1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
|
package authz
import (
"crypto/rand"
"encoding/csv"
"encoding/hex"
"fmt"
"log/slog"
"os"
"sync"
"golang.org/x/crypto/bcrypt"
)
// TokenSize is the number of random bytes used for token generation
const TokenSize = 32
// AccessID represents a unique authentication identifier
type AccessID string
// FriendlyName represents a human-readable identifier
type FriendlyName string
// TokenMap maps AccessIDs to password hashes
type TokenMap map[AccessID]string
// SafeTokenMap provides thread-safe access to TokenMap
type SafeTokenMap struct {
mu sync.RWMutex
tokens TokenMap
}
// NewSafeTokenMap creates a new thread-safe token map
func NewSafeTokenMap() *SafeTokenMap {
return &SafeTokenMap{
tokens: make(TokenMap),
}
}
// Get retrieves a hash for the given AccessID
func (s *SafeTokenMap) Get(id AccessID) (string, bool) {
s.mu.RLock()
defer s.mu.RUnlock()
hash, exists := s.tokens[id]
return hash, exists
}
// Set stores a hash for the given AccessID
func (s *SafeTokenMap) Set(id AccessID, hash string) {
s.mu.Lock()
defer s.mu.Unlock()
s.tokens[id] = hash
}
// LoadFromFile loads tokens from a CSV file
func (s *SafeTokenMap) LoadFromFile(path string) error {
tokens, _, err := LoadTokensFromFile(path)
if err != nil {
return err
}
s.mu.Lock()
defer s.mu.Unlock()
s.tokens = tokens
return nil
}
// IdentityMap manages mappings between AccessIDs and FriendlyNames
type IdentityMap struct {
mu sync.RWMutex
IDToName map[AccessID]FriendlyName
NameToID map[FriendlyName]AccessID
}
// NewTokenMap creates a new token map
func NewTokenMap() TokenMap {
return make(TokenMap)
}
// NewIdentityMap creates a new identity mapping
func NewIdentityMap() *IdentityMap {
return &IdentityMap{
IDToName: make(map[AccessID]FriendlyName),
NameToID: make(map[FriendlyName]AccessID),
}
}
// LoadTokensFromFile loads tokens and identities from a csv file
func LoadTokensFromFile(path string) (TokenMap, *IdentityMap, error) {
tm := make(TokenMap)
im := NewIdentityMap()
contents, err := os.Open(path)
if err != nil {
slog.Error("File reading error", slog.Any("error", err))
return nil, nil, err
}
defer contents.Close()
r := csv.NewReader(contents)
tokens, err := r.ReadAll()
if err != nil {
return nil, nil, fmt.Errorf("file reading error: %w", err)
}
for _, row := range tokens {
if len(row) != 3 {
return nil, nil, fmt.Errorf("invalid row format, expected: access_id,friendly_name,hash")
}
accessID, friendlyName, hash := AccessID(row[0]), FriendlyName(row[1]), row[2]
tm[accessID] = hash
im.Register(accessID, friendlyName)
}
return tm, im, nil
}
// Register adds a mapping between an AccessID and FriendlyName
func (im *IdentityMap) Register(id AccessID, name FriendlyName) {
im.mu.Lock()
defer im.mu.Unlock()
im.IDToName[id] = name
im.NameToID[name] = id
}
// GetID retrieves the AccessID for a given FriendlyName
func (im *IdentityMap) GetID(name FriendlyName) (AccessID, bool) {
im.mu.RLock()
defer im.mu.RUnlock()
id, exists := im.NameToID[name]
return id, exists
}
// GetName retrieves the FriendlyName for a given AccessID
func (im *IdentityMap) GetName(id AccessID) (FriendlyName, bool) {
im.mu.RLock()
defer im.mu.RUnlock()
name, exists := im.IDToName[id]
return name, exists
}
// GenerateAccessID creates a new random access identifier
func GenerateAccessID() (AccessID, error) {
idBytes := make([]byte, 16) // 16 bytes = 128 bits
if _, err := rand.Read(idBytes); err != nil {
return "", fmt.Errorf("failed to generate access ID: %w", err)
}
return AccessID(hex.EncodeToString(idBytes)), nil
}
// GenerateNewToken generates a new secure random token and its bcrypt hash
// The token is 32 bytes (256 bits) of cryptographically secure random data
// encoded as a 64-character hex string. The hash is a bcrypt hash of the
// random bytes using default cost parameters.
func GenerateNewToken() (string, string, error) {
tokenBytes := make([]byte, TokenSize)
if _, err := rand.Read(tokenBytes); err != nil {
return "", "", fmt.Errorf("failed to generate random token: %w", err)
}
hashBytes, err := bcrypt.GenerateFromPassword(tokenBytes, bcrypt.DefaultCost)
if err != nil {
return "", "", err
}
token := hex.EncodeToString(tokenBytes)
hash := string(hashBytes)
return token, hash, nil
}
|
