Merge branch 'admin_interface' into 'master'

Admin interface Closes #2 See merge request fsimphy/calendar-webapp!11
2017-11-05 15:09:12 +01:00 · 2017-11-05 15:09:12 +01:00 · 2eec08b9bf
parent ea0d5a6d9f 28e22f08be
commit 2eec08b9bf
11 changed files with 335 additions and 41 deletions
--- a/source/calendarwebapp/authenticator.d
+++ b/source/calendarwebapp/authenticator.d
@ -1,12 +1,21 @@
 module calendarwebapp.authenticator;

+import calendarwebapp.passhash : PasswordHasher;
+
 import poodinis;

+import std.range : InputRange;
+import std.typecons : nullable, Nullable;
+
+import vibe.data.bson;
 import vibe.db.mongo.collection : MongoCollection;

 interface Authenticator
 {
-    bool checkUser(string username, string password) @safe;
+    Nullable!AuthInfo checkUser(string username, string password) @safe;
+    void addUser(AuthInfo authInfo) @safe;
+    InputRange!AuthInfo getAllUsers() @safe;
+    void removeUser(BsonObjectID id) @safe;
 }

 class MongoDBAuthenticator(Collection = MongoCollection) : Authenticator
@ -14,23 +23,85 @@ class MongoDBAuthenticator(Collection = MongoCollection) : Authenticator
 private:
    @Value("users")
    Collection users;
+    @Autowire PasswordHasher passwordHasher;

 public:
-    bool checkUser(string username, string password) @safe
+    Nullable!AuthInfo checkUser(string username, string password) @safe
    {
        import botan.passhash.bcrypt : checkBcrypt;
-        import vibe.data.bson : Bson;

        auto result = users.findOne(["username" : username]);
-        /* checkBcrypt should be called using vibe.core.concurrency.async to
+        /* checkHash should be called using vibe.core.concurrency.async to
           avoid blocking, but https://github.com/vibe-d/vibe.d/issues/1521 is
           blocking this */
-        return (result != Bson(null)) && (() @trusted => checkBcrypt(password,
-                result["password"].get!string))();
+        if (result != Bson(null))
+        {
+            auto authInfo = result.deserializeBson!AuthInfo;
+            if (passwordHasher.checkHash(password, authInfo.passwordHash))
+            {
+                return authInfo.nullable;
+            }
+        }
+        return Nullable!AuthInfo.init;
    }
+
+    void addUser(AuthInfo authInfo) @safe
+    {
+        if (!authInfo.id.valid)
+            authInfo.id = BsonObjectID.generate;
+
+        users.insert(authInfo.serializeToBson);
+    }
+
+    InputRange!AuthInfo getAllUsers() @safe
+    {
+        import std.algorithm : map;
+        import std.range : inputRangeObject;
+
+        return users.find().map!(deserializeBson!AuthInfo).inputRangeObject;
+    }
+
+    void removeUser(BsonObjectID id) @safe
+    {
+        users.remove(["_id" : id]);
+    }
+}
+
+enum Privilege
+{
+    None,
+    User,
+    Admin
 }

 struct AuthInfo
 {
-    string userName;
+    import vibe.data.serialization : name;
+
+    @name("_id") BsonObjectID id;
+    string username;
+    string passwordHash;
+    Privilege privilege;
+
+    mixin(generateAuthMethods);
+
+private:
+    static string generateAuthMethods() pure @safe
+    {
+        import std.conv : to;
+        import std.format : format;
+        import std.traits : EnumMembers;
+
+        string ret;
+        foreach (member; EnumMembers!Privilege)
+        {
+            ret ~= q{
+                bool is%s() const pure @safe nothrow
+                {
+                    return privilege == Privilege.%s;
+                }
+            }.format(member.to!string, member.to!string);
+        }
+        return ret;
+    }
 }
--- a/source/calendarwebapp/calendarwebapp.d
+++ b/source/calendarwebapp/calendarwebapp.d
@ -1,7 +1,8 @@
 module calendarwebapp.calendarwebapp;

-import calendarwebapp.authenticator : Authenticator, AuthInfo;
+import calendarwebapp.authenticator;
 import calendarwebapp.event;
+import calendarwebapp.passhash : PasswordHasher;

 import core.time : days;

@ -23,46 +24,48 @@ import vibe.web.web : errorDisplay, noRoute, redirect, render, SessionVar,
 {
    @noRoute AuthInfo authenticate(scope HTTPServerRequest req, scope HTTPServerResponse) @safe
    {
-        if (!req.session || !req.session.isKeySet("auth"))
-        {
+        if (authInfo.value.isNone)
            redirect("/login");
-            return AuthInfo.init;
-        }
-        return req.session.get!AuthInfo("auth");
+
+        return authInfo.value;
    }

 public:
-    @anyAuth void index()
+    @auth(Role.user | Role.admin) void index()
    {
        auto events = eventStore.getAllEvents();
-        render!("showevents.dt", events);
+        auto authInfo = this.authInfo.value;
+        render!("showevents.dt", events, authInfo);
    }

