Implement security

Author: lyubenblagoev

README.md

@@ -13,6 +13,7 @@ Usage:
 Available Commands:
   account       Account commands
   alias         Alias commands
+  auth          Authentication commands
   domain        Domain commands
   help          Help about any command
   recipient-bcc recipient-bcc commands
@@ -24,6 +25,7 @@ Flags:
   -h, --help            help for emailctl
 
 Use "emailctl [command] --help" for more information about a command.
+
 ```
 
 ## Installation
@@ -66,6 +68,20 @@ The above values are the defaults. You can omit options that don't change the de
 
 Below are a few usage examples:
 
+### Authentication
+
+* Log in
+
+```
+emailctl auth login admin@example.com
+```
+
+* Log out
+
+```
+emailctl auth logout
+```
+
 ### Domain API
 
 * List all domains on your server:

auth.go

@@ -0,0 +1,28 @@
+package emailctl
+
+import (
+	"github.com/lyubenblagoev/goprsc"
+)
+
+// AuthResponse is a wrapper for goprsc.AuthResponse
+type AuthResponse struct {
+	*goprsc.AuthResponse
+}
+
+// AuthService handles communication with the authentication API of the Postfix REST Server.
+type AuthService service
+
+// Login authenticates the user credential and returnes the tokens provided by the Postfix REST Server.
+func (s *AuthService) Login(login, password string) (*AuthResponse, error) {
+	response, err := s.client.Auth.Login(login, password)
+	if err != nil {
+		return nil, err
+	}
+	return &AuthResponse{AuthResponse: response}, nil
+}
+
+// Logout logs out the user, if the provided login and refreshToken are valid.
+func (s *AuthService) Logout(login, refreshToken string) error {
+	err := s.client.Auth.Logout(login, refreshToken)
+	return err
+}

client.go

@@ -11,26 +11,43 @@ import (
 type Client struct {
 	client *goprsc.Client
 
+	Auth       *AuthService
 	Domains    *DomainService
 	Accounts   *AccountService
 	Aliases    *AliasService
 	InputBccs  *InputBccService
 	OutputBccs *OutputBccService
 }
 
+// GetLogin returns the user login associated with the client
+func (c *Client) GetLogin() string {
+	return c.client.Login
+}
+
+// GetAuthToken returns the authentication token associated with the client
+func (c *Client) GetAuthToken() string {
+	return c.client.AuthToken
+}
+
+// GetRefreshToken returns the refresh token associated with the client
+func (c *Client) GetRefreshToken() string {
+	return c.client.RefreshToken
+}
+
 type service struct {
 	client *goprsc.Client
 }
 
 // NewClient creates an instance of Client.
 func NewClient() (*Client, error) {
-	goprscClient, err := getGoprscClient()
+	goprscClient, err := newGoprscClient()
 	if err != nil {
 		return nil, fmt.Errorf("unable to initialize Postfix REST Server API client: %s", err)
 	}
 
 	c := &Client{client: goprscClient}
 	s := service{client: goprscClient} // Reuse the same structure instead of allocating one for each service
+	c.Auth = (*AuthService)(&s)
 	c.Domains = (*DomainService)(&s)
 	c.Accounts = (*AccountService)(&s)
 	c.Aliases = (*AliasService)(&s)
@@ -40,17 +57,25 @@ func NewClient() (*Client, error) {
 	return c, nil
 }
 
-func getGoprscClient() (*goprsc.Client, error) {
+func newGoprscClient() (*goprsc.Client, error) {
 	host := viper.GetString("host")
 	port := viper.GetString("port")
 	useHTTPS := viper.GetBool("https")
 
+	login := viper.GetString("login")
+	authToken := viper.GetString("authToken")
+	refreshToken := viper.GetString("refreshToken")
+
 	var options []goprsc.ClientOption
+	options = append(options, goprsc.UserAgentOption("emailctl"))
 	options = append(options, goprsc.HostOption(host))
 	options = append(options, goprsc.PortOption(port))
 	if useHTTPS {
 		options = append(options, goprsc.HTTPSProtocolOption())
 	}
+	if len(authToken) > 0 {
+		options = append(options, goprsc.AuthOption(login, authToken, refreshToken))
+	}
 
 	return goprsc.NewClientWithOptions(nil, options...)
