v0.4.4 (#72)

* v0.4.4

* removing unwanted changes in the launch.json

* fix linting problems

* fixing a bug where a root password could be longer than 40 characters

* fixed the issue with invalid tokens being accepted

* added a fix for the validation of all required roles and claims for an endpoint

* upgraded to cryptorand v0.0.6

.gitignore

@@ -11,3 +11,4 @@ __debug_*
 *.key
 .env
 **/*.local.*
+**/*.pem

.vscode/launch.json

@@ -10,7 +10,7 @@
       // Comment out if you need to setup environment variables for the module
       "envFile": "${workspaceFolder}/.env",
       // "args": [
-      //   "--port=5570",
+      //   "--BRUTE_FORCE_MAX_LOGIN_ATTEMPTS=10",
       // ]
     },
     {

CHANGELOG.md

@@ -5,13 +5,41 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [0.4.4] - 2024-01-12
 
 ### Added
 
-- Initial project setup
+- brute force attack protection, this will lock accounts after x attempts, by
+  default 5 attempts and will use by default incremental wait periods for each
+  failed attempts, all of these parameters can be changed
+- added the ability to sign a token with different algorithms, by default it will
+  use HS256, but you can change it to RS256, HS384, RS384, HS512, RS512, this will
+  cater for the request we had for asymmetric keys
+- added a random secret generator for the default HS256 is none is provided, this
+  is a change from previous versions where we used the machine id as the secret
+  this will increment the security of the default installation
+- added a password complexity pipeline for checking if the users passwords adhere
+  to the complexity requirements, this can be disabled if required, by default the
+  password complexity is enabled and the complexity is set to 12 characters, at least
+  one uppercase, one lowercase, one number and one special character
+- added a diagnostics class to better cater for errors and exceptions, this will
+  allow us to better handle errors and exceptions and return a more meaningful
+  error message to the user a the moment is not used in all of the code, but we
+  will be adding it to all of the code in the future
+
+### Changed
+
+- added back the ability to hash passwords using the SHA256 algorithm, this was
+  removed in a previous version, but we have added it back as some users already
+  had passwords hashed using this algorithm and this was breaking them. the default
+  installation will use the bcrypt algorithm
+
+### Fixed
+
+- fixed an issue where the token validation endpoint was not working and only accepted
+  GET requests, it now accepts only POST requests as expected and documented
 
-## [0.4.3] - 2024-01-12
+## [0.4.3] - 2024-01-09
 
 ### Added
 
@@ -21,3 +49,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
 
 - fixed a bug where a host would not show it status correctly
+
+## [Unreleased]
+
+### Added
+
+- Initial project setup

src/catalog/models/pull_catalog_manifest.go

@@ -49,7 +49,7 @@ func (r *PullCatalogManifestRequest) Validate() error {
 	}
 
 	ctx := basecontext.NewRootBaseContext()
-	svcCtl := system.Get(ctx)
+	svcCtl := system.Get()
 	arch, err := svcCtl.GetArchitecture(ctx)
 	if err != nil {
 		return errors.New("unable to determine architecture")

src/catalog/models/push_catalog_manifest.go

@@ -61,7 +61,7 @@ func (r *PushCatalogManifestRequest) Validate() error {
 
 	if r.Architecture == "" {
 		ctx := basecontext.NewRootBaseContext()
-		sysCtl := system.Get(ctx)
+		sysCtl := system.Get()
 		arch, err := sysCtl.GetArchitecture(ctx)
 		if err != nil {
 			return errors.NewWithCode("unable to determine architecture and none was set", 400)

src/catalog/pull.go

@@ -77,7 +77,7 @@ func (s *CatalogManifestService) Pull(ctx basecontext.ApiContext, r *models.Pull
 		manifest = &models.VirtualMachineCatalogManifest{}
 		manifest.Provider = &provider
 		apiClient.SetAuthorization(GetAuthenticator(manifest.Provider))
-		srvCtl := system.Get(ctx)
+		srvCtl := system.Get()
 		arch, err := srvCtl.GetArchitecture(ctx)
 		if err != nil {
 			response.AddError(errors.New("unable to determine architecture"))