    @noAuth void getLogin(string _error = null)
    {
-        render!("login.dt", _error);
+        auto authInfo = this.authInfo.value;
+        render!("login.dt", _error, authInfo);
    }

    @noAuth @errorDisplay!getLogin void postLogin(string username, string password) @safe
    {
-        enforce(authenticator.checkUser(username, password), "Benutzername oder Passwort ungültig");
-        immutable AuthInfo authInfo = {username};
-        auth = authInfo;
+        auto authInfo = authenticator.checkUser(username, password);
+        enforce(!authInfo.isNull, "Benutzername oder Passwort ungültig");
+        this.authInfo = authInfo.get;
        redirect("/");
    }

-    @anyAuth void getLogout() @safe
+    @auth(Role.user | Role.admin) void getLogout() @safe
    {
        terminateSession();
        redirect("/");
    }

-    @anyAuth void getCreate(ValidationErrorData _error = ValidationErrorData.init)
+    @auth(Role.user | Role.admin) void getCreateevent(
+            ValidationErrorData _error = ValidationErrorData.init)
    {
-        render!("create.dt", _error);
+        auto authInfo = this.authInfo.value;
+        render!("createevent.dt", _error, authInfo);
    }

-    @anyAuth @errorDisplay!getCreate void postCreate(Date begin,
+    @auth(Role.user | Role.admin) @errorDisplay!getCreateevent void postCreateevent(Date begin,
            Nullable!Date end, string description, string name, EventType type, bool shout) @safe
    {
        import std.array : replace, split;
@ -78,12 +81,39 @@ public:
        redirect("/");
    }

-    @anyAuth void postRemove(BsonObjectID id) @safe
+    @auth(Role.user | Role.admin) void postRemoveevent(BsonObjectID id) @safe
    {
        eventStore.removeEvent(id);
        redirect("/");
    }

+    @auth(Role.admin) void getUsers()
+    {
+        auto users = authenticator.getAllUsers;
+        auto authInfo = this.authInfo.value;
+        render!("showusers.dt", users, authInfo);
+    }
+
+    @auth(Role.admin) void postRemoveuser(BsonObjectID id) @safe
+    {
+        authenticator.removeUser(id);
+        redirect("/users");
+    }
+
+    @auth(Role.admin) void getCreateuser(ValidationErrorData _error = ValidationErrorData.init)
+    {
+        auto authInfo = this.authInfo.value;
+        render!("createuser.dt", _error, authInfo);
+    }
+
+    @auth(Role.admin) @errorDisplay!getCreateuser void postCreateuser(string username,
+            string password, Privilege role) @safe
+    {
+        authenticator.addUser(AuthInfo(BsonObjectID.generate, username,
+                passwordHasher.generateHash(password), role));
+        redirect("/users");
+    }
+
 private:
    struct ValidationErrorData
    {
@ -91,8 +121,10 @@ private:
        string field;
    }

-    SessionVar!(AuthInfo, "auth") auth;
+    SessionVar!(AuthInfo, "authInfo") authInfo = AuthInfo(BsonObjectID.init,
+            string.init, string.init, Privilege.None);

    @Autowire EventStore eventStore;
    @Autowire Authenticator authenticator;
+    @Autowire PasswordHasher passwordHasher;
 }
--- a/source/calendarwebapp/configuration.d
+++ b/source/calendarwebapp/configuration.d
@ -1,8 +1,12 @@
 module calendarwebapp.configuration;

+import botan.rng.auto_rng : AutoSeededRNG;
+import botan.rng.rng : RandomNumberGenerator;
+
 import calendarwebapp.authenticator : Authenticator, MongoDBAuthenticator;
 import calendarwebapp.calendarwebapp : CalendarWebapp;
 import calendarwebapp.event : EventStore, MongoDBEventStore;
+import calendarwebapp.passhash : BcryptPasswordHasher, PasswordHasher;

 import poodinis;

@ -19,6 +23,8 @@ public:
        container.register!MongoClient.existingInstance(mongoClient);
        container.register!(EventStore, MongoDBEventStore!());
        container.register!(Authenticator, MongoDBAuthenticator!());
+        container.register!(PasswordHasher, BcryptPasswordHasher);
+        container.register!(RandomNumberGenerator, AutoSeededRNG);
        container.register!CalendarWebapp;
        container.register!(ValueInjector!string, StringInjector);
        container.register!(ValueInjector!MongoCollection, MongoCollectionInjector);
--- a/source/calendarwebapp/passhash.d
+++ b/source/calendarwebapp/passhash.d
@ -0,0 +1,42 @@
+module calendarwebapp.passhash;
+
+import poodinis;
+
+interface PasswordHasher
+{
+    string generateHash(in string password) @safe;
+    bool checkHash(in string password, in string hash) const @safe;
+}
+
+class BcryptPasswordHasher : PasswordHasher
+{
+    import botan.passhash.bcrypt : checkBcrypt, generateBcrypt;
+    import botan.rng.rng : RandomNumberGenerator;
+
+    string generateHash(in string password) @safe
+    {
+        return (() @trusted => generateBcrypt(password, rng, cost))();
+    }
+
+    bool checkHash(in string password, in string hash) const @safe
+    {
+        return (()@trusted => checkBcrypt(password, hash))();
+    }
+
+private:
+    @Autowire RandomNumberGenerator rng;
+    enum cost = 10;
+}
+
+class StubPasswordHasher : PasswordHasher
+{
+    string generateHash(in string password) const @safe pure nothrow
+    {
+        return password;
+    }
+
+    bool checkHash(in string password, in string hash) const @safe pure nothrow
+    {
+        return password == hash;
+    }
+}
--- a/test/calendarwebapp/testauthenticator.d
+++ b/test/calendarwebapp/testauthenticator.d
@ -1,6 +1,7 @@
 module test.calendarwebapp.testauthenticator;

 import calendarwebapp.authenticator;
+import calendarwebapp.passhash : PasswordHasher, StubPasswordHasher;

 import poodinis;

@ -11,7 +12,10 @@ import vibe.data.bson : Bson, BsonObjectID;

 interface Collection
 {
+    Bson[] find() @safe;
    Bson findOne(string[string] query) @safe;
+    void insert(Bson document) @safe;
+    void remove(BsonObjectID[string] selector) @safe;
 }

 class CollectionInjector : ValueInjector!Collection
@ -31,7 +35,7 @@ public:
    }
 }

-@("Test MongoDBAuthenticator")
+@("MongoDBAuthenticator.checkUser")
@system unittest
 {
    auto collection = mock!Collection;
@ -40,14 +44,65 @@ public:
    container.resolve!CollectionInjector.add("users", collection);
    container.register!(Authenticator, MongoDBAuthenticator!(Collection))(
            RegistrationOption.doNotAddConcreteTypeRegistration);
+    container.register!(PasswordHasher, StubPasswordHasher);

-    auto userBson = Bson(["_id" : Bson(BsonObjectID.fromString("5988ef4ae6c19089a1a53b79")), "username" : Bson("foo"),
-            "password" : Bson("$2a$10$9LBqOZV99ARiE4Nx.2b7GeYfqk2.0A32PWGu2cRGyW2hRJ0xeDfnO")]);
+    auto userBson = Bson(["_id" : Bson(BsonObjectID.fromString("5988ef4ae6c19089a1a53b79")),
+            "username" : Bson("foo"), "passwordHash"
+            : Bson("bar"),
+            "privilege" : Bson(1)]);

    collection.returnValue!"findOne"(Bson(null), userBson, userBson);

