feat: add disable password and disapble public key on namespace config

Add two configuration fields to namespace settings that allow
administrators to restrict SSH authentication methods (password, public
key) for all devices within their namespace.

When a connection is rejected due to these restrictions, the server logs
the rejection event with details, while the client receives a generic
authentication failure message.

Closes #6136

Author: henrybarreto

api/services/namespace.go

@@ -66,6 +66,8 @@ func (s *service) CreateNamespace(ctx context.Context, req *requests.NamespaceCr
 		Settings: &models.NamespaceSettings{
 			SessionRecord:          true,
 			ConnectionAnnouncement: "",
+			DisablePassword:        false,
+			DisablePublicKey:       false,
 		},
 		TenantID: req.TenantID,
 		Type:     models.NewDefaultType(),
@@ -176,6 +178,14 @@ func (s *service) EditNamespace(ctx context.Context, req *requests.NamespaceEdit
 		namespace.Settings.ConnectionAnnouncement = *req.Settings.ConnectionAnnouncement
 	}
 
+	if req.Settings.DisablePassword != nil {
+		namespace.Settings.DisablePassword = *req.Settings.DisablePassword
+	}
+
+	if req.Settings.DisablePublicKey != nil {
+		namespace.Settings.DisablePublicKey = *req.Settings.DisablePublicKey
+	}
+
 	if err := s.store.NamespaceUpdate(ctx, namespace); err != nil {
 		return nil, err
 	}

api/services/namespace_test.go

@@ -1026,7 +1026,13 @@ func TestEditNamespace(t *testing.T) {
 		requiredMocks func()
 		tenantID      string
 		namespaceName string
-		expected      Expected
+		settings      struct {
+			SessionRecord          *bool
+			ConnectionAnnouncement *string
+			DisablePassword        *bool
+			DisablePublicKey       *bool
+		}
+		expected Expected
 	}{
 		{
 			description:   "fails when namespace does not exist",
@@ -1111,10 +1117,112 @@ func TestEditNamespace(t *testing.T) {
 				nil,
 			},
 		},
+		{
+			description: "succeeds changing DisablePassword",
+			tenantID:    "xxxxx",
+			settings: struct {
+				SessionRecord          *bool
+				ConnectionAnnouncement *string
+				DisablePassword        *bool
+				DisablePublicKey       *bool
+			}{
+				DisablePassword: func(b bool) *bool { return &b }(true),
+			},
+			requiredMocks: func() {
+				namespace := &models.Namespace{
+					TenantID: "xxxxx",
+					Name:     "oldname",
+					Settings: &models.NamespaceSettings{DisablePassword: false},
+				}
+				storeMock.
+					On("NamespaceResolve", ctx, store.NamespaceTenantIDResolver, "xxxxx").
+					Return(namespace, nil).
+					Once()
+
+				expectedNamespace := *namespace
+				expectedNamespace.Settings.DisablePassword = true
+				storeMock.
+					On("NamespaceUpdate", ctx, &expectedNamespace).
+					Return(nil).
+					Once()
+
+				finalNamespace := &models.Namespace{
+					TenantID: "xxxxx",
+					Name:     "oldname",
+					Settings: &models.NamespaceSettings{DisablePassword: true},
+				}
+				storeMock.
+					On("NamespaceResolve", ctx, store.NamespaceTenantIDResolver, "xxxxx").
+					Return(finalNamespace, nil).
+					Once()
+			},
+			expected: Expected{
+				&models.Namespace{
+					TenantID: "xxxxx",
+					Name:     "oldname",
+					Settings: &models.NamespaceSettings{DisablePassword: true},
+				},
+				nil,
+			},
+		},
+		{
+			description: "succeeds changing DisablePublicKey",
+			tenantID:    "xxxxx",
+			settings: struct {
+				SessionRecord          *bool
+				ConnectionAnnouncement *string
+				DisablePassword        *bool
+				DisablePublicKey       *bool
+			}{
+				DisablePublicKey: func(b bool) *bool { return &b }(true),
+			},
+			requiredMocks: func() {
+				namespace := &models.Namespace{
+					TenantID: "xxxxx",
+					Name:     "oldname",
+					Settings: &models.NamespaceSettings{DisablePublicKey: false},
+				}
+				storeMock.
+					On("NamespaceResolve", ctx, store.NamespaceTenantIDResolver, "xxxxx").
+					Return(namespace, nil).
+					Once()
+
+				expectedNamespace := *namespace
+				expectedNamespace.Settings.DisablePublicKey = true
+				storeMock.
+					On("NamespaceUpdate", ctx, &expectedNamespace).
+					Return(nil).
+					Once()
+
+				finalNamespace := &models.Namespace{
+					TenantID: "xxxxx",
+					Name:     "oldname",
+					Settings: &models.NamespaceSettings{DisablePublicKey: true},
+				}
+				storeMock.
+					On("NamespaceResolve", ctx, store.NamespaceTenantIDResolver, "xxxxx").
+					Return(finalNamespace, nil).
+					Once()
+			},
+			expected: Expected{
+				&models.Namespace{
+					TenantID: "xxxxx",
+					Name:     "oldname",
+					Settings: &models.NamespaceSettings{DisablePublicKey: true},
+				},
+				nil,
+			},
+		},
 		{
 			description:   "succeeds",
 			namespaceName: "newname",
 			tenantID:      "xxxxx",
+			settings: struct {
+				SessionRecord          *bool
+				ConnectionAnnouncement *string
+				DisablePassword        *bool
+				DisablePublicKey       *bool
+			}{},
 			requiredMocks: func() {
 				namespace := &models.Namespace{
 					TenantID: "xxxxx",
@@ -1163,6 +1271,11 @@ func TestEditNamespace(t *testing.T) {
 				TenantParam: requests.TenantParam{Tenant: tc.tenantID},
 				Name:        tc.namespaceName,
 			}
+			req.Settings.SessionRecord = tc.settings.SessionRecord
+			req.Settings.ConnectionAnnouncement = tc.settings.ConnectionAnnouncement
+			req.Settings.DisablePassword = tc.settings.DisablePassword
+			req.Settings.DisablePublicKey = tc.settings.DisablePublicKey
+
 			namespace, err := service.EditNamespace(ctx, req)
 
