go-away/lib/challenge/register.go

package challenge

import (
	http_cel "codeberg.org/gone/http-cel"
	"fmt"
	"git.gammaspectra.live/git/go-away/lib/policy"
	"github.com/goccy/go-yaml/ast"
	"github.com/google/cel-go/cel"
	"io"
	"net/http"
	"path"
	"strings"
	"time"
)

type Register map[Id]*Registration

func (r Register) Get(id Id) (*Registration, bool) {
	c, ok := r[id]
	return c, ok
}

func (r Register) GetByName(name string) (*Registration, Id, bool) {
	for id, c := range r {
		if c.Name == name {
			return c, id, true
		}
	}

	return nil, 0, false
}

var idCounter Id

// DefaultDuration TODO: adjust
const DefaultDuration = time.Hour * 24 * 7

func (r Register) Create(state StateInterface, name string, pol policy.Challenge, replacer *strings.Replacer) (*Registration, Id, error) {
	runtime, ok := Runtimes[pol.Runtime]
	if !ok {
		return nil, 0, fmt.Errorf("unknown challenge runtime %s", pol.Runtime)
	}

	reg := &Registration{
		Name:     name,
		Path:     path.Join(state.UrlPath(), "challenge", name),
		Duration: pol.Duration,
	}

	if reg.Duration == 0 {
		reg.Duration = DefaultDuration
	}

	// allow nesting
	var conditions []string
	for _, cond := range pol.Conditions {
		if replacer != nil {
			cond = replacer.Replace(cond)
		}
		conditions = append(conditions, cond)
	}

	if len(conditions) > 0 {
		var err error
		reg.Condition, err = state.RegisterCondition(http_cel.OperatorOr, conditions...)
		if err != nil {
			return nil, 0, fmt.Errorf("error compiling condition: %w", err)
		}
	}

	if _, oldId, ok := r.GetByName(reg.Name); ok {
		reg.id = oldId
	} else {
		idCounter++
		reg.id = idCounter
	}

	err := runtime(state, reg, pol.Parameters)
	if err != nil {
		return nil, 0, fmt.Errorf("error filling registration: %v", err)
	}
	r[reg.id] = reg
	return reg, reg.id, nil
}

func (r Register) Add(c *Registration) Id {
	if _, oldId, ok := r.GetByName(c.Name); ok {
		c.id = oldId
		r[oldId] = c
		return oldId
	} else {
		idCounter++
		c.id = idCounter
		r[idCounter] = c
		return idCounter
	}
}

type Registration struct {
	// id The assigned internal identifier
	id Id

	// Name The unique name for this challenge
	Name string

	// Class whether this challenge is transparent or otherwise
	Class Class

	// Condition A CEL condition which is passed the same environment as general rules.
	// If nil, always true
	// If non-nil, must return true for this challenge to be allowed to be executed
	Condition cel.Program

	// Path The url path that this challenge is hosted under for the Handler to be called.
	Path string

	// Duration How long this challenge will be valid when passed
	Duration time.Duration

	// Handler An HTTP handler for all requests coming on the Path
	// This handler will need to handle MakeChallengeUrlSuffix and VerifyChallengeUrlSuffix as well if needed
	// Recommended to use http.ServeMux
	Handler http.Handler

	// Verify Verify an issued token
	Verify            VerifyFunc
	VerifyProbability float64

	// IssueChallenge Issues a challenge to a request.
	// If Class is ClassTransparent and VerifyResult is !VerifyResult.Ok(), continue with other challenges
	// TODO: have this return error as well
	IssueChallenge func(w http.ResponseWriter, r *http.Request, key Key, expiry time.Time) VerifyResult

	// Object used to handle state or similar
	// Can be nil if no state is needed
	// If non-nil must implement io.Closer even if there's nothing to do
	Object io.Closer
}

type VerifyFunc func(key Key, token []byte, r *http.Request) (VerifyResult, error)

func (reg Registration) Id() Id {
	return reg.id
}

type FillRegistration func(state StateInterface, reg *Registration, parameters ast.Node) error

var Runtimes = make(map[string]FillRegistration)