Update internal dependencies

go.mod

@@ -4,8 +4,9 @@ go 1.14
 
 require (
 	git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723
-	git.autistici.org/id/auth v0.0.0-20210110171913-dd493db32815
-	git.autistici.org/id/keystore v0.0.0-20210110165905-d5b171e81071
+	git.autistici.org/id/auth v0.0.0-20210118071252-578ebb56870c
+	git.autistici.org/id/keystore v0.0.0-20210118071531-7280c2960343
+	git.autistici.org/id/usermetadb v0.0.0-20210118071138-3ba45fae8f1c
 	github.com/crewjam/saml v0.4.5
 	github.com/elazarl/go-bindata-assetfs v1.0.1
 	github.com/gorilla/csrf v1.7.0

server/device/manager.go

@@ -9,7 +9,7 @@ import (
 	"net/http"
 	"strings"
 
-	"git.autistici.org/id/auth"
+	"git.autistici.org/id/usermetadb"
 	"github.com/gorilla/securecookie"
 	"github.com/mssola/user_agent"
 )
@@ -78,7 +78,7 @@ func New(config *Config, urlPrefix string) (*Manager, error) {
 // object for the given request. It will always return a valid object.
 // The ResponseWriter is needed to store the unique ID on the client
 // when a new device info object is created.
-func (m *Manager) GetDeviceInfoFromRequest(w http.ResponseWriter, req *http.Request) *auth.DeviceInfo {
+func (m *Manager) GetDeviceInfoFromRequest(w http.ResponseWriter, req *http.Request) *usermetadb.DeviceInfo {
 	devID, ok := m.getDeviceCookie(req)
 	if !ok || len(devID) == 0 {
 		// Generate a new Device ID and save it on the client.
@@ -93,7 +93,7 @@ func (m *Manager) GetDeviceInfoFromRequest(w http.ResponseWriter, req *http.Requ
 	uaStr := req.UserAgent()
 	ua := user_agent.New(uaStr)
 	browser, _ := ua.Browser()
-	d := auth.DeviceInfo{
+	d := usermetadb.DeviceInfo{
 		ID:        devID.String(),
 		UserAgent: uaStr,
 		Mobile:    ua.Mobile(),

vendor/git.autistici.org/id/auth/.gitlab-ci.yml

-include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-nextstable.yml"
+include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-buster-backports.yml"

vendor/git.autistici.org/id/auth/client/client.go

@@ -5,7 +5,7 @@ import (
 	"net"
 	"strings"
 
-	"github.com/cenkalti/backoff"
+	"github.com/cenkalti/backoff/v4"
 	"go.opencensus.io/trace"
 
 	"git.autistici.org/id/auth"

vendor/git.autistici.org/id/auth/go.mod

 module git.autistici.org/id/auth
 
-go 1.15
+go 1.14
 
 require (
-	git.autistici.org/ai3/go-common v0.0.0-20210109170950-49f8d26bcc81
-	git.autistici.org/id/usermetadb v0.0.0-20190209105239-61e5a7b24130
-	github.com/boombuler/barcode v0.0.0-20170618053812-56ef0af91246 // indirect
-	github.com/bradfitz/gomemcache v0.0.0-20180710155616-bc664df96737
-	github.com/cenkalti/backoff v2.2.1+incompatible
+	git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723
+	git.autistici.org/id/usermetadb v0.0.0-20210118071138-3ba45fae8f1c
+	github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b
+	github.com/cenkalti/backoff/v4 v4.1.0
 	github.com/coreos/go-systemd/v22 v22.1.0
 	github.com/go-ldap/ldap/v3 v3.2.4
-	github.com/go-sql-driver/mysql v1.4.0
+	github.com/go-sql-driver/mysql v1.5.0
 	github.com/google/go-cmp v0.5.4
-	github.com/lib/pq v0.0.0-20190326042056-d6156e141ac6
-	github.com/mattn/go-sqlite3 v0.0.0-20180926090220-0a88db3545c4
+	github.com/lib/pq v1.9.0
+	github.com/mattn/go-sqlite3 v1.14.6
 	github.com/patrickmn/go-cache v0.0.0-20180815053127-5633e0862627
-	github.com/pquerna/otp v1.0.0
+	github.com/pquerna/otp v1.3.0
 	github.com/prometheus/client_golang v1.9.0
 	github.com/theckman/go-flock v0.8.0
 	github.com/tstranex/u2f v1.0.0
 	go.opencensus.io v0.22.5
 	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
-	google.golang.org/appengine v1.4.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	gopkg.in/yaml.v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
 )

