Authentication (#33)

* removed JSON file creation, showing only JSON blob

* updated makefile

* changed DB_CONN_STR to env variable

* Add ENV vars for checkmake (#15)

* Added auth for using the collector

* linting changes

* using password salting

* modifeid send-to-collector.sh

* modified send-to-collector

* Changed password type in index.html

---------

Co-authored-by: Shir Moran <[email protected]>
Co-authored-by: Brandon Palm <[email protected]>

Author: 3 people

README.md

@@ -28,6 +28,12 @@ Cleanup after:
 
 From collector's repo root directory, use the following command:
 
-`./send-to-collector.sh "path/to/claim.json" "enter_executed_by" "enter_partner_name"`
+`./send-to-collector.sh "path/to/claim.json" "enter_executed_by" "enter_partner_name(optional)" "enter_password(optinal)`
+
+# Instructions for running get-from-collector.sh
+
+From collector's repo root directory, use the following command:
+
+`./get-from-collector.sh "enter_partner_name" "enter_password"`
 
 

actions/authenticator.go

@@ -0,0 +1,66 @@
+package actions
+
+import (
+	"database/sql"
+	"fmt"
+	"net/http"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+func authenticatePostRequest(r *http.Request, tx *sql.Tx) (string, error) {
+	partnerName := r.FormValue(PartnerNameInputName)
+	decodedPassword := r.FormValue(DedcodedPasswordInputName)
+
+	// If partner name or password are empty, make partner anonymous
+	if partnerName == "" || decodedPassword == "" {
+		return "", nil
+	}
+
+	// Search for partner in authenticator talbe
+	var encodedPassword string
+	searchPartnerErr := tx.QueryRow(ExtractPartnerAndPasswordCmd, partnerName).Scan(&encodedPassword)
+	// Encode given decoded password
+	encodedDecodedPassword, err := bcrypt.GenerateFromPassword([]byte(decodedPassword), bcrypt.MinCost)
+
+	// If partner name is not recorded, add partner with encoded password
+	if searchPartnerErr == sql.ErrNoRows {
+		_, txErr := tx.Exec(InsertPartnerToAuthSQLCmd, partnerName, encodedDecodedPassword)
+		if txErr != nil {
+			handleTransactionRollback(tx, AuthError, err)
+			return "", txErr
+		}
+		return partnerName, nil
+	}
+	if err != nil {
+		handleTransactionRollback(tx, AuthError, err)
+		return "", err
+	}
+
+	// If partner is recorded and password is wrong throw data
+	err = bcrypt.CompareHashAndPassword([]byte(encodedPassword), []byte(decodedPassword))
+	if err != nil {
+		return "", fmt.Errorf(InvalidPasswordErr)
+	}
+	return partnerName, nil
+}
+
+func authenticateGetRequest(r *http.Request, db *sql.DB) (string, error) {
+	partnerName := r.FormValue(PartnerNameInputName)
+	decodedPassword := r.FormValue(DedcodedPasswordInputName)
+
+	// Search for partner in authenticator talbe
+	var encodedPassword string
+	err := db.QueryRow(ExtractPartnerAndPasswordCmd, partnerName).Scan(&encodedPassword)
+	if err != nil {
+		return "", err
+	}
+
+	// Compare encoded and given passwords
+	err = bcrypt.CompareHashAndPassword([]byte(encodedPassword), []byte(decodedPassword))
+	if err != nil {
+		return "", fmt.Errorf(InvalidPasswordErr)
+	}
+
+	return partnerName, nil
+}

actions/constants.go

@@ -8,23 +8,25 @@ const FormFileErr = "Error found while forming file: %s"
 const ReadingFileErr = "Error found while reading claim file: %s"
 const UnmarshalErr = "Error found while trying to unmarshal claim file: %s"
 const MarshalErr = "Error found while marshaling claim file: %s"
-const MalformedClaimFileErr = "Malformed claim file: "
-const ClaimFieldMissingErr = MalformedClaimFileErr + "claim field is missing."
-const VersionsFieldMissingErr = MalformedClaimFileErr + "versions field is missing."
-const OcpFieldMissingErr = MalformedClaimFileErr + "ocp subfield of versions field is missing."
-const TestMissingErr = MalformedClaimFileErr + "%s subfield of results field is missing."
-const TestTestIDMissingErr = MalformedClaimFileErr + "testID subfield of %s test is missing."
-const TestStateMissingErr = MalformedClaimFileErr + "state subfield of %s test is missing."
-const TestIDSuiteMissingErr = MalformedClaimFileErr + "suite subfield of %s's testID field is missing."
-const TestIDIDMissingErr = MalformedClaimFileErr + "id subfield of %s's testID field is missing."
-const ResultsFieldMissingErr = MalformedClaimFileErr + "results field is missing."
-const ExecutedByMissingErr = MalformedClaimFileErr + "executed by value is missing."
+const MalformedClaimFileErr = "Malformed claim file: %s"
+const ClaimFieldMissingErr = "claim field is missing."
+const VersionsFieldMissingErr = "versions field is missing."
+const OcpFieldMissingErr = "ocp subfield of versions field is missing."
+const TestTestIDMissingErr = "testID subfield of %s test is missing."
+const TestStateMissingErr = "state subfield of %s test is missing."
+const TestIDSuiteMissingErr = "suite subfield of %s's testID field is missing."
+const TestIDIDMissingErr = "id subfield of %s's testID field is missing."
+const ResultsFieldMissingErr = "results field is missing."
+const ExecutedByMissingErr = "Executed by value is missing."
 const MalformedJSONFileErr = "Malformed json file."
+const InvalidPasswordErr = "invalid password to given partner's name"
 const RollbackErr = "Error found while Rollbacking transaction: %s"
 const ExecQueryErr = "Error found while executing a mysql query: %s"
 const ScanDBFieldErr = "Error found while scanning db field: %s"
 const BeginTxErr = "Error found while beginning transaction: %s"
 const CommitTxErr = "Error found while committing transaction: %s"
+const AuthError = "Error found while authenticating partner's password: %s"
+const EncodingPasswordError = "Failed encoding password." // #nosec
 
 // parser.go constants
 const ClaimTag = "claim"
@@ -33,6 +35,7 @@ const ResultsTag = "results"
 const ClaimFileInputName = "claimFile"
 const ExecutedByInputName = "executed_by"
 const PartnerNameInputName = "partner_name"
+const DedcodedPasswordInputName = "decoded_password"
 
 const UseCollectorSQLCmd = `USE cnf; `
 const InsertToClaimSQLCmd = `INSERT INTO claim 
@@ -42,11 +45,18 @@ const InsertToClaimResSQLCmd = `INSERT INTO claim_result
 							(claim_id, suite_name, test_id, test_status)
 							VALUES (?, ?, ?, ?);`
 const ExtractLastClaimID = `SELECT id FROM cnf.claim ORDER BY id DESC LIMIT 1;`
+const ExtractPartnerAndPasswordCmd = `SELECT encoded_password FROM cnf.authenticator WHERE partner_name = ?`
+const InsertPartnerToAuthSQLCmd = `INSERT INTO cnf.authenticator (partner_name, encoded_password) VALUES (?, ?)`
 const ParseLowerBound = 10
 const ParseUpperBound = 20
 
 const SuccessUploadingFileMSG = "File was uploaded successfully!"
 
 // results.go constants
+const SelectAllFromClaimByPartner = "SELECT * FROM cnf.claim WHERE partner_name = ?"
 const SelectAllFromClaim = "SELECT * FROM cnf.claim"
+const SelectAllClaimIDsByPartner = "SELECT id FROM cnf.claim WHERE partner_name = ?"
+const SelectAllFromClaimResultByClaimIDs = "SELECT * FROM cnf.claim_result WHERE claim_id IN (%s)"
 const SelectAllFromClaimResult = "SELECT * FROM cnf.claim_result"
+const InvalidUserOrPasswordErr = "Invalid user name or password." // #nosec
+const AdminUserName = "admin"

actions/parser.go

@@ -12,39 +12,39 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-func handleTransactionRollback(tx *sql.Tx, err error, context string) {
+func handleTransactionRollback(tx *sql.Tx, context string, err error) {
 	txErr := tx.Rollback()
 	if txErr != nil {
 		logrus.Errorf(RollbackErr, txErr)
 	}
 	logrus.Errorf(context, err)
 }
 
