login with sso,captcha,sms-code (#374)

* add logout v2 for sso

* support sms-code login

* use db instead of memory cache for login code

* feature: support reset password by sms code

* remove deprecated api/code

* feature: support image captcha

* use db instead of memory cache for sso.auth.state

etc/rdb.yml

@@ -24,6 +24,8 @@ sso:
   coverAttributes: false
   stateExpiresIn: 300
 
+captcha: true
+
 tokens:
   - rdb-builtin-token
 

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/influxdata/influxdb v1.8.0
 	github.com/mattn/go-isatty v0.0.12
 	github.com/mattn/go-sqlite3 v1.14.0 // indirect
+	github.com/mojocn/base64Captcha v1.3.1
 	github.com/onsi/ginkgo v1.7.0 // indirect
 	github.com/onsi/gomega v1.4.3 // indirect
 	github.com/open-falcon/rrdlite v0.0.0-20200214140804-bf5829f786ad

go.sum

@@ -138,6 +138,7 @@ github.com/gogo/protobuf v0.0.0-20171007142547-342cbe0a0415/go.mod h1:r8qH/GZQm5
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/geo v0.0.0-20190916061304-5b978397cfec/go.mod h1:QZ0nwyI2jOfgRAoBvP+ab5aRr7c9x7lhGEJrKvBwjWI=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -282,6 +283,8 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mojocn/base64Captcha v1.3.1 h1:2Wbkt8Oc8qjmNJ5GyOfSo4tgVQPsbKMftqASnq8GlT0=
+github.com/mojocn/base64Captcha v1.3.1/go.mod h1:wAQCKEc5bDujxKRmbT6/vTnTt5CjStQ8bRfPWUuz/iY=
 github.com/mschoch/smat v0.0.0-20160514031455-90eadee771ae/go.mod h1:qAyveg+e4CE+eKJXWVjKXM4ck2QobLqTDytGJbLLhJg=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
@@ -427,6 +430,8 @@ golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190501045829-6d32002ffd75/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b h1:+qEpEAPhDZ1o0x3tHzZTQDArnOixOzGD9HUJfcg0mb4=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=

sql/n9e_rdb.sql

@@ -282,8 +282,7 @@ CREATE TABLE `operation_log`
     PRIMARY KEY (`id`),
     KEY (`clock`),
     KEY (`res_cl`, `res_id`)
-) ENGINE = InnoDB
-  DEFAULT CHARSET = utf8;
+) ENGINE = InnoDB DEFAULT CHARSET = utf8;
 
 CREATE TABLE `login_code`
 (
@@ -297,5 +296,19 @@ CREATE TABLE `login_code`
 ) ENGINE = InnoDB
   DEFAULT CHARSET = utf8;
 
+CREATE TABLE `auth_state` (
+  `state`		varchar(128)		DEFAULT ''	NOT NULL,
+  `typ`			varchar(32)		DEFAULT ''	NOT NULL COMMENT 'response_type',
+  `redirect`		varchar(1024)		DEFAULT ''	NOT NULL,
+  `expires_at`		bigint 			DEFAULT '0'	NOT NULL,
+  PRIMARY KEY (`state`)
+) ENGINE = InnoDB DEFAULT CHARSET = utf8;
 
 
+CREATE TABLE `captcha` (
+  `captcha_id`		varchar(128)				NOT NULL,
+  `answer`		varchar(128)		DEFAULT ''	NOT NULL,
+  `created_at`		bigint			DEFAULT '0'	NOT NULL,
+  KEY (`captcha_id`, `answer`),
+  KEY (`created_at`)
+) ENGINE = InnoDB DEFAULT CHARSET = utf8;