vendor/git.autistici.org/id/auth/protocol.go

@@ -3,48 +3,10 @@ package auth
 import (
 	"fmt"
 
+	"git.autistici.org/id/usermetadb"
 	"github.com/tstranex/u2f"
 )
 
-// DeviceInfo holds information about the client device. We use a
-// simple persistent cookie to track the same client device across
-// multiple session.
-type DeviceInfo struct {
-	ID         string `json:"id"`
-	RemoteAddr string `json:"remote_addr"`
-	RemoteZone string `json:"remote_zone"`
-	UserAgent  string `json:"user_agent"`
-	Browser    string `json:"browser"`
-	OS         string `json:"os"`
-	Mobile     bool   `json:"mobile"`
-}
-
-func (d *DeviceInfo) encodeToMap(m map[string]string, prefix string) {
-	m[prefix+"id"] = d.ID
-	m[prefix+"remote_addr"] = d.RemoteAddr
-	m[prefix+"remote_zone"] = d.RemoteZone
-	m[prefix+"browser"] = d.Browser
-	m[prefix+"os"] = d.OS
-	m[prefix+"user_agent"] = d.UserAgent
-	if d.Mobile {
-		m[prefix+"mobile"] = "true"
-	} else {
-		m[prefix+"mobile"] = "false"
-	}
-}
-
-func decodeDeviceInfoFromMap(m map[string]string, prefix string) *DeviceInfo {
-	return &DeviceInfo{
-		ID:         m[prefix+"id"],
-		RemoteAddr: m[prefix+"remote_addr"],
-		RemoteZone: m[prefix+"remote_zone"],
-		Browser:    m[prefix+"browser"],
-		OS:         m[prefix+"os"],
-		UserAgent:  m[prefix+"user_agent"],
-		Mobile:     m[prefix+"mobile"] == "true",
-	}
-}
-
 // Request to authenticate a user. It supports multiple methods for
 // authentication including challenge-response 2FA.
 type Request struct {
@@ -54,7 +16,7 @@ type Request struct {
 	OTP         string
 	U2FAppID    string
 	U2FResponse *u2f.SignResponse
-	DeviceInfo  *DeviceInfo
+	DeviceInfo  *usermetadb.DeviceInfo
 }
 
 func (r *Request) EncodeToMap(m map[string]string, prefix string) {
@@ -72,7 +34,7 @@ func (r *Request) EncodeToMap(m map[string]string, prefix string) {
 		encodeU2FResponseToMap(r.U2FResponse, m, prefix+"u2f_response.")
 	}
 	if r.DeviceInfo != nil {
-		r.DeviceInfo.encodeToMap(m, prefix+"device.")
+		r.DeviceInfo.EncodeToMap(m, prefix+"device.")
 	}
 }
 
@@ -83,7 +45,7 @@ func (r *Request) DecodeFromMap(m map[string]string, prefix string) {
 	r.OTP = m[prefix+"otp"]
 	r.U2FAppID = m[prefix+"u2f_app_id"]
 	r.U2FResponse = decodeU2FResponseFromMap(m, prefix+"u2f_response.")
-	r.DeviceInfo = decodeDeviceInfoFromMap(m, prefix+"device.")
+	r.DeviceInfo = usermetadb.DecodeDeviceInfoFromMap(m, prefix+"device.")
 }
 
