ollama/auth/auth.go

package auth

import (
	"bytes"
	"context"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"log/slog"
	"os"
	"path/filepath"
	"strings"

	"golang.org/x/crypto/ssh"
)

const defaultPrivateKey = "id_ed25519"

func keyPath() (string, error) {
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}

	return filepath.Join(home, ".ollama", defaultPrivateKey), nil
}

func GetPublicKey() (string, error) {
	keyPath, err := keyPath()
	if err != nil {
		return "", err
	}

	privateKeyFile, err := os.ReadFile(keyPath)
	if err != nil {
		slog.Info(fmt.Sprintf("Failed to load private key: %v", err))
		return "", err
	}

	privateKey, err := ssh.ParsePrivateKey(privateKeyFile)
	if err != nil {
		return "", err
	}

	publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())

	return strings.TrimSpace(string(publicKey)), nil
}

func NewNonce(r io.Reader, length int) (string, error) {
	nonce := make([]byte, length)
	if _, err := io.ReadFull(r, nonce); err != nil {
		return "", err
	}

	return base64.RawURLEncoding.EncodeToString(nonce), nil
}

func Sign(ctx context.Context, bts []byte) (string, error) {
	keyPath, err := keyPath()
	if err != nil {
		return "", err
	}

	privateKeyFile, err := os.ReadFile(keyPath)
	if err != nil {
		slog.Info(fmt.Sprintf("Failed to load private key: %v", err))
		return "", err
	}

	privateKey, err := ssh.ParsePrivateKey(privateKeyFile)
	if err != nil {
		return "", err
	}

	// get the pubkey, but remove the type
	publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())
	parts := bytes.Split(publicKey, []byte(" "))
	if len(parts) < 2 {
		return "", errors.New("malformed public key")
	}

	signedData, err := privateKey.Sign(rand.Reader, bts)
	if err != nil {
		return "", err
	}

	// signature is <pubkey>:<signature>
	return fmt.Sprintf("%s:%s", bytes.TrimSpace(parts[1]), base64.StdEncoding.EncodeToString(signedData.Blob)), nil
}
Move hub auth out to new package 2024-02-05 20:59:52 +00:00			`package auth`
Token auth (#314) 2023-08-10 18:34:25 +00:00
			`import (`
			`"bytes"`
add maximum retries when pushing (#334) 2023-08-11 22:41:55 +00:00			`"context"`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`"crypto/rand"`
			`"encoding/base64"`
lint 2024-08-01 21:52:15 +00:00			`"errors"`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`"fmt"`
			`"io"`
Mechanical switch from log to slog A few obvious levels were adjusted, but generally everything mapped to "info" level. 2024-01-18 18:52:01 +00:00			`"log/slog"`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`"os"`
fix mkdir on windows 2023-09-19 16:36:30 +00:00			`"path/filepath"`
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-04-30 18:02:08 +00:00			`"strings"`
Token auth (#314) 2023-08-10 18:34:25 +00:00
			`"golang.org/x/crypto/ssh"`
Move hub auth out to new package 2024-02-05 20:59:52 +00:00			`)`

rerefactor 2024-02-14 19:29:49 +00:00			`const defaultPrivateKey = "id_ed25519"`
Token auth (#314) 2023-08-10 18:34:25 +00:00
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-04-30 18:02:08 +00:00			`func keyPath() (string, error) {`
			`home, err := os.UserHomeDir()`
			`if err != nil {`
			`return "", err`
			`}`

			`return filepath.Join(home, ".ollama", defaultPrivateKey), nil`
			`}`

			`func GetPublicKey() (string, error) {`
			`keyPath, err := keyPath()`
			`if err != nil {`
			`return "", err`
			`}`

			`privateKeyFile, err := os.ReadFile(keyPath)`
			`if err != nil {`
			`slog.Info(fmt.Sprintf("Failed to load private key: %v", err))`
			`return "", err`
			`}`

			`privateKey, err := ssh.ParsePrivateKey(privateKeyFile)`
			`if err != nil {`
			`return "", err`
			`}`

			`publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())`

			`return strings.TrimSpace(string(publicKey)), nil`
			`}`

rerefactor 2024-02-14 19:29:49 +00:00			`func NewNonce(r io.Reader, length int) (string, error) {`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`nonce := make([]byte, length)`
rerefactor 2024-02-14 19:29:49 +00:00			`if _, err := io.ReadFull(r, nonce); err != nil {`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`return "", err`
			`}`
use url.URL 2023-08-22 01:38:31 +00:00
rerefactor 2024-02-14 19:29:49 +00:00			`return base64.RawURLEncoding.EncodeToString(nonce), nil`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`}`

rerefactor 2024-02-14 19:29:49 +00:00			`func Sign(ctx context.Context, bts []byte) (string, error) {`
prompt to display and add local ollama keys to account (#3717) - return descriptive error messages when unauthorized to create blob or push a model - display the local public key associated with the request that was denied 2024-04-30 18:02:08 +00:00			`keyPath, err := keyPath()`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`if err != nil {`
fix: nil pointer dereference 2023-10-20 23:52:48 +00:00			`return "", err`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`}`
fix response on token error 2024-02-07 19:00:06 +00:00
rerefactor 2024-02-14 19:29:49 +00:00			`privateKeyFile, err := os.ReadFile(keyPath)`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`if err != nil {`
rerefactor 2024-02-14 19:29:49 +00:00			`slog.Info(fmt.Sprintf("Failed to load private key: %v", err))`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`return "", err`
			`}`

rerefactor 2024-02-14 19:29:49 +00:00			`privateKey, err := ssh.ParsePrivateKey(privateKeyFile)`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`if err != nil {`
			`return "", err`
			`}`

			`// get the pubkey, but remove the type`
rerefactor 2024-02-14 19:29:49 +00:00			`publicKey := ssh.MarshalAuthorizedKey(privateKey.PublicKey())`
			`parts := bytes.Split(publicKey, []byte(" "))`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`if len(parts) < 2 {`
lint 2024-08-01 21:52:15 +00:00			`return "", errors.New("malformed public key")`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`}`

rerefactor 2024-02-14 19:29:49 +00:00			`signedData, err := privateKey.Sign(rand.Reader, bts)`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`if err != nil {`
			`return "", err`
			`}`

			`// signature is <pubkey>:<signature>`
rerefactor 2024-02-14 19:29:49 +00:00			`return fmt.Sprintf("%s:%s", bytes.TrimSpace(parts[1]), base64.StdEncoding.EncodeToString(signedData.Blob)), nil`
Token auth (#314) 2023-08-10 18:34:25 +00:00			`}`