internal: move packages under this directory (#5836)

* Rename pkg -> internal * Rename routes -> route * Move route -> internal/route * Rename models -> db * Move db -> internal/db * Fix route2 -> route * Move cmd -> internal/cmd * Bump version
author: Unknwon <u@gogs.io> 2019-10-24 01:51:46 -0700
committer: GitHub <noreply@github.com> 2019-10-24 01:51:46 -0700
commit: 01c8df01ec0608f1f25b2f1444adabb98fa5ee8a (patch)
tree: f8a7e5dd8d2a8c51e1ce2cabb9d33571a93314dd /internal/db/two_factor.go
parent: 613139e7bef81d3573e7988a47eb6765f3de347a (diff)
1 files changed, 201 insertions, 0 deletions
diff --git a/internal/db/two_factor.go b/internal/db/two_factor.go
new file mode 100644
index 00000000..dcc1c16c
--- /dev/null
+++ b/internal/db/two_factor.go
@@ -0,0 +1,201 @@
+// Copyright 2017 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package db
+
+import (
+	"encoding/base64"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/pquerna/otp/totp"
+	"github.com/unknwon/com"
+	log "gopkg.in/clog.v1"
+	"xorm.io/xorm"
+
+	"gogs.io/gogs/internal/db/errors"
+	"gogs.io/gogs/internal/setting"
+	"gogs.io/gogs/internal/tool"
+)
+
+// TwoFactor represents a two-factor authentication token.
+type TwoFactor struct {
+	ID          int64
+	UserID      int64 `xorm:"UNIQUE"`
+	Secret      string
+	Created     time.Time `xorm:"-" json:"-"`
+	CreatedUnix int64
+}
+
+func (t *TwoFactor) BeforeInsert() {
+	t.CreatedUnix = time.Now().Unix()
+}
+
+func (t *TwoFactor) AfterSet(colName string, _ xorm.Cell) {
+	switch colName {
+	case "created_unix":
+		t.Created = time.Unix(t.CreatedUnix, 0).Local()
+	}
+}
+
+// ValidateTOTP returns true if given passcode is valid for two-factor authentication token.
+// It also returns possible validation error.
+func (t *TwoFactor) ValidateTOTP(passcode string) (bool, error) {
+	secret, err := base64.StdEncoding.DecodeString(t.Secret)
+	if err != nil {
+		return false, fmt.Errorf("DecodeString: %v", err)
+	}
+	decryptSecret, err := com.AESGCMDecrypt(tool.MD5Bytes(setting.SecretKey), secret)
+	if err != nil {
+		return false, fmt.Errorf("AESGCMDecrypt: %v", err)
+	}
+	return totp.Validate(passcode, string(decryptSecret)), nil
+}
+
+// IsUserEnabledTwoFactor returns true if user has enabled two-factor authentication.
+func IsUserEnabledTwoFactor(userID int64) bool {
+	has, err := x.Where("user_id = ?", userID).Get(new(TwoFactor))
+	if err != nil {
+		log.Error(2, "IsUserEnabledTwoFactor [user_id: %d]: %v", userID, err)
+	}
+	return has
+}
+
+func generateRecoveryCodes(userID int64) ([]*TwoFactorRecoveryCode, error) {
+	recoveryCodes := make([]*TwoFactorRecoveryCode, 10)
+	for i := 0; i < 10; i++ {
+		code, err := tool.RandomString(10)
+		if err != nil {
+			return nil, fmt.Errorf("RandomString: %v", err)
+		}
+		recoveryCodes[i] = &TwoFactorRecoveryCode{
+			UserID: userID,
+			Code:   strings.ToLower(code[:5] + "-" + code[5:]),
+		}
+	}
+	return recoveryCodes, nil
+}
+
+// NewTwoFactor creates a new two-factor authentication token and recovery codes for given user.
