fleet/server/service/validation_users.go

package service

import (
	"context"
	"errors"
	"strings"
	"unicode"

	"github.com/kolide/fleet/server/contexts/viewer"
	"github.com/kolide/fleet/server/kolide"
)

func (mw validationMiddleware) NewUser(ctx context.Context, p kolide.UserPayload) (*kolide.User, error) {
	invalid := &invalidArgumentError{}
	if p.Username == nil {
		invalid.Append("username", "missing required argument")
	} else {
		if *p.Username == "" {
			invalid.Append("username", "cannot be empty")
		}

		if strings.Contains(*p.Username, "@") {
			invalid.Append("username", "'@' character not allowed in usernames")
		}
	}

	// we don't need a password for single sign on
	if p.SSOInvite == nil || !*p.SSOInvite {
		if p.Password == nil {
			invalid.Append("password", "missing required argument")
		} else {
			if *p.Password == "" {
				invalid.Append("password", "cannot be empty")
			}
			if err := validatePasswordRequirements(*p.Password); err != nil {
				invalid.Append("password", err.Error())
			}
		}
	}

	if p.Email == nil {
		invalid.Append("email", "missing required argument")
	} else {
		if *p.Email == "" {
			invalid.Append("email", "cannot be empty")
		}
	}

	if p.InviteToken == nil {
		invalid.Append("invite_token", "missing required argument")
	} else {
		if *p.InviteToken == "" {
			invalid.Append("invite_token", "cannot be empty")
		}
	}

	if invalid.HasErrors() {
		return nil, invalid
	}
	return mw.Service.NewUser(ctx, p)
}

func (mw validationMiddleware) ModifyUser(ctx context.Context, userID uint, p kolide.UserPayload) (*kolide.User, error) {
	invalid := &invalidArgumentError{}
	if p.Username != nil {
		if *p.Username == "" {
			invalid.Append("username", "cannot be empty")
		}

		if strings.Contains(*p.Username, "@") {
			invalid.Append("username", "'@' character not allowed in usernames")
		}
	}

	if p.Name != nil {
		if *p.Name == "" {
			invalid.Append("name", "cannot be empty")
		}
	}

	if p.Email != nil {
		if *p.Email == "" {
			invalid.Append("email", "cannot be empty")
		}
		// if the user is not an admin, or if an admin is changing their own email
		// address a password is required,
		if passwordRequiredForEmailChange(ctx, userID, invalid) {
			if p.Password == nil {
				invalid.Append("password", "cannot be empty if email is changed")
			}
		}
	}

	if invalid.HasErrors() {
		return nil, invalid
	}
	return mw.Service.ModifyUser(ctx, userID, p)
}

func passwordRequiredForEmailChange(ctx context.Context, uid uint, invalid *invalidArgumentError) bool {
	vc, ok := viewer.FromContext(ctx)
	if !ok {
		invalid.Append("viewer", "not present")
		return false
	}
	// if a user is changing own email need a password no matter what
	if vc.UserID() == uid {
		return true
	}
	// if an admin is changing another users email no password needed
	if vc.CanPerformAdminActions() {
		return false
	}
	// should never get here because a non admin can't change the email of another
	// user
	invalid.Append("auth", "this user can't change another user's email")
	return false
}

func (mw validationMiddleware) ChangePassword(ctx context.Context, oldPass, newPass string) error {
	invalid := &invalidArgumentError{}
	if oldPass == "" {
		invalid.Append("old_password", "cannot be empty")
	}
	if newPass == "" {
		invalid.Append("new_password", "cannot be empty")
	}

	if err := validatePasswordRequirements(newPass); err != nil {
		invalid.Append("new_password", err.Error())
	}

	if invalid.HasErrors() {
		return invalid
	}
	return mw.Service.ChangePassword(ctx, oldPass, newPass)
}

func (mw validationMiddleware) ResetPassword(ctx context.Context, token, password string) error {
	invalid := &invalidArgumentError{}
	if token == "" {
		invalid.Append("token", "cannot be empty field")
	}
	if password == "" {
		invalid.Append("new_password", "cannot be empty field")
	}
	if err := validatePasswordRequirements(password); err != nil {
		invalid.Append("new_password", err.Error())
	}
	if invalid.HasErrors() {
		return invalid
	}
	return mw.Service.ResetPassword(ctx, token, password)
}

