annotate auth/middleware.go @ 143:abfac07bd82a vue-gettext

closing branch vue-gettext
author Thomas Junk <thomas.junk@intevation.de>
date Mon, 02 Jul 2018 09:37:53 +0200
parents 441a8ee637c5
children 0c56c56a1c44
rev   line source
119
29e56c342c9f Added first middleware for JWT token extraction. TODO: Add second one to check against logged in users.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents:
package auth

import (
	"context"
	"fmt"
	"net/http"
	"regexp"
)

var extractToken = regexp.MustCompile(`\s*Bearer\s+(\S+)`)

type contextType int

const (
	claimsKey contextType = iota
	tokenKey
)

func GetClaims(req *http.Request) (*Claims, bool) {
	claims, ok := req.Context().Value(claimsKey).(*Claims)
	return claims, ok
}

func GetToken(req *http.Request) (string, bool) {
	token, ok := req.Context().Value(tokenKey).(string)
	return token, ok
}

func JWTMiddleware(next http.Handler) http.Handler {

	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {

		auth := req.Header.Get("Authorization")

		token := extractToken.FindStringSubmatch(auth)
		if len(token) != 2 {
			http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}

		claims, err := TokenToClaims(token[1])
		if err != nil {
			http.Error(rw, fmt.Sprintf("error: %v", err), http.StatusUnauthorized)
			return
		}

		ctx := req.Context()
		ctx = context.WithValue(ctx, claimsKey, claims)
		ctx = context.WithValue(ctx, tokenKey, token[1])
		req = req.WithContext(ctx)

		next.ServeHTTP(rw, req)
	})
}
128
441a8ee637c5 Added claims checker + example.
Sascha L. Teichmann <sascha.teichmann@intevation.de>
parents: 119
func ClaimsChecker(next http.Handler, check func(*Claims) bool) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		claims, ok := GetClaims(req)
		if !ok || !check(claims) {
			http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(rw, req)
	})
}

func HasRole(roles ...string) func(*Claims) bool {
	return func(claims *Claims) bool {
		for _, r1 := range roles {
			for _, r2 := range claims.Roles {
				if r1 == r2 {
					return true
				}
			}
		}
		return false
	}
}
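
The `extractToken` pattern in the file above is unanchored and case-sensitive, so it picks a token out of headers that are not a well-formed `Bearer` credential and rejects a lowercase scheme. The following added example (not code from this repository) runs that pattern next to a hypothetical `strictToken` helper over constructed header values; `lenientToken`, `strictToken` and `samples` are names assumed here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Pattern copied from auth/middleware.go above; note that it is not anchored.
var extractToken = regexp.MustCompile(`\s*Bearer\s+(\S+)`)

// lenientToken mirrors the lookup done in JWTMiddleware.
func lenientToken(header string) (string, bool) {
	m := extractToken.FindStringSubmatch(header)
	if len(m) != 2 {
		return "", false
	}
	return m[1], true
}

// strictToken is a hypothetical replacement: exactly "<scheme> <token>",
// scheme compared case-insensitively (RFC 7235), nothing before or after.
func strictToken(header string) (string, bool) {
	f := strings.Fields(header)
	if len(f) != 2 || !strings.EqualFold(f[0], "Bearer") {
		return "", false
	}
	return f[1], true
}

// Constructed sample headers; "tok" stands in for a JWT.
var samples = []string{
	"Bearer tok",
	"bearer tok",
	"XBearer tok",
	"Basic dXNlcg== Bearer tok",
	"Bearer tok trailing",
}

func main() {
	for _, h := range samples {
		lt, lok := lenientToken(h)
		st, sok := strictToken(h)
		fmt.Printf("%-28q lenient=%q/%v strict=%q/%v\n", h, lt, lok, st, sok)
	}
}
```

Whatever is extracted is still handed to `TokenToClaims`, so this is input hygiene at the header boundary rather than a change to token verification.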