 }

commands/account.go

@@ -64,7 +64,7 @@ func showAccount(client *emailctl.Client, args []string) error {
 
 func addAccount(client *emailctl.Client, args []string) error {
 	domain, username := args[0], args[1]
-	password, err := emailctl.ReadPassword()
+	password, err := emailctl.ReadAndConfirmPassword()
 	if err != nil {
 		return err
 	}
@@ -93,7 +93,7 @@ func renameAccount(client *emailctl.Client, args []string) error {
 
 func changeAccountPassword(client *emailctl.Client, args []string) error {
 	domain, username := args[0], args[1]
-	password, err := emailctl.ReadPassword()
+	password, err := emailctl.ReadAndConfirmPassword()
 	if err != nil {
 		return err
 	}

commands/auth.go

@@ -0,0 +1,64 @@
+package commands
+
+import (
+	"fmt"
+
+	"github.com/lyubenblagoev/emailctl"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// CreateAuthCommand creates an auth command with its subcommands.
+func CreateAuthCommand() *Command {
+	c := &Command{
+		Command: &cobra.Command{
+			Use:   "auth",
+			Short: "Authentication commands",
+			Long:  "Auth is used to access authentication commands",
+		},
+	}
+	BuildCommand(c, login, "login <email-address>", "Log in using the given email address", ArgsOption(1), AliasOption("l"))
+	BuildCommand(c, logout, "logout", "Log in using the given email address", AliasOption("l"))
+	return c
+}
+
+func login(client *emailctl.Client, args []string) error {
+	login := args[0]
+	password, err := emailctl.ReadPassword("Password: ")
+	if err != nil {
+		return err
+	}
+	auth, err := client.Auth.Login(login, password)
+	if err != nil {
+		return err
+	}
+	fmt.Printf("Logged in successfully.\n")
+	err = SaveAuth(login, auth.AuthToken, auth.RefreshToken)
+	return err
+}
+
+func logout(client *emailctl.Client, args []string) error {
+	login := viper.GetString("login")
+	refreshToken := viper.GetString("refreshToken")
+	CleanAuth()
+	return client.Auth.Logout(login, refreshToken)
+}
+
+// SaveAuth writes active authentication tokens to the configuration file
+func SaveAuth(login, token, refreshToken string) error {
+	if login != "" && token != "" && refreshToken != "" {
+		viper.Set("login", login)
+		viper.Set("authToken", token)
+		viper.Set("refreshToken", refreshToken)
+		return viper.WriteConfig()
+	}
+	return nil
+}
+
+// CleanAuth removes saved authentication tokens
+func CleanAuth() {
+	viper.Set("login", "")
+	viper.Set("authToken", "")
+	viper.Set("refreshToken", "")
+	viper.WriteConfig()
+}

commands/command.go

@@ -25,9 +25,8 @@ func BuildCommand(parent *Command, runner CommandRunner, usage, description stri
 		Short: description,
 		Long:  description,
 		Run: func(cmd *cobra.Command, args []string) {
-			client, err := emailctl.NewClient()
-			checkErr(err)
 			checkErr(runner(client, args))
+			SaveAuth(client.GetLogin(), client.GetAuthToken(), client.GetRefreshToken())
 		},
 	}
 

commands/emailctl.go

@@ -1,6 +1,9 @@
 package commands
 
 import (
+	"log"
+	"os"
+
 	"github.com/lyubenblagoev/emailctl"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -9,11 +12,12 @@ import (
 // EmailctlVersion is emailctl's version.
