changeset 447:62c909dd3098

Only allow login if the user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'.
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Tue, 21 Aug 2018 18:29:34 +0200
parents 659c04feb2dc
children 25dd96101aeb
files pkg/auth/middleware.go pkg/auth/opendb.go pkg/auth/session.go
diffstat 3 files changed, 19 insertions(+), 9 deletions(-) [+]
--- a/pkg/auth/middleware.go	Tue Aug 21 18:07:43 2018 +0200
+++ b/pkg/auth/middleware.go	Tue Aug 21 18:29:34 2018 +0200
@@ -63,12 +63,7 @@
 
 func HasRole(roles ...string) func(*Session) bool {
 	return func(session *Session) bool {
-		for _, r1 := range roles {
-			if session.Roles.Has(r1) {
-				return true
-			}
-		}
-		return false
+		return session.Roles.HasAny(roles...)
 	}
 }
 
--- a/pkg/auth/opendb.go	Tue Aug 21 18:07:43 2018 +0200
+++ b/pkg/auth/opendb.go	Tue Aug 21 18:29:34 2018 +0200
@@ -44,7 +44,7 @@
 
 var ErrInvalidRoleCharacters = errors.New("rolename contains invalid character")
 
-func AllOtherRoles(user, password string) ([]string, error) {
+func AllOtherRoles(user, password string) (Roles, error) {
 	db, err := OpenDB(user, password)
 	if err != nil {
 		return nil, err
@@ -56,7 +56,7 @@
 	}
 	defer rows.Close()
 
-	roles := []string{} // explicit empty by intention.
+	roles := Roles{} // explicit empty by intention.
 
 	for rows.Next() {
 		var role string
--- a/pkg/auth/session.go	Tue Aug 21 18:07:43 2018 +0200
+++ b/pkg/auth/session.go	Tue Aug 21 18:29:34 2018 +0200
@@ -2,6 +2,7 @@
 
 import (
 	"encoding/base64"
+	"errors"
 	"io"
 	"time"
 
@@ -27,12 +28,21 @@
 	return false
 }
 
+func (r Roles) HasAny(roles ...string) bool {
+	for _, y := range roles {
+		if r.Has(y) {
+			return true
+		}
+	}
+	return false
+}
+
 const (
 	sessionKeyLength = 20
 	maxTokenValid    = time.Hour * 3
 )
 
-func NewSession(user, password string, roles []string) *Session {
+func NewSession(user, password string, roles Roles) *Session {
 
 	// Create the Claims
 	return &Session{
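Review bot: HasAny is exported but carries no doc comment; add `// HasAny reports whether r contains at least one of the given roles.` above the method at the top of the hunk. It is worth stating in that comment that an empty argument list yields false, since the method only returns true from inside the loop over its arguments and the login check in GenerateSession relies on that to fail closed. NewSession's body continues past the end of the hunk.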
@@ -78,11 +88,16 @@
 		common.GenerateRandomKey(sessionKeyLength))
 }
 
+var ErrInvalidRole = errors.New("Invalid role")
+
 func GenerateSession(user, password string) (string, *Session, error) {
 	roles, err := AllOtherRoles(user, password)
 	if err != nil {
 		return "", nil, err
 	}
+	if !roles.HasAny("sys_admin", "waterway_admin", "waterway_user") {
+		return "", nil, ErrInvalidRole
+	}
 	token := GenerateSessionKey()
 	session := NewSession(user, password, roles)
 	ConnPool.Add(token, session)
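Review bot: The error string `"Invalid role"` on the new ErrInvalidRole line starts with a capital letter and does not name the condition it signals, which is that the user authenticated but holds none of the roles that permit a login; suggest `var ErrInvalidRole = errors.New("user has none of the roles permitted to log in")` with a doc comment on the exported variable. The three role names are a literal inside GenerateSession; if the HasRole middleware is configured with the same set elsewhere (not visible here), lifting them into one package-level `var loginRoles = []string{"sys_admin", "waterway_admin", "waterway_user"}` keeps the two from drifting apart. Because the check runs after AllOtherRoles has already opened the database with the supplied credentials, a rejection here is an authorization failure rather than an authentication failure, and the HTTP handler that maps ErrInvalidRole presumably should not make that distinction visible in its response. GenerateSession's body continues past the end of the hunk.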