Update User Authentication

* Update bindings
* Add user authentication sql functions

Reference #579
This commit is contained in:
Gert-Jan Timmer 2018-06-01 11:28:04 +02:00
parent 4a33fcc1d2
commit 0e289439a2
3 changed files with 207 additions and 47 deletions

View File

@ -1292,9 +1292,7 @@ func (d *SQLiteDriver) Open(dsn string) (driver.Conn, error) {
return nil, err return nil, err
} }
// Register Authentication Functions into connection // Register: authenticate
//
// Register Authentication function
// Authenticate will perform an authentication of the provided username // Authenticate will perform an authentication of the provided username
// and password against the database. // and password against the database.
// //
@ -1308,12 +1306,12 @@ func (d *SQLiteDriver) Open(dsn string) (driver.Conn, error) {
// //
// If the SQLITE_USER table is not present in the database file, then // If the SQLITE_USER table is not present in the database file, then
// this interface is a harmless no-op returnning SQLITE_OK. // this interface is a harmless no-op returnning SQLITE_OK.
if err := conn.RegisterFunc("authenticate", conn.Authenticate, false); err != nil { if err := conn.RegisterFunc("authenticate", conn.authenticate, false); err != nil {
return nil, err return nil, err
} }
// //
// Register AuthUserAdd // Register: auth_user_add
// AuthUserAdd can be used (by an admin user only) // auth_user_add can be used (by an admin user only)
// to create a new user. When called on a no-authentication-required // to create a new user. When called on a no-authentication-required
// database, this routine converts the database into an authentication- // database, this routine converts the database into an authentication-
// required database, automatically makes the added user an // required database, automatically makes the added user an
@ -1321,25 +1319,33 @@ func (d *SQLiteDriver) Open(dsn string) (driver.Conn, error) {
// The AuthUserAdd only works for the "main" database, not // The AuthUserAdd only works for the "main" database, not
// for any ATTACH-ed databases. Any call to AuthUserAdd by a // for any ATTACH-ed databases. Any call to AuthUserAdd by a
// non-admin user results in an error. // non-admin user results in an error.
if err := conn.RegisterFunc("auth_user_add", conn.AuthUserAdd, false); err != nil { if err := conn.RegisterFunc("auth_user_add", conn.authUserAdd, false); err != nil {
return nil, err return nil, err
} }
// //
// AuthUserChange can be used to change a users // Register: auth_user_change
// auth_user_change can be used to change a users
// login credentials or admin privilege. Any user can change their own // login credentials or admin privilege. Any user can change their own
// login credentials. Only an admin user can change another users login // login credentials. Only an admin user can change another users login
// credentials or admin privilege setting. No user may change their own // credentials or admin privilege setting. No user may change their own
// admin privilege setting. // admin privilege setting.
if err := conn.RegisterFunc("auth_user_change", conn.AuthUserChange, false); err != nil { if err := conn.RegisterFunc("auth_user_change", conn.authUserChange, false); err != nil {
return nil, err return nil, err
} }
// //
// AuthUserDelete can be used (by an admin user only) // Register: auth_user_delete
// auth_user_delete can be used (by an admin user only)
// to delete a user. The currently logged-in user cannot be deleted, // to delete a user. The currently logged-in user cannot be deleted,
// which guarantees that there is always an admin user and hence that // which guarantees that there is always an admin user and hence that
// the database cannot be converted into a no-authentication-required // the database cannot be converted into a no-authentication-required
// database. // database.
if err := conn.RegisterFunc("auth_user_delete", conn.AuthUserDelete, false); err != nil { if err := conn.RegisterFunc("auth_user_delete", conn.authUserDelete, false); err != nil {
return nil, err
}
// Register: auth_enabled
// auth_enabled can be used to check if user authentication is enabled
if err := conn.RegisterFunc("auth_enabled", conn.authEnabled, false); err != nil {
return nil, err return nil, err
} }
@ -1369,7 +1375,7 @@ func (d *SQLiteDriver) Open(dsn string) (driver.Conn, error) {
} }
// Check if User Authentication is Enabled // Check if User Authentication is Enabled
authExists := conn.AuthIsEnabled() authExists := conn.AuthEnabled()
if !authExists { if !authExists {
if err := conn.AuthUserAdd(authUser, authPass, true); err != nil { if err := conn.AuthUserAdd(authUser, authPass, true); err != nil {
return nil, err return nil, err

