Merge pull request #1 from vapor/start

🚀
vapor · Feb 16, 2017 · 470241a · 470241a
2 parents 903c5eb + bdad50d
commit 470241a
Show file tree

Hide file tree

Showing 19 changed files with 488 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,6 @@
+.DS_Store
+/.build
+/Packages
+/*.xcodeproj
+Package.pins
+
diff --git a/Package.swift b/Package.swift
@@ -0,0 +1,13 @@
+import PackageDescription
+
+let package = Package(
+    name: "Auth",
+    targets: [
+        Target(name: "Authentication"),
+        Target(name: "Authorization", dependencies: ["Authentication"]),
+    ],
+    dependencies: [
+        // Swift models, relationships, and querying for NoSQL and SQL databases.
+        .Package(url: "https://github.com/vapor/fluent.git", Version(2,0,0, prereleaseIdentifiers: ["alpha"]))
+    ]
+)
diff --git a/Sources/Authentication/AuthenticationError.swift b/Sources/Authentication/AuthenticationError.swift
@@ -0,0 +1,35 @@
+public enum AuthenticationError: Swift.Error {
+    case invalidBasicAuthorization
+    case invalidBearerAuthorization
+    case noAuthorizationHeader
+    case notAuthenticated
+    case invalidCredentials
+    case unsupportedCredentials
+    case unspecified(Error)
+}
+
+extension AuthenticationError: CustomStringConvertible {
+    public var description: String {
+        let reason: String
+
+        switch self {
+        case .invalidBasicAuthorization:
+            reason = "Invalid Authorization Basic header"
+        case .invalidBearerAuthorization:
+            reason = "Invalid Authorization Bearer header"
+        case .noAuthorizationHeader:
+            reason = "No authorization header"
+        case .notAuthenticated:
+            reason = "Not authenticated"
+        case .invalidCredentials:
+            reason = "Invalid credentials"
+        case .unsupportedCredentials:
+            reason = "Unsupported credentials"
+        case .unspecified(let error):
+            reason = "\(error)"
+        }
+
+        return "Authentication error: \(reason)"
+    }
+}
+
diff --git a/Sources/Authentication/Credentials/Authenticatable.swift b/Sources/Authentication/Credentials/Authenticatable.swift
@@ -0,0 +1 @@
+public protocol Authenticatable { }
diff --git a/Sources/Authentication/Credentials/Credentials.swift b/Sources/Authentication/Credentials/Credentials.swift
@@ -0,0 +1 @@
+public protocol Crendentials { }
diff --git a/Sources/Authentication/Credentials/Custom.swift b/Sources/Authentication/Credentials/Custom.swift
@@ -0,0 +1,6 @@
+// MARK: Authenticatable
+
+public protocol CustomAuthenticatable: Authenticatable {
+    /// Returns the user matching the custom credential.
+    static func authenticate(custom: Crendentials) throws -> Self
+}
diff --git a/Sources/Authentication/Credentials/Identifier.swift b/Sources/Authentication/Credentials/Identifier.swift
@@ -0,0 +1,33 @@
+// MARK: Data structure
+
+import Node
+
+public struct Identifier: Crendentials {
+    let id: Node
+
+    public init(id: Node) {
+        self.id = id
+    }
+}
+
+// MARK: Authenticatable
+
+public protocol IdentifierAuthenticatable {
+    /// Return the user with the supplied id.
+    static func authenticate(_: Identifier) throws -> Self
+}
+
+
+// MARK: Entity conformance
+
+import Fluent
+
+extension IdentifierAuthenticatable where Self: Entity {
+    public static func authenticate(_ id: Identifier) throws -> Self {
+        guard let match = try Self.find(id.id) else {
+            throw AuthenticationError.invalidCredentials
+        }
+
+        return match
+    }
+}
diff --git a/Sources/Authentication/Credentials/Token.swift b/Sources/Authentication/Credentials/Token.swift
@@ -0,0 +1,55 @@
+// MARK: Data structure
+
+public struct Token: Crendentials {
+    public let string: String
+
+    public init(string: String) {
+        self.string = string
+    }
+}
+
+// MARK: Authenticatable
+
+public protocol TokenAuthenticatable: Authenticatable {
+    /// The token entity that contains a foreign key
+    /// pointer to the user table
+    associatedtype TokenType: TokenProtocol
+
+    /// Returns the user matching the supplied token.