src/cmd/api.go

@@ -8,9 +8,9 @@ import (
 	"github.com/Parallels/pd-api-service/common"
 	"github.com/Parallels/pd-api-service/config"
 	"github.com/Parallels/pd-api-service/constants"
-	"github.com/Parallels/pd-api-service/helpers"
 	"github.com/Parallels/pd-api-service/orchestrator"
 	"github.com/Parallels/pd-api-service/restapi"
+	"github.com/Parallels/pd-api-service/security/password"
 	"github.com/Parallels/pd-api-service/serviceprovider"
 	"github.com/Parallels/pd-api-service/startup"
 	"github.com/cjlapao/common-go/helper"
@@ -29,8 +29,8 @@ func processApi(ctx basecontext.ApiContext) {
 	if cfg.GetSecurityKey() == "" {
 		common.Logger.Warn("No security key found, database will be unencrypted")
 	}
-
 	startup.Start()
+	startup.Init()
 
 	currentUser, err := serviceprovider.Get().System.GetCurrentUser(ctx)
 	if err != nil {
@@ -49,7 +49,8 @@ func processApi(ctx basecontext.ApiContext) {
 		rootUser, _ := db.GetUser(ctx, "root")
 		rootPassword := os.Getenv(constants.ROOT_PASSWORD_ENV_VAR)
 		if rootUser != nil {
-			if err := helpers.BcryptCompare(rootPassword, rootUser.ID, rootUser.Password); err != nil {
+			passwdSvc := password.Get()
+			if err := passwdSvc.Compare(rootPassword, rootUser.ID, rootUser.Password); err != nil {
 				ctx.LogInfo("Updating root password")
 				if err := db.UpdateRootPassword(ctx, os.Getenv(constants.ROOT_PASSWORD_ENV_VAR)); err != nil {
 					panic(err)

src/cmd/catalog.go

@@ -70,7 +70,7 @@ func catalogInitPdFile(ctx basecontext.ApiContext, cmd string) *pdfile.PDFile {
 	}
 
 	if pdFile.Owner == "" {
-		user, _ := system.Get(ctx).GetCurrentUser(ctx)
+		user, _ := system.Get().GetCurrentUser(ctx)
 		if user != "" {
 			pdFile.Owner = user
 		}

src/cmd/generate_security_key.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"os"
+	"strconv"
 
 	"github.com/Parallels/pd-api-service/basecontext"
 	"github.com/Parallels/pd-api-service/constants"
@@ -10,14 +11,24 @@ import (
 )
 
 func processGenerateSecurityKey(ctx basecontext.ApiContext) {
-	ctx.LogInfo("Generating security key")
 	filename := "private.key"
 
 	if helper.GetFlagValue(constants.FILE_FLAG, "") != "" {
 		filename = helper.GetFlagValue(constants.FILE_FLAG, "")
 	}
+	keySize := 2048
+	if helper.GetFlagValue(constants.SIZE_FLAG, "") != "" {
+		size, err := strconv.Atoi(helper.GetFlagValue(constants.SIZE_FLAG, "0"))
+		if err != nil {
+			ctx.LogError("Error parsing size flag: %s", err.Error())
+		} else {
+			keySize = size
+		}
+	}
+
+	ctx.LogInfo("Generating security key, with size %v", keySize)
 