-func writeResponse(w http.ResponseWriter, context, response string) {
-	_, writeErr := w.Write([]byte(response + "\n"))
+func writeError(w http.ResponseWriter, context, err string) {
+	_, writeErr := w.Write([]byte(err + "\n"))
 	if writeErr != nil {
 		logrus.Errorf(WritingResponseErr, writeErr)
 	}
-	logrus.Errorf(context, response)
+	logrus.Errorf(context, err)
 }
 
 func readClaimFile(w http.ResponseWriter, r *http.Request) []byte {
 	err := r.ParseMultipartForm(ParseLowerBound << ParseUpperBound)
 	if err != nil {
-		writeResponse(w, RequestContentTypeErr, err.Error())
+		writeError(w, RequestContentTypeErr, err.Error())
 		return nil
 	}
 
 	claimFile, _, err := r.FormFile(ClaimFileInputName)
 	if err != nil {
-		writeResponse(w, FormFileErr, err.Error())
+		writeError(w, FormFileErr, err.Error())
 		return nil
 	}
 	defer claimFile.Close()
 
 	claimFileBytes, err := io.ReadAll(claimFile)
 	if err != nil {
-		writeResponse(w, ReadingFileErr, err.Error())
+		writeError(w, ReadingFileErr, err.Error())
 		return nil
 	}
 
@@ -61,13 +61,13 @@ func uploadAndConvertClaimFile(w http.ResponseWriter, r *http.Request) map[strin
 	var claimFileMap map[string]interface{}
 	err := json.Unmarshal(claimFileBytes, &claimFileMap)
 	if err != nil {
-		writeResponse(w, UnmarshalErr, err.Error())
+		writeError(w, UnmarshalErr, err.Error())
 		return nil
 	}
 
 	_, keyExists := claimFileMap[ClaimTag]
 	if !keyExists {
-		writeResponse(w, "%s", ClaimFieldMissingErr)
+		writeError(w, MalformedClaimFileErr, ClaimFieldMissingErr)
 		return nil
 	}
 	return claimFileMap[ClaimTag].(map[string]interface{})
@@ -76,37 +76,36 @@ func uploadAndConvertClaimFile(w http.ResponseWriter, r *http.Request) map[strin
 func validateClaimKeys(w http.ResponseWriter, claimFileMap map[string]interface{}) map[string]interface{} {
 	versions, keyExists := claimFileMap[VersionsTag].(map[string]interface{})
 	if !keyExists {
-		writeResponse(w, "%s", VersionsFieldMissingErr)
+		writeError(w, MalformedClaimFileErr, VersionsFieldMissingErr)
 		return nil
 	}
 
 	_, keyExists = versions["ocp"]
 	if !keyExists {
-		writeResponse(w, "%s", OcpFieldMissingErr)
+		writeError(w, MalformedClaimFileErr, OcpFieldMissingErr)
 		return nil
 	}
 
 	return versions
 }
 
-func insertToClaimTable(w http.ResponseWriter, r *http.Request, tx *sql.Tx, claimFileMap map[string]interface{}) bool {
+func insertToClaimTable(w http.ResponseWriter, r *http.Request, tx *sql.Tx, claimFileMap map[string]interface{}, partnerName string) bool {
 	versions := validateClaimKeys(w, claimFileMap)
 	if versions == nil {
 		return false
 	}
 
 	// saving users input referring to who executed claim file and partner's name
 	executedBy := r.FormValue(ExecutedByInputName)
-	partnerName := r.FormValue(PartnerNameInputName)
 
 	if executedBy == "" {
-		writeResponse(w, "%s", ExecutedByMissingErr)
+		writeError(w, "%s", ExecutedByMissingErr)
 		return false
 	}
 
