Merge pull request #12 from ST2Projects/tk/9/api-keys-should-be-hashed-with-argon2

neo1908 · web-flow · commit 1562be872150 · 2022-08-27T16:25:52.000+01:00
Tk/9/api keys should be hashed with argon2
diff --git a/.gitignore b/.gitignore
@@ -171,3 +171,4 @@ fabric.properties
 
 resources
 dist/
+./ssh-sentinel-server
diff --git a/Makefile b/Makefile
@@ -8,7 +8,7 @@ doc:
 	godoc -http=:6060
 
 release:
-	shell goreleaser release
+	$(shell goreleaser release --rm-dist)
 
 release-dry:
 	$(shell goreleaser release --skip-publish)
diff --git a/crypto/argon_helper.go b/crypto/argon_helper.go
@@ -0,0 +1,69 @@
+package crypto
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"golang.org/x/crypto/argon2"
+	"strings"
+)
+
+const hashFormat = "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s"
+
+type PasswordConfig struct {
+	time    uint32
+	memory  uint32
+	threads uint8
+	keyLen  uint32
+}
+
+func (c PasswordConfig) DefaultConfig() *PasswordConfig {
+	return &PasswordConfig{
+		time:    1,
+		memory:  64 * 1024,
+		threads: 4,
+		keyLen:  32,
+	}
+}
+
+func GenerateHash(config *PasswordConfig, s string) (string, error) {
+	salt := make([]byte, 16)
+	if _, err := rand.Read(salt); err != nil {
+		return "", err
+	}
+
+	hash := argon2.IDKey([]byte(s), salt, config.time, config.memory, config.threads, config.keyLen)
+
+	saltB64 := base64.RawStdEncoding.EncodeToString(salt)
+	hashB64 := base64.RawStdEncoding.EncodeToString(hash)
+
+	finalHash := fmt.Sprintf(hashFormat, argon2.Version, config.memory, config.time, config.threads, saltB64, hashB64)
+
+	return finalHash, nil
+}
+
+func Validate(s, hash string) (bool, error) {
+
+	hashParts := strings.Split(hash, "$")
+
+	config := &PasswordConfig{}
+
+	_, err := fmt.Sscanf(hashParts[3], "m=%d,t=%d,p=%d", &config.memory, &config.time, &config.threads)
+	if err != nil {
+		return false, err
+	}
+
+	salt, err := base64.RawStdEncoding.DecodeString(hashParts[4])
+	if err != nil {
+		return false, err
+	}
+
+	decodedHash, err := base64.RawStdEncoding.DecodeString(hashParts[5])
+
+	config.keyLen = uint32(len(decodedHash))
+
+	comparisonHash := argon2.IDKey([]byte(s), salt, config.time, config.memory, config.threads, config.keyLen)
+
+	return subtle.ConstantTimeCompare(decodedHash, comparisonHash) == 1, nil
+}
diff --git a/crypto/argon_helper_test.go b/crypto/argon_helper_test.go
@@ -0,0 +1,23 @@
+package crypto
+
+import "testing"
+
+func TestDefaultConfig(t *testing.T) {
+	config := PasswordConfig{}.DefaultConfig()
+
+	if config.time != 1 {
+		t.Errorf("Incorrect default time %d . Expected '1'", config.time)
+	}
+
+	if config.memory != 65536 {
+		t.Errorf("Incorrect default memory %d . Expected '65536'", config.memory)
+	}
+
+	if config.threads != 4 {
+		t.Errorf("Incorrect default memory %d . Expected '4'", config.threads)
+	}
+
+	if config.keyLen != 32 {
+		t.Errorf("Incorrect default key length %d . Expected '32'", config.keyLen)
+	}
+}
diff --git a/http-tests.http b/http-tests.http
@@ -3,7 +3,30 @@
 POST http://localhost/ssh
 Content-Type: application/json
 
-{"username": "test", "api_key": "47e69901-7feb-40fd-a48f-8d42211a16f0", "principals": ["test"], "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICazCPU7VgxhgZWNXr2bA2nErkFyXRz4IMddcZLDN7MU xxx@aaa"}
+{"username": "test", "api_key": "63cac958-6a06-4f18-9a58-d26779f89ab1", "principals": ["test"], "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICazCPU7VgxhgZWNXr2bA2nErkFyXRz4IMddcZLDN7MU xxx@aaa"}
 
