gemma: auth/middleware.go annotate

annotate auth/middleware.go @ 230:8a226dc1c6ff

Made auth.Role variadic to allow to express that a endpoint may be used by more than one role. auth.HasRole already had this ability but I forgot to pull it through.

author	Sascha L. Teichmann <sascha.teichmann@intevation.de>
date	Thu, 26 Jul 2018 13:39:59 +0200
parents	63dd5216eee4
children	3771788d3dae

rev	line source
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	1 package auth
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	2
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	3 import (
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	4 "context"
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	5 "net/http"
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	6 "strings"
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	7 )
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	8
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	9 type contextType int
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	10
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	11 const (
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	12 sessionKey contextType = iota
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	13 tokenKey
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	14 )
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	15
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	16 func GetSession(req http.Request) (Session, bool) {
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	17 session, ok := req.Context().Value(sessionKey).(*Session)
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	18 return session, ok
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	19 }
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	20
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	21 func GetToken(req *http.Request) (string, bool) {
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	22 token, ok := req.Context().Value(tokenKey).(string)
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	23 return token, ok
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	24 }
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	25
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	26 func SessionMiddleware(next http.Handler) http.Handler {
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	27
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	28 return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	29
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	30 auth := req.Header.Get("X-Gemma-Auth")
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	31
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	32 token := strings.TrimSpace(auth)
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	33 if token == "" {
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	34 http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	35 return
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	36 }
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	37
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	38 session := ConnPool.Session(token)
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	39 if session == nil {
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	40 http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	41 return
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	42 }
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	43
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	44 ctx := req.Context()
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	45 ctx = context.WithValue(ctx, sessionKey, session)
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	46 ctx = context.WithValue(ctx, tokenKey, token)
119 29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	47 req = req.WithContext(ctx)
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	48
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	49 next.ServeHTTP(rw, req)
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	50 })
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: diff changeset	51 }
128 441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	52
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	53 func SessionChecker(next http.Handler, check func(*Session) bool) http.Handler {
128 441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	54 return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	55 claims, ok := GetSession(req)
128 441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	56 if !ok \|\| !check(claims) {
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	57 http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	58 return
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	59 }
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	60 next.ServeHTTP(rw, req)
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	61 })
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	62 }
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	63
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	64 func HasRole(roles ...string) func(*Session) bool {
0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	65 return func(session *Session) bool {
128 441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	66 for _, r1 := range roles {
134 0c56c56a1c44 Removed the JWT layer from the session management. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 128 diff changeset	67 for _, r2 := range session.Roles {
128 441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	68 if r1 == r2 {
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	69 return true
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	70 }
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	71 }
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	72 }
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	73 return false
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	74 }
441a8ee637c5 Added claims checker + example. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 119 diff changeset	75 }
226 63dd5216eee4 Refactored gemma server to be more REST-like. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 134 diff changeset	76
230 8a226dc1c6ff Made auth.Role variadic to allow to express that a endpoint may be used by more than one role. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 226 diff changeset	77 func EnsureRole(roles ...string) func(func(http.ResponseWriter, *http.Request)) http.Handler {
226 63dd5216eee4 Refactored gemma server to be more REST-like. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 134 diff changeset	78 return func(fn func(http.ResponseWriter, *http.Request)) http.Handler {
230 8a226dc1c6ff Made auth.Role variadic to allow to express that a endpoint may be used by more than one role. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 226 diff changeset	79 return SessionMiddleware(SessionChecker(http.HandlerFunc(fn), HasRole(roles...)))
226 63dd5216eee4 Refactored gemma server to be more REST-like. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 134 diff changeset	80 }
63dd5216eee4 Refactored gemma server to be more REST-like. Sascha L. Teichmann <sascha.teichmann@intevation.de> parents: 134 diff changeset	81 }

Mercurial > gemma

annotate auth/middleware.go @ 230:8a226dc1c6ff