chore: Cleanup

Signed-off-by: jay-dee7 <[email protected]>
containerish · Sep 24, 2023 · 31942ae · 31942ae
1 parent bb0bf98
commit 31942ae
Show file tree

Hide file tree

Showing 40 changed files with 1,733 additions and 431 deletions.
diff --git a/auth/basic_auth.go b/auth/basic_auth.go
@@ -48,7 +48,14 @@ func (a *auth) buildBasicAuthenticationHeader(repoNamespace string) string {
 	)
 }
 
-func (a *auth) checkJWT(authHeader string) bool {
+func (a *auth) checkJWT(authHeader string, cookies []*http.Cookie) bool {
+	for _, cookie := range cookies {
+		if cookie.Name == AccessCookieKey {
+			// early return if access_token is found in cookies
+			return true
+		}
+	}
+
 	parts := strings.Split(authHeader, " ")
 	if len(parts) != 2 {
 		return false
@@ -154,7 +161,7 @@ func (a *auth) SkipBasicAuth(ctx echo.Context) bool {
 	authHeader := ctx.Request().Header.Get(AuthorizationHeaderKey)
 
 	// if Authorization header contains JWT, we skip basic auth and perform a JWT validation
-	if ok := a.checkJWT(authHeader); ok {
+	if ok := a.checkJWT(authHeader, ctx.Request().Cookies()); ok {
 		ctx.Set(JWT_AUTH_KEY, true)
 		return true
 	}

diff --git a/auth/github.go b/auth/github.go
@@ -271,8 +271,8 @@ func (a *auth) finishGitHubCallback(ctx echo.Context, user *v2_types.User, oauth
 	val := fmt.Sprintf("%s:%s", sessionId, user.ID)
 
 	sessionCookie := a.createCookie(ctx, "session_id", val, false, time.Now().Add(time.Hour*750))
-	accessCookie := a.createCookie(ctx, "access_token", accessToken, true, time.Now().Add(time.Hour*750))
-	refreshCookie := a.createCookie(ctx, "refresh_token", refreshToken, true, time.Now().Add(time.Hour*750))
+	accessCookie := a.createCookie(ctx, AccessCookieKey, accessToken, true, time.Now().Add(time.Hour*750))
+	refreshCookie := a.createCookie(ctx, RefreshCookKey, refreshToken, true, time.Now().Add(time.Hour*750))
 
 	ctx.SetCookie(accessCookie)
 	ctx.SetCookie(refreshCookie)

diff --git a/auth/helpers.go b/auth/helpers.go
@@ -138,11 +138,11 @@ type CreateClaimOptions struct {
 func CreateClaims(opts *CreateClaimOptions) Claims {
 	tokenLife := time.Now().Add(time.Minute * 10)
 	switch opts.TokeType {
-	case "access_token":
+	case AccessCookieKey:
 		// TODO (jay-dee7)
 		// token can live for month now, but must be addressed when we implement PASETO
 		tokenLife = time.Now().Add(time.Hour * 750)
-	case "refresh_token":
+	case RefreshCookKey:
 		tokenLife = time.Now().Add(time.Hour * 750)
 	case "service":
 		tokenLife = time.Now().Add(time.Hour * 750)

diff --git a/auth/jwt.go b/auth/jwt.go
@@ -236,7 +236,7 @@ func (a *auth) newToken(u *types.User) (string, error) {
 		Audience: a.c.Registry.FQDN,
 		Issuer:   OpenRegistryIssuer,
 		Id:       u.ID.String(),
-		TokeType: "access_token",
+		TokeType: AccessCookieKey,
 		Acl:      acl,
 	}
 	claims := CreateClaims(opts)

diff --git a/auth/jwt_middleware.go b/auth/jwt_middleware.go
@@ -15,8 +15,8 @@ import (
 )
 
 const (
-	AccessCookieKey = "access"
-	RefreshCookKey  = "refresh"
+	AccessCookieKey = "access_token"
+	RefreshCookKey  = "refresh_token"
 	QueryToken      = "token"
 )
 