+> {%
+ // Response handler
+ client.test("Request was successful", function () {
+     client.assert(response.status === 200, "Status was not 200");
+     client.assert(response.body.signedKey !== "", "signed key was empty!");
+     // let responseBody = JSON.parse(response.body.toString());
+     // client.assert(responseBody.signedKey != null, "Signed key was empty / null");
+ });
+ %}
 
-###
+### testFailedRequestUnAuthorisedAPIKey
+POST http://localhost/ssh
+Content-Type:  application/json
+
+{"username": "test", "api_key": "aabb", "principals": ["test"], "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICazCPU7VgxhgZWNXr2bA2nErkFyXRz4IMddcZLDN7MU xxx@aaa"}
+
+> {%
+ // Response handler
+ client.test("Request failed", function () {
+     client.assert(response.status === 401, "Status was not 401");
+     client.assert(response.body.signedKey === "", "signed key was not empty!");
+     // let responseBody = JSON.parse(response.body.toString());
+     // client.assert(responseBody.signedKey != null, "Signed key was empty / null");
+ });
+ %}
diff --git a/model/db/user.go b/model/db/user.go
@@ -1,12 +1,10 @@
 package db
 
 import (
-	"crypto/sha256"
-	"crypto/subtle"
-	"encoding/hex"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	"gorm.io/gorm"
+	"ssh-sentinel-server/crypto"
 )
 
 type User struct {
@@ -34,40 +32,17 @@ type APIKey struct {
 func NewAPIKey() (APIKey, string) {
 	id := uuid.New().String()
 
-	sha := sha256.New()
-	sha.Write([]byte(id))
-	finalValue := sha.Sum(nil)
-
-	apiKey := APIKey{}
-
-	apiKey.Key = hex.EncodeToString(finalValue)
-
-	return apiKey, id
-}
-
-func AsAPIKey(key uuid.UUID) APIKey {
-	sha := sha256.New()
-	sha.Write([]byte(key.String()))
-	finalValue := sha.Sum(nil)
-
 	apiKey := APIKey{}
-	apiKey.Key = hex.EncodeToString(finalValue)
-	return apiKey
-}
 
-func (k *APIKey) Validate(other string) bool {
-	sha := sha256.New()
-	sha.Write([]byte(other))
-	otherSum := sha.Sum(nil)
-
-	thisDecoded, err := hex.DecodeString(k.Key)
+	k, err := crypto.GenerateHash(crypto.PasswordConfig{}.DefaultConfig(), id)
 
 	if err != nil {
-		log.Fatal("Failed to decode key", err)
+		log.Fatal("Cannot create key", err)
 	}
 
-	// ConstantTimeCompare returns 1 when equal...
-	return subtle.ConstantTimeCompare(thisDecoded, otherSum) == 1
+	apiKey.Key = k
+
+	return apiKey, id
 }
 
 func (p *Principal) String() string {
diff --git a/model/db/user_test.go b/model/db/user_test.go
@@ -2,16 +2,6 @@ package db
 
 import "testing"
 
-func TestAPIKeyType_Validate(t *testing.T) {
-	myKey := APIKey{Key: "e072bebc2cf6191881f0a1af2af353e1ded499e77b9d05a0425a25c3fce90807"}
-
-	validated := myKey.Validate("39d61458-7c4c-4e58-a79d-37f02a448ca9")
-
-	if !validated {
-		t.Error("Key did not validate")
-	}
-}
-
 func TestUser_Table(t *testing.T) {
 	u := User{}
 
diff --git a/server/handlers.go b/server/handlers.go
@@ -7,6 +7,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"io/ioutil"
 	"net/http"
+	"ssh-sentinel-server/crypto"
 	"ssh-sentinel-server/helper"
 	model "ssh-sentinel-server/model/http"
 	"ssh-sentinel-server/sql"
@@ -33,9 +34,10 @@ func AuthenticationHandler(next http.Handler) http.Handler {
 
 		user := sql.GetUserByUsername(signRequest.Username)
 
-		hasValidAPIKey := user.APIKey.Validate(signRequest.APIKey)
+		hasValidAPIKey, err := crypto.Validate(signRequest.APIKey, user.APIKey.Key)
 
 		if !hasValidAPIKey {
+			w.WriteHeader(http.StatusUnauthorized)
 			panic(helper.NewError("Unauthorised key"))
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -171,3 +171,4 @@ fabric.properties`
`171`	`171`
`172`	`172`	`resources`
`173`	`173`	`dist/`
	`174`	`+./ssh-sentinel-server`