Accueil Explorer Aide
S'inscrire Connexion
chenxixian
/
ovpm
miroir de https://github.com/cad/ovpm.git
1
0
Fork 0
Fichiers Tickets 0 Wiki
Aborescence: cbaf634afb
Branches Tags
ovpm
/
api
/
auth.go

auth.go 1.8 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. package api
    2. 

  2. 

  3. import (
    4. 

  4. 	"fmt"
    5. 

  5. 	"strings"
    6. 

  6. 

  7. 	"github.com/Sirupsen/logrus"
    8. 

  8. 	"github.com/cad/ovpm"
    9. 

  9. 	"github.com/cad/ovpm/permset"
    10. 

  10. 	gcontext "golang.org/x/net/context"
    11. 

  11. 	"google.golang.org/grpc"
    12. 

  12. 	"google.golang.org/grpc/codes"
    13. 

  13. 	"google.golang.org/grpc/metadata"
    14. 

  14. )
    15. 

  15. 

  16. func authRequired(ctx gcontext.Context, req interface{}, handler grpc.UnaryHandler) (resp interface{}, err error) {
    17. 

  17. 	logrus.Debugln("rpc: auth applied")
    18. 

  18. 	token, err := authzTokenFromContext(ctx)
    19. 

  19. 	if err != nil {
    20. 

  20. 		logrus.Debugln("rpc: auth denied because token can not be gathered from header contest")
    21. 

  21. 		return nil, grpc.Errorf(codes.Unauthenticated, err.Error())
    22. 

  22. 	}
    23. 

  23. 	user, err := ovpm.GetUserByToken(token)
    24. 

  24. 	if err != nil {
    25. 

  25. 		logrus.Debugln("rpc: auth denied because user with this token can not be found")
    26. 

  26. 		return nil, grpc.Errorf(codes.Unauthenticated, "access denied")
    27. 

  27. 	}
    28. 

  28. 

  29. 	// Set user's permissions according to it's criterias.
    30. 

  30. 	var permissions permset.Permset
    31. 

  31. 	if user.IsAdmin() {
    32. 

  32. 		permissions = permset.New(ovpm.AdminPerms()...)
    33. 

  33. 	} else {
    34. 

  34. 		permissions = permset.New(ovpm.UserPerms()...)
    35. 

  35. 	}
    36. 

  36. 

  37. 	newCtx := NewUsernameContext(ctx, user.GetUsername())
    38. 

  38. 	newCtx = permset.NewContext(newCtx, permissions)
    39. 

  39. 	return handler(newCtx, req)
    40. 

  40. }
    41. 

  41. 

  42. func authzTokenFromContext(ctx gcontext.Context) (string, error) {
    43. 

  43. 	// retrieve metadata from context
    44. 

  44. 	md, ok := metadata.FromIncomingContext(ctx)
    45. 

  45. 	if !ok {
    46. 

  46. 		return "", fmt.Errorf("authentication required")
    47. 

  47. 	}
    48. 

  48. 	if len(md["authorization"]) != 1 {
    49. 

  49. 		return "", fmt.Errorf("authentication required (length)")
    50. 

  50. 	}
    51. 

  51. 

  52. 	authHeader := md["authorization"][0]
    53. 

  53. 

  54. 	// split authorization header into two
    55. 

  55. 	splitToken := strings.Split(authHeader, "Bearer")
    56. 

  56. 	if len(splitToken) != 2 {
    57. 

  57. 		return "", fmt.Errorf("invalid Authorization header. it should be in the form of 'Bearer <token>': %s", authHeader)
    58. 

  58. 	}
    59. 

  59. 	// get token
    60. 

  60. 	token := splitToken[1]
    61. 

  61. 	token = strings.TrimSpace(token)
    62. 

  62. 	return token, nil
    63. 

  63. }
    64.