@@ -28,6 +28,10 @@ func (a *auth) JWT() echo.MiddlewareFunc {
 				return false
 			}
 
+			if strings.HasPrefix(ctx.Request().RequestURI, "/v2/ext") {
+				return false
+			}
+
 			// if JWT_AUTH is not set, we don't need to perform JWT authentication
 			jwtAuth, ok := ctx.Get(JWT_AUTH_KEY).(bool)
 			if !ok {
@@ -59,8 +63,12 @@ func (a *auth) JWT() echo.MiddlewareFunc {
 					user, _ := a.pgStore.GetUserByID(ctx.Request().Context(), uuid.MustParse(claims.ID))
 					ctx.Set(string(types.UserClaimsContextKey), claims)
 					ctx.Set(string(types.UserContextKey), user)
+					a.logger.Debug().Str("method", "jwt_success_handler").Bool("success", true).Send()
+					return
 				}
 			}
+
+			a.logger.Debug().Str("method", "jwt_success_handler").Bool("success", false).Send()
 		},
 		SigningKey:    a.c.Registry.Auth.JWTSigningPrivateKey,
 		SigningKeys:   map[string]interface{}{},

diff --git a/auth/renew.go b/auth/renew.go
@@ -80,7 +80,7 @@ func (a *auth) RenewAccessToken(ctx echo.Context) error {
 	opts := &WebLoginJWTOptions{
 		Id:        userId,
 		Username:  user.Username,
-		TokenType: "access_token",
+		TokenType: AccessCookieKey,
 		Audience:  a.c.Registry.FQDN,
 		Privkey:   a.c.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    a.c.Registry.Auth.JWTSigningPubKey,
@@ -95,7 +95,7 @@ func (a *auth) RenewAccessToken(ctx echo.Context) error {
 		return echoErr
 	}
 
-	accessCookie := a.createCookie(ctx, "access_token", tokenString, true, time.Now().Add(time.Hour))
+	accessCookie := a.createCookie(ctx, AccessCookieKey, tokenString, true, time.Now().Add(time.Hour))
 	ctx.SetCookie(accessCookie)
 	err = ctx.NoContent(http.StatusNoContent)
 	a.logger.Log(ctx, err).Send()

diff --git a/auth/reset_password.go b/auth/reset_password.go
@@ -250,7 +250,7 @@ func (a *auth) ForgotPassword(ctx echo.Context) error {
 	opts := &WebLoginJWTOptions{
 		Id:        user.ID,
 		Username:  user.Username,
-		TokenType: "access_token",
+		TokenType: AccessCookieKey,
 		Audience:  a.c.Registry.FQDN,
 		Privkey:   a.c.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    a.c.Registry.Auth.JWTSigningPubKey,

diff --git a/auth/server/webauthn_server.go b/auth/server/webauthn_server.go
@@ -151,23 +151,23 @@ func (wa *webauthn_server) BeginRegistration(ctx echo.Context) error {
 			// If we encounter an error here, we need to do the following:
 			// 1. Rollback the session data (since this session data is irrelevant from this point onwards)
 			// 2. Rollback the webauthn user store txn
-			if werr := wa.webauthn.RemoveSessionData(ctx.Request().Context(), user.ID); werr != nil {
-				echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
-					"error":   werr.Error(),
-					"message": "failed to rollback stale session data",
-				})
-				wa.logger.Log(ctx, wErr).Send()
-				return echoErr
-			}
-
-			if rollbackErr := txn.Rollback(); rollbackErr != nil {
-				echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
-					"error":   rollbackErr.Error(),
-					"message": "failed to rollback webauthn user txn",
-				})
-				wa.logger.Log(ctx, wErr).Send()
-				return echoErr
-			}
+			// if werr := wa.webauthn.RemoveSessionData(ctx.Request().Context(), user.ID); werr != nil {
+			// 	echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
+			// 		"error":   werr.Error(),
+			// 		"message": "failed to rollback stale session data",
+			// 	})
+			// 	wa.logger.Log(ctx, wErr).Send()
+			// 	return echoErr
+			// }
+
+			// if rollbackErr := txn.Rollback(); rollbackErr != nil {
+			// 	echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
+			// 		"error":   rollbackErr.Error(),
+			// 		"message": "failed to rollback webauthn user txn",
+			// 	})
+			// 	wa.logger.Log(ctx, wErr).Send()
+			// 	return echoErr
+			// }
 
