calendar-webapp/source/calendarwebapp/authenticator.d

module calendarwebapp.authenticator;

import calendarwebapp.passhash : PasswordHasher;

import poodinis;

import std.conv : to;
import std.range : InputRange;
import std.typecons : nullable, Nullable;

import vibe.data.bson;

import vibe.db.mongo.collection : MongoCollection;

interface Authenticator
{
    Nullable!AuthInfo checkUser(string username, string password) @safe;
    void addUser(AuthInfo authInfo);
    InputRange!AuthInfo getAllUsers();
    void removeUser(string id);
}

class MongoDBAuthenticator(Collection = MongoCollection) : Authenticator
{
private:
    @Value("users")
    Collection users;
    @Autowire PasswordHasher passwordHasher;

public:
    Nullable!AuthInfo checkUser(string username, string password) @safe
    {
        import vibe.core.concurrency : async;

        immutable result = users.findOne(["username" : username]);

        if (result != Bson(null))
        {
            auto authInfo = result.deserializeBson!AuthInfo;
            if ((()@trusted => async(() => passwordHasher.checkHash(password,
                    authInfo.passwordHash)).getResult)())
            {
                return authInfo.nullable;
            }
        }
        return Nullable!AuthInfo.init;
    }

    void addUser(AuthInfo authInfo) @safe
    {
        import std.conv : ConvException;

        try
        {
            if (!BsonObjectID.fromString(authInfo.id).valid)
                throw new ConvException("invalid BsonObjectID.");
        }
        catch (ConvException)
        {
            authInfo.id = BsonObjectID.generate.to!string;
        }

        users.insert(authInfo.serializeToBson);
    }

    InputRange!AuthInfo getAllUsers() @safe
    {
        import std.algorithm : map;
        import std.range : inputRangeObject;

        return users.find().map!(deserializeBson!AuthInfo).inputRangeObject;
    }

    void removeUser(string id) @safe
    {
        users.remove(["_id" : id]);
    }
}

enum Privilege
{
    None,
    User,
    Admin
}

class MySQLAuthenticator : Authenticator
{
private:
    import mysql;

    @Autowire MySQLPool pool;
    @Autowire PasswordHasher passwordHasher;
    @Value("mysql.table.users") string usersTableName;

public:
    Nullable!AuthInfo checkUser(string username, string password) @trusted
    {
        import vibe.core.concurrency : async;

        auto cn = pool.lockConnection();
        scope (exit)
            cn.close();
        auto prepared = cn.prepare(
                "SELECT id, username, passwordHash, privilege FROM "
                ~ usersTableName ~ " WHERE username = ?");
        prepared.setArg(0, username);
        auto result = prepared.query();
        /* checkHash should be called using vibe.core.concurrency.async to
           avoid blocking, but https://github.com/vibe-d/vibe.d/issues/1521 is
           blocking this */
        if (!result.empty)
        {
            auto authInfo = toAuthInfo(result.front);
            if (async(() => passwordHasher.checkHash(password, authInfo.passwordHash)).getResult)
            {
                return authInfo.nullable;
            }
        }
        return Nullable!AuthInfo.init;
    }

    void addUser(AuthInfo authInfo)
    {
        auto cn = pool.lockConnection();
        scope (exit)
            cn.close;
        auto prepared = cn.prepare(
                "INSERT INTO " ~ usersTableName ~ " (username, passwordHash, privilege) VALUES(?, ?, ?)");
        prepared.setArgs(authInfo.username, authInfo.passwordHash, authInfo.privilege.to!uint);
        prepared.exec();
    }

    InputRange!AuthInfo getAllUsers()
    {
        import std.algorithm : map;
        import std.range : inputRangeObject;

        auto cn = pool.lockConnection();
        scope (exit)
            cn.close;
        auto prepared = cn.prepare("SELECT id, username, passwordHash, privilege FROM " ~ usersTableName ~ "");
        return prepared.querySet.map!(r => toAuthInfo(r)).inputRangeObject;
    }

    void removeUser(string id)
    {
        auto cn = pool.lockConnection();
        scope (exit)
            cn.close;
        auto prepared = cn.prepare("DELETE FROM " ~ usersTableName ~ " WHERE id = ?");
        prepared.setArg(0, id.to!uint);
        prepared.exec();
    }

private:

