feat: add a new basic type identity

[IronCore864]

A new "basic" type of identity and "metrics" type of access are added for the upcoming metrics feature.

To expose the upcoming metrics feature over HTTP, we need a certain level of authentication to protect the endpoint. We decided to use HTTP basic authentication for this purpose. A new type of "basic" identity needs to be implemented for this to work, and the access level would be metrics. The basic identity looks like this:

identities:
  bob:
    access: metrics
    basic:
      password: hashed-password-with-salt

Where the password is generated by openssl passed -6. The hashed password will be stored in the state, and when the user accesses the metrics endpoint, they need to set the Authorization header accordingly. Pebble daemon will sha512 hash the password and compare it to the identity stored in the state.

For more details, see the spec here.

[benhoyt]

Let's please add a few more details about the feature to the PR description, and link to the spec (internal, I know).

[benhoyt]

Just for the record, I'm pasting my little bit of research into the available sha-crypt libraries I could find. I think GehirnInc/crypt is the right choice.

https://github.com/GehirnInc/crypt
- 76 stars
- project last updated 2y ago
- file last updated 7y ago
- file last updated TODO
- originally by Jeramey Crawford
- https://github.com/GehirnInc/crypt/blob/master/sha512_crypt/sha512_crypt.go

https://github.com/tredoe/osutil
- 76 stars
- project last updated 6mo ago
- file last updated 9y ago
- originally by Jeramey Crawford, somewhat similar to GehirnInc/crypt impl
- https://github.com/tredoe/osutil/blob/master/user/crypt/sha512_crypt/sha512_crypt.go

https://github.com/ncw/pwhash
- 5 stars
- project last updated 10y ago
- file last updated 10y ago
- originally by Jeramey Crawford, somewhat similar to GehirnInc/crypt impl
https://github.com/ncw/pwhash/blob/master/sha512_crypt/sha512_crypt.go

https://github.com/go-crypt/crypt
- 16 stars
- project last updated 5 days ago
- dir last updated 2y ago (but impl is in separate xcrypt repo)
- a *lot* more API surface and complexity of implementation
- actual crypt impl is in https://github.com/go-crypt/x: 1 star, 6mo ago
- https://github.com/go-crypt/crypt/blob/master/algorithm/shacrypt/hasher.go
- https://github.com/go-crypt/x/blob/master/crypt/crypt.go

[benhoyt]

Thanks for this. Some minor stuff, but a couple of things worth further discussion, particularly how IdentityFromInputs will need to change.

[IronCore864]

In the latest commit, I have fixed most comments except for the access level part and multiple identity type part. See above comment for more information.

[benhoyt]

@IronCore864 Can you please merge from master now that the interface{} to any PR is merged? #568

[flotter]

This is great. Looking forward to getting this in Pebble.

[IronCore864]

Some manual tests:

1 Two Types of Identity

identities:
    bob:
        access: metrics
        basic:
            password: $6$F9cFSVEKyO4gB1Wh$8S1BSKsNkF.jBAixGc4W7l80OpfCNk65LZBDHBng3NAmbcHuMj4RIm7992rrJ8YA.SJ0hvm.vGk2z483am4Ym1
        local:
            user-id: 1001

$ ./pebble add-identities --from ./identity.yaml
Added 1 new identity.
$ ./pebble identities
Name  Access   Types
bob   metrics  basic,local

2 No Password for Basic Type

identities:
    nancy:
        access: metrics
        basic:
            password: 

$ ./pebble add-identities --from ./identity.yaml
error: cannot decode request body: basic identity must specify password (hashed)

3 Invalid Access Level for Basic Type

identities:
    bob:
        access: admin
        basic:
            password: $6$F9cFSVEKyO4gB1Wh$8S1BSKsNkF.jBAixGc4W7l80OpfCNk65LZBDHBng3NAmbcHuMj4RIm7992rrJ8YA.SJ0hvm.vGk2z483am4Ym1

$ ./pebble add-identities --from ./identity.yaml
error: cannot decode request body: basic identity can only have "metrics" access, got "admin"