etcd-io__etcd/etcdserver/security/security.go

// Copyright 2015 CoreOS, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package security

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
	"time"

	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/crypto/bcrypt"
	"github.com/coreos/etcd/Godeps/_workspace/src/golang.org/x/net/context"
	"github.com/coreos/etcd/etcdserver"
	"github.com/coreos/etcd/etcdserver/etcdserverpb"
	"github.com/coreos/etcd/pkg/types"
)

const (
	// StorePermsPrefix is the internal prefix of the storage layer dedicated to storing user data.
	StorePermsPrefix = "/2"
)

type doer interface {
	Do(context.Context, etcdserverpb.Request) (etcdserver.Response, error)
}

type Store struct {
	server  doer
	timeout time.Duration
	enabled bool
}

type User struct {
	User     string   `json:"user"`
	Password string   `json:"password,omitempty"`
	Roles    []string `json:"roles"`
	Grant    []string `json:"grant,omitempty"`
	Revoke   []string `json:"revoke,omitempty"`
}

type Role struct {
	Role        string       `json:"role"`
	Permissions Permissions  `json:"permissions"`
	Grant       *Permissions `json:"grant,omitempty"`
	Revoke      *Permissions `json:"revoke,omitempty"`
}

type Permissions struct {
	KV rwPermission `json:"kv"`
}

type rwPermission struct {
	Read  []string `json:"read"`
	Write []string `json:"write"`
}

type MergeError struct {
	errmsg string
}

func (m MergeError) Error() string { return m.errmsg }

func mergeErr(s string, v ...interface{}) MergeError {
	return MergeError{fmt.Sprintf(s, v...)}
}

func NewStore(server doer, timeout time.Duration) *Store {
	s := &Store{
		server:  server,
		timeout: timeout,
	}
	s.enabled = s.detectSecurity()
	return s
}

func (s *Store) AllUsers() ([]string, error) {
	resp, err := s.requestResource("/users/", false)
	if err != nil {
		return nil, err
	}
	var nodes []string
	for _, n := range resp.Event.Node.Nodes {
		_, user := path.Split(n.Key)
		nodes = append(nodes, user)
	}
	sort.Strings(nodes)
	return nodes, nil
}

func (s *Store) GetUser(name string) (User, error) {
	resp, err := s.requestResource("/users/"+name, false)
	if err != nil {
		return User{}, err
	}
	var u User
	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &u)
	if err != nil {
		return u, err
	}

	return u, nil
}

func (s *Store) CreateOrUpdateUser(user User) (User, error) {
	user, err := s.GetUser(user.User)
	if err == nil {
		// Remove the update-user roles from updating downstream.
		// Roles are granted or revoked, not changed directly.
		user.Roles = nil
		return s.UpdateUser(user)
	}
	return user, s.CreateUser(user)
}

func (s *Store) CreateUser(user User) error {
	if user.User == "root" {
		return mergeErr("Cannot create root user; enable security to set root.")
	}
	return s.createUserInternal(user)
}

func (s *Store) createUserInternal(user User) error {
	hash, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost)
	if err != nil {
		return err
	}
	user.Password = string(hash)

	_, err = s.createResource("/users/"+user.User, user)
	return err
}

func (s *Store) DeleteUser(name string) error {
	if name == "root" {
		return mergeErr("Can't delete root user; disable security instead.")
	}
	_, err := s.deleteResource("/users/" + name)
	return err
}

func (s *Store) UpdateUser(user User) (User, error) {
	old, err := s.GetUser(user.User)
	if err != nil {
		return old, err
	}
	newUser, err := old.Merge(user)
	if err != nil {
		return old, err
	}
	_, err = s.updateResource("/users/"+user.User, newUser)
	if err != nil {
		return newUser, err
	}
	return newUser, nil
}

func (s *Store) AllRoles() ([]string, error) {
	resp, err := s.requestResource("/roles/", false)
	if err != nil {
		return nil, err
	}
	var nodes []string
	for _, n := range resp.Event.Node.Nodes {
		_, role := path.Split(n.Key)
		nodes = append(nodes, role)
	}
	sort.Strings(nodes)
	return nodes, nil
}

func (s *Store) GetRole(name string) (Role, error) {
	// TODO(barakmich): Possibly add a cache
	resp, err := s.requestResource("/roles/"+name, false)
	if err != nil {
		return Role{}, err
	}
	var r Role
	err = json.Unmarshal([]byte(*resp.Event.Node.Value), &r)
	if err != nil {
		return r, err
	}

	return r, nil
}

func (s *Store) CreateOrUpdateRole(role Role) (Role, error) {
	_, err := s.GetRole(role.Role)
	if err == nil {
		return s.UpdateRole(role)
	}
	return role, s.CreateRole(role)
}

func (s *Store) CreateRole(role Role) error {
	_, err := s.createResource("/roles/"+role.Role, role)
	return err
}

func (s *Store) DeleteRole(name string) error {
	_, err := s.deleteResource("/roles/" + name)
	return err
}

func (s *Store) UpdateRole(role Role) (Role, error) {
	old, err := s.GetRole(role.Role)
	if err != nil {
		return old, err
	}
	newRole, err := old.Merge(role)
	if err != nil {
		return old, err
	}
	_, err = s.updateResource("/roles/"+role.Role, newRole)
	if err != nil {
		return newRole, err
	}
	return newRole, nil
}

func (s *Store) SecurityEnabled() bool {
	return s.enabled
}

func (s *Store) EnableSecurity(rootUser User) error {
	err := s.ensureSecurityDirectories()
	if err != nil {
		return err
	}
	if rootUser.User != "root" {
		mergeErr("Trying to create root user not named root")
	}
	err = s.createUserInternal(rootUser)
	if err == nil {
		s.enabled = true
	}
	return err
}

func (s *Store) DisableSecurity() error {
	err := s.DeleteUser("root")
	if err == nil {
		s.enabled = false
	}
	return err
}