src/models/auth_state.go

+package models
+
+import (
+	"errors"
+	"time"
+)
+
+type AuthState struct {
+	State     string `json:"state"`
+	Typ       string `json:"typ"`
+	Redirect  string `json:"redirect"`
+	ExpiresAt int64  `json:"expiresAt"`
+}
+
+func AuthStateGet(where string, args ...interface{}) (*AuthState, error) {
+	var obj AuthState
+	has, err := DB["rdb"].Where(where, args...).Get(&obj)
+	if err != nil {
+		return nil, err
+	}
+
+	if !has {
+		return nil, errors.New("auth state not found")
+	}
+
+	return &obj, nil
+}
+
+func (p *AuthState) Save() error {
+	_, err := DB["rdb"].Insert(p)
+	return err
+}
+
+func (p *AuthState) Del() error {
+	_, err := DB["rdb"].Where("state=?", p.State).Delete(new(AuthState))
+	return err
+}
+
+func (p AuthState) CleanUp() error {
+	_, err := DB["rdb"].Exec("delete from auth_state where expires_at < ?", time.Now().Unix())
+	return err
+}

src/models/captcha.go

+package models
+
+import (
+	"errors"
+	"time"
+)
+
+type Captcha struct {
+	CaptchaId string `json:"captchaId"`
+	Answer    string `json:"-"`
+	Image     string `xorm:"-" json:"image"`
+	CreatedAt int64  `json:"createdAt"`
+}
+
+func CaptchaGet(where string, args ...interface{}) (*Captcha, error) {
+	var obj Captcha
+	has, err := DB["rdb"].Where(where, args...).Get(&obj)
+	if err != nil {
+		return nil, err
+	}
+
+	if !has {
+		return nil, errors.New("captcha not found")
+	}
+
+	return &obj, nil
+}
+
+func (p *Captcha) Save() error {
+	_, err := DB["rdb"].Insert(p)
+	return err
+}
+
+func (p *Captcha) Del() error {
+	_, err := DB["rdb"].Where("captcha_id=?", p.CaptchaId).Delete(new(Captcha))
+	return err
+}
+
+const captchaExpiresIn = 600
+
+func (p Captcha) CleanUp() error {
+	_, err := DB["rdb"].Exec("delete from captcha where created_at < ?", time.Now().Unix()-captchaExpiresIn)
+	return err
+}

src/modules/rdb/config/yaml.go

@@ -18,6 +18,7 @@ type ConfigT struct {
 	Sender   map[string]senderSection `yaml:"sender"`
 	RabbitMQ rabbitmqSection          `yaml:"rabbitmq"`
 	WeChat   wechatSection            `yaml:"wechat"`
+	Captcha  bool                     `yaml:"captcha"`
 }
 
 type wechatSection struct {
@@ -33,7 +34,7 @@ type ssoSection struct {
 	ClientId        string `yaml:"clientId"`
 	ClientSecret    string `yaml:"clientSecret"`
 	ApiKey          string `yaml:"apiKey"`
-	StateExpiresIn  int    `yaml:"stateExpiresIn"`
+	StateExpiresIn  int64  `yaml:"stateExpiresIn"`
 	CoverAttributes bool   `yaml:"coverAttributes"`
 	Attributes      struct {
 		Dispname string `yaml:"dispname"`

src/modules/rdb/cron/cleaner.go

+package cron
+
+import (
+	"time"
+
+	"github.com/didi/nightingale/src/models"
+)
+
+const cleanerInterval = 3600 * time.Second
+
+func CleanerLoop() {
+	tc := time.Tick(cleanerInterval)
+
+	for {
+		models.AuthState{}.CleanUp()
+		models.Captcha{}.CleanUp()
+		<-tc
+	}
+}

src/modules/rdb/http/router.go

@@ -18,16 +18,13 @@ func Config(r *gin.Engine) {
 		notLogin.GET("/roles/local", localRoleGet)
 		notLogin.POST("/users/invite", userInvitePost)
 
-		notLogin.GET("/auth/authorize", authAuthorize)
-		notLogin.GET("/auth/callback", authCallback)
-		notLogin.GET("/auth/settings", authSettings)
-
 		notLogin.GET("/auth/v2/authorize", authAuthorizeV2)
 		notLogin.GET("/auth/v2/callback", authCallbackV2)
 		notLogin.GET("/auth/v2/logout", logoutV2)
 
 		notLogin.POST("/auth/send-rst-code-by-sms", sendRstCodeBySms)
 		notLogin.POST("/auth/rst-password", rstPassword)
+		notLogin.GET("/auth/captcha", captchaGet)
 
 		notLogin.GET("/v2/nodes", nodeGets)
 	}

src/modules/rdb/http/router_auth.go

@@ -2,6 +2,7 @@ package http
 
 import (
 	"bytes"
+	"errors"
 	"fmt"
 	"html/template"
 	"log"
@@ -11,6 +12,7 @@ import (
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/mojocn/base64Captcha"
 	"github.com/toolkits/pkg/file"
 	"github.com/toolkits/pkg/str"
 
