changeset 447:62c909dd3098
Only allow log in if user has at least one of the roles 'sys_admin', 'waterway_admin', 'waterway_user'.
author | Sascha L. Teichmann <sascha.teichmann@intevation.de> |
---|---|
date | Tue, 21 Aug 2018 18:29:34 +0200 |
parents | 659c04feb2dc |
children | 25dd96101aeb |
files | pkg/auth/middleware.go pkg/auth/opendb.go pkg/auth/session.go |
diffstat | 3 files changed, 19 insertions(+), 9 deletions(-) [+] |
--- a/pkg/auth/middleware.go Tue Aug 21 18:07:43 2018 +0200
+++ b/pkg/auth/middleware.go Tue Aug 21 18:29:34 2018 +0200
@@ -63,12 +63,7 @@
 func HasRole(roles ...string) func(*Session) bool {
 return func(session *Session) bool {
- for _, r1 := range roles {
- if session.Roles.Has(r1) {
- return true
- }
- }
- return false
+ return session.Roles.HasAny(roles...)
 }
 }
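Review bot: HasRole is exported but the hunk shows no doc comment on it, and the new one-liner makes the zero-argument case easy to overlook: HasAny over an empty role list returns false, so `HasRole()` produces a check that always denies. Unless a comment already sits above line 63 outside the hunk, add `// HasRole returns a session check that passes when the session holds at least one of roles; called with no roles it always denies.` The behaviour is unchanged from the removed loop, so this is documentation only.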
--- a/pkg/auth/opendb.go Tue Aug 21 18:07:43 2018 +0200
+++ b/pkg/auth/opendb.go Tue Aug 21 18:29:34 2018 +0200
@@ -44,7 +44,7 @@
 var ErrInvalidRoleCharacters = errors.New("rolename contains invalid character")
-func AllOtherRoles(user, password string) ([]string, error) {
+func AllOtherRoles(user, password string) (Roles, error) {
 db, err := OpenDB(user, password)
 if err != nil {
 return nil, err
@@ -56,7 +56,7 @@
 }
 defer rows.Close()
- roles := []string{} // explicit empty by intention.
+ roles := Roles{} // explicit empty by intention.
 for rows.Next() {
 var role string
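Review bot: AllOtherRoles is exported and its signature changes in the first hunk, yet it carries no doc comment; the only line above it in the hunk is the ErrInvalidRoleCharacters declaration, so none is hidden just outside. Suggest `// AllOtherRoles connects to the database with the given credentials and returns the roles it reads for that login; on success the result is meant to be non-nil even when empty.` The non-nil guarantee comes from the `roles := Roles{} // explicit empty by intention.` line in the second hunk and matters now that GenerateSession calls HasAny on the result, though the return statement itself lies past the end of the hunk. The function body continues beyond both hunks.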
--- a/pkg/auth/session.go Tue Aug 21 18:07:43 2018 +0200
+++ b/pkg/auth/session.go Tue Aug 21 18:29:34 2018 +0200
@@ -2,6 +2,7 @@
 import (
 "encoding/base64"
+ "errors"
 "io"
 "time"
@@ -27,12 +28,21 @@
 return false
 }
+func (r Roles) HasAny(roles ...string) bool {
+ for _, y := range roles {
+ if r.Has(y) {
+ return true
+ }
+ }
+ return false
+}
 const (
 sessionKeyLength = 20
 maxTokenValid = time.Hour * 3
 )
-func NewSession(user, password string, roles []string) *Session {
+func NewSession(user, password string, roles Roles) *Session {
 // Create the Claims
 return &Session{
@@ -78,11 +88,16 @@
 common.GenerateRandomKey(sessionKeyLength))
 }
+var ErrInvalidRole = errors.New("Invalid role")
 func GenerateSession(user, password string) (string, *Session, error) {
 roles, err := AllOtherRoles(user, password)
 if err != nil {
 return "", nil, err
 }
+ if !roles.HasAny("sys_admin", "waterway_admin", "waterway_user") {
+ return "", nil, ErrInvalidRole
+ }
 token := GenerateSessionKey()
 session := NewSession(user, password, roles)
 ConnPool.Add(token, session)
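Review bot: HasAny is a new exported method added in the second hunk without a doc comment; add `// HasAny reports whether r contains at least one of roles; with no roles it returns false.` Its loop delegates to Has, whose body starts above the hunk, so the matching rule (exact string comparison or otherwise) is inherited from there and worth stating in that comment once confirmed. NewSession's parameter type change in the same hunk is otherwise a plain type swap.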
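Review bot: In the third hunk the role gate runs only after AllOtherRoles has already authenticated the caller against the database, so ErrInvalidRole is returned precisely when the credentials were accepted but none of the three roles is held; if the HTTP handler (outside this hunk) turns ErrInvalidRole into a different response than a failed OpenDB, it confirms valid credentials to the client, so both should map to the same generic login failure with the distinction kept in server-side logs. The sentinel's message should follow Go convention, `var ErrInvalidRole = errors.New("invalid role")`. The role list is also hard-coded inline; hoisting it to `var loginRoles = []string{"sys_admin", "waterway_admin", "waterway_user"}` and calling `roles.HasAny(loginRoles...)` documents the policy once and lets middleware reuse it. GenerateSession continues past the end of the hunk.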