    AuthInfo toAuthInfo(in Row r)
    {
        import std.conv : to;

        AuthInfo authInfo;
        authInfo.id = r[0].get!uint.to!string;
        authInfo.username = r[1].get!string;
        authInfo.passwordHash = r[2].get!string;
        authInfo.privilege = r[3].get!uint.to!Privilege;
        return authInfo;
    }
}

struct AuthInfo
{
    import vibe.data.serialization : name;

    @name("_id") string id;
    string username;
    string passwordHash;
    Privilege privilege;

    mixin(generateAuthMethods);

private:
    static string generateAuthMethods() pure @safe
    {
        import std.conv : to;
        import std.format : format;
        import std.traits : EnumMembers;

        string ret;
        foreach (member; EnumMembers!Privilege)
        {
            ret ~= q{
                bool is%s() const pure @safe nothrow
                {
                    return privilege == Privilege.%s;
                }
            }.format(member.to!string, member.to!string);
        }
        return ret;
    }
}
initial addition of unittests 2017-09-17 17:52:41 +02:00			`module calendarwebapp.authenticator;`

added abstraction layer for password hashing 2017-10-27 18:58:46 +02:00			`import calendarwebapp.passhash : PasswordHasher;`

initial addition of unittests 2017-09-17 17:52:41 +02:00			`import poodinis;`

made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`import std.conv : to;`
Added possibility for admins to add and remove users 2017-10-27 17:09:55 +02:00			`import std.range : InputRange;`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`import std.typecons : nullable, Nullable;`

Added possibility for admins to add and remove users 2017-10-27 17:09:55 +02:00			`import vibe.data.bson;`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00
initial addition of unittests 2017-09-17 17:52:41 +02:00			`import vibe.db.mongo.collection : MongoCollection;`

			`interface Authenticator`
			`{`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`Nullable!AuthInfo checkUser(string username, string password) @safe;`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`void addUser(AuthInfo authInfo);`
			`InputRange!AuthInfo getAllUsers();`
			`void removeUser(string id);`
initial addition of unittests 2017-09-17 17:52:41 +02:00			`}`

			`class MongoDBAuthenticator(Collection = MongoCollection) : Authenticator`
			`{`
			`private:`
			`@Value("users")`
			`Collection users;`
added abstraction layer for password hashing 2017-10-27 18:58:46 +02:00			`@Autowire PasswordHasher passwordHasher;`
initial addition of unittests 2017-09-17 17:52:41 +02:00
			`public:`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`Nullable!AuthInfo checkUser(string username, string password) @safe`
initial addition of unittests 2017-09-17 17:52:41 +02:00			`{`
do password hashing asynchronously 2017-11-23 21:40:48 +01:00			`import vibe.core.concurrency : async;`

			`immutable result = users.findOne(["username" : username]);`

Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`if (result != Bson(null))`
			`{`
			`auto authInfo = result.deserializeBson!AuthInfo;`
do password hashing asynchronously 2017-11-23 21:40:48 +01:00			`if ((()@trusted => async(() => passwordHasher.checkHash(password,`
			`authInfo.passwordHash)).getResult)())`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`{`
			`return authInfo.nullable;`
			`}`
			`}`
Added possibility for admins to add and remove users 2017-10-27 17:09:55 +02:00			`return Nullable!AuthInfo.init;`
initial addition of unittests 2017-09-17 17:52:41 +02:00			`}`
Added possibility for admins to add and remove users 2017-10-27 17:09:55 +02:00
			`void addUser(AuthInfo authInfo) @safe`
			`{`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`import std.conv : ConvException;`

