diff --git a/backend/backend.go b/backend/backend.go index fb3e23378a0c5357ca6c7c2463e63c8ce9285874..653f0a9483e8bd848194902aa8cbbe9bef94b10d 100644 --- a/backend/backend.go +++ b/backend/backend.go @@ -16,7 +16,7 @@ type User struct { Name string Email string Shard string - EncryptedPassword []byte + EncryptedPassword string TOTPSecret string WebAuthnRegistrations []webauthn.Credential AppSpecificPasswords []*AppSpecificPassword @@ -27,7 +27,7 @@ type User struct { type AppSpecificPassword struct { ID string Service string - EncryptedPassword []byte + EncryptedPassword string } // Has2FA returns true if the user supports any interactive 2FA method. diff --git a/backend/file/file.go b/backend/file/file.go index 1ad06107c422495d3b255017a99fdcbd2c1d85b3..7a30fa7e1abe8ed92605afa48e0c76a4da57a06e 100644 --- a/backend/file/file.go +++ b/backend/file/file.go @@ -55,7 +55,7 @@ func (f *fileUser) toUser(filename string) *backend.User { Name: f.Name, Email: f.Email, Shard: f.Shard, - EncryptedPassword: []byte(f.EncryptedPassword), + EncryptedPassword: f.EncryptedPassword, TOTPSecret: f.TOTPSecret, Groups: f.Groups, } @@ -64,7 +64,7 @@ func (f *fileUser) toUser(filename string) *backend.User { u.AppSpecificPasswords = append(u.AppSpecificPasswords, &backend.AppSpecificPassword{ ID: asp.ID, Service: asp.Service, - EncryptedPassword: []byte(asp.EncryptedPassword), + EncryptedPassword: asp.EncryptedPassword, }) } diff --git a/backend/ldap/ldap.go b/backend/ldap/ldap.go index fdad60ca9e743bfca04c229fabca86d67f692304..6c70b7f7b529414e4a2f35b93c2187390d4ec026 100644 --- a/backend/ldap/ldap.go +++ b/backend/ldap/ldap.go @@ -9,8 +9,8 @@ import ( ldaputil "git.autistici.org/ai3/go-common/ldap" ct "git.autistici.org/ai3/go-common/ldap/compositetypes" - "github.com/go-webauthn/webauthn/webauthn" "github.com/go-ldap/ldap/v3" + "github.com/go-webauthn/webauthn/webauthn" "gopkg.in/yaml.v3" "git.autistici.org/id/auth/backend" @@ -72,7 +72,7 @@ func decodeAppSpecificPasswordList(encodedAsps []string) []*backend.AppSpecificP out = append(out, &backend.AppSpecificPassword{ ID: p.ID, Service: p.Service, - EncryptedPassword: []byte(p.EncryptedPassword), + EncryptedPassword: p.EncryptedPassword, }) } } @@ -245,7 +245,7 @@ func (b *ldapServiceBackend) userFromResponse(username string, result *ldap.Sear Name: username, Email: getStringFromLDAPEntry(entry, b.attrs["email"]), Shard: getStringFromLDAPEntry(entry, b.attrs["shard"]), - EncryptedPassword: []byte(dropCryptPrefix(getStringFromLDAPEntry(entry, b.attrs["password"]))), + EncryptedPassword: dropCryptPrefix(getStringFromLDAPEntry(entry, b.attrs["password"])), TOTPSecret: getStringFromLDAPEntry(entry, b.attrs["totp_secret"]), AppSpecificPasswords: decodeAppSpecificPasswordList(getListFromLDAPEntry(entry, b.attrs["app_specific_password"])), WebAuthnRegistrations: decodeU2FRegistrationList(getListFromLDAPEntry(entry, b.attrs["u2f_registration"])), @@ -277,8 +277,7 @@ func mustEscape(c byte) bool { // special characters in the 'escaped' set and those out of the range // 0 < c < 0x80, as defined in RFC4515. // -// escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE -// +// escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE func escapeDN(s string) string { escape := 0 for i := 0; i < len(s); i++ { diff --git a/protocol.go b/protocol.go index 0df709d023f600cdae1fa7f19635d72e66576d3e..90d8320b4f66b7bc528ef171d74a96c023e94baa 100644 --- a/protocol.go +++ b/protocol.go @@ -16,7 +16,7 @@ import ( type Request struct { Service string Username string - Password []byte + Password string OTP string WebAuthnSession *webauthn.SessionData WebAuthnResponse *protocol.ParsedCredentialAssertionData @@ -26,7 +26,7 @@ type Request struct { func (r *Request) EncodeToMap(m map[string]string, prefix string) { m[prefix+"service"] = r.Service m[prefix+"username"] = r.Username - m[prefix+"password"] = string(r.Password) + m[prefix+"password"] = r.Password if r.OTP != "" { m[prefix+"otp"] = r.OTP @@ -47,7 +47,7 @@ func (r *Request) EncodeToMap(m map[string]string, prefix string) { func (r *Request) DecodeFromMap(m map[string]string, prefix string) { r.Service = m[prefix+"service"] r.Username = m[prefix+"username"] - r.Password = []byte(m[prefix+"password"]) + r.Password = m[prefix+"password"] r.OTP = m[prefix+"otp"] if s := m[prefix+"webauthn_session"]; s != "" { var sess webauthn.SessionData diff --git a/protocol_test.go b/protocol_test.go index 2d11004257e1e02e911efa7bd7bbe3c9e6838de8..0dd9dfe73717141e0fd517a088a01dea9f3f469e 100644 --- a/protocol_test.go +++ b/protocol_test.go @@ -16,7 +16,7 @@ func TestProtocol_SerializeRequest(t *testing.T) { req := &Request{ Service: "service", Username: "username", - Password: []byte("password"), + Password: "password", OTP: "123456", WebAuthnSession: &webauthn.SessionData{ Challenge: "challenge", diff --git a/server/authserver.go b/server/authserver.go index e97ca0c2d21a80ce4764411893de047ad8df716d..6d9279d9c5acf34f674826719d5b25b0a3574f20 100644 --- a/server/authserver.go +++ b/server/authserver.go @@ -589,8 +589,8 @@ func (s *Server) finishWebAuthnLogin(user *backend.User, sessionData *webauthn.S return hex.EncodeToString(cred.ID), nil } -func checkPassword(password, hash []byte) bool { - return pwhash.ComparePassword(string(hash), string(password)) +func checkPassword(password, hash string) bool { + return pwhash.ComparePassword(hash, password) } func (s *Server) checkOTP(user *backend.User, otp, secret string) bool { diff --git a/server/authserver_test.go b/server/authserver_test.go index 85772472964c70fe86fbc55bc5f7af38a755ecfd..7f226ea924957f5a675058de4c732eb42043ffb4 100644 --- a/server/authserver_test.go +++ b/server/authserver_test.go @@ -241,7 +241,7 @@ func runAuthenticationTest(t *testing.T, client client.Client) { resp, err := client.Authenticate(context.Background(), &auth.Request{ Service: td.service, Username: td.username, - Password: []byte(td.password), + Password: td.password, }) if err != nil { t.Errorf("transport error: %v", err) @@ -272,7 +272,7 @@ func runAuthenticationTest(t *testing.T, client client.Client) { Service: "interactive", Username: td.username, OTP: td.otp, - Password: []byte(td.password), + Password: td.password, }) if err != nil { t.Errorf("transport error: %v", err) @@ -319,13 +319,13 @@ func TestAuthServer_Blacklist(t *testing.T) { c.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: "testuser", - Password: []byte("bad_password"), + Password: "bad_password", }) } resp, _ := c.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: "testuser", - Password: []byte("password"), + Password: "password", }) if resp.Status != auth.StatusError { t.Fatalf("user was not blacklisted: %v", resp) @@ -345,7 +345,7 @@ func TestAuthServer_Blacklist_UnknownUser(t *testing.T) { c.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: fmt.Sprintf("nonexistinguser%d", i), - Password: []byte("bad_password"), + Password: "bad_password", DeviceInfo: &usermetadb.DeviceInfo{ RemoteAddr: "1.2.3.4", }, @@ -371,13 +371,13 @@ func TestAuthServer_Blacklist_BelowLimit(t *testing.T) { c.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: "testuser", - Password: []byte("bad_password"), + Password: "bad_password", }) } resp, _ := c.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: "testuser", - Password: []byte("password"), + Password: "password", }) if resp.Status != auth.StatusOK { t.Fatal("user was incorrectly blacklisted") @@ -395,7 +395,7 @@ func TestAuthServer_WithStaticGroups(t *testing.T) { resp, _ := c.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: "testuser", - Password: []byte("password"), + Password: "password", }) if resp.Status != auth.StatusOK { t.Fatal("auth failed unexpectedly") diff --git a/server/sql_test.go b/server/sql_test.go index 2eb07023d97f3d08ab4fe7abf68f9705221135c3..952adcc6b1d9360093929a576afb8145bc2333de 100644 --- a/server/sql_test.go +++ b/server/sql_test.go @@ -117,7 +117,7 @@ INSERT INTO users (email, password) VALUES ( resp, err := client.Authenticate(context.Background(), &auth.Request{ Service: "test", Username: "test@example.com", - Password: []byte("password"), + Password: "password", }) if err != nil { t.Fatalf("Authenticate: %v", err) diff --git a/server/unixserver_test.go b/server/unixserver_test.go index b64cf9712df257cd1a3027e88cf7d40a704af7a7..6cf1e04a2911c241438f09024f676bcdf943ddbf 100644 --- a/server/unixserver_test.go +++ b/server/unixserver_test.go @@ -146,7 +146,7 @@ func trySuccessfulLogin(socketPath string) error { resp, err := c.Authenticate(ctx, &auth.Request{ Service: "test", Username: "testuser", - Password: []byte("password"), + Password: "password", }) if err != nil { return err