 			assert.Equal(t, tc.expected, Expected{namespace, err})

api/store/mongo/migrations/main.go

@@ -130,6 +130,7 @@ func GenerateMigrations() []migrate.Migration {
 		migration118,
 		migration119,
 		migration120,
+		migration121,
 	}
 }
 

api/store/mongo/migrations/migration_121.go

@@ -0,0 +1,47 @@
+package migrations
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+	migrate "github.com/xakep666/mongo-migrate"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+)
+
+var migration121 = migrate.Migration{
+	Version:     121,
+	Description: "Add disable_password and disable_public_key to namespace settings",
+	Up: migrate.MigrationFunc(func(ctx context.Context, db *mongo.Database) error {
+		log.WithFields(log.Fields{"component": "migration", "version": 121, "action": "Up"}).Info("Applying migration")
+
+		if _, err := db.Collection("namespaces").UpdateMany(ctx, bson.M{}, bson.M{
+			"$set": bson.M{
+				"settings.disable_password":   false,
+				"settings.disable_public_key": false,
+			},
+		}); err != nil {
+			log.WithError(err).Error("Failed to add disable_password and disable_public_key to namespace settings")
+
+			return err
+		}
+
+		return nil
+	}),
+	Down: migrate.MigrationFunc(func(ctx context.Context, db *mongo.Database) error {
+		log.WithFields(log.Fields{"component": "migration", "version": 121, "action": "Down"}).Info("Reverting migration")
+
+		if _, err := db.Collection("namespaces").UpdateMany(ctx, bson.M{}, bson.M{
+			"$unset": bson.M{
+				"settings.disable_password":   "",
+				"settings.disable_public_key": "",
+			},
+		}); err != nil {
+			log.WithError(err).Error("Failed to remove disable_password and disable_public_key from namespace settings")
+
+			return err
+		}
+
+		return nil
+	}),
+}

