Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'.
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
date | Tue, 21 Aug 2018 18:29:34 +0200 |
parents | c1047fd04a3a |
children | b2dc9c2f69e0 |
// Package auth holds the server-side session of a logged-in user: the
// name and password the user logged in with, the roles found for that
// user and the expiry of the session token. GenerateSession decides
// whether a user may log in at all, and serialize/deserialize give the
// binary form used when sessions are stored.
package auth

import (
	"encoding/base64"
	"errors"
	"io"
	"time"

	"gemma.intevation.de/gemma/pkg/common"
	"gemma.intevation.de/gemma/pkg/misc"
)
// Roles is the list of role names granted to a user.
type Roles []string

// Session is the state kept for one logged-in user. It is built by
// NewSession, registered under a random token by GenerateSession and
// written/read in binary form by serialize and deserialize.
//
// NOTE(review): every field carries a json tag, so a Session that is
// JSON-encoded as a whole also emits the password — confirm that no
// handler returns the full struct to a client.
type Session struct {
	// ExpiresAt is the expiry of the session in Unix seconds.
	ExpiresAt int64 `json:"expires"`
	// User is the name the user logged in with.
	User string `json:"user"`
	// Password is the user's clear-text password. It stays in memory for
	// the lifetime of the session and is written out by serialize, so the
	// session store needs the same protection as the password itself.
	Password string `json:"password"`
	// Roles are the roles granted to User.
	Roles Roles `json:"roles"`
}

// Has reports whether role is one of the roles in r.
func (r Roles) Has(role string) bool {
	for i := range r {
		if r[i] == role {
			return true
		}
	}
	return false
}

// HasAny reports whether at least one of the given roles is in r.
// Called without arguments it always returns false.
func (r Roles) HasAny(roles ...string) bool {
	for _, wanted := range roles {
		for _, have := range r {
			if have == wanted {
				return true
			}
		}
	}
	return false
}
const (
	// sessionKeyLength is the length handed to common.GenerateRandomKey
	// when a session token is made; presumably the number of random bytes
	// before base64 encoding — confirm against pkg/common.
	sessionKeyLength = 20
	// maxTokenValid is how long a new session stays valid, counted from
	// its creation in NewSession.
	maxTokenValid = time.Hour * 3
)
// NewSession builds the session state for user, keeping the given
// password and roles. The session expires maxTokenValid after the call;
// the expiry is stored as Unix seconds. roles is stored as passed, not
// copied, so the caller must not reuse the slice afterwards.
func NewSession(user, password string, roles Roles) *Session {
	expires := time.Now().Add(maxTokenValid).Unix()
	s := &Session{
		ExpiresAt: expires,
		User:      user,
		Password:  password,
		Roles:     roles,
	}
	return s
}
// serialize writes s to w in the binary layout that deserialize reads
// back: the expiry, the user name, the password, the number of roles as
// a uint32, then each role in order. Whatever error the writer recorded
// in its Err field is returned. Note that the password goes out in clear
// text, so the destination must be protected accordingly.
func (s *Session) serialize(w io.Writer) error {
	out := misc.BinWriter{w, nil}
	out.WriteBin(s.ExpiresAt)
	out.WriteString(s.User)
	out.WriteString(s.Password)
	count := uint32(len(s.Roles))
	out.WriteBin(count)
	for i := range s.Roles {
		out.WriteString(s.Roles[i])
	}
	return out.Err
}
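// deserialize reads the binary layout written by serialize from r into
// s. s is only overwritten once every field was read without error;
// otherwise s is left untouched and the reader's error is returned.
func (s *Session) deserialize(r io.Reader) error {
	var x Session
	var n uint32
	in := misc.BinReader{r, nil}
	in.ReadBin(&x.ExpiresAt)
	in.ReadString(&x.User)
	in.ReadString(&x.Password)
	in.ReadBin(&n)
	if in.Err != nil {
		return in.Err
	}
	// The role count comes straight from the stream, so the slice is not
	// sized by it up front: a corrupted or hostile count (up to ~4G) would
	// otherwise force a huge allocation before a single role is read.
	// Growing by append keeps memory proportional to the data actually
	// present. An empty, non-nil slice is kept for n == 0 as before.
	x.Roles = make(Roles, 0)
	for i := uint32(0); i < n; i++ {
		var role string
		in.ReadString(&role)
		if in.Err != nil {
			return in.Err
		}
		x.Roles = append(x.Roles, role)
	}
	*s = x
	return nil
}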
// GenerateSessionKey returns a fresh session token: sessionKeyLength
// worth of randomness from common.GenerateRandomKey, URL-safe base64
// encoded. The token is the only credential a session is looked up by,
// so this assumes GenerateRandomKey draws from a cryptographically
// secure source — confirm in pkg/common.
func GenerateSessionKey() string {
	raw := common.GenerateRandomKey(sessionKeyLength)
	return base64.URLEncoding.EncodeToString(raw)
}
// ErrInvalidRole is returned by GenerateSession when the user holds none
// of the roles that permit logging in.
var ErrInvalidRole = errors.New("Invalid role")
// GenerateSession logs user in: it looks up the user's roles with the
// given password, refuses users holding none of the roles that permit a
// log in (ErrInvalidRole), then builds a session, registers it in
// ConnPool under a new random token and returns both. Errors from the
// role lookup are returned unchanged; they may carry detail that callers
// should map before showing it to a client.
func GenerateSession(user, password string) (string, *Session, error) {
	roles, err := AllOtherRoles(user, password)
	switch {
	case err != nil:
		return "", nil, err
	case !roles.HasAny("sys_admin", "waterway_admin", "waterway_user"):
		// Valid credentials alone are not enough; at least one of these
		// roles is required to use the application.
		return "", nil, ErrInvalidRole
	}
	session := NewSession(user, password, roles)
	token := GenerateSessionKey()
	ConnPool.Add(token, session)
	return token, session, nil
}