@@ -22,8 +24,19 @@ import (
 )
 
 var (
-	loginCodeSmsTpl   *template.Template
-	loginCodeEmailTpl *template.Template
+	loginCodeSmsTpl     *template.Template
+	loginCodeEmailTpl   *template.Template
+	errUnsupportCaptcha = errors.New("unsupported captcha")
+
+	// https://captcha.mojotv.cn
+	captchaDirver = base64Captcha.DriverString{
+		Height:          30,
+		Width:           120,
+		ShowLineOptions: 0,
+		Length:          4,
+		Source:          "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789",
+		//ShowLineOptions: 14,
+	}
 )
 
 func init() {
@@ -102,23 +115,6 @@ func logout(c *gin.Context) {
 	}
 }
 
-func authAuthorize(c *gin.Context) {
-	username := cookieUsername(c)
-	if username != "" { // alread login
-		c.String(200, "hi, "+username)
-		return
-	}
-
-	redirect := queryStr(c, "redirect", "/")
-
-	if config.Config.SSO.Enable {
-		c.Redirect(302, ssoc.Authorize(redirect))
-	} else {
-		c.String(200, "sso does not enable")
-	}
-
-}
-
 type authRedirect struct {
 	Redirect string `json:"redirect"`
 	Msg      string `json:"msg"`
@@ -134,29 +130,13 @@ func authAuthorizeV2(c *gin.Context) {
 		return
 	}
 
+	var err error
 	if config.Config.SSO.Enable {
-		ret.Redirect = ssoc.Authorize(redirect)
+		ret.Redirect, err = ssoc.Authorize(redirect)
 	} else {
 		ret.Redirect = "/login"
 	}
-	renderData(c, ret, nil)
-}
-
-func authCallback(c *gin.Context) {
-	code := queryStr(c, "code", "")
-	state := queryStr(c, "state", "")
-	if code == "" {
-		if redirect := queryStr(c, "redirect"); redirect != "" {
-			c.Redirect(302, redirect)
-			return
-		}
-	}
-
-	redirect, user, err := ssoc.Callback(code, state)
-	dangerous(err)
-
-	writeCookieUser(c, user.UUID)
-	c.Redirect(302, redirect)
+	renderData(c, ret, err)
 }
 
 func authCallbackV2(c *gin.Context) {
@@ -182,14 +162,6 @@ func authCallbackV2(c *gin.Context) {
 	renderData(c, ret, nil)
 }
 
-func authSettings(c *gin.Context) {
-	renderData(c, struct {
-		Sso bool `json:"sso"`
-	}{
-		Sso: config.Config.SSO.Enable,
-	}, nil)
-}
-
 func logoutV2(c *gin.Context) {
 	redirect := queryStr(c, "redirect", "")
 	ret := &authRedirect{Redirect: redirect}
@@ -516,3 +488,33 @@ func rstPassword(c *gin.Context) {
 		renderData(c, "reset successfully", nil)
 	}
 }
+
+func captchaGet(c *gin.Context) {
+	ret, err := func() (*models.Captcha, error) {
+		if !config.Config.Captcha {
+			return nil, errUnsupportCaptcha
+		}
+
+		driver := captchaDirver.ConvertFonts()
+		id, content, answer := driver.GenerateIdQuestionAnswer()
+		item, err := driver.DrawCaptcha(content)
+		if err != nil {
+			return nil, err
+		}
+
+		ret := &models.Captcha{
+			CaptchaId: id,
+			Answer:    answer,
+			Image:     item.EncodeB64string(),
+			CreatedAt: time.Now().Unix(),
+		}
+
+		if err := ret.Save(); err != nil {
+			return nil, err
+		}
+
+		return ret, nil
+	}()
+
+	renderData(c, ret, err)
+}