api/store/pg/entity/namespace.go

@@ -28,6 +28,8 @@ type NamespaceSettings struct {
 	MaxDevices             int    `bun:"max_devices"`
 	SessionRecord          bool   `bun:"record_sessions"`
 	ConnectionAnnouncement string `bun:"connection_announcement,type:text"`
+	DisablePassword        bool   `bun:"disable_password"`
+	DisablePublicKey       bool   `bun:"disable_public_key"`
 }
 
 func NamespaceFromModel(model *models.Namespace) *Namespace {
@@ -55,6 +57,8 @@ func NamespaceFromModel(model *models.Namespace) *Namespace {
 	if model.Settings != nil {
 		namespace.Settings.SessionRecord = model.Settings.SessionRecord
 		namespace.Settings.ConnectionAnnouncement = model.Settings.ConnectionAnnouncement
+		namespace.Settings.DisablePassword = model.Settings.DisablePassword
+		namespace.Settings.DisablePublicKey = model.Settings.DisablePublicKey
 	}
 
 	namespace.Memberships = make([]Membership, len(model.Members))
@@ -85,6 +89,8 @@ func NamespaceToModel(entity *Namespace) *models.Namespace {
 		Settings: &models.NamespaceSettings{
 			SessionRecord:          entity.Settings.SessionRecord,
 			ConnectionAnnouncement: entity.Settings.ConnectionAnnouncement,
+			DisablePassword:        entity.Settings.DisablePassword,
+			DisablePublicKey:       entity.Settings.DisablePublicKey,
 		},
 	}
 

api/store/pg/migrations/002_add_disable_password_and_disable_public_key_to_namespaces.tx.down.sql

@@ -0,0 +1,2 @@
+ALTER TABLE namespaces DROP COLUMN disable_password;
+ALTER TABLE namespaces DROP COLUMN disable_public_key;

api/store/pg/migrations/002_add_disable_password_and_disable_public_key_to_namespaces.tx.up.sql

@@ -0,0 +1,2 @@
+ALTER TABLE namespaces ADD COLUMN disable_password BOOLEAN DEFAULT FALSE NOT NULL;
+ALTER TABLE namespaces ADD COLUMN disable_public_key BOOLEAN DEFAULT FALSE NOT NULL;

openapi/spec/components/schemas/namespaceSettings.yaml

@@ -12,6 +12,16 @@ properties:
     maxLength: 4096
     format: alphanumunicode
     example: my awesome connection announcement
-required:
+  disable_password:
+    description: The disable password define when the namespace should block or not password authentication.
+    type: boolean
+    example: false
+  disable_public_key:
+    description: The disable public key define when the namespace should block or not public key authentication.
+    type: boolean
+    example: false
+required: 
   - session_record
   - connection_announcement
+  - disable_password
+  - disable_public_key

pkg/api/requests/namespace.go

@@ -52,6 +52,8 @@ type NamespaceEdit struct {
 	Settings struct {
 		SessionRecord          *bool   `json:"session_record" validate:"omitempty"`
 		ConnectionAnnouncement *string `json:"connection_announcement" validate:"omitempty,min=0,max=4096"`
+		DisablePassword        *bool   `json:"disable_password" validate:"omitempty"`
+		DisablePublicKey       *bool   `json:"disable_public_key" validate:"omitempty"`
 	} `json:"settings"`
 }
 

pkg/models/namespace.go

@@ -51,6 +51,8 @@ func (n *Namespace) FindMember(id string) (*Member, bool) {
 type NamespaceSettings struct {
 	SessionRecord          bool   `json:"session_record" bson:"session_record,omitempty"`
 	ConnectionAnnouncement string `json:"connection_announcement" bson:"connection_announcement"`
+	DisablePassword        bool   `json:"disable_password" bson:"disable_password,omitempty"`
+	DisablePublicKey       bool   `json:"disable_public_key" bson:"disable_public_key,omitempty"`
 }
 
 // default Announcement Message for the shellhub namespace