empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 17:05:18 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
6fb96d98f7
fleet/server/service/endpoint_middleware.go

209 lines
5.7 KiB
Go
Raw Normal View History

Organizing go code (#241)
2016-09-26 18:48:55 +00:00
package service
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
import (
"errors"
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
"fmt"
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
jwt "github.com/dgrijalva/jwt-go"
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
"github.com/go-kit/kit/endpoint"
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
"github.com/kolide/kolide-ose/server/contexts/token"
"github.com/kolide/kolide-ose/server/contexts/viewer"
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
"github.com/kolide/kolide-ose/server/kolide"
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
"golang.org/x/net/context"
)
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
var errNoContext = errors.New("context key not set")
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
func authenticated(jwtKey string, svc kolide.Service, next endpoint.Endpoint) endpoint.Endpoint {
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests
2016-09-08 01:24:11 +00:00
return func(ctx context.Context, request interface{}) (interface{}, error) {
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
// first check if already succesfuly set
if _, ok := viewer.FromContext(ctx); ok {
return next(ctx, request)
}
// if not succesful, try again this time with errors
bearer, ok := token.FromContext(ctx)
if !ok {
return nil, authError{reason: "no auth token"}
}
v, err := authViewer(ctx, jwtKey, bearer, svc)
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests
2016-09-08 01:24:11 +00:00
if err != nil {
return nil, err
}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
ctx = viewer.NewContext(ctx, *v)
Header based JWT authentication (#131) * add a test data subcommand * updated sessions stuff * merge and tests
2016-09-08 01:24:11 +00:00
return next(ctx, request)
}
}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
// authViewer creates an authenticated viewer by validating a JWT token.
func authViewer(ctx context.Context, jwtKey string, bearerToken string, svc kolide.Service) (*viewer.Viewer, error) {
jwtToken, err := jwt.Parse(bearerToken, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
return []byte(jwtKey), nil
})
if err != nil {
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
return nil, authError{reason: err.Error()}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
}
claims, ok := jwtToken.Claims.(jwt.MapClaims)
if !ok {
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
return nil, authError{reason: "no jwt claims"}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
}
sessionKeyClaim, ok := claims["session_key"]
if !ok {
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
return nil, authError{reason: "no session_key in JWT claims"}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
}
sessionKey, ok := sessionKeyClaim.(string)
if !ok {
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
return nil, authError{reason: "non-string key in sessionClaim"}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
}
session, err := svc.GetSessionByKey(ctx, sessionKey)
if err != nil {
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
return nil, authError{reason: err.Error()}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
}
user, err := svc.User(ctx, session.UserID)
if err != nil {
Login form displays error message (#243) * Login form displays error message * default bad auth to a generic error for the client
2016-09-29 00:46:45 +00:00
return nil, authError{reason: err.Error()}
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
}
return &viewer.Viewer{User: user, Session: session}, nil
}
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
func mustBeAdmin(next endpoint.Endpoint) endpoint.Endpoint {
return func(ctx context.Context, request interface{}) (interface{}, error) {
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, errNoContext
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
}
if !vc.IsAdmin() {
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
return nil, permissionError{message: "must be an admin"}
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
}
return next(ctx, request)
}
}
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
func canPerformActions(next endpoint.Endpoint) endpoint.Endpoint {
return func(ctx context.Context, request interface{}) (interface{}, error) {
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, errNoContext
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
}
if !vc.CanPerformActions() {
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
return nil, permissionError{message: "no read permissions"}
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
}
return next(ctx, request)
}
}
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
func canReadUser(next endpoint.Endpoint) endpoint.Endpoint {
return func(ctx context.Context, request interface{}) (interface{}, error) {
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, errNoContext
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
}
uid := requestUserIDFromContext(ctx)
if !vc.CanPerformReadActionOnUser(uid) {
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
return nil, permissionError{message: "no read permissions on user"}
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
}
return next(ctx, request)
}
}
func canModifyUser(next endpoint.Endpoint) endpoint.Endpoint {
return func(ctx context.Context, request interface{}) (interface{}, error) {
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, errNoContext
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
}
uid := requestUserIDFromContext(ctx)
if !vc.CanPerformWