enigma-bbs/core/user.js

918 lines
29 KiB
JavaScript
Raw Normal View History

2014-10-20 05:30:44 +00:00
/* jslint node: true */
'use strict';
// ENiGMA½
const userDb = require('./database.js').dbs.user;
const Config = require('./config.js').get;
const userGroup = require('./user_group.js');
const { Errors, ErrorReasons } = require('./enig_error.js');
const Events = require('./events.js');
const UserProps = require('./user_property.js');
const Log = require('./logger.js').log;
const StatLog = require('./stat_log.js');
// deps
const crypto = require('crypto');
const assert = require('assert');
const async = require('async');
const _ = require('lodash');
const moment = require('moment');
const sanatizeFilename = require('sanitize-filename');
const ssh2 = require('ssh2');
exports.isRootUserId = function (id) {
return 1 === id;
};
2016-08-30 03:03:48 +00:00
module.exports = class User {
constructor() {
this.userId = 0;
this.username = '';
this.properties = {}; // name:value
this.groups = []; // group membership(s)
this.authFactor = User.AuthFactors.None;
}
// static property accessors
static get RootUserID() {
return 1;
}
2019-04-10 02:07:19 +00:00
static get AuthFactors() {
return {
None: 0, // Not yet authenticated in any way
Factor1: 1, // username + password/pubkey/etc. checked out
Factor2: 2, // validated with 2FA of some sort such as OTP
2019-04-10 02:07:19 +00:00
};
}
static get PBKDF2() {
return {
iterations: 1000,
keyLen: 128,
saltLen: 32,
};
}
static get StandardPropertyGroups() {
return {
auth: [
UserProps.PassPbkdf2Salt,
UserProps.PassPbkdf2Dk,
2019-04-10 02:07:19 +00:00
UserProps.AuthPubKey,
],
};
}
static get AccountStatus() {
return {
disabled: 0, // +op disabled
inactive: 1, // inactive, aka requires +op approval/activation
active: 2, // standard, active
locked: 3, // locked out (too many bad login attempts, etc.)
};
}
isAuthenticated() {
return true === this.authenticated;
}
isValid() {
if (this.userId <= 0 || this.username.length < Config().users.usernameMin) {
return false;
}
return this.hasValidPasswordProperties();
}
hasValidPasswordProperties() {
const salt = this.getProperty(UserProps.PassPbkdf2Salt);
const dk = this.getProperty(UserProps.PassPbkdf2Dk);
if (
!salt ||
!dk ||
salt.length !== User.PBKDF2.saltLen * 2 ||
dk.length !== User.PBKDF2.keyLen * 2
) {
return false;
}
return true;
}
isRoot() {
return User.isRootUserId(this.userId);
}
isSysOp() {
// alias to isRoot()
return this.isRoot();
}
isGroupMember(groupNames) {
if (_.isString(groupNames)) {
groupNames = [groupNames];
}
const isMember = groupNames.some(gn => -1 !== this.groups.indexOf(gn));
return isMember;
}
getSanitizedName(type = 'username') {
const name =
'real' === type ? this.getProperty(UserProps.RealName) : this.username;
return sanatizeFilename(name) || `user${this.userId.toString()}`;
}
getLegacySecurityLevel() {
if (this.isRoot() || this.isGroupMember('sysops')) {
return 100;
}
if (this.isGroupMember('users')) {
return 30;
}
return 10; // :TODO: Is this what we want?
}
processFailedLogin(userId, cb) {
async.waterfall(
[
callback => {
return User.getUser(userId, callback);
},
(tempUser, callback) => {
return StatLog.incrementUserStat(
tempUser,
UserProps.FailedLoginAttempts,
1,
(err, failedAttempts) => {
return callback(null, tempUser, failedAttempts);
}
);
},
(tempUser, failedAttempts, callback) => {
const lockAccount = _.get(Config(), 'users.failedLogin.lockAccount');
if (lockAccount > 0 && failedAttempts >= lockAccount) {
const props = {
[UserProps.AccountStatus]: User.AccountStatus.locked,
[UserProps.AccountLockedTs]: StatLog.now,
};
if (
!_.has(tempUser.properties, UserProps.AccountLockedPrevStatus)
) {
props[UserProps.AccountLockedPrevStatus] =
tempUser.getProperty(UserProps.AccountStatus);
}
Log.info(
{ userId, failedAttempts },
'(Re)setting account to locked due to failed logins'
);
return tempUser.persistProperties(props, callback);
}
return cb(null);
},
],
err => {
return cb(err);
}
);
}
unlockAccount(cb) {
const prevStatus = this.getProperty(UserProps.AccountLockedPrevStatus);
if (!prevStatus) {
return cb(null); // nothing to do
}
this.persistProperty(UserProps.AccountStatus, prevStatus, err => {
if (err) {
return cb(err);
}
return this.removeProperties(
[UserProps.AccountLockedPrevStatus, UserProps.AccountLockedTs],
cb
);
});
}
static get AuthFactor1Types() {
return {
SSHPubKey: 'sshPubKey',
Password: 'password',
TLSClient: 'tlsClientAuth',
};
}
authenticateFactor1(authInfo, cb) {
const username = authInfo.username;
const self = this;
const tempAuthInfo = {};
const validatePassword = (props, callback) => {
User.generatePasswordDerivedKey(
authInfo.password,
props[UserProps.PassPbkdf2Salt],
(err, dk) => {
if (err) {
return callback(err);
}
//
// Use constant time comparison here for security feel-goods
//
const passDkBuf = Buffer.from(dk, 'hex');
const propsDkBuf = Buffer.from(props[UserProps.PassPbkdf2Dk], 'hex');
return callback(
crypto.timingSafeEqual(passDkBuf, propsDkBuf)
? null
: Errors.AccessDenied('Invalid password')
);
}
);
};
const validatePubKey = (props, callback) => {
2019-04-10 02:07:19 +00:00
const pubKeyActual = ssh2.utils.parseKey(props[UserProps.AuthPubKey]);
if (!pubKeyActual) {
return callback(Errors.AccessDenied('Invalid public key'));
}
if (
authInfo.pubKey.key.algo != pubKeyActual.type ||
!crypto.timingSafeEqual(
authInfo.pubKey.key.data,
pubKeyActual.getPublicSSH()
)
) {
return callback(Errors.AccessDenied('Invalid public key'));
}
return callback(null);
};
async.waterfall(
[
function fetchUserId(callback) {
// get user ID
User.getUserIdAndName(username, (err, uid, un) => {
tempAuthInfo.userId = uid;
tempAuthInfo.username = un;
return callback(err);
});
},
function getRequiredAuthProperties(callback) {
// fetch properties required for authentication
User.loadProperties(
tempAuthInfo.userId,
{ names: User.StandardPropertyGroups.auth },
(err, props) => {
return callback(err, props);
}
);
},
function validatePassOrPubKey(props, callback) {
if (User.AuthFactor1Types.SSHPubKey === authInfo.type) {
return validatePubKey(props, callback);
}
return validatePassword(props, callback);
},
function initProps(callback) {
User.loadProperties(tempAuthInfo.userId, (err, allProps) => {
if (!err) {
tempAuthInfo.properties = allProps;
}
return callback(err);
});
},
function checkAccountStatus(callback) {
const accountStatus = parseInt(
tempAuthInfo.properties[UserProps.AccountStatus],
10
);
if (User.AccountStatus.disabled === accountStatus) {
return callback(
Errors.AccessDenied('Account disabled', ErrorReasons.Disabled)
);
}
if (User.AccountStatus.inactive === accountStatus) {
return callback(
Errors.AccessDenied('Account inactive', ErrorReasons.Inactive)
);
}
if (User.AccountStatus.locked === accountStatus) {
const autoUnlockMinutes = _.get(
Config(),
'users.failedLogin.autoUnlockMinutes'
);
const lockedTs = moment(
tempAuthInfo.properties[UserProps.AccountLockedTs]
);
if (autoUnlockMinutes && lockedTs.isValid()) {
const minutesSinceLocked = moment().diff(lockedTs, 'minutes');
if (minutesSinceLocked >= autoUnlockMinutes) {
// allow the login - we will clear any lock there
2018-11-23 18:44:46 +00:00
Log.info(
{
username,
userId: tempAuthInfo.userId,
lockedAt: lockedTs.format(),
},
2018-11-23 18:44:46 +00:00
'Locked account will now be unlocked due to auto-unlock minutes policy'
);
return callback(null);
}
}
return callback(
Errors.AccessDenied('Account is locked', ErrorReasons.Locked)
);
}
// anything else besides active is still not allowed
if (User.AccountStatus.active !== accountStatus) {
return callback(Errors.AccessDenied('Account is not active'));
}
return callback(null);
},
function initGroups(callback) {
userGroup.getGroupsForUser(tempAuthInfo.userId, (err, groups) => {
if (!err) {
tempAuthInfo.groups = groups;
}
return callback(err);
});
},
],
err => {
if (err) {
//
// If we failed login due to something besides an inactive or disabled account,
// we need to update failure status and possibly lock the account.
//
// If locked already, update the lock timestamp -- ie, extend the lockout period.
//
if (
![ErrorReasons.Disabled, ErrorReasons.Inactive].includes(
err.reasonCode
) &&
tempAuthInfo.userId
) {
self.processFailedLogin(tempAuthInfo.userId, persistErr => {
if (persistErr) {
Log.warn(
{ error: persistErr.message },
'Failed to persist failed login information'
);
}
return cb(err); // pass along original error
});
} else {
return cb(err);
}
} else {
// everything checks out - load up info
self.userId = tempAuthInfo.userId;
self.username = tempAuthInfo.username;
self.properties = tempAuthInfo.properties;
self.groups = tempAuthInfo.groups;
self.authFactor = User.AuthFactors.Factor1;
2019-04-10 02:07:19 +00:00
//
// If 2FA/OTP is required, this user is not quite authenticated yet.
//
self.authenticated = !(self.getProperty(UserProps.AuthFactor2OTP)
? true
: false);
self.removeProperty(UserProps.FailedLoginAttempts);
//
// We need to *revert* any locked status back to
// the user's previous status & clean up props.
//
self.unlockAccount(unlockErr => {
if (unlockErr) {
Log.warn(
{ error: unlockErr.message },
'Failed to unlock account'
);
}
return cb(null);
});
}
}
);
}
create(createUserInfo, cb) {
assert(0 === this.userId);
const config = Config();
if (
this.username.length < config.users.usernameMin ||
this.username.length > config.users.usernameMax
) {
return cb(Errors.Invalid('Invalid username length'));
}
const self = this;
// :TODO: set various defaults, e.g. default activation status, etc.
self.properties[UserProps.AccountStatus] = config.users.requireActivation
? User.AccountStatus.inactive
: User.AccountStatus.active;
async.waterfall(
[
function beginTransaction(callback) {
return userDb.beginTransaction(callback);
},
function createUserRec(trans, callback) {
trans.run(
`INSERT INTO user (user_name)
VALUES (?);`,
[self.username],
function inserted(err) {
// use classic function for |this|
if (err) {
return callback(err);
}
self.userId = this.lastID;
// Do not require activation for userId 1 (root/admin)
if (User.RootUserID === self.userId) {
self.properties[UserProps.AccountStatus] =
User.AccountStatus.active;
}
return callback(null, trans);
}
);
},
function genAuthCredentials(trans, callback) {
User.generatePasswordDerivedKeyAndSalt(
createUserInfo.password,
(err, info) => {
if (err) {
return callback(err);
}
self.properties[UserProps.PassPbkdf2Salt] = info.salt;
self.properties[UserProps.PassPbkdf2Dk] = info.dk;
return callback(null, trans);
}
);
},
function setInitialGroupMembership(trans, callback) {
2020-02-18 16:35:23 +00:00
// Assign initial groups. Must perform a clone: #235 - All users are sysops (and I can't un-sysop them)
self.groups = [...config.users.defaultGroups];
if (User.RootUserID === self.userId) {
// root/SysOp?
self.groups.push('sysops');
}
return callback(null, trans);
},
function saveAll(trans, callback) {
self.persistWithTransaction(trans, err => {
return callback(err, trans);
});
},
function sendEvent(trans, callback) {
Events.emit(Events.getSystemEvents().NewUser, {
user: Object.assign({}, self, {
sessionId: createUserInfo.sessionId,
}),
});
return callback(null, trans);
},
],
(err, trans) => {
if (trans) {
trans[err ? 'rollback' : 'commit'](transErr => {
return cb(err ? err : transErr);
});
} else {
return cb(err);
}
}
);
}
persistWithTransaction(trans, cb) {
assert(this.userId > 0);
const self = this;
async.series(
[
function saveProps(callback) {
self.persistProperties(self.properties, trans, err => {
return callback(err);
});
},
function saveGroups(callback) {
userGroup.addUserToGroups(self.userId, self.groups, trans, err => {
return callback(err);
});
},
],
err => {
return cb(err);
}
);
}
static persistPropertyByUserId(userId, propName, propValue, cb) {
userDb.run(
`REPLACE INTO user_property (user_id, prop_name, prop_value)
VALUES (?, ?, ?);`,
[userId, propName, propValue],
err => {
if (cb) {
return cb(err, propValue);
}
}
);
}
setProperty(propName, propValue) {
this.properties[propName] = propValue;
}
incrementProperty(propName, incrementBy) {
incrementBy = incrementBy || 1;
let newValue = parseInt(this.getProperty(propName));
if (newValue) {
newValue += incrementBy;
} else {
newValue = incrementBy;
}
this.setProperty(propName, newValue);
return newValue;
}
getProperty(propName) {
return this.properties[propName];
}
getPropertyAsNumber(propName) {
return parseInt(this.getProperty(propName), 10);
}
persistProperty(propName, propValue, cb) {
// update live props
this.properties[propName] = propValue;
return User.persistPropertyByUserId(this.userId, propName, propValue, cb);
}
removeProperty(propName, cb) {
// update live
delete this.properties[propName];
userDb.run(
`DELETE FROM user_property
WHERE user_id = ? AND prop_name = ?;`,
[this.userId, propName],
err => {
if (cb) {
return cb(err);
}
}
);
}
removeProperties(propNames, cb) {
async.each(
propNames,
(name, next) => {
return this.removeProperty(name, next);
},
err => {
if (cb) {
return cb(err);
}
2018-11-28 05:01:14 +00:00
}
);
}
persistProperties(properties, transOrDb, cb) {
if (!_.isFunction(cb) && _.isFunction(transOrDb)) {
cb = transOrDb;
transOrDb = userDb;
}
const self = this;
// update live props
_.merge(this.properties, properties);
const stmt = transOrDb.prepare(
`REPLACE INTO user_property (user_id, prop_name, prop_value)
VALUES (?, ?, ?);`
);
async.each(
Object.keys(properties),
(propName, nextProp) => {
stmt.run(self.userId, propName, properties[propName], err => {
return nextProp(err);
});
},
err => {
if (err) {
return cb(err);
}
stmt.finalize(() => {
return cb(null);
});
}
);
}
setNewAuthCredentials(password, cb) {
User.generatePasswordDerivedKeyAndSalt(password, (err, info) => {
if (err) {
return cb(err);
}
const newProperties = {
[UserProps.PassPbkdf2Salt]: info.salt,
[UserProps.PassPbkdf2Dk]: info.dk,
};
this.persistProperties(newProperties, err => {
return cb(err);
});
});
}
getAge() {
const birthdate = this.getProperty(UserProps.Birthdate);
if (birthdate) {
return moment().diff(birthdate, 'years');
}
}
static getUser(userId, cb) {
async.waterfall(
[
function fetchUserId(callback) {
User.getUserName(userId, (err, userName) => {
return callback(null, userName);
});
},
function initProps(userName, callback) {
User.loadProperties(userId, (err, properties) => {
return callback(err, userName, properties);
});
},
function initGroups(userName, properties, callback) {
userGroup.getGroupsForUser(userId, (err, groups) => {
return callback(null, userName, properties, groups);
});
},
],
(err, userName, properties, groups) => {
const user = new User();
user.userId = userId;
user.username = userName;
user.properties = properties;
user.groups = groups;
2019-04-10 02:07:19 +00:00
// explicitly NOT an authenticated user!
user.authenticated = false;
user.authFactor = User.AuthFactors.None;
return cb(err, user);
}
);
}
static isRootUserId(userId) {
return User.RootUserID === userId;
}
static getUserIdAndName(username, cb) {
userDb.get(
`SELECT id, user_name
FROM user
WHERE user_name LIKE ?;`,
[username],
(err, row) => {
if (err) {
return cb(err);
}
if (row) {
return cb(null, row.id, row.user_name);
}
return cb(Errors.DoesNotExist('No matching username'));
}
);
}
static getUserIdAndNameByRealName(realName, cb) {
userDb.get(
`SELECT id, user_name
FROM user
WHERE id = (
SELECT user_id
FROM user_property
2018-11-24 05:18:15 +00:00
WHERE prop_name='${UserProps.RealName}' AND prop_value LIKE ?
);`,
[realName],
(err, row) => {
if (err) {
return cb(err);
}
if (row) {
return cb(null, row.id, row.user_name);
}
return cb(Errors.DoesNotExist('No matching real name'));
}
);
}
static getUserIdAndNameByLookup(lookup, cb) {
User.getUserIdAndName(lookup, (err, userId, userName) => {
if (err) {
User.getUserIdAndNameByRealName(lookup, (err, userId, userName) => {
return cb(err, userId, userName);
});
} else {
return cb(null, userId, userName);
}
});
}
static getUserName(userId, cb) {
userDb.get(
`SELECT user_name
FROM user
WHERE id = ?;`,
[userId],
(err, row) => {
if (err) {
return cb(err);
}
if (row) {
return cb(null, row.user_name);
}
return cb(Errors.DoesNotExist('No matching user ID'));
}
);
}
static loadProperties(userId, options, cb) {
if (!cb && _.isFunction(options)) {
cb = options;
options = {};
}
let sql = `SELECT prop_name, prop_value
FROM user_property
WHERE user_id = ?`;
if (options.names) {
sql += ` AND prop_name IN("${options.names.join('","')}");`;
} else {
sql += ';';
}
let properties = {};
userDb.each(
sql,
[userId],
(err, row) => {
if (err) {
return cb(err);
}
properties[row.prop_name] = row.prop_value;
},
err => {
return cb(err, err ? null : properties);
}
);
}
// :TODO: make this much more flexible - propValue should allow for case-insensitive compare, etc.
static getUserIdsWithProperty(propName, propValue, cb) {
let userIds = [];
userDb.each(
`SELECT user_id
FROM user_property
WHERE prop_name = ? AND prop_value = ?;`,
[propName, propValue],
(err, row) => {
if (row) {
userIds.push(row.user_id);
}
},
() => {
return cb(null, userIds);
}
);
}
static getUserList(options, cb) {
const userList = [];
2020-07-14 04:40:49 +00:00
options.properties = options.properties || [UserProps.RealName];
2020-07-14 04:40:49 +00:00
const asList = [];
const joinList = [];
for (let i = 0; i < options.properties.length; ++i) {
const dbProp = options.properties[i];
const propName = options.propsCamelCase ? _.camelCase(dbProp) : dbProp;
asList.push(`p${i}.prop_value AS ${propName}`);
joinList.push(
`LEFT OUTER JOIN user_property p${i} ON p${i}.user_id = u.id AND p${i}.prop_name = '${dbProp}'`
);
2020-07-14 04:40:49 +00:00
}
userDb.each(
2020-07-14 04:40:49 +00:00
`SELECT u.id as userId, u.user_name as userName, ${asList.join(', ')}
FROM user u ${joinList.join(' ')}
ORDER BY u.user_name;`,
(err, row) => {
2020-07-14 04:40:49 +00:00
if (err) {
return cb(err);
}
2020-07-14 04:40:49 +00:00
userList.push(row);
},
2020-07-14 04:40:49 +00:00
err => {
return cb(err, userList);
}
);
}
static generatePasswordDerivedKeyAndSalt(password, cb) {
async.waterfall(
[
function getSalt(callback) {
User.generatePasswordDerivedKeySalt((err, salt) => {
return callback(err, salt);
});
},
function getDk(salt, callback) {
User.generatePasswordDerivedKey(password, salt, (err, dk) => {
return callback(err, salt, dk);
});
},
],
(err, salt, dk) => {
return cb(err, { salt: salt, dk: dk });
}
);
}
static generatePasswordDerivedKeySalt(cb) {
crypto.randomBytes(User.PBKDF2.saltLen, (err, salt) => {
if (err) {
return cb(err);
}
return cb(null, salt.toString('hex'));
});
}
static generatePasswordDerivedKey(password, salt, cb) {
password = Buffer.from(password).toString('hex');
crypto.pbkdf2(
password,
salt,
User.PBKDF2.iterations,
User.PBKDF2.keyLen,
'sha1',
(err, dk) => {
if (err) {
return cb(err);
}
return cb(null, dk.toString('hex'));
}
);
}
};