// Merge applies the properties of the passed-in User to the User on which it
// is called and returns a new User with these modifications applied. Think of
// all Users as immutable sets of data. Merge allows you to perform the set
// operations (desired grants and revokes) atomically
func (u User) Merge(n User) (User, error) {
	var out User
	if u.User != n.User {
		return out, mergeErr("Merging user data with conflicting usernames: %s %s", u.User, n.User)
	}
	out.User = u.User
	if n.Password != "" {
		hash, err := bcrypt.GenerateFromPassword([]byte(n.Password), bcrypt.DefaultCost)
		if err != nil {
			return out, err
		}
		out.Password = string(hash)
	} else {
		out.Password = u.Password
	}
	currentRoles := types.NewUnsafeSet(u.Roles...)
	for _, g := range n.Grant {
		if currentRoles.Contains(g) {
			return out, mergeErr("Granting duplicate role %s for user %s", g, n.User)
		}
		currentRoles.Add(g)
	}
	for _, r := range n.Revoke {
		if !currentRoles.Contains(r) {
			return out, mergeErr("Revoking ungranted role %s for user %s", r, n.User)
		}
		currentRoles.Remove(r)
	}
	out.Roles = currentRoles.Values()
	return out, nil
}

func (u User) CheckPassword(password string) bool {
	err := bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
	return err == nil
}

// Merge for a role works the same as User above -- atomic Role application to
// each of the substructures.
func (r Role) Merge(n Role) (Role, error) {
	var out Role
	var err error
	if r.Role != n.Role {
		return out, mergeErr("Merging role with conflicting names: %s %s", r.Role, n.Role)
	}
	out.Role = r.Role
	out.Permissions, err = r.Permissions.Grant(n.Grant)
	if err != nil {
		return out, err
	}
	out.Permissions, err = out.Permissions.Revoke(n.Revoke)
	if err != nil {
		return out, err
	}
	return out, nil
}

func (r Role) HasKeyAccess(key string, write bool) bool {
	return r.Permissions.KV.HasAccess(key, write)
}

// Grant adds a set of permissions to the permission object on which it is called,
// returning a new permission object.
func (p Permissions) Grant(n *Permissions) (Permissions, error) {
	var out Permissions
	var err error
	if n == nil {
		return p, nil
	}
	out.KV, err = p.KV.Grant(n.KV)
	return out, err
}

// Revoke removes a set of permissions to the permission object on which it is called,
// returning a new permission object.
func (p Permissions) Revoke(n *Permissions) (Permissions, error) {
	var out Permissions
	var err error
	if n == nil {
		return p, nil
	}
	out.KV, err = p.KV.Revoke(n.KV)
	return out, err
}

// Grant adds a set of permissions to the permission object on which it is called,
// returning a new permission object.
func (rw rwPermission) Grant(n rwPermission) (rwPermission, error) {
	var out rwPermission
	currentRead := types.NewUnsafeSet(rw.Read...)
	for _, r := range n.Read {
		if currentRead.Contains(r) {
			return out, mergeErr("Granting duplicate read permission %s", r)
		}
		currentRead.Add(r)
	}
	currentWrite := types.NewUnsafeSet(rw.Write...)
	for _, w := range n.Write {
		if currentWrite.Contains(w) {
			return out, mergeErr("Granting duplicate write permission %s", w)
		}
		currentWrite.Add(w)
	}
	out.Read = currentRead.Values()
	out.Write = currentWrite.Values()
	return out, nil
}

// Revoke removes a set of permissions to the permission object on which it is called,
// returning a new permission object.
func (rw rwPermission) Revoke(n rwPermission) (rwPermission, error) {
	var out rwPermission
	currentRead := types.NewUnsafeSet(rw.Read...)
	for _, r := range n.Read {
		if !currentRead.Contains(r) {
			return out, mergeErr("Revoking ungranted read permission %s", r)
		}
		currentRead.Remove(r)
	}
	currentWrite := types.NewUnsafeSet(rw.Write...)
	for _, w := range n.Write {
		if !currentWrite.Contains(w) {
			return out, mergeErr("Revoking ungranted write permission %s", w)
		}
		currentWrite.Remove(w)
	}
	out.Read = currentRead.Values()
	out.Write = currentWrite.Values()
	return out, nil
}

func (rw rwPermission) HasAccess(key string, write bool) bool {
	var list []string
	if write {
		list = rw.Write
	} else {
		list = rw.Read
	}
	for _, pat := range list {
		match, err := path.Match(pat, key)
		if err == nil && match {
			return true
		}
	}
	return false
}