserPassword(req.Password); neo.Hash != "" {
-			changes.Password = neo.Hash
-		}
-	}
-
-	// TODO: evaluate make this update in a go routine.
-	if err := s.store.UserUpdate(ctx, user.ID, changes); err != nil {
-		return nil, 0, "", NewErrUserUpdate(user, err)
-	}
-
-	if err := s.AuthCacheToken(ctx, tenantID, user.ID, token); err != nil {
-		log.WithError(err).
-			WithFields(log.Fields{"id": user.ID}).
-			Warn("unable to cache the authentication token")
-	}
-
-	res := &models.UserAuthResponse{
-		ID:            user.ID,
-		Origin:        user.Origin.String(),
-		AuthMethods:   user.Preferences.AuthMethods,
-		User:          user.Username,
-		Name:          user.Name,
-		Email:         user.Email,
-		RecoveryEmail: user.RecoveryEmail,
-		MFA:           user.MFA.Enabled,
-		Tenant:        tenantID,
-		Role:          role,
-		Token:         token,
-		MaxNamespaces: user.MaxNamespaces,
-	}
-
-	return res, 0, "", nil
+	return nil, 0, "", nil
 }
 
 func (s *service) CreateUserToken(ctx context.Context, req *requests.CreateUserToken) (*models.UserAuthResponse, error) {
-	user, _, err := s.store.UserGetByID(ctx, req.UserID, false)
-	if err != nil {
-		return nil, NewErrUserNotFound(req.UserID, err)
-	}
-
-	tenantID := ""
-	role := ""
-
-	switch req.TenantID {
-	case "":
-		// A user may not have a preferred namespace. In such cases, we create a token without it.
-		namespace, err := s.store.NamespaceGetPreferred(ctx, user.ID)
-		if err != nil {
-			break
-		}
-
-		member, ok := namespace.FindMember(user.ID)
-		if !ok {
-			return nil, NewErrNamespaceMemberNotFound(user.ID, nil)
-		}
-
-		if member.Status != models.MemberStatusPending {
-			tenantID = namespace.TenantID
-			role = member.Role.String()
-		}
-	default:
-		namespace, err := s.store.NamespaceGet(ctx, req.TenantID)
-		if err != nil {
-			return nil, NewErrNamespaceNotFound(req.TenantID, err)
-		}
-
-		member, ok := namespace.FindMember(user.ID)
-		if !ok {
-			return nil, NewErrNamespaceMemberNotFound(user.ID, nil)
-		}
-
-		if member.Status == models.MemberStatusPending {
-			return nil, NewErrNamespaceMemberNotFound(user.ID, nil)
-		}
-
-		tenantID = namespace.TenantID
-		role = member.Role.String()
-
-		if user.Preferences.PreferredNamespace != namespace.TenantID {
-			_ = s.store.UserUpdate(ctx, user.ID, &models.UserChanges{PreferredNamespace: &tenantID})
-		}
-	}
-
-	claims := authorizer.UserClaims{
-		ID:       user.ID,
-		Origin:   user.Origin.String(),
-		TenantID: tenantID,
-		Username: user.Username,
-		MFA:      user.MFA.Enabled,
-	}
-
-	token, err := jwttoken.EncodeUserClaims(claims, s.privKey)
-	if err != nil {
-		return nil, NewErrTokenSigned(err)
-	}
-
-	if err := s.AuthCacheToken(ctx, tenantID, user.ID, token); err != nil {
-		log.WithError(err).Warn("unable to cache the user's auth token")
-	}
-
-	return &models.UserAuthResponse{
-		ID:            user.ID,
-		Origin:        user.Origin.String(),
-		AuthMethods:   user.Preferences.AuthMethods,
-		User:          user.Username,
-		Name:          user.Name,
-		Email:         user.Email,
-		RecoveryEmail: user.RecoveryEmail,
-		MFA:           user.MFA.Enabled,
-		Tenant:        tenantID,
-		Role:          role,
-		Token:         token,
-		MaxNamespaces: user.MaxNamespaces,
-	}, nil
+	return nil, nil
 }
 
 func (s *service) AuthAPIKey(ctx context.Context, key string) (*models.APIKey, error) {
-	apiKey := new(models.APIKey)
-	if err := s.cache.Get(ctx, "api-key={"+key+"}", apiKey); err != nil {
-		return nil, err
-	}
-
-	if apiKey.ID == "" {
-		keySum := sha256.Sum256([]byte(key))
-		hashedKey := hex.EncodeToString(keySum[:])
-
-		var err error
-		if apiKey, err = s.store.APIKeyGet(ctx, hashedKey); err != nil {
-			return nil, NewErrAPIKeyNotFound("", err)
-		}
-	}
-
-	if !apiKey.IsValid() {
-		return nil, NewErrAPIKeyInvalid(apiKey.Name)
-	}
-
-	if err := s.cache.Set(ctx, "api-key={"+key+"}", apiKey, 2*time.Minute); err != nil {
-		log.WithError(err).Info("Unable to set the api-key in cache")
-	}
-
-	return apiKey, nil
+	return nil, nil
 }
 
 func (s *service) AuthPublicKey(ctx context.Context, req requests.PublicKeyAuth) (*models.PublicKeyAuthResponse, error) {
-	privKey, err := s.store.PrivateKeyGet(ctx, req.Fingerprint)
-	if err != nil {
-		return nil, NewErrPublicKeyNotFound(req.Fingerprint, err)
-	}
-
-	block, _ := pem.Decode(privKey.Data)
-	if block == nil {
-		return nil, err
-	}
-
-	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
-	if err != nil {
-		return nil, err
-	}
-
-	digest := sha256.Sum256([]byte(req.Data))
-	signature, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
-	if err != nil {
-		return nil, err
-	}
-
-	return &models.PublicKeyAuthResponse{
-		Signature: base64.StdEncoding.EncodeToString(signature),
-	}, nil
+	return nil, nil
 }
 
 func (s *service) GetUserRole(ctx context.Context, tenantID, userID string) (string, error) {
-	ns, err := s.store.NamespaceGet(ctx, tenantID)
-	if err != nil {
-		return "", err
-	}
-
-	member, ok := ns.FindMember(userID)
-	if !ok {
-		return "", NewErrNamespaceMemberNotFound(userID, nil)
-	}
-
-	return member.Role.String(), nil
+	return "", nil
 }
 
 func (s *service) PublicKey() *rsa.PublicKey {
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ func (s *Server) Setup(ctx context.Context) error {`
`84`	`84`	`log.Debug("Redis cache initialized successfully")`
`85`	`85`
`86`	`86`	`uri := pg.URI(s.env.PostgresHost, s.env.PostgresPort, s.env.PostgresUser, s.env.PostgresPassword, s.env.PostgresDB)`
`87`		`- store, err := pg.New(ctx, uri, options.Migrate())`
	`87`	`+ store, err := pg.New(ctx, uri, options.Migrate(), options.Log("DEBUG", true))`
`88`	`88`	`if err != nil {`
`89`	`89`	`return err`
`90`	`90`	`}`