 	_, err := tx.Exec(InsertToClaimSQLCmd, versions["ocp"].(string), executedBy, time.Now(), partnerName)
 	if err != nil {
-		handleTransactionRollback(tx, err, ExecQueryErr)
+		handleTransactionRollback(tx, ExecQueryErr, err)
 		return false
 	}
 	return true
@@ -141,69 +140,83 @@ func validateInnerResultsKeys(results map[string]interface{}, testName string) (
 func insertToClaimResultTable(w http.ResponseWriter, tx *sql.Tx, claimFileMap map[string]interface{}) bool {
 	results, keyExists := claimFileMap[ResultsTag].(map[string]interface{})
 	if !keyExists {
-		writeResponse(w, "%s", ResultsFieldMissingErr)
+		writeError(w, MalformedClaimFileErr, ResultsFieldMissingErr)
 		return false
 	}
 
 	var claimID string
 	err := tx.QueryRow(ExtractLastClaimID).Scan(&claimID)
 	if err != nil {
-		handleTransactionRollback(tx, err, ScanDBFieldErr)
+		handleTransactionRollback(tx, ScanDBFieldErr, err)
 		return false
 	}
 
 	for testName := range results {
 		testData, testID, keyErr := validateInnerResultsKeys(results, testName)
 		if keyErr != "" {
-			writeResponse(w, "%s", keyErr)
+			writeError(w, MalformedClaimFileErr, keyErr)
 			return false
 		}
 		_, err = tx.Exec(InsertToClaimResSQLCmd, claimID, testID["suite"].(string),
 			testID["id"].(string), testData["state"].(string))
 		if err != nil {
-			handleTransactionRollback(tx, err, ExecQueryErr)
+			handleTransactionRollback(tx, ExecQueryErr, err)
 			return false
 		}
 	}
 	return true
 }
 
-func parseClaimFile(w http.ResponseWriter, r *http.Request, tx *sql.Tx, claimFileMap map[string]interface{}) bool {
+func parseClaimFile(w http.ResponseWriter, r *http.Request, tx *sql.Tx, claimFileMap map[string]interface{}, partnerName string) bool {
 	_, err := tx.Exec(UseCollectorSQLCmd)
 	if err != nil {
-		handleTransactionRollback(tx, err, ExecQueryErr)
+		handleTransactionRollback(tx, ExecQueryErr, err)
 		return false
 	}
 
-	if insertToClaimTable(w, r, tx, claimFileMap) && insertToClaimResultTable(w, tx, claimFileMap) {
+	if insertToClaimTable(w, r, tx, claimFileMap, partnerName) && insertToClaimResultTable(w, tx, claimFileMap) {
 		return true
 	}
 	return false
 }
 
 func ParserHandler(w http.ResponseWriter, r *http.Request, db *sql.DB) {
-	claimFileMap := uploadAndConvertClaimFile(w, r)
-	if claimFileMap == nil {
-		// error occurred while uploading\converting claim file.
-		return
-	}
 	// Beginning the transaction.
 	tx, err := db.Begin()
 	if err != nil {
 		logrus.Errorf(BeginTxErr, err)
 		return
 	}
 
+	// Authonticate partner name and password
+	partnerName, err := authenticatePostRequest(r, tx)
+	if err != nil {
+		writeError(w, AuthError, err.Error())
+		return
+	}
+
+	claimFileMap := uploadAndConvertClaimFile(w, r)
+	if claimFileMap == nil {
+		// error occurred while uploading\converting claim file.
+		return
+	}
+
 	// Check if an error occurred while parsing (which caused a Rollback).
-	if !parseClaimFile(w, r, tx, claimFileMap) {
+	if !parseClaimFile(w, r, tx, claimFileMap, partnerName) {
 		return
 	}
 
 	// If no error occurred, commit the transaction to make database changes.
 	err = tx.Commit()
 	if err != nil {
-		handleTransactionRollback(tx, err, CommitTxErr)
+		handleTransactionRollback(tx, CommitTxErr, err)
 		return
 	}
-	writeResponse(w, "%s", SuccessUploadingFileMSG)
+
+	// Succfully uploaded file
+	_, writeErr := w.Write([]byte(SuccessUploadingFileMSG + "\n"))
+	if writeErr != nil {
+		logrus.Errorf(WritingResponseErr, writeErr)
+	}
+	logrus.Info(SuccessUploadingFileMSG)
 }