fleet/server/service/http_auth.go

package service

import (
	"fmt"
	"net/http"
	"strings"

	kithttp "github.com/go-kit/kit/transport/http"
	"github.com/kolide/kolide-ose/server/contexts/token"
	"github.com/kolide/kolide-ose/server/contexts/viewer"
	"github.com/kolide/kolide-ose/server/kolide"
	"golang.org/x/net/context"
)

// authentication error
type authError struct {
	reason string
	// client reason is used to provide
	// a different error message to the client
	// when security is a concern
	clientReason string
}

func (e authError) Error() string {
	return e.reason
}

func (e authError) AuthError() string {
	if e.clientReason != "" {
		return e.clientReason
	}
	return "username or email and password do not match"
}

// permissionError, set when user is authenticated, but not allowed to perform action
type permissionError struct {
	message string
	badArgs []invalidArgument
}

func (e permissionError) Error() string {
	switch len(e.badArgs) {
	case 0:
	case 1:
		e.message = fmt.Sprintf("unauthorized: %s",
			e.badArgs[0].reason,
		)
	default:
		e.message = fmt.Sprintf("unauthorized: %s and %d other errors",
			e.badArgs[0].reason,
			len(e.badArgs),
		)
	}
	if e.message == "" {
		return "unauthorized"
	}
	return e.message
}

func (e permissionError) PermissionError() []map[string]string {
	var forbidden []map[string]string
	if len(e.badArgs) == 0 {
		forbidden = append(forbidden, map[string]string{"reason": e.Error()})
		return forbidden
	}
	for _, arg := range e.badArgs {
		forbidden = append(forbidden, map[string]string{
			"name":   arg.name,
			"reason": arg.reason,
		})
	}
	return forbidden

}

// setRequestsContexts updates the request with necessary context values for a request
func setRequestsContexts(svc kolide.Service, jwtKey string) kithttp.RequestFunc {
	return func(ctx context.Context, r *http.Request) context.Context {
		bearer := token.FromHTTPRequest(r)
		ctx = token.NewContext(ctx, bearer)
		v, err := authViewer(ctx, jwtKey, bearer, svc)
		if err == nil {
			ctx = viewer.NewContext(ctx, *v)
		}

		// get the user-id for request
		if strings.Contains(r.URL.Path, "users/") {
			ctx = withUserIDFromRequest(r, ctx)
		}
		return ctx
	}
}

func withUserIDFromRequest(r *http.Request, ctx context.Context) context.Context {
	id, _ := idFromRequest(r, "id")
	return context.WithValue(ctx, "request-id", id)
}
Organizing go code (#241) 2016-09-26 18:48:55 +00:00			`package service`
go-kit server layout 2016-08-28 03:59:17 +00:00
			`import (`
			`"fmt"`
			`"net/http"`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`"strings"`
go-kit server layout 2016-08-28 03:59:17 +00:00
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`kithttp "github.com/go-kit/kit/transport/http"`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`"github.com/kolide/kolide-ose/server/contexts/token"`
			`"github.com/kolide/kolide-ose/server/contexts/viewer"`
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client 2016-09-29 00:46:45 +00:00			`"github.com/kolide/kolide-ose/server/kolide"`
Organizing cobra commands (#100) 2016-09-03 17:25:16 +00:00			`"golang.org/x/net/context"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`)`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`// authentication error`
go-kit server layout 2016-08-28 03:59:17 +00:00			`type authError struct {`
Auth errors (#185) Return well formatted authentication errors to the client Log the reason for an error serveside but return a masked/generic reason to the client Assert go errors by behavior rather than type. 2016-09-20 19:22:54 +00:00			`reason string`
			`// client reason is used to provide`
			`// a different error message to the client`
			`// when security is a concern`
			`clientReason string`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

			`func (e authError) Error() string {`
Auth errors (#185) Return well formatted authentication errors to the client Log the reason for an error serveside but return a masked/generic reason to the client Assert go errors by behavior rather than type. 2016-09-20 19:22:54 +00:00			`return e.reason`
			`}`

			`func (e authError) AuthError() string {`
			`if e.clientReason != "" {`
			`return e.clientReason`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client 2016-09-29 00:46:45 +00:00			`return "username or email and password do not match"`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`

update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages 2016-09-23 02:41:58 +00:00			`// permissionError, set when user is authenticated, but not allowed to perform action`
			`type permissionError struct {`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`message string`
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages 2016-09-23 02:41:58 +00:00			`badArgs []invalidArgument`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`

update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages 2016-09-23 02:41:58 +00:00			`func (e permissionError) Error() string {`
			`switch len(e.badArgs) {`
			`case 0:`
			`case 1:`
			`e.message = fmt.Sprintf("unauthorized: %s",`
			`e.badArgs[0].reason,`
			`)`
			`default:`
			`e.message = fmt.Sprintf("unauthorized: %s and %d other errors",`
			`e.badArgs[0].reason,`
			`len(e.badArgs),`
			`)`
			`}`
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`if e.message == "" {`
			`return "unauthorized"`
			`}`
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages 2016-09-23 02:41:58 +00:00			`return e.message`
			`}`

			`func (e permissionError) PermissionError() []map[string]string {`
			`var forbidden []map[string]string`
			`if len(e.badArgs) == 0 {`
			`forbidden = append(forbidden, map[string]string{"reason": e.Error()})`
			`return forbidden`
			`}`
			`for _, arg := range e.badArgs {`
			`forbidden = append(forbidden, map[string]string{`
			`"name": arg.name,`
			`"reason": arg.reason,`
			`})`
			`}`
			`return forbidden`

update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware 2016-09-01 04:51:38 +00:00			`}`

Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`// setRequestsContexts updates the request with necessary context values for a request`
			`func setRequestsContexts(svc kolide.Service, jwtKey string) kithttp.RequestFunc {`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`return func(ctx context.Context, r *http.Request) context.Context {`
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler 2016-09-26 17:14:39 +00:00			`bearer := token.FromHTTPRequest(r)`
			`ctx = token.NewContext(ctx, bearer)`
			`v, err := authViewer(ctx, jwtKey, bearer, svc)`
			`if err == nil {`
			`ctx = viewer.NewContext(ctx, *v)`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`}`

			`// get the user-id for request`
			`if strings.Contains(r.URL.Path, "users/") {`
			`ctx = withUserIDFromRequest(r, ctx)`
			`}`
			`return ctx`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests 2016-09-08 01:24:11 +00:00			`}`

			`func withUserIDFromRequest(r *http.Request, ctx context.Context) context.Context {`
			`id, _ := idFromRequest(r, "id")`
			`return context.WithValue(ctx, "request-id", id)`
go-kit server layout 2016-08-28 03:59:17 +00:00			`}`