			`try`
			`{`
			`if (!BsonObjectID.fromString(authInfo.id).valid)`
			`throw new ConvException("invalid BsonObjectID.");`
			`}`
			`catch (ConvException)`
			`{`
			`authInfo.id = BsonObjectID.generate.to!string;`
			`}`
Added possibility for admins to add and remove users 2017-10-27 17:09:55 +02:00
			`users.insert(authInfo.serializeToBson);`
			`}`

			`InputRange!AuthInfo getAllUsers() @safe`
			`{`
			`import std.algorithm : map;`
			`import std.range : inputRangeObject;`

			`return users.find().map!(deserializeBson!AuthInfo).inputRangeObject;`
			`}`

made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`void removeUser(string id) @safe`
Added possibility for admins to add and remove users 2017-10-27 17:09:55 +02:00			`{`
			`users.remove(["_id" : id]);`
initial addition of unittests 2017-09-17 17:52:41 +02:00			`}`
			`}`

Only show menu when authenticated and only show user management when logged in as admin 2017-10-27 18:03:55 +02:00			`enum Privilege`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`{`
Only show menu when authenticated and only show user management when logged in as admin 2017-10-27 18:03:55 +02:00			`None,`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`User,`
			`Admin`
initial addition of unittests 2017-09-17 17:52:41 +02:00			`}`

Added MySQL support 2017-10-30 02:31:48 +01:00			`class MySQLAuthenticator : Authenticator`
			`{`
			`private:`
			`import mysql;`

			`@Autowire MySQLPool pool;`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`@Autowire PasswordHasher passwordHasher;`
Added possibility to configure the application with a config file or with command line arguments. Currently only selection of the database system and options for those systems are available. 2017-11-10 16:29:19 +01:00			`@Value("mysql.table.users") string usersTableName;`
Added MySQL support 2017-10-30 02:31:48 +01:00
			`public:`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`Nullable!AuthInfo checkUser(string username, string password) @trusted`
Added MySQL support 2017-10-30 02:31:48 +01:00			`{`
do password hashing asynchronously 2017-11-23 21:40:48 +01:00			`import vibe.core.concurrency : async;`

Added MySQL support 2017-10-30 02:31:48 +01:00			`auto cn = pool.lockConnection();`
			`scope (exit)`
			`cn.close();`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`auto prepared = cn.prepare(`
Added possibility to configure the application with a config file or with command line arguments. Currently only selection of the database system and options for those systems are available. 2017-11-10 16:29:19 +01:00			`"SELECT id, username, passwordHash, privilege FROM "`
			`~ usersTableName ~ " WHERE username = ?");`
Added MySQL support 2017-10-30 02:31:48 +01:00			`prepared.setArg(0, username);`
			`auto result = prepared.query();`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`/* checkHash should be called using vibe.core.concurrency.async to`
Added MySQL support 2017-10-30 02:31:48 +01:00			`avoid blocking, but https://github.com/vibe-d/vibe.d/issues/1521 is`
			`blocking this */`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`if (!result.empty)`
			`{`
			`auto authInfo = toAuthInfo(result.front);`
do password hashing asynchronously 2017-11-23 21:40:48 +01:00			`if (async(() => passwordHasher.checkHash(password, authInfo.passwordHash)).getResult)`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`{`
			`return authInfo.nullable;`
			`}`
			`}`
			`return Nullable!AuthInfo.init;`
			`}`

			`void addUser(AuthInfo authInfo)`
			`{`
			`auto cn = pool.lockConnection();`
			`scope (exit)`
			`cn.close;`
			`auto prepared = cn.prepare(`
Added possibility to configure the application with a config file or with command line arguments. Currently only selection of the database system and options for those systems are available. 2017-11-10 16:29:19 +01:00			`"INSERT INTO " ~ usersTableName ~ " (username, passwordHash, privilege) VALUES(?, ?, ?)");`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`prepared.setArgs(authInfo.username, authInfo.passwordHash, authInfo.privilege.to!uint);`
			`prepared.exec();`
			`}`