 			echoErr := ctx.JSON(http.StatusInternalServerError, echo.Map{
 				"error":   wErr.Error(),
@@ -407,7 +407,7 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 	accessTokenOpts := &auth.WebLoginJWTOptions{
 		Id:        user.ID,
 		Username:  username,
-		TokenType: "access_token",
+		TokenType: auth.AccessCookieKey,
 		Audience:  wa.cfg.Registry.FQDN,
 		Privkey:   wa.cfg.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    wa.cfg.Registry.Auth.JWTSigningPubKey,
@@ -416,7 +416,7 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 	refreshTokenOpts := &auth.WebLoginJWTOptions{
 		Id:        user.ID,
 		Username:  username,
-		TokenType: "refresh_token",
+		TokenType: auth.RefreshCookKey,
 		Audience:  wa.cfg.Registry.FQDN,
 		Privkey:   wa.cfg.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    wa.cfg.Registry.Auth.JWTSigningPubKey,
@@ -472,7 +472,7 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 
 	accessTokenCookie := auth.CreateCookie(&auth.CreateCookieOptions{
 		ExpiresAt:   time.Now().Add(time.Hour * 750),
-		Name:        "access_token",
+		Name:        auth.AccessCookieKey,
 		Value:       accessToken,
 		FQDN:        domain,
 		Environment: wa.cfg.Environment,
@@ -481,7 +481,7 @@ func (wa *webauthn_server) FinishLogin(ctx echo.Context) error {
 
 	refreshTokenCookie := auth.CreateCookie(&auth.CreateCookieOptions{
 		ExpiresAt:   time.Now().Add(time.Hour * 750), //one month
-		Name:        "refresh_token",
+		Name:        auth.RefreshCookKey,
 		Value:       refreshToken,
 		FQDN:        domain,
 		Environment: wa.cfg.Environment,

diff --git a/auth/signin.go b/auth/signin.go
@@ -109,7 +109,7 @@ func (a *auth) SignIn(ctx echo.Context) error {
 	accessTokenOpts := &WebLoginJWTOptions{
 		Id:        userFromDb.ID,
 		Username:  userFromDb.Username,
-		TokenType: "access_token",
+		TokenType: AccessCookieKey,
 		Audience:  a.c.Registry.FQDN,
 		Privkey:   a.c.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    a.c.Registry.Auth.JWTSigningPubKey,
@@ -127,7 +127,7 @@ func (a *auth) SignIn(ctx echo.Context) error {
 	refreshTokenOpts := &WebLoginJWTOptions{
 		Id:        userFromDb.ID,
 		Username:  userFromDb.Username,
-		TokenType: "refresh_token",
+		TokenType: RefreshCookKey,
 		Audience:  a.c.Registry.FQDN,
 		Privkey:   a.c.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    a.c.Registry.Auth.JWTSigningPubKey,
@@ -163,8 +163,8 @@ func (a *auth) SignIn(ctx echo.Context) error {
 
 	sessionId := fmt.Sprintf("%s:%s", id, userFromDb.ID)
 	sessionCookie := a.createCookie(ctx, "session_id", sessionId, false, time.Now().Add(time.Hour*750))
-	accessCookie := a.createCookie(ctx, "access_token", access, true, time.Now().Add(time.Hour*750))
-	refreshCookie := a.createCookie(ctx, "refresh_token", refresh, true, time.Now().Add(time.Hour*750))
+	accessCookie := a.createCookie(ctx, AccessCookieKey, access, true, time.Now().Add(time.Hour*750))
+	refreshCookie := a.createCookie(ctx, RefreshCookKey, refresh, true, time.Now().Add(time.Hour*750))
 
 	ctx.SetCookie(accessCookie)
 	ctx.SetCookie(refreshCookie)

diff --git a/auth/signout.go b/auth/signout.go
@@ -73,8 +73,8 @@ func (a *auth) SignOut(ctx echo.Context) error {
 		return echoErr
 	}
 