-	err := security.GenPrivateRsaKey(filename)
+	err := security.GenPrivateRsaKey(filename, keySize)
 	if err != nil {
 		panic(err)
 	}

src/cmd/main.go

@@ -34,5 +34,6 @@ func Process() {
 	default:
 		processApi(ctx)
 	}
+
 	os.Exit(0)
 }

src/config/main.go

@@ -152,7 +152,7 @@ func (c *Config) GetTokenDurationMinutes() int {
 
 func (c *Config) GetRootFolder() (string, error) {
 	ctx := basecontext.NewRootBaseContext()
-	srv := system.Get(ctx)
+	srv := system.Get()
 	currentUser, err := srv.GetCurrentUser(ctx)
 	if err != nil {
 		currentUser = "root"
@@ -284,3 +284,40 @@ func (c *Config) UseOrchestratorResources() bool {
 
 	return false
 }
+
+func (c *Config) GetKey(key string) string {
+	value := os.Getenv(key)
+	if value == "" {
+		value = helper.GetFlagValue(key, "")
+	}
+
+	return value
+}
+
+func (c *Config) GetIntKey(key string) int {
+	value := c.GetKey(key)
+	if value == "" {
+		return 0
+	}
+
+	intVal, err := strconv.Atoi(value)
+	if err != nil {
+		return 0
+	}
+
+	return intVal
+}
+
+func (c *Config) GetBoolKey(key string) bool {
+	value := c.GetKey(key)
+	if value == "" {
+		return false
+	}
+
+	boolVal, err := strconv.ParseBool(value)
+	if err != nil {
+		return false
+	}
+
+	return boolVal
+}

src/constants/brute_force_guard.go

@@ -0,0 +1,7 @@
+package constants
+
+const (
+	BRUTE_FORCE_MAX_LOGIN_ATTEMPTS_ENV_VAR = "BRUTE_FORCE_MAX_LOGIN_ATTEMPTS"
+	BRUTE_FORCE_LOCKOUT_DURATION_ENV_VAR   = "BRUTE_FORCE_LOCKOUT_DURATION"
+	BRUTE_FORCE_INCREMENTAL_WAIT_ENV_VAR   = "BRUTE_FORCE_INCREMENTAL_WAIT"
+)

src/constants/jwt.go

@@ -0,0 +1,8 @@
+package constants
+
+const (
+	JWT_PRIVATE_KEY_ENV_VAR    = "JWT_PRIVATE_KEY"
+	JWT_HMACS_SECRET_ENV_VAR   = "JWT_HMACS_SECRET"
+	JWT_DURATION_ENV_VAR       = "JWT_DURATION"
+	JWT_SIGN_ALGORITHM_ENV_VAR = "JWT_SIGN_ALGORITHM"
+)

src/constants/main.go

@@ -71,6 +71,7 @@ const (
 	API_PORT_FLAG                   = "port"
 	UPDATE_ROOT_PASSWORD_FLAG       = "update-root-pass"
 	FILE_FLAG                       = "file"
+	SIZE_FLAG                       = "size"
 	MODE_FLAG                       = "mode"
 	HELP_FLAG                       = "help"
 	PASSWORD_FLAG                   = "password"

src/constants/password.go

@@ -0,0 +1,11 @@
+package constants
+
+const (
+	SECURITY_PASSWORD_MIN_PASSWORD_LENGTH_ENV_VAR  = "SECURITY_PASSWORD_MIN_PASSWORD_LENGTH"
+	SECURITY_PASSWORD_MAX_PASSWORD_LENGTH_ENV_VAR  = "SECURITY_PASSWORD_MAX_PASSWORD_LENGTH"
+	SECURITY_PASSWORD_REQUIRE_LOWERCASE_ENV_VAR    = "SECURITY_PASSWORD_REQUIRE_LOWERCASE"
+	SECURITY_PASSWORD_REQUIRE_UPPERCASE_ENV_VAR    = "SECURITY_PASSWORD_REQUIRE_UPPERCASE"
+	SECURITY_PASSWORD_REQUIRE_NUMBER_ENV_VAR       = "SECURITY_PASSWORD_REQUIRE_NUMBER"
+	SECURITY_PASSWORD_REQUIRE_SPECIAL_CHAR_ENV_VAR = "SECURITY_PASSWORD_REQUIRE_SPECIAL_CHAR"
+	SECURITY_PASSWORD_SALT_PASSWORD_ENV_VAR        = "SECURITY_PASSWORD_SALT_PASSWORD"
+)