// Requirements for user password:
// at least 7 character length
// at least 1 symbol
// at least 1 number
func validatePasswordRequirements(password string) error {
	var (
		number bool
		symbol bool
	)

	for _, s := range password {
		switch {
		case unicode.IsNumber(s):
			number = true
		case unicode.IsPunct(s) || unicode.IsSymbol(s):
			symbol = true
		}
	}

	if len(password) >= 7 &&
		number &&
		symbol {
		return nil
	}

	return errors.New("password does not meet validation requirements")
}
Organizing go code (#241) 2016-09-26 18:48:55 +00:00			`package service`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00
			`import (`
Update go-kit to 0.4.0 (#1411) Notable refactoring: - Use stdlib "context" in place of "golang.org/x/net/context" - Go-kit no longer wraps errors, so we remove the unwrap in transport_error.go - Use MakeHandler when setting up endpoint tests (fixes test bug caught during this refactoring) Closes #1411. 2017-03-15 15:55:30 +00:00			`"context"`
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00			`"errors"`
Allow with Logins with email address (#174) The Auth service now accepts emails in the username field The UserService now rejects user creation if the user has @ in the username. 2016-09-15 19:27:55 +00:00			`"strings"`
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00			`"unicode"`
Allow with Logins with email address (#174) The Auth service now accepts emails in the username field The UserService now rejects user creation if the user has @ in the username. 2016-09-15 19:27:55 +00:00
Rename project to Kolide Fleet (#1529) 2017-06-22 19:50:45 +00:00			`"github.com/kolide/fleet/server/contexts/viewer"`
			`"github.com/kolide/fleet/server/kolide"`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`)`

			`func (mw validationMiddleware) NewUser(ctx context.Context, p kolide.UserPayload) (*kolide.User, error) {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid := &invalidArgumentError{}`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`if p.Username == nil {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid.Append("username", "missing required argument")`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`} else {`
			`if *p.Username == "" {`
			`invalid.Append("username", "cannot be empty")`
			`}`

Allow with Logins with email address (#174) The Auth service now accepts emails in the username field The UserService now rejects user creation if the user has @ in the username. 2016-09-15 19:27:55 +00:00			`if strings.Contains(*p.Username, "@") {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid.Append("username", "'@' character not allowed in usernames")`
Allow with Logins with email address (#174) The Auth service now accepts emails in the username field The UserService now rejects user creation if the user has @ in the username. 2016-09-15 19:27:55 +00:00			`}`
			`}`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`// we don't need a password for single sign on`
General simplification in go part (#1658) * don't check if error is nil, return it * don't compare bool to bool, use it * don't supply capacity to make for slice when len is equal to cap 2017-12-04 14:43:43 +00:00			`if p.SSOInvite == nil \|\| !*p.SSOInvite {`
Add SSO support to new user activation (#1504) Closes #1502. This PR adds support for SSO to the new user creation process. An admin now has the option to select SSO when creating a new user. When the confirmation form is submitted, the user is automatically authenticated with the IDP, and if successful, is redirected to the Kolide home page. Password authentication, password change and password reset are not allowed for an SSO user. 2017-05-10 16:26:05 +00:00			`if p.Password == nil {`
			`invalid.Append("password", "missing required argument")`
			`} else {`
			`if *p.Password == "" {`
			`invalid.Append("password", "cannot be empty")`
			`}`
			`if err := validatePasswordRequirements(*p.Password); err != nil {`
			`invalid.Append("password", err.Error())`
			`}`
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00			`}`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`if p.Email == nil {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid.Append("email", "missing required argument")`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`} else {`
			`if *p.Email == "" {`
			`invalid.Append("email", "cannot be empty")`
			`}`
nicer validation errors (#180) 2016-09-16 15:23:48 +00:00			`}`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`if p.InviteToken == nil {`
			`invalid.Append("invite_token", "missing required argument")`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`} else {`
			`if *p.InviteToken == "" {`
			`invalid.Append("invite_token", "cannot be empty")`
			`}`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`}`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`if invalid.HasErrors() {`
			`return nil, invalid`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`
			`return mw.Service.NewUser(ctx, p)`
			`}`

Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`func (mw validationMiddleware) ModifyUser(ctx context.Context, userID uint, p kolide.UserPayload) (*kolide.User, error) {`
			`invalid := &invalidArgumentError{}`
			`if p.Username != nil {`
			`if *p.Username == "" {`
			`invalid.Append("username", "cannot be empty")`
			`}`

			`if strings.Contains(*p.Username, "@") {`
			`invalid.Append("username", "'@' character not allowed in usernames")`
			`}`
			`}`

			`if p.Name != nil {`
			`if *p.Name == "" {`
			`invalid.Append("name", "cannot be empty")`
			`}`
			`}`

			`if p.Email != nil {`
			`if *p.Email == "" {`
			`invalid.Append("email", "cannot be empty")`
			`}`
Allow user to change email with confirmation (#1102) * Change email functionality * Code review changes for @groob * Name change per @groob * Code review changes per @marpaia Also added addition non-happy path tests to satisfy concerns by @groob 2017-01-27 13:35:58 +00:00			`// if the user is not an admin, or if an admin is changing their own email`
			`// address a password is required,`
			`if passwordRequiredForEmailChange(ctx, userID, invalid) {`
			`if p.Password == nil {`
			`invalid.Append("password", "cannot be empty if email is changed")`
			`}`
			`}`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`}`