+    static func authenticate(_: Token) throws -> Self
+}
+
+public protocol TokenProtocol {
+    static var tokenKey: String { get }
+    static func findUser<U: Entity>(for: Token) throws -> U
+}
+
+extension TokenProtocol {
+    public static var tokenKey: String {
+        return "token"
+    }
+}
+
+// MARK: Entity conformance
+
+import Fluent
+
+extension TokenAuthenticatable where Self: Entity {
+    public static func authenticate(_ token: Token) throws -> Self {
+        return try TokenType.findUser(for: token)
+    }
+}
+
+extension TokenProtocol where Self: Entity {
+    public static func findUser<U: Entity>(for token: Token) throws -> U {
+        guard let user = try U.query()
+            .join(self)
+            .filter(self, tokenKey, token.string)
+            .first()
+        else {
+            throw AuthenticationError.invalidCredentials
+        }
+
+        return user
+    }
+}
diff --git a/Sources/Authentication/Credentials/UsernamePassword.swift b/Sources/Authentication/Credentials/UsernamePassword.swift
@@ -0,0 +1,99 @@
+// MARK: Data structure
+
+public struct Password: Crendentials {
+    public let username: String
+    public let password: String
+    public let verifier: PasswordVerifier?
+
+    public init(username: String, password: String, verifier: PasswordVerifier? = nil) {
+        self.username = username
+        self.password = password
+        self.verifier = verifier
+    }
+}
+
+// MARK: Authenticatable
+
+public protocol PasswordAuthenticatable: Authenticatable {
+    // MARK:  Username / Password
+    /// Return the user matching the supplied
+    /// username and password
+    static func authenticate(_: Password) throws -> Self
+
+    /// The entity's hashed password used for
+    /// validating against Password credentials
+    /// with a PasswordVerifier
+    var hashedPassword: String? { get }
+
+    /// The key under which the user's username,
+    /// email, or other identifing value is stored.
+    static var usernameKey: String { get }
+
+    /// The key under which the user's password
+    /// is stored.
+    static var passwordKey: String { get }
+}
+
+extension PasswordAuthenticatable {
+    public static var usernameKey: String {
+        return "email"
+    }
+
+    public static var passwordKey: String {
+        return "password"
+    }
+
+    public var hashedPassword: String? {
+        return nil
+    }
+}
+
+public protocol PasswordVerifier {
+    func verify(password: String, matchesHash: String) throws -> Bool
+}
+
+// MARK: Entity conformance
+
+import Fluent
+
+extension PasswordAuthenticatable where Self: Entity {
+    public static func authenticate(_ creds: Password) throws -> Self {
+        let user: Self
+
+        if let verifier = creds.verifier {
+            guard let match = try Self
+                .query()
+                .filter(usernameKey, creds.username)
+                .first()
+                else {
+                    throw AuthenticationError.invalidCredentials
+            }
+
+            guard let hash = match.hashedPassword else {
+                throw AuthenticationError.invalidCredentials
+            }
+
+            guard try verifier.verify(
+                password: creds.password,
+                matchesHash: hash
+            ) else {
+                    throw AuthenticationError.invalidCredentials
+            }
+
+            user = match
+        } else {
+            guard let match = try Self
+                .query()
+                .filter(usernameKey, creds.username)
+                .filter(passwordKey, creds.password)
+                .first()
+                else {
+                    throw AuthenticationError.invalidCredentials
+            }
+
+            user = match
+        }
+
+        return user
+    }
+}
diff --git a/Sources/Authentication/Header/Authorization.swift b/Sources/Authentication/Header/Authorization.swift
@@ -0,0 +1,7 @@
+public struct Authorization {
+    public let header: String
+
+    public init(header: String) {
+        self.header = header
