gemma: pkg/auth/session.go annotate

annotate pkg/auth/session.go @ 447:62c909dd3098

Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'.

author	Sascha L. Teichmann <sascha.teichmann@intevation.de>
date	Tue, 21 Aug 2018 18:29:34 +0200
parents	c1047fd04a3a
children	b2dc9c2f69e0

rev	line source
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	1 package auth
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	2
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	3 import (
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	4 "encoding/base64"
447 62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	5 "errors"
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	6 "io"
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	7 "time"
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	8
414 c1047fd04a3a Moved project specific Go packages to new pkg folder. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 408 diff changeset	9 "gemma.intevation.de/gemma/pkg/common"
c1047fd04a3a Moved project specific Go packages to new pkg folder. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 408 diff changeset	10 "gemma.intevation.de/gemma/pkg/misc"
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	11 )
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	12
326 a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	13 type Roles []string
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	14
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	15 type Session struct {
326 a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	16 ExpiresAt int64 `json:"expires"`
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	17 User string `json:"user"`
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	18 Password string `json:"password"`
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	19 Roles Roles `json:"roles"`
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	20 }
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	21
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	22 func (r Roles) Has(role string) bool {
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	23 for _, x := range r {
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	24 if x == role {
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	25 return true
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	26 }
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	27 }
a7b2db8b3d18 Added type for roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 215 diff changeset	28 return false
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	29 }
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	30
447 62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	31 func (r Roles) HasAny(roles ...string) bool {
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	32 for _, y := range roles {
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	33 if r.Has(y) {
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	34 return true
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	35 }
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	36 }
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	37 return false
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	38 }
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	39
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	40 const (
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	41 sessionKeyLength = 20
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	42 maxTokenValid = time.Hour * 3
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	43 )
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	44
447 62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	45 func NewSession(user, password string, roles Roles) *Session {
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	46
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	47 // Create the Claims
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	48 return &Session{
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	49 ExpiresAt: time.Now().Add(maxTokenValid).Unix(),
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	50 User: user,
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	51 Password: password,
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	52 Roles: roles,
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	53 }
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	54 }
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	55
197 e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit. Sascha L. Teichmann <teichmann@intevation.de> parents: 193 diff changeset	56 func (s *Session) serialize(w io.Writer) error {
340 4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct. Sascha L. Teichmann <teichmann@intevation.de> parents: 339 diff changeset	57 wr := misc.BinWriter{w, nil}
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct. Sascha L. Teichmann <teichmann@intevation.de> parents: 339 diff changeset	58 wr.WriteBin(s.ExpiresAt)
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	59 wr.WriteString(s.User)
33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	60 wr.WriteString(s.Password)
340 4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct. Sascha L. Teichmann <teichmann@intevation.de> parents: 339 diff changeset	61 wr.WriteBin(uint32(len(s.Roles)))
215 f345edb409b2 Made serialisation and deserialisation of sessions more robust (fixed a small bug on the way). Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 197 diff changeset	62 for _, role := range s.Roles {
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	63 wr.WriteString(role)
197 e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit. Sascha L. Teichmann <teichmann@intevation.de> parents: 193 diff changeset	64 }
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	65 return wr.Err
193 1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	66 }
1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	67
197 e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit. Sascha L. Teichmann <teichmann@intevation.de> parents: 193 diff changeset	68 func (s *Session) deserialize(r io.Reader) error {
193 1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	69 var x Session
1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	70 var n uint32
340 4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct. Sascha L. Teichmann <teichmann@intevation.de> parents: 339 diff changeset	71 rd := misc.BinReader{r, nil}
4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct. Sascha L. Teichmann <teichmann@intevation.de> parents: 339 diff changeset	72 rd.ReadBin(&x.ExpiresAt)
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	73 rd.ReadString(&x.User)
33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	74 rd.ReadString(&x.Password)
340 4c211ad5349e Embed Reader and Writer in BinReader and BinWriter to make API more distinct. Sascha L. Teichmann <teichmann@intevation.de> parents: 339 diff changeset	75 rd.ReadBin(&n)
337 e48da6f427c8 Be a bit more type precise in deserialisation of roles in sessions. Sascha L. Teichmann <teichmann@intevation.de> parents: 326 diff changeset	76 x.Roles = make(Roles, n)
193 1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	77 for i := uint32(0); n > 0 && i < n; i++ {
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	78 rd.ReadString(&x.Roles[i])
193 1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	79 }
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	80 if rd.Err == nil {
197 e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit. Sascha L. Teichmann <teichmann@intevation.de> parents: 193 diff changeset	81 *s = x
e85413e5befa Cleaned up serialisation/deserilisation of sessions a bit. Sascha L. Teichmann <teichmann@intevation.de> parents: 193 diff changeset	82 }
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	83 return rd.Err
193 1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	84 }
1585c334e8a7 More on persisting sessions. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 149 diff changeset	85
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	86 func GenerateSessionKey() string {
339 33b59c848771 Factored out some miscellaneous code into own package. Sascha L. Teichmann <teichmann@intevation.de> parents: 337 diff changeset	87 return base64.URLEncoding.EncodeToString(
408 ac23905e64b1 Improve WFS proxy a lot. It now generates signed re-writings. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 340 diff changeset	88 common.GenerateRandomKey(sessionKeyLength))
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	89 }
124 bb9120d28950 Generate JWT from database roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	90
447 62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	91 var ErrInvalidRole = errors.New("Invalid role")
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	92
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	93 func GenerateSession(user, password string) (string, *Session, error) {
124 bb9120d28950 Generate JWT from database roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	94 roles, err := AllOtherRoles(user, password)
bb9120d28950 Generate JWT from database roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	95 if err != nil {
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	96 return "", nil, err
124 bb9120d28950 Generate JWT from database roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	97 }
447 62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	98 if !roles.HasAny("sys_admin", "waterway_admin", "waterway_user") {
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	99 return "", nil, ErrInvalidRole
62c909dd3098 Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 414 diff changeset	100 }
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	101 token := GenerateSessionKey()
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	102 session := NewSession(user, password, roles)
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	103 ConnPool.Add(token, session)
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 124 diff changeset	104 return token, session, nil
124 bb9120d28950 Generate JWT from database roles. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	105 }

Mercurial > gemma

annotate pkg/auth/session.go @ 447:62c909dd3098