feat: add basic local login handler in dev cli

pkg/module/auth/http/passwd/argon2id/hasher.go

@@ -0,0 +1,136 @@
+package argon2id
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"forge.cadoles.com/arcad/edge/pkg/module/auth/http/passwd"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/argon2"
+)
+
+const (
+	Algo passwd.Algo = "argon2id"
+)
+
+func init() {
+	passwd.Register(Algo, &Hasher{})
+}
+
+var (
+	ErrInvalidHash         = errors.New("invalid hash")
+	ErrIncompatibleVersion = errors.New("incompatible version")
+)
+
+type params struct {
+	memory      uint32
+	iterations  uint32
+	parallelism uint8
+	saltLength  uint32
+	keyLength   uint32
+}
+
+var defaultParams = params{
+	memory:      64 * 1024,
+	iterations:  3,
+	parallelism: 2,
+	saltLength:  16,
+	keyLength:   32,
+}
+
+type Hasher struct{}
+
+// Hash implements passwd.Hasher
+func (*Hasher) Hash(plaintext string) (string, error) {
+	salt, err := generateRandomBytes(defaultParams.saltLength)
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	hash := argon2.IDKey([]byte(plaintext), salt, defaultParams.iterations, defaultParams.memory, defaultParams.parallelism, defaultParams.keyLength)
+
+	// Base64 encode the salt and hashed password.
+	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
+	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
+
+	// Return a string using the standard encoded hash representation.
+	encodedHash := fmt.Sprintf("$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s", argon2.Version, defaultParams.memory, defaultParams.iterations, defaultParams.parallelism, b64Salt, b64Hash)
+
+	return encodedHash, nil
+}
+
+// Match implements passwd.Hasher.
+func (*Hasher) Match(plaintext string, hash string) (bool, error) {
+	matches, err := comparePasswordAndHash(plaintext, hash)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	return matches, nil
+}
+
+var _ passwd.Hasher = &Hasher{}
+
+func generateRandomBytes(n uint32) ([]byte, error) {
+	buf := make([]byte, n)
+
+	if _, err := rand.Read(buf); err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return buf, nil
+}
+
+func comparePasswordAndHash(password, encodedHash string) (match bool, err error) {
+	p, salt, hash, err := decodeHash(encodedHash)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	otherHash := argon2.IDKey([]byte(password), salt, p.iterations, p.memory, p.parallelism, p.keyLength)
+
+	if subtle.ConstantTimeCompare(hash, otherHash) == 1 {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func decodeHash(encodedHash string) (p *params, salt, hash []byte, err error) {
+	vals := strings.Split(encodedHash, "$")
+	if len(vals) != 6 {
+		return nil, nil, nil, ErrInvalidHash
+	}
+
+	var version int
+	_, err = fmt.Sscanf(vals[2], "v=%d", &version)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	if version != argon2.Version {
+		return nil, nil, nil, ErrIncompatibleVersion
+	}
+
+	p = &params{}
+	_, err = fmt.Sscanf(vals[3], "m=%d,t=%d,p=%d", &p.memory, &p.iterations, &p.parallelism)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	salt, err = base64.RawStdEncoding.Strict().DecodeString(vals[4])
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	p.saltLength = uint32(len(salt))
+
+	hash, err = base64.RawStdEncoding.Strict().DecodeString(vals[5])
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	p.keyLength = uint32(len(hash))
+
+	return p, salt, hash, nil
+}

pkg/module/auth/http/passwd/hasher.go

@@ -0,0 +1,8 @@
+package passwd
+
+type Algo string
+
+type Hasher interface {
+	Hash(plaintext string) (string, error)
+	Match(plaintext string, hash string) (bool, error)
+}

pkg/module/auth/http/passwd/plain/hasher.go

@@ -0,0 +1,31 @@
+package plain
+
+import (
+	"crypto/subtle"
+
+	"forge.cadoles.com/arcad/edge/pkg/module/auth/http/passwd"
+)
+
+const (
+	Algo passwd.Algo = "plain"
+)
+
+func init() {
+	passwd.Register(Algo, &Hasher{})
+}
+
+type Hasher struct{}
+
+// Hash implements passwd.Hasher
+func (*Hasher) Hash(plaintext string) (string, error) {
+	return plaintext, nil
+}
+
+// Match implements passwd.Hasher.
+func (*Hasher) Match(plaintext string, hash string) (bool, error) {
+	matches := subtle.ConstantTimeCompare([]byte(plaintext), []byte(hash)) == 1
+
+	return matches, nil
+}
+
+var _ passwd.Hasher = &Hasher{}

pkg/module/auth/http/passwd/registry.go

@@ -0,0 +1,87 @@
+package passwd
+
+import (
+	"github.com/pkg/errors"
+)
+
+var ErrAlgoNotFound = errors.New("algo not found")
+
+type Registry struct {
+	hashers map[Algo]Hasher
+}
+
+func (r *Registry) Register(algo Algo, hasher Hasher) {
+	r.hashers[algo] = hasher
+}
+
+func (r *Registry) Match(algo Algo, plaintext string, hash string) (bool, error) {
+	hasher, exists := r.hashers[algo]
+	if !exists {
+		return false, errors.WithStack(ErrAlgoNotFound)
+	}
+
+	matches, err := hasher.Match(plaintext, hash)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	return matches, nil
+}
+
+func (r *Registry) Hash(algo Algo, plaintext string) (string, error) {
+	hasher, exists := r.hashers[algo]
+	if !exists {
+		return "", errors.WithStack(ErrAlgoNotFound)
+	}
+
+	hash, err := hasher.Hash(plaintext)
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	return hash, nil
+}
+
+func (r *Registry) Algorithms() []Algo {
+	algorithms := make([]Algo, 0, len(r.hashers))
+
+	for algo := range r.hashers {
+		algorithms = append(algorithms, algo)
+	}
+
+	return algorithms
+}
+
+func NewRegistry() *Registry {
+	return &Registry{
+		hashers: make(map[Algo]Hasher),
+	}
+}
+
+var defaultRegistry = NewRegistry()
+
+func Match(algo Algo, plaintext string, hash string) (bool, error) {
+	matches, err := defaultRegistry.Match(algo, plaintext, hash)
+	if err != nil {
+		return false, errors.WithStack(err)
+	}
+
+	return matches, nil
+}
+
+func Hash(algo Algo, plaintext string) (string, error) {
+	hash, err := defaultRegistry.Hash(algo, plaintext)
+	if err != nil {
+		return "", errors.WithStack(err)
+	}
+
+	return hash, nil
+}
+
+func Algorithms() []Algo {
+	return defaultRegistry.Algorithms()
+}
+
+func Register(algo Algo, hasher Hasher) {
+	defaultRegistry.Register(algo, hasher)
+}