 // UserInfo contains optional user information that may be useful to

vendor/git.autistici.org/id/auth/renovate.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

vendor/git.autistici.org/id/keystore/go.mod

@@ -3,18 +3,14 @@ module git.autistici.org/id/keystore
 go 1.15
 
 require (
-	git.autistici.org/ai3/go-common v0.0.0-20210109170950-49f8d26bcc81
+	git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723
 	git.autistici.org/id/go-sso v0.0.0-20181118174541-ad4e62357912
-	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
+	github.com/coreos/go-systemd/v22 v22.1.0
 	github.com/go-ldap/ldap/v3 v3.2.4
-	github.com/go-sql-driver/mysql v1.4.0
-	github.com/lib/pq v0.0.0-20190326042056-d6156e141ac6
-	github.com/mattn/go-sqlite3 v0.0.0-20180926090220-0a88db3545c4
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/pierrec/lz4 v2.0.5+incompatible // indirect
+	github.com/go-sql-driver/mysql v1.5.0
+	github.com/lib/pq v1.9.0
+	github.com/mattn/go-sqlite3 v1.14.6
 	github.com/prometheus/client_golang v1.9.0
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
-	golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	gopkg.in/yaml.v2 v2.3.0
+	gopkg.in/yaml.v2 v2.4.0
 )

vendor/git.autistici.org/id/keystore/go.sum

@@ -2,8 +2,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 contrib.go.opencensus.io/exporter/zipkin v0.1.2 h1:YqE293IZrKtqPnpwDPH/lOqTWD/s3Iwabycam74JV3g=
 contrib.go.opencensus.io/exporter/zipkin v0.1.2/go.mod h1:mP5xM3rrgOjpn79MM8fZbj3gsxcuytSqtH0dxSWW1RE=
-git.autistici.org/ai3/go-common v0.0.0-20210109170950-49f8d26bcc81 h1:p+NSXGJI+dyXsKHPsyrDeXIDXS0iBqsevv+F1N+eVJA=
-git.autistici.org/ai3/go-common v0.0.0-20210109170950-49f8d26bcc81/go.mod h1:nuLJyKZZaC3DBPN4gA1qdGXcm0U5WCcus1z3pI8RdTE=
+git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723 h1:ylA6azCumIJnT7xb5hHrz0At6r1u3zqnugl1gB92KO0=
+git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723/go.mod h1:T8BS+630KLzy30X2lshL98H0NW3Xuyzs8NI9D6C3New=
 git.autistici.org/id/go-sso v0.0.0-20181118174541-ad4e62357912 h1:1amb0pZr7c44TXSpFyb8q4J1+Ie+l7K1hYuXVD4zFrY=
 git.autistici.org/id/go-sso v0.0.0-20181118174541-ad4e62357912/go.mod h1:B9omXX7rw0qgWdBoF4RZnM7clwEVejoAe8oNJWETBZ0=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
@@ -38,6 +38,8 @@ github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kB
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
+github.com/cenkalti/backoff/v4 v4.1.0 h1:c8LkOFQTzuO0WBM/ae5HdGQuZPfPxp7lqBRwQRm4fSc=
+github.com/cenkalti/backoff/v4 v4.1.0/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -47,9 +49,10 @@ github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGX
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/codahale/hdrhistogram v0.0.0-20161010025455-3a0bb77429bd/go.mod h1:sE/e/2PUdi/liOCUjSTXgM1o87ZssimdTWN964YiIeI=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
-github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/go-systemd/v22 v22.1.0 h1:kq/SbG2BCKLkDKkjQf5OWwKWUKj1lgs3lFI4PxnR5lg=
+github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
@@ -76,6 +79,8 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-asn1-ber/asn1-ber v1.5.1 h1:pDbRAunXzIUXfx4CB2QJFv5IuPiuoW+sWvr/Us009o8=
 github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.5.3 h1:u7utq56RUFiynqUzgVMFDymapcOtQ/MZkh3H4QYkxag=
+github.com/go-asn1-ber/asn1-ber v1.5.3/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
@@ -86,7 +91,10 @@ github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-sql-driver/mysql v1.4.0 h1:7LxgVwFb2hIQtMm87NdgAVfXjnt4OePseqT1tKx+opk=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
+github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.0 h1:MSdYClljsF3PbENUUEx85nkWfJSGfzYI9yEBZOJz6CY=
 github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/googleapis v1.1.0/go.mod h1:gf4bu3Q80BeJ6H1S1vYPm8/ELATdvryBaNFGgqEef3s=
@@ -180,8 +188,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/lib/pq v0.0.0-20190326042056-d6156e141ac6 h1:faSzJmSgOhbgs/gWoEPhVr+mHTZWGFwiBgCW6/P49VM=
-github.com/lib/pq v0.0.0-20190326042056-d6156e141ac6/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.9.0 h1:L8nSXQQzAYByakOFMTwpjRoHsMJklur4Gi59b6VivR8=
+github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lightstep/lightstep-tracer-common/golang/gogo v0.0.0-20190605223551-bc2310a04743/go.mod h1:qklhhLq1aX+mtWk9cPHPzaBjWImj5ULL6C7HFJtXQMM=
 github.com/lightstep/lightstep-tracer-go v0.18.1/go.mod h1:jlF1pusYV4pidLvZ+XD0UBX0ZE6WURAspgAczcDHrL4=
 github.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=
@@ -191,8 +199,8 @@ github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaO
 github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-sqlite3 v0.0.0-20180926090220-0a88db3545c4 h1:yqLtdnsIwi5hBOhHZyF0JDPMLKiPT3R3rBIND41j7mk=
-github.com/mattn/go-sqlite3 v0.0.0-20180926090220-0a88db3545c4/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/mattn/go-sqlite3 v1.14.6 h1:dNPt6NO46WmLVt2DLNpwczCmdV5boIZ6g/tlDrlRUbg=
+github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@@ -450,8 +458,6 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
-gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
@@ -470,6 +476,8 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