+    }
+}
diff --git a/Sources/Authentication/Header/Basic.swift b/Sources/Authentication/Header/Basic.swift
@@ -0,0 +1,22 @@
+import Core
+
+extension Authorization {
+    public var basic: Password? {
+        guard let range = header.range(of: "Basic ") else {
+            return nil
+        }
+
+        let token = header.substring(from: range.upperBound)
+
+
+        let decodedToken = token.makeBytes().base64Decoded.string
+        guard let separatorRange = decodedToken.range(of: ":") else {
+            return nil
+        }
+
+        let apiKeyID = decodedToken.substring(to: separatorRange.lowerBound)
+        let apiKeySecret = decodedToken.substring(from: separatorRange.upperBound)
+
+        return Password(username: apiKeyID, password: apiKeySecret)
+    }
+}
diff --git a/Sources/Authentication/Header/Bearer.swift b/Sources/Authentication/Header/Bearer.swift
@@ -0,0 +1,10 @@
+extension Authorization {
+    public var bearer: Token? {
+        guard let range = header.range(of: "Bearer ") else {
+            return nil
+        }
+
+        let token = header.substring(from: range.upperBound)
+        return Token(string: token)
+    }
+}
diff --git a/Sources/Authentication/User/User.swift b/Sources/Authentication/User/User.swift
@@ -0,0 +1,3 @@
+import Fluent
+
+// public protocol User: Entity {}
diff --git a/Sources/Authorization/Authorizable.swift b/Sources/Authorization/Authorizable.swift
@@ -0,0 +1,86 @@
+import Fluent
+
+public protocol Authorizable: Entity {
+
+}
+
+extension Authorizable {
+    public func isAuthorized<
+        PermissionType: Permission,
+        PivotType: PivotProtocol & Entity
+    >(
+        to permission: PermissionType,
+        withPivot: PivotType.Type = PivotType.self
+    ) throws -> Bool
+        where
+            PivotType.Left == Self,
+            PivotType.Right == PermissionType
+    {
+        guard let permission = try PermissionType.query().filter("key", permission.key).first() else {
+            throw AuthorizationError.unknownPermission
+        }
+
+        return try PivotType.related(self, permission)
+    }
+
+
+    public func assertAuthorization<
+        PermissionType: Permission,
+        PivotType: PivotProtocol & Entity
+    >(
+        to permission: PermissionType,
+        withPivot pivot: PivotType.Type = PivotType.self
+    ) throws
+        where
+            PivotType.Left == Self,
+            PivotType.Right == PermissionType
+    {
+            guard try isAuthorized(to: permission, withPivot: PivotType.self) else {
+                throw AuthorizationError.notAuthorized
+            }
+    }
+}
+
+extension Authorizable {
+    public func isAuthorized<
+        PermissionType: Permission,
+        MiddleType: Entity,
+        PivotType: PivotProtocol & Entity
+    >(
+        to permission: PermissionType,
+        _ item: MiddleType,
+        withPivot: PivotType.Type = PivotType.self
+    ) throws -> Bool
+        where
+            PivotType.Left: PivotProtocol,
+            PivotType.Left.Left == Self,
+            PivotType.Left.Right == MiddleType,
+            PivotType.Right == PermissionType
+    {
+        guard let permission = try PermissionType.query().filter("key", permission.key).first() else {
+            throw AuthorizationError.unknownPermission
+        }
+
+        return try PivotType.related(left: self, middle: item, right: permission)
+    }
+
+    public func assertAuthorization<
+        PermissionType: Permission,
+        MiddleType: Entity,
+        PivotType: PivotProtocol & Entity
+    >(
+        to permission: PermissionType,
+        _ item: MiddleType,
+        withPivot pivot: PivotType.Type = PivotType.self
+    ) throws
+        where
+            PivotType.Left: PivotProtocol,
+            PivotType.Left.Left == Self,
+            PivotType.Left.Right == MiddleType,
+            PivotType.Right == PermissionType
+    {
+        guard try isAuthorized(to: permission, item, withPivot: PivotType.self) else {
+            throw AuthorizationError.notAuthorized
+        }
+    }
+}