    auto authenticator = container.resolve!(Authenticator);
-    authenticator.checkUser("", "").shouldBeFalse;
-    authenticator.checkUser("foo", "bar").shouldBeTrue;
-    authenticator.checkUser("foo", "baz").shouldBeFalse;
+    authenticator.checkUser("", "").isNull.shouldBeTrue;
+    authenticator.checkUser("foo", "bar").isNull.shouldBeFalse;
+    authenticator.checkUser("foo", "baz").isNull.shouldBeTrue;
+}
+
+@("AuthInfo.isUser success")
+@safe unittest
+{
+    AuthInfo auth;
+    auth.privilege = Privilege.User;
+    auth.isUser.shouldBeTrue;
+}
+
+@("AuthInfo.isUser failure")
+@safe unittest
+{
+    AuthInfo auth;
+    auth.privilege = Privilege.None;
+    auth.isUser.shouldBeFalse;
+}
+
+@("AuthInfo.isAdmin success")
+@safe unittest
+{
+    AuthInfo auth;
+    auth.privilege = Privilege.Admin;
+    auth.isAdmin.shouldBeTrue;
+}
+
+@("AuthInfo.isAdmin failure")
+@safe unittest
+{
+    AuthInfo auth;
+    auth.privilege = Privilege.None;
+    auth.isAdmin.shouldBeFalse;
+}
+
+@("AuthInfo.isNone success")
+@safe unittest
+{
+    AuthInfo auth;
+    auth.privilege = Privilege.None;
+    auth.isNone.shouldBeTrue;
+}
+
+@("AuthInfo.isNone failure")
+@safe unittest
+{
+    AuthInfo auth;
+    auth.privilege = Privilege.User;
+    auth.isNone.shouldBeFalse;
 }
--- a/test/calendarwebapp/testpasshash.d
+++ b/test/calendarwebapp/testpasshash.d
@ -0,0 +1,32 @@
+module test.calendarwebapp.testpasshash;
+
+import calendarwebapp.passhash;
+
+import poodinis;
+
+//import unit_threaded.should;
+import unit_threaded;
+
+@("BcryptPasswordHasher")
+@Values("", "test", "langesKompliziertesPasswort")
+@system unittest
+{
+    import botan.rng.rng : RandomNumberGenerator;
+    import botan.rng.auto_rng : AutoSeededRNG;
+    auto container = new shared DependencyContainer;
+    container.register!(RandomNumberGenerator, AutoSeededRNG);
+    container.register!(PasswordHasher, BcryptPasswordHasher);
+
+    auto hasher = container.resolve!PasswordHasher;
+    immutable testPassword = getValue!string;
+    hasher.checkHash(testPassword, hasher.generateHash(testPassword)).shouldBeTrue;
+}
+
+@("StubPasswordHasher")
+@Values("", "test", "langesKompliziertesPasswort")
+@safe unittest
+{
+    immutable hasher = new StubPasswordHasher;
+    immutable testPassword = getValue!string;
+    hasher.checkHash(testPassword, hasher.generateHash(testPassword)).shouldBeTrue;
+}
--- a/views/createevent.dt
+++ b/views/createevent.dt
@ -3,7 +3,7 @@ block content
 	- void showerror(string field = null)
 		- if (_error.msg && _error.field == field)
 			td.error= _error.msg
-	form(action="/create", method="post")
+	form(action="/createevent", method="post")
 		fieldset(name="eventFields")
 			table
 				tbody#fieldTable
--- a/views/createuser.dt
+++ b/views/createuser.dt
@ -0,0 +1,32 @@
+extends layout
+block content
+	- void showerror(string field = null)
+		- if (_error.msg && _error.field == field)
+			td.error= _error.msg
+	form(action="/createuser", method="post")
+		fieldset(name="eventFields")
+			table
+				tbody#fieldTable
+					tr
+						td
+							label(for="username") Benutzername
+						td
+							input#username(value="", name="username", type="text")
+						- showerror("username");
+					tr
+						td
+							label(for="password") Passwort
+						td
+							input#password(value="", name="password", type="password")
+					tr
+						td
+							label(for="role") Rolle
+						td
+							select#type(name="role")
+								option(value="User") Benutzer
+								option(value="Admin") Administrator
+						- showerror("role");
+				tfoot
+					tr
+						td(colspan="2")
+							input#submitButton(type="submit", value="Benutzer erstellen")
--- a/views/navigation.dt
+++ b/views/navigation.dt
@ -1,8 +1,14 @@
-nav
-	ul
-		li
-			a(href='/') Home
-		li
-			a(href='/create') Ereignis erstellen 
-		li
-			a(href='/logout') Ausloggen
+- if(!authInfo.isNone())
+	nav
+		ul
+			li
+				a(href='/') Home
+			li
+				a(href='/createevent') Ereignis erstellen
+			- if(authInfo.isAdmin())
+				li
+					a(href='/users') Benutzerliste
+				li
+					a(href='/createuser') Benutzer erstellen
+			li
+				a(href='/logout') Ausloggen
--- a/views/showevents.dt
+++ b/views/showevents.dt
@ -24,7 +24,7 @@ block content
 			tr
 				td shout
 				td #{event.shout}
-		form(action="/remove", method="post")
+		form(action="/removeevent", method="post")
 			input#id(value="#{event.id}", name="id", type="hidden")
 			input#submitButton(type="submit", value="Entfernen")
 		hr
--- a/views/showusers.dt
+++ b/views/showusers.dt
@ -0,0 +1,18 @@
+extends layout.dt
+block content
+	h1 Users
+	- foreach (user; users)
+		table
+			tr
+				td id
+				td #{user.id}
+			tr
+				td username
+				td #{user.username}
+			tr
+				td privilege
+				td #{user.privilege}
+		form(action="/removeuser", method="post")
+			input#id(value="#{user.id}", name="id", type="hidden")
+			input#submitButton(type="submit", value="Entfernen")
+		hr