View File

@ -42,7 +42,7 @@ _sqlite3_user_delete(sqlite3* db, const char* zUsername)
} }
static int static int
_sqlite3_auth_is_enabled(sqlite3* db) _sqlite3_auth_enabled(sqlite3* db)
{ {
int exists = -1; int exists = -1;
@ -87,6 +87,26 @@ var (
// If the SQLITE_USER table is not present in the database file, then // If the SQLITE_USER table is not present in the database file, then
// this interface is a harmless no-op returnning SQLITE_OK. // this interface is a harmless no-op returnning SQLITE_OK.
func (c *SQLiteConn) Authenticate(username, password string) error { func (c *SQLiteConn) Authenticate(username, password string) error {
rv := c.authenticate(username, password)
switch rv {
case C.SQLITE_ERROR, C.SQLITE_AUTH:
return ErrUnauthorized
case C.SQLITE_OK:
return nil
default:
return c.lastError()
}
}
// authenticate provides the actual authentication to SQLite.
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authenticate(username, password string) int {
// Allocate C Variables // Allocate C Variables
cuser := C.CString(username) cuser := C.CString(username)
cpass := C.CString(password) cpass := C.CString(password)
@ -97,15 +117,7 @@ func (c *SQLiteConn) Authenticate(username, password string) error {
C.free(unsafe.Pointer(cpass)) C.free(unsafe.Pointer(cpass))
}() }()
rv := C._sqlite3_user_authenticate(c.db, cuser, cpass, C.int(len(password))) return int(C._sqlite3_user_authenticate(c.db, cuser, cpass, C.int(len(password))))
if rv == C.SQLITE_AUTH {
return ErrUnauthorized
}
if rv != C.SQLITE_OK {
return c.lastError()
}
return nil
} }
// AuthUserAdd can be used (by an admin user only) // AuthUserAdd can be used (by an admin user only)
@ -124,7 +136,7 @@ func (c *SQLiteConn) AuthUserAdd(username, password string, admin bool) error {
rv := c.authUserAdd(username, password, isAdmin) rv := c.authUserAdd(username, password, isAdmin)
switch rv { switch rv {
case C.SQLITE_AUTH: case C.SQLITE_ERROR, C.SQLITE_AUTH:
return ErrAdminRequired return ErrAdminRequired
case C.SQLITE_OK: case C.SQLITE_OK:
return nil return nil
@ -133,6 +145,19 @@ func (c *SQLiteConn) AuthUserAdd(username, password string, admin bool) error {
} }
} }
// authUserAdd enables the User Authentication if not enabled.
// Otherwise it will add a user.
//
// When user authentication is already enabled then this function
// can only be called by an admin.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authUserAdd(username, password string, admin int) int { func (c *SQLiteConn) authUserAdd(username, password string, admin int) int {
// Allocate C Variables // Allocate C Variables
cuser := C.CString(username) cuser := C.CString(username)
@ -158,6 +183,34 @@ func (c *SQLiteConn) AuthUserChange(username, password string, admin bool) error
isAdmin = 1 isAdmin = 1
} }
rv := c.authUserChange(username, password, isAdmin)
switch rv {
case C.SQLITE_ERROR, C.SQLITE_AUTH:
return ErrAdminRequired
case C.SQLITE_OK:
return nil
default:
return c.lastError()
}
}
// authUserChange allows to modify a user.
// Users can change their own password.
//
// Only admins can change passwords for other users
// and modify the admin flag.
//
// The admin flag of the current logged in user cannot be changed.
// THis ensures that their is always an admin.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authUserChange(username, password string, admin int) int {
// Allocate C Variables // Allocate C Variables
cuser := C.CString(username) cuser := C.CString(username)
cpass := C.CString(password) cpass := C.CString(password)
@ -168,15 +221,7 @@ func (c *SQLiteConn) AuthUserChange(username, password string, admin bool) error
C.free(unsafe.Pointer(cpass)) C.free(unsafe.Pointer(cpass))
}() }()
rv := C._sqlite3_user_change(c.db, cuser, cpass, C.int(len(password)), C.int(isAdmin)) return int(C._sqlite3_user_change(c.db, cuser, cpass, C.int(len(password)), C.int(admin)))
if rv == C.SQLITE_AUTH {
return ErrAdminRequired
}
if rv != C.SQLITE_OK {
return c.lastError()
}
return nil
} }
// AuthUserDelete can be used (by an admin user only) // AuthUserDelete can be used (by an admin user only)
@ -185,6 +230,29 @@ func (c *SQLiteConn) AuthUserChange(username, password string, admin bool) error
// the database cannot be converted into a no-authentication-required // the database cannot be converted into a no-authentication-required
// database. // database.
func (c *SQLiteConn) AuthUserDelete(username string) error { func (c *SQLiteConn) AuthUserDelete(username string) error {
rv := c.authUserDelete(username)
switch rv {
case C.SQLITE_ERROR, C.SQLITE_AUTH:
return ErrAdminRequired
case C.SQLITE_OK:
return nil
default:
return c.lastError()
}
}
// authUserDelete can be used to delete a user.
//
// This function can only be executed by an admin.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authUserDelete(username string) int {
// Allocate C Variables // Allocate C Variables
cuser := C.CString(username) cuser := C.CString(username)
@ -193,20 +261,12 @@ func (c *SQLiteConn) AuthUserDelete(username string) error {
C.free(unsafe.Pointer(cuser)) C.free(unsafe.Pointer(cuser))
}() }()
rv := C._sqlite3_user_delete(c.db, cuser) return int(C._sqlite3_user_delete(c.db, cuser))
if rv == SQLITE_AUTH {
return ErrAdminRequired
}
if rv != C.SQLITE_OK {
return c.lastError()
} }
return nil // AuthEnabled checks if the database is protected by user authentication
} func (c *SQLiteConn) AuthEnabled() (exists bool) {
rv := c.authEnabled()
// Check is database is protected by user authentication
func (c *SQLiteConn) AuthIsEnabled() (exists bool) {
rv := C._sqlite3_auth_is_enabled(c.db)
if rv == 1 { if rv == 1 {
exists = true exists = true
} }
@ -214,4 +274,16 @@ func (c *SQLiteConn) AuthIsEnabled() (exists bool) {
return return
} }
// authEnabled perform the actual check for user authentication.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// 0 - Disabled
// 1 - Enabled
func (c *SQLiteConn) authEnabled() int {
return int(C._sqlite3_auth_enabled(c.db))
}
// EOF // EOF

View File

@ -29,6 +29,19 @@ func (c *SQLiteConn) Authenticate(username, password string) error {
return nil return nil
} }
// authenticate provides the actual authentication to SQLite.
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authenticate(username, password string) int {
// NOOP
return 0
}
// AuthUserAdd can be used (by an admin user only) // AuthUserAdd can be used (by an admin user only)
// to create a new user. When called on a no-authentication-required // to create a new user. When called on a no-authentication-required
// database, this routine converts the database into an authentication- // database, this routine converts the database into an authentication-
@ -42,6 +55,24 @@ func (c *SQLiteConn) AuthUserAdd(username, password string, admin bool) error {
return nil return nil
} }
// authUserAdd enables the User Authentication if not enabled.
// Otherwise it will add a user.
//
// When user authentication is already enabled then this function
// can only be called by an admin.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authUserAdd(username, password string, admin int) int {
// NOOP
return 0
}
// AuthUserChange can be used to change a users // AuthUserChange can be used to change a users
// login credentials or admin privilege. Any user can change their own // login credentials or admin privilege. Any user can change their own
// login credentials. Only an admin user can change another users login // login credentials. Only an admin user can change another users login
@ -52,6 +83,27 @@ func (c *SQLiteConn) AuthUserChange(username, password string, admin bool) error
return nil return nil
} }
// authUserChange allows to modify a user.
// Users can change their own password.
//
// Only admins can change passwords for other users
// and modify the admin flag.
//
// The admin flag of the current logged in user cannot be changed.
// THis ensures that their is always an admin.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authUserChange(username, password string, admin int) int {
// NOOP
return 0
}
// AuthUserDelete can be used (by an admin user only) // AuthUserDelete can be used (by an admin user only)
// to delete a user. The currently logged-in user cannot be deleted, // to delete a user. The currently logged-in user cannot be deleted,
// which guarantees that there is always an admin user and hence that // which guarantees that there is always an admin user and hence that
@ -62,9 +114,39 @@ func (c *SQLiteConn) AuthUserDelete(username string) error {
return nil return nil
} }
// Check is database is protected by user authentication // authUserDelete can be used to delete a user.
func (c *SQLiteConn) AuthIsEnabled() (exists bool) { //
return // This function can only be executed by an admin.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// C.SQLITE_OK (0)
// C.SQLITE_ERROR (1)
// C.SQLITE_AUTH (23)
func (c *SQLiteConn) authUserDelete(username string) int {
// NOOP
return 0
}
// AuthEnabled checks if the database is protected by user authentication
func (c *SQLiteConn) AuthEnabled() (exists bool) {
// NOOP
return false
}
// authEnabled perform the actual check for user authentication.
//
// This is not exported for usage in Go.
// It is however exported for usage within SQL by the user.
//
// Returns:
// 0 - Disabled
// 1 - Enabled
func (c *SQLiteConn) authEnabled() int {
// NOOP
return 0
} }
// EOF // EOF