vendor/git.autistici.org/id/keystore/renovate.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ]
+}

vendor/git.autistici.org/id/usermetadb/.gitignore

+*.swp

vendor/git.autistici.org/id/usermetadb/.gitlab-ci.yml

+include: "https://git.autistici.org/ai3/build-deb/raw/master/ci-nextstable.yml"

vendor/git.autistici.org/id/usermetadb/README.md

+usermetadb
+==========
+
+The *User Metadata Database* (`usermetadb`) stores long-term information
+about user access patterns in order to detect anomalous behavior and
+implement other safety checks. It strives to do so while respecting
+the anonymity of the users, focusing on information that is actually
+useful to them.
+
+In practical terms, it stores the following information on every
+successful login:
+* *timestamps*, quantized/fuzzed to a sufficiently large amount (1h?)
+  to make correlation difficult
+* *location*, stored at the country level based on user IP
+* *device information* based on long-term cookies
+
+The idea is that this is enough information to provide users with
+meaningful summaries such as "you have just logged in from a
+new/unknown device" and "you logged in earlier today with Chrome on a
+mobile Android device", without storing de-anonymizing information on
+the server side.
+
+The cookie-based device detection might present an issue from this
+point of view, because it allows to establish a forensic link between
+a specific device and an account if one is in possession of the
+server-side log database (only partially mitigated by the fact that
+the cookie is encrypted).
+
+`usermetadb` also stores last-login information for internal infrastructure
+maintenance. The idea is to retain the minimal amount of information to perform
+tasks such as "disable accounts that have not been active for more than N
+years".
+
+# API
+
+The server exports an API over HTTP/HTTPS, all requests should be made
+using the POST method and an *application/json* Content-Type. The
+request body should contain a JSON-encoded request object. Responses
+will similarly be JSON-encoded.
+
+The API is split into two conceptually separate sets, the *log* API
+and the *analysis* API.
+
+## Log API
+
+`/api/add_log` (*AddLogRequest*)
+
+Stores a new log entry for a user in the database. The request must be
+a `LogEntry` object. The method returns an empty response.  If the log
+entry contains device information, the list of devices for the
+specified user is updated with that information.
+
+`/api/get_user_logs` (*GetUserLogsRequest*) -> *GetUserLogsResponse*
+
+Returns recent logs for a specific user.
+
+`/api/get_user_devices` (*GetUserDevicesRequest*) -> *GetUserDevicesResponse*
+
+Returns the list of known devices for a user.
+
+## Analysis API
+
+`/api/check_device` (*CheckDeviceRequest*) -> *CheckDeviceResponse*
+
+Returns information about a device, whether we have seen it before, if
+the localization information matches the historical trend, etc.
+
+## Last-login API
+
+`/api/set_last_login` (*SetLastLoginRequest*)
+
+Stores the last login of a user in the database. The request must be a
+`LastLoginEntry` object. The method returns an empty response. The service name
+must be specified in the last login entry.
+
+`/api/get_last_login` (*GetLastLoginRequest*) -> *GetLastLoginResponse*
+
+Returns the last login of a given user. If the service name is specified it
+returns the last login for that specific service, otherwise return last login
+for all services.
+
+`/api/get_unused_accounts` (*GetUnusedAccountsRequest*) -> *GetUnusedAccountsResponse*
+
+Returns accounts that have not been used in a specified amount of time.
+
+# Configuration
+
+The configuration is contained in a YAML-encoded file, normally
+`/etc/user-meta-server.yml` (this can be changed using the
+*--config* command-line flag).
+
+The known attributes are:
+
+* `db_uri` is the database URI. As currently only the *sqlite3* driver
+  is supported, this is just the path to the database file.
+* `http_server` specifies standard parameters for the HTTP server:
+  * `tls` contains the server-side TLS configuration:
+    * `cert` is the path to the server certificate
+    * `key` is the path to the server's private key
+    * `ca` is the path to the CA used to validate clients
+    * `acl` specifies TLS-based access controls, a list of entries
+      with the following attributes:
+      * `path` is a regular expression to match the request URL path
+      * `cn` is a regular expression that must match the CommonName
+        part of the subject of the client certificate