 var EmailctlVersion = emailctl.Version{
 	Major: 0,
-	Minor: 1,
+	Minor: 2,
 	Patch: 0,
 }
 
 var cfgFile string
+var client *emailctl.Client
 
 // emailctlCommand represents the base command when called without any subcommands
 var emailctlCommand = &Command{
@@ -38,24 +42,39 @@ func init() {
 func initConfig() {
 	if cfgFile != "" {
 		viper.SetConfigFile(cfgFile)
+	} else {
+		viper.SetConfigName(".emailctl")
+		viper.SetConfigType("yaml")
 	}
 
-	viper.SetConfigName(".emailctl")
-	viper.AddConfigPath("$HOME")
+	home, err := os.UserHomeDir()
+	if err != nil {
+		log.Fatal("Failed to determine user's home directory.", err)
+	}
+	viper.AddConfigPath(home)
 	viper.AutomaticEnv()
 
 	viper.SetDefault("host", "localhost")
 	viper.SetDefault("port", "8080")
 	viper.SetDefault("https", false)
 
 	checkErr(viper.ReadInConfig())
+
+	initClient()
 }
 
 func initCommands() {
+	emailctlCommand.AddCommand(CreateAuthCommand())
 	emailctlCommand.AddCommand(CreateDomainCommand())
 	emailctlCommand.AddCommand(CreateAccountCommand())
 	emailctlCommand.AddCommand(CreateAliasCommand())
 	emailctlCommand.AddCommand(CreateVersionCommand())
 	emailctlCommand.AddCommand(CreateSenderBccCommand())
 	emailctlCommand.AddCommand(CreateRecipientBccCommand())
 }
+
+func initClient() {
+	var err error
+	client, err = emailctl.NewClient()
+	checkErr(err)
+}

commands/error.go

@@ -2,11 +2,20 @@ package commands
 
 import (
 	"fmt"
+	"net/http"
 	"os"
+
+	"github.com/lyubenblagoev/goprsc"
 )
 
 func checkErr(err error) {
 	if err != nil {
+		if e, ok := err.(*goprsc.ErrorResponse); ok {
+			statusCode := e.Response.StatusCode
+			if statusCode == http.StatusUnauthorized || statusCode == http.StatusForbidden {
+				CleanAuth()
+			}
+		}
 		fmt.Println(err.Error())
 		os.Exit(-1)
 	}

go.mod

@@ -3,7 +3,7 @@ module github.com/lyubenblagoev/emailctl
 go 1.15
 
 require (
-	github.com/lyubenblagoev/goprsc v0.0.0-20200821145540-97dc088fd222
+	github.com/lyubenblagoev/goprsc v0.2.0
 	github.com/spf13/cobra v0.0.3
 	github.com/spf13/viper v1.2.1
 	golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3

go.sum

@@ -7,6 +7,8 @@ github.com/lyubenblagoev/goprsc v0.0.0-20181029073722-795bb40c88dc h1:fzzJn+uM3P
 github.com/lyubenblagoev/goprsc v0.0.0-20181029073722-795bb40c88dc/go.mod h1:tLux+5WiiwdKkaSKpzqbDzp7sWVxtIFPdUvdRb/U05U=
 github.com/lyubenblagoev/goprsc v0.0.0-20200821145540-97dc088fd222 h1:Ue7MouIj6amVqR8X2PDfKTO5d5Uq5H/uBlcGiSs1AlU=
 github.com/lyubenblagoev/goprsc v0.0.0-20200821145540-97dc088fd222/go.mod h1:w1nNEnn97AvUNOlyQ+y7wE48xxAp/yhsQrk0rmufEyc=
+github.com/lyubenblagoev/goprsc v0.2.0 h1:rrvFeGNx+OpbAj9eov0V6oDKoLLnL9a24X8tAqxGH5E=
+github.com/lyubenblagoev/goprsc v0.2.0/go.mod h1:w1nNEnn97AvUNOlyQ+y7wE48xxAp/yhsQrk0rmufEyc=
 github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mitchellh/mapstructure v1.0.0 h1:vVpGvMXJPqSDh2VYHF7gsfQj8Ncx+Xw5Y1KHeTRY+7I=

password.go

@@ -13,15 +13,16 @@ const (
 	maxPromptRetries = 3
 )
 
-// ReadPassword reads a password and confirmation from the terminal.
-func ReadPassword() (string, error) {
+// ReadAndConfirmPassword reads a password and confirmation from the terminal.
+// Retries three times if the passwords do not match.
+func ReadAndConfirmPassword() (string, error) {
 	for i := 0; i < maxPromptRetries; i++ {
-		pass, err := readPass("Password: ")
+		pass, err := ReadPassword("Password: ")
 		if err != nil {
 			return "", err
 		}
 
-		confirmPass, err := readPass("Confirm password: ")
+		confirmPass, err := ReadPassword("Confirm password: ")
 		if err != nil {
 			return "", err
 		}
@@ -39,7 +40,8 @@ func ReadPassword() (string, error) {
 	return "", errors.New("Passwords don't match")
 }
 
-func readPass(prompt string) (string, error) {
+// ReadPassword reads a password from the terminal
+func ReadPassword(prompt string) (string, error) {
 	fmt.Print(prompt)
 	b, err := terminal.ReadPassword(syscall.Stdin)
 	fmt.Print("\n")