-	ctx.SetCookie(a.createCookie(ctx, "access_token", "", true, time.Now().Add(-time.Hour*750)))
-	ctx.SetCookie(a.createCookie(ctx, "refresh_token", "", true, time.Now().Add(-time.Hour*750)))
+	ctx.SetCookie(a.createCookie(ctx, AccessCookieKey, "", true, time.Now().Add(-time.Hour*750)))
+	ctx.SetCookie(a.createCookie(ctx, RefreshCookKey, "", true, time.Now().Add(-time.Hour*750)))
 	ctx.SetCookie(a.createCookie(ctx, "session_id", "", true, time.Now().Add(-time.Hour*750)))
 	err = ctx.JSON(http.StatusAccepted, echo.Map{
 		"message": "session deleted successfully",

diff --git a/auth/verify_email.go b/auth/verify_email.go
@@ -79,7 +79,7 @@ func (a *auth) VerifyEmail(ctx echo.Context) error {
 	accesssTokenOpts := &WebLoginJWTOptions{
 		Id:        userId,
 		Username:  user.Username,
-		TokenType: "access_token",
+		TokenType: AccessCookieKey,
 		Audience:  a.c.Registry.FQDN,
 		Privkey:   a.c.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    a.c.Registry.Auth.JWTSigningPubKey,
@@ -98,7 +98,7 @@ func (a *auth) VerifyEmail(ctx echo.Context) error {
 	refreshTokenOpts := &WebLoginJWTOptions{
 		Id:        userId,
 		Username:  user.Username,
-		TokenType: "refresh_token",
+		TokenType: RefreshCookKey,
 		Audience:  a.c.Registry.FQDN,
 		Privkey:   a.c.Registry.Auth.JWTSigningPrivateKey,
 		Pubkey:    a.c.Registry.Auth.JWTSigningPubKey,
@@ -133,8 +133,8 @@ func (a *auth) VerifyEmail(ctx echo.Context) error {
 
 	sessionId := fmt.Sprintf("%s:%s", id, userId)
 	sessionCookie := a.createCookie(ctx, "session_id", sessionId, false, time.Now().Add(time.Hour*750))
-	accessCookie := a.createCookie(ctx, "access_token", access, true, time.Now().Add(time.Hour))
-	refreshCookie := a.createCookie(ctx, "refresh_token", refresh, true, time.Now().Add(time.Hour*750))
+	accessCookie := a.createCookie(ctx, AccessCookieKey, access, true, time.Now().Add(time.Hour))
+	refreshCookie := a.createCookie(ctx, RefreshCookKey, refresh, true, time.Now().Add(time.Hour*750))
 
 	ctx.SetCookie(accessCookie)
 	ctx.SetCookie(refreshCookie)

diff --git a/auth/webauthn/types.go b/auth/webauthn/types.go
@@ -50,9 +50,13 @@ func (u *WebAuthnUser) WebAuthnCredentials() []webauthn.Credential {
 
 func (u *WebAuthnUser) AddWebAuthNCredential(creds *webauthn.Credential) {
 	// initialised to non-nil value in case of first attempt
-	if u.credentials == nil || len(u.credentials) == 0 {
-		return
+	if u.credentials == nil {
+		if creds == nil || len(creds.ID) == 0 {
+			return
+		}
+		u.credentials = make([]webauthn.Credential, 0)
 	}
+
 	u.credentials = append(u.credentials, *creds)
 }
 

diff --git a/auth/webauthn/webauthn.go b/auth/webauthn/webauthn.go
@@ -2,18 +2,17 @@ package webauthn
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"io"
 	"log"
+	"strings"
 