			`if invalid.HasErrors() {`
			`return nil, invalid`
			`}`
			`return mw.Service.ModifyUser(ctx, userID, p)`
			`}`

Allow user to change email with confirmation (#1102) * Change email functionality * Code review changes for @groob * Name change per @groob * Code review changes per @marpaia Also added addition non-happy path tests to satisfy concerns by @groob 2017-01-27 13:35:58 +00:00			`func passwordRequiredForEmailChange(ctx context.Context, uid uint, invalid *invalidArgumentError) bool {`
			`vc, ok := viewer.FromContext(ctx)`
			`if !ok {`
			`invalid.Append("viewer", "not present")`
			`return false`
			`}`
			`// if a user is changing own email need a password no matter what`
			`if vc.UserID() == uid {`
			`return true`
			`}`
			`// if an admin is changing another users email no password needed`
Refactoring and fixes in user authorization - Simplify/fix logic for authorization - Rename/refactor for clarity - Add tests for auth related code 2018-09-13 20:59:53 +00:00			`if vc.CanPerformAdminActions() {`
Allow user to change email with confirmation (#1102) * Change email functionality * Code review changes for @groob * Name change per @groob * Code review changes per @marpaia Also added addition non-happy path tests to satisfy concerns by @groob 2017-01-27 13:35:58 +00:00			`return false`
			`}`
			`// should never get here because a non admin can't change the email of another`
			`// user`
			`invalid.Append("auth", "this user can't change another user's email")`
			`return false`
			`}`

Add change password endpoint (#628) 2016-12-14 18:11:43 +00:00			`func (mw validationMiddleware) ChangePassword(ctx context.Context, oldPass, newPass string) error {`
			`invalid := &invalidArgumentError{}`
			`if oldPass == "" {`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`invalid.Append("old_password", "cannot be empty")`
Add change password endpoint (#628) 2016-12-14 18:11:43 +00:00			`}`
			`if newPass == "" {`
Improve user endpoint validations (#642) - Add empty string checks for NewUser - Create validations for ModifyUser - Use GravatarURL when creating new user Fixes #620 2016-12-15 17:28:53 +00:00			`invalid.Append("new_password", "cannot be empty")`
Add change password endpoint (#628) 2016-12-14 18:11:43 +00:00			`}`
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00
			`if err := validatePasswordRequirements(newPass); err != nil {`
			`invalid.Append("new_password", err.Error())`
			`}`

Add change password endpoint (#628) 2016-12-14 18:11:43 +00:00			`if invalid.HasErrors() {`
			`return invalid`
			`}`
			`return mw.Service.ChangePassword(ctx, oldPass, newPass)`
			`}`

Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API 2016-09-15 14:52:17 +00:00			`func (mw validationMiddleware) ResetPassword(ctx context.Context, token, password string) error {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid := &invalidArgumentError{}`
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API 2016-09-15 14:52:17 +00:00			`if token == "" {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid.Append("token", "cannot be empty field")`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API 2016-09-15 14:52:17 +00:00			`if password == "" {`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`invalid.Append("new_password", "cannot be empty field")`
nicer validation errors (#180) 2016-09-16 15:23:48 +00:00			`}`
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00			`if err := validatePasswordRequirements(password); err != nil {`
			`invalid.Append("new_password", err.Error())`
			`}`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`if invalid.HasErrors() {`
			`return invalid`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API 2016-09-15 14:52:17 +00:00			`return mw.Service.ResetPassword(ctx, token, password)`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`
nicer validation errors (#180) 2016-09-16 15:23:48 +00:00
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00			`// Requirements for user password:`
			`// at least 7 character length`
			`// at least 1 symbol`
			`// at least 1 number`
			`func validatePasswordRequirements(password string) error {`
			`var (`
			`number bool`
			`symbol bool`
			`)`

			`for _, s := range password {`
			`switch {`
			`case unicode.IsNumber(s):`
			`number = true`
			`case unicode.IsPunct(s) \|\| unicode.IsSymbol(s):`
			`symbol = true`
			`}`
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages 2016-09-23 02:41:58 +00:00			`}`
nicer validation errors (#180) 2016-09-16 15:23:48 +00:00
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00			`if len(password) >= 7 &&`
			`number &&`
			`symbol {`
			`return nil`
nicer validation errors (#180) 2016-09-16 15:23:48 +00:00			`}`
Validate password requirements (#962) Add validation for user password creation/reset - at least 7 chars - 1 number - 1 symbol consolidated service errors to a single file. 2017-01-15 23:23:09 +00:00
			`return errors.New("password does not meet validation requirements")`
nicer validation errors (#180) 2016-09-16 15:23:48 +00:00			`}`