			`InputRange!AuthInfo getAllUsers()`
			`{`
			`import std.algorithm : map;`
			`import std.range : inputRangeObject;`

			`auto cn = pool.lockConnection();`
			`scope (exit)`
			`cn.close;`
Added possibility to configure the application with a config file or with command line arguments. Currently only selection of the database system and options for those systems are available. 2017-11-10 16:29:19 +01:00			`auto prepared = cn.prepare("SELECT id, username, passwordHash, privilege FROM " ~ usersTableName ~ "");`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`return prepared.querySet.map!(r => toAuthInfo(r)).inputRangeObject;`
			`}`

			`void removeUser(string id)`
			`{`
			`auto cn = pool.lockConnection();`
			`scope (exit)`
			`cn.close;`
Added possibility to configure the application with a config file or with command line arguments. Currently only selection of the database system and options for those systems are available. 2017-11-10 16:29:19 +01:00			`auto prepared = cn.prepare("DELETE FROM " ~ usersTableName ~ " WHERE id = ?");`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`prepared.setArg(0, id.to!uint);`
			`prepared.exec();`
			`}`

			`private:`

do password hashing asynchronously 2017-11-23 21:40:48 +01:00			`AuthInfo toAuthInfo(in Row r)`
made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`{`
			`import std.conv : to;`

			`AuthInfo authInfo;`
			`authInfo.id = r[0].get!uint.to!string;`
			`authInfo.username = r[1].get!string;`
			`authInfo.passwordHash = r[2].get!string;`
			`authInfo.privilege = r[3].get!uint.to!Privilege;`
			`return authInfo;`
Added MySQL support 2017-10-30 02:31:48 +01:00			`}`
			`}`

initial addition of unittests 2017-09-17 17:52:41 +02:00			`struct AuthInfo`
			`{`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`import vibe.data.serialization : name;`

made admin interface work with mysql 2017-11-09 02:24:15 +01:00			`@name("_id") string id;`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`string username;`
			`string passwordHash;`
Only show menu when authenticated and only show user management when logged in as admin 2017-10-27 18:03:55 +02:00			`Privilege privilege;`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00
Automatically generate methods for checking if a user has certain privileges. Once static foreach is supported by ldc, this can be done even more elegant without the use of a helper function. 2017-10-27 15:13:02 +02:00			`mixin(generateAuthMethods);`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00
Automatically generate methods for checking if a user has certain privileges. Once static foreach is supported by ldc, this can be done even more elegant without the use of a helper function. 2017-10-27 15:13:02 +02:00			`private:`
			`static string generateAuthMethods() pure @safe`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`{`
Automatically generate methods for checking if a user has certain privileges. Once static foreach is supported by ldc, this can be done even more elegant without the use of a helper function. 2017-10-27 15:13:02 +02:00			`import std.conv : to;`
			`import std.format : format;`
			`import std.traits : EnumMembers;`

			`string ret;`
Only show menu when authenticated and only show user management when logged in as admin 2017-10-27 18:03:55 +02:00			`foreach (member; EnumMembers!Privilege)`
Automatically generate methods for checking if a user has certain privileges. Once static foreach is supported by ldc, this can be done even more elegant without the use of a helper function. 2017-10-27 15:13:02 +02:00			`{`
			`ret ~= q{`
			`bool is%s() const pure @safe nothrow`
			`{`
Only show menu when authenticated and only show user management when logged in as admin 2017-10-27 18:03:55 +02:00			`return privilege == Privilege.%s;`
Automatically generate methods for checking if a user has certain privileges. Once static foreach is supported by ldc, this can be done even more elegant without the use of a helper function. 2017-10-27 15:13:02 +02:00			`}`
			`}.format(member.to!string, member.to!string);`
			`}`
			`return ret;`
Initial work for support for different user roles. 2017-10-26 20:08:16 +02:00			`}`
initial addition of unittests 2017-09-17 17:52:41 +02:00			`}`