+func NewTwoFactor(userID int64, secret string) error {
+	t := &TwoFactor{
+		UserID: userID,
+	}
+
+	// Encrypt secret
+	encryptSecret, err := com.AESGCMEncrypt(tool.MD5Bytes(setting.SecretKey), []byte(secret))
+	if err != nil {
+		return fmt.Errorf("AESGCMEncrypt: %v", err)
+	}
+	t.Secret = base64.StdEncoding.EncodeToString(encryptSecret)
+
+	recoveryCodes, err := generateRecoveryCodes(userID)
+	if err != nil {
+		return fmt.Errorf("generateRecoveryCodes: %v", err)
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	if _, err = sess.Insert(t); err != nil {
+		return fmt.Errorf("insert two-factor: %v", err)
+	} else if _, err = sess.Insert(recoveryCodes); err != nil {
+		return fmt.Errorf("insert recovery codes: %v", err)
+	}
+
+	return sess.Commit()
+}
+
+// GetTwoFactorByUserID returns two-factor authentication token of given user.
+func GetTwoFactorByUserID(userID int64) (*TwoFactor, error) {
+	t := new(TwoFactor)
+	has, err := x.Where("user_id = ?", userID).Get(t)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, errors.TwoFactorNotFound{userID}
+	}
+
+	return t, nil
+}
+
+// DeleteTwoFactor removes two-factor authentication token and recovery codes of given user.
+func DeleteTwoFactor(userID int64) (err error) {
+	sess := x.NewSession()
+	defer sess.Close()
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	if _, err = sess.Where("user_id = ?", userID).Delete(new(TwoFactor)); err != nil {
+		return fmt.Errorf("delete two-factor: %v", err)
+	} else if err = deleteRecoveryCodesByUserID(sess, userID); err != nil {
+		return fmt.Errorf("deleteRecoveryCodesByUserID: %v", err)
+	}
+
+	return sess.Commit()
+}
+
+// TwoFactorRecoveryCode represents a two-factor authentication recovery code.
+type TwoFactorRecoveryCode struct {
+	ID     int64
+	UserID int64
+	Code   string `xorm:"VARCHAR(11)"`
+	IsUsed bool
+}
+
+// GetRecoveryCodesByUserID returns all recovery codes of given user.
+func GetRecoveryCodesByUserID(userID int64) ([]*TwoFactorRecoveryCode, error) {
+	recoveryCodes := make([]*TwoFactorRecoveryCode, 0, 10)
+	return recoveryCodes, x.Where("user_id = ?", userID).Find(&recoveryCodes)
+}
+
+func deleteRecoveryCodesByUserID(e Engine, userID int64) error {
+	_, err := e.Where("user_id = ?", userID).Delete(new(TwoFactorRecoveryCode))
+	return err
+}
+
+// RegenerateRecoveryCodes regenerates new set of recovery codes for given user.
+func RegenerateRecoveryCodes(userID int64) error {
+	recoveryCodes, err := generateRecoveryCodes(userID)
+	if err != nil {
+		return fmt.Errorf("generateRecoveryCodes: %v", err)
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err = sess.Begin(); err != nil {
+		return err
+	}
+
+	if err = deleteRecoveryCodesByUserID(sess, userID); err != nil {
+		return fmt.Errorf("deleteRecoveryCodesByUserID: %v", err)
+	} else if _, err = sess.Insert(recoveryCodes); err != nil {
+		return fmt.Errorf("insert new recovery codes: %v", err)
+	}
+
+	return sess.Commit()
+}
+
+// UseRecoveryCode validates recovery code of given user and marks it is used if valid.
+func UseRecoveryCode(userID int64, code string) error {
+	recoveryCode := new(TwoFactorRecoveryCode)
+	has, err := x.Where("code = ?", code).And("is_used = ?", false).Get(recoveryCode)
+	if err != nil {
+		return fmt.Errorf("get unused code: %v", err)
+	} else if !has {
+		return errors.TwoFactorRecoveryCodeNotFound{code}
+	}
+
+	recoveryCode.IsUsed = true
+	if _, err = x.Id(recoveryCode.ID).Cols("is_used").Update(recoveryCode); err != nil {
+		return fmt.Errorf("mark code as used: %v", err)
+	}
+
+	return nil
+}
author	Unknwon <u@gogs.io>	2019-10-24 01:51:46 -0700
committer	GitHub <noreply@github.com>	2019-10-24 01:51:46 -0700
commit	01c8df01ec0608f1f25b2f1444adabb98fa5ee8a (patch)
tree	f8a7e5dd8d2a8c51e1ce2cabb9d33571a93314dd /internal/db/two_factor.go
parent	613139e7bef81d3573e7988a47eb6765f3de347a (diff)