vendor/git.autistici.org/id/usermetadb/go.mod

+module git.autistici.org/id/usermetadb
+
+go 1.14
+
+require (
+	git.autistici.org/ai3/go-common v0.0.0-20210118064555-73f00db54723
+	github.com/golang-migrate/migrate/v4 v4.14.1
+	github.com/google/go-cmp v0.5.4
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/mattn/go-sqlite3 v1.14.6
+	gopkg.in/yaml.v2 v2.4.0
+)

vendor/git.autistici.org/id/usermetadb/protocol.go

+package usermetadb
+
+//go:generate go-bindata --nocompress --pkg migrations --ignore \.go$ -o migrations/bindata.go -prefix migrations/ ./migrations
+
+import (
+	"errors"
+	"time"
+)
+
+type CheckDeviceRequest struct {
+	Username   string      `json:"username"`
+	DeviceInfo *DeviceInfo `json:"device_info"`
+}
+
+type CheckDeviceResponse struct {
+	Seen bool `json:"seen"`
+}
+
+const (
+	LogTypeLogin          = "login"
+	LogTypeLogout         = "logout"
+	LogTypePasswordReset  = "password_reset"
+	LogTypePasswordChange = "password_change"
+	LogTypeOTPEnabled     = "otp_enabled"
+	LogTypeOTPDisabled    = "otp_disabled"
+)
+
+const (
+	LoginMethodPassword = "password"
+	LoginMethodOTP      = "otp"
+	LoginMethodU2F      = "u2f"
+)
+
+// DeviceInfo holds information about the client device. We use a
+// simple persistent cookie to track the same client device across
+// multiple session.
+type DeviceInfo struct {
+	ID         string `json:"id"`
+	RemoteAddr string `json:"remote_addr"`
+	RemoteZone string `json:"remote_zone"`
+	UserAgent  string `json:"user_agent"`
+	Browser    string `json:"browser"`
+	OS         string `json:"os"`
+	Mobile     bool   `json:"mobile"`
+}
+
+func (d *DeviceInfo) EncodeToMap(m map[string]string, prefix string) {
+	m[prefix+"id"] = d.ID
+	m[prefix+"remote_addr"] = d.RemoteAddr
+	m[prefix+"remote_zone"] = d.RemoteZone
+	m[prefix+"browser"] = d.Browser
+	m[prefix+"os"] = d.OS
+	m[prefix+"user_agent"] = d.UserAgent
+	if d.Mobile {
+		m[prefix+"mobile"] = "true"
+	} else {
+		m[prefix+"mobile"] = "false"
+	}
+}
+
+func DecodeDeviceInfoFromMap(m map[string]string, prefix string) *DeviceInfo {
+	return &DeviceInfo{
+		ID:         m[prefix+"id"],
+		RemoteAddr: m[prefix+"remote_addr"],
+		RemoteZone: m[prefix+"remote_zone"],
+		Browser:    m[prefix+"browser"],
+		OS:         m[prefix+"os"],
+		UserAgent:  m[prefix+"user_agent"],
+		Mobile:     m[prefix+"mobile"] == "true",
+	}
+}
+
+// LogEntry represents an authentication event in the user-specific log.
+type LogEntry struct {
+	Timestamp   time.Time   `json:"timestamp"`
+	Username    string      `json:"username"`
