Mercurial > gemma

view pkg/auth/middleware.go @ 1133:dd4071019676

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Delete contour lines with their sounding result Contour lines are no independent data sets and thus can safely be deleted with sounding results. In passing, name the primary key as such.
author Tom Gottfried <tom@intevation.de>
date Wed, 07 Nov 2018 18:13:02 +0100
parents a244b18cb916
children 450f5d0f5fe7
line wrap: on
line source

// This is Free Software under GNU Affero General Public License v >= 3.0
// without warranty, see README.md and license for details.
//
// SPDX-License-Identifier: AGPL-3.0-or-later
// License-Filename: LICENSES/AGPL-3.0.txt
//
// Copyright (C) 2018 by via donau
//   – Österreichische Wasserstraßen-Gesellschaft mbH
// Software engineering by Intevation GmbH
//
// Author(s):
//  * Sascha L. Teichmann <sascha.teichmann@intevation.de>

package auth

import (
	"context"
	"net/http"
	"strings"
)

type contextType int

const (
	sessionKey contextType = iota
	tokenKey
)

func GetSession(req *http.Request) (*Session, bool) {
	session, ok := req.Context().Value(sessionKey).(*Session)
	return session, ok
}

func GetToken(req *http.Request) (string, bool) {
	token, ok := req.Context().Value(tokenKey).(string)
	return token, ok
}

func SessionMiddleware(next http.Handler) http.Handler {

	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {

		auth := req.Header.Get("X-Gemma-Auth")

		token := strings.TrimSpace(auth)
		if token == "" {
			http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}

		session := Sessions.Session(token)
		if session == nil {
			http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}

		ctx := req.Context()
		ctx = context.WithValue(ctx, sessionKey, session)
		ctx = context.WithValue(ctx, tokenKey, token)
		req = req.WithContext(ctx)

		next.ServeHTTP(rw, req)
	})
}

func SessionChecker(next http.Handler, check func(*Session) bool) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		claims, ok := GetSession(req)
		if !ok || !check(claims) {
			http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(rw, req)
	})
}

func HasRole(roles ...string) func(*Session) bool {
	return func(session *Session) bool {
		return session.Roles.HasAny(roles...)
	}
}

func EnsureRole(roles ...string) func(http.Handler) http.Handler {
	return func(handler http.Handler) http.Handler {
		return SessionMiddleware(SessionChecker(handler, HasRole(roles...)))
	}
}