 	"github.com/containerish/OpenRegistry/config"
 	webauthn_store "github.com/containerish/OpenRegistry/store/v2/webauthn"
 	"github.com/fatih/color"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
-	"github.com/jackc/pgx/v4"
 )
 
 type (
@@ -167,7 +166,7 @@ func (wa *webAuthnService) BeginRegistration(
 	user *WebAuthnUser,
 ) (*protocol.CredentialCreation, error) {
 	creds, err := wa.store.GetWebAuthnCredentials(ctx, user.ID)
-	if err != nil && errors.Unwrap(err) != pgx.ErrNoRows {
+	if err != nil && !strings.Contains(err.Error(), "no rows in result set") {
 		return nil, err
 	}
 
@@ -197,9 +196,12 @@ func (wa *webAuthnService) BeginRegistration(
 	if err != nil {
 		return nil, fmt.Errorf("ERR_WEB_AUTHN_BEGIN_REGISTRATION: %w", err)
 	}
+
+	sessionUserId, _ := uuid.ParseBytes(sessionData.UserID)
+	color.Cyan("Before storing session info: user=%#v\nsession=%#v", user.ID.String(), sessionUserId)
 	// store session data in DB
 	if err = wa.store.AddWebAuthSessionData(ctx, user.ID, sessionData, "registration"); err != nil {
-		return nil, err
+		return nil, fmt.Errorf("ERR_WEB_AUTHN_ADD_SESSION: %w", err)
 	}
 
 	return credentialCreation, err
@@ -225,6 +227,8 @@ func (wa *webAuthnService) FinishRegistration(ctx context.Context, opts *FinishR
 		return fmt.Errorf("ERR_WEBAUTHN_PARSE_CREATION_REQUEST: %w", err)
 	}
 
+	color.Yellow("userId=%s - sessionOwnerId=%s", opts.User.WebAuthnID(), sessionData.UserID)
+
 	credentials, err := wa.core.CreateCredential(opts.User, *sessionData, parsedResponse)
 	if err != nil {
 		return fmt.Errorf("ERR_WEBAUTHN_CREATE_CREDENTIAL: %w", err)

diff --git a/cmd/registry.go b/cmd/registry.go
@@ -15,8 +15,8 @@ import (
 	"github.com/containerish/OpenRegistry/router"
 	github_actions_server "github.com/containerish/OpenRegistry/services/kon/github_actions/v1/server"
 	"github.com/containerish/OpenRegistry/store/postgres"
-	build_automation_store "github.com/containerish/OpenRegistry/store/postgres/build_automation"
 	store_v2 "github.com/containerish/OpenRegistry/store/v2"
+	"github.com/containerish/OpenRegistry/store/v2/automation"
 	"github.com/containerish/OpenRegistry/store/v2/emails"
 	registry_store "github.com/containerish/OpenRegistry/store/v2/registry"
 	"github.com/containerish/OpenRegistry/store/v2/sessions"
@@ -92,7 +92,8 @@ func RunRegistryServer(ctx *cli.Context) {
 	webauthnStore := webauthn.NewStore(rawDB)
 	emailStore := emails.NewStore(rawDB)
 
-	buildAutomationStore, err := build_automation_store.New(&cfg.StoreConfig)
+	// buildAutomationStore, err := build_automation_store.New(&cfg.StoreConfig)
+	buildAutomationStore, err := automation.New(rawDB)
 	if err != nil {
 		color.Red("ERR_BUILD_AUTOMATION_PG_CONN: %s", err.Error())
 		return
@@ -118,6 +119,7 @@ func RunRegistryServer(ctx *cli.Context) {
 
 	router.Register(cfg, e, reg, authSvc, webauthnServer, ext, registryStore)
 	router.RegisterHealthCheckEndpoint(e, healthCheckHandler)
+
 	if cfg.Integrations.GetGithubConfig() != nil && cfg.Integrations.GetGithubConfig().Enabled {
 		ghApp, err := github.NewGithubApp(
 			cfg.Integrations.GetGithubConfig(),