+	Type        string      `json:"log_type"`
+	Message     string      `json:"message,omitempty"`
+	Service     string      `json:"service,omitempty"`
+	LoginMethod string      `json:"login_method,omitempty"`
+	DeviceInfo  *DeviceInfo `json:"device_info,omitempty"`
+}
+
+func (e *LogEntry) Validate() error {
+	if e.Username == "" {
+		return errors.New("invalid log entry: missing username")
+	}
+	switch e.Type {
+	case LogTypeLogin, LogTypeLogout, LogTypePasswordReset, LogTypePasswordChange, LogTypeOTPEnabled, LogTypeOTPDisabled:
+	default:
+		return errors.New("invalid log entry: unknown log type")
+	}
+
+	if e.DeviceInfo != nil {
+		if e.DeviceInfo.ID == "" {
+			return errors.New("invalid device info in log entry")
+		}
+	}
+
+	return nil
+}
+
+type AddLogRequest struct {
+	Log *LogEntry `json:"log"`
+}
+
+type AddLogResponse struct{}
+
+type GetUserDevicesRequest struct {
+	Username string `json:"username"`
+}
+
+type MetaDeviceInfo struct {
+	DeviceInfo *DeviceInfo `json:"device_info"`
+	FirstSeen  time.Time   `json:"first_seen"`
+	LastSeen   time.Time   `json:"last_seen"`
+	NumLogins  int         `json:"num_logins"`
+}
+
+type GetUserDevicesResponse struct {
+	Devices []*MetaDeviceInfo `json:"devices"`
+}
+
+type GetUserLogsRequest struct {
+	Username string `json:"username"`
+	MaxDays  int    `json:"max_days"`
+	Limit    int    `json:"limit"`
+}
+
+type GetUserLogsResponse struct {
+	Results []*LogEntry `json:"result"`
+}
+
+type LastLoginEntry struct {
+	Timestamp time.Time `json:"timestamp"`
+	Username  string    `json:"username"`
+	Service   string    `json:"service"`
+}
+
+func (e *LastLoginEntry) Validate() error {
+	if e.Username == "" {
+		return errors.New("invalid last login entry: missing username")
+	}
+	if e.Service == "" {
+		return errors.New("invalid last login entry: missing service")
+	}
+
+	return nil
+}
+
+type SetLastLoginRequest struct {
+	LastLogin *LastLoginEntry `json:"last_login"`
+}
+
+type SetLastLoginResponse struct{}
+
+type GetLastLoginRequest struct {
+	Username string `json:"username"`
+	Service  string `json:"service,omitempty"`
+}
+
+type GetLastLoginResponse struct {
+	Results []*LastLoginEntry `json:"result"`
+}
+
+type GetUnusedAccountsRequest struct {
+	Usernames []string `json:"usernames"`
+	Days      int      `json:"days"`
+}
+
+type GetUnusedAccountsResponse struct {
+	UnusedUsernames []string `json:"unused_usernames"`
+}

vendor/git.autistici.org/id/usermetadb/renovate.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",