src/modules/rdb/rdb.go

@@ -77,6 +77,7 @@ func main() {
 	go cron.ConsumeSms()
 	go cron.ConsumeVoice()
 	go cron.ConsumeIm()
+	go cron.CleanerLoop()
 
 	http.Start()
 

src/modules/rdb/ssoc/sso.go

@@ -3,6 +3,7 @@ package ssoc
 import (
 	"context"
 	"crypto/tls"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -16,15 +17,18 @@ import (
 	"github.com/didi/nightingale/src/modules/rdb/config"
 	"github.com/google/uuid"
 	"golang.org/x/oauth2"
-	"k8s.io/apimachinery/pkg/util/cache"
+)
+
+var (
+	errState = errors.New("您的登录信息已过期，请前往首页重新登录..")
+	errUser  = errors.New("用户信息异常")
 )
 
 type ssoClient struct {
 	verifier        *oidc.IDTokenVerifier
 	config          oauth2.Config
 	apiKey          string
-	cache           *cache.LRUExpireCache
-	stateExpiresIn  time.Duration
+	stateExpiresIn  int64
 	ssoAddr         string
 	callbackAddr    string
 	coverAttributes bool
@@ -48,7 +52,6 @@ func InitSSO() {
 		return
 	}
 
-	cli.cache = cache.NewLRUExpireCache(1000)
 	cli.ssoAddr = cf.SsoAddr
 	cli.callbackAddr = cf.RedirectURL
 	cli.coverAttributes = cf.CoverAttributes
@@ -75,19 +78,26 @@ func InitSSO() {
 	}
 	cli.apiKey = cf.ApiKey
 
-	if cf.StateExpiresIn == 0 {
-		cli.stateExpiresIn = time.Second * 60
-	} else {
-		cli.stateExpiresIn = time.Second * time.Duration(cf.StateExpiresIn)
+	if cli.stateExpiresIn = cf.StateExpiresIn; cli.stateExpiresIn == 0 {
+		cli.stateExpiresIn = 60
 	}
 }
 
 // Authorize return the sso authorize location with state
-func Authorize(redirect string) string {
-	state := uuid.New().String()
-	cli.cache.Add(state, redirect, cli.stateExpiresIn)
+func Authorize(redirect string) (string, error) {
+	state := &models.AuthState{
+		State:     uuid.New().String(),
+		Typ:       "OAuth2.CODE",
+		Redirect:  redirect,
+		ExpiresAt: time.Now().Unix() + cli.stateExpiresIn,
+	}
+
+	if err := state.Save(); err != nil {
+		return "", err
+	}
+
 	// log.Printf("add state %s", state)
-	return cli.config.AuthCodeURL(state)
+	return cli.config.AuthCodeURL(state.State), nil
 }
 
 // LogoutLocation return logout location
@@ -100,25 +110,23 @@ func LogoutLocation(redirect string) string {
 
 // Callback 用 code 兑换 accessToken 以及 用户信息,
 func Callback(code, state string) (string, *models.User, error) {
-	s, ok := cli.cache.Get(state)
-	if !ok {
-		return "", nil, fmt.Errorf("invalid state %s", state)
+	s, err := models.AuthStateGet("state=?", state)
+	if err != nil {
+		return "", nil, errState
 	}
-	cli.cache.Remove(state)
-	// log.Printf("remove state %s", state)
 
-	redirect := s.(string)
-	// log.Printf("callback, get state %s redirect %s", state, redirect)
+	s.Del()
+	// log.Printf("remove state %s", state)
 
 	u, err := exchangeUser(code)
 	if err != nil {
-		return "", nil, err
+		return "", nil, errUser
 	}
 	// log.Printf("exchange user %v", u)
 
 	user, err := models.UserGet("username=?", u.Username)
 	if err != nil {
-		return "", nil, err
+		return "", nil, errUser
 	}
 
 	if user == nil {
@@ -132,7 +140,7 @@ func Callback(code, state string) (string, *models.User, error) {
 		err = user.Update("email", "dispname", "phone", "im")
 	}
 
-	return redirect, user, err
+	return s.Redirect, user, err
 }
 
 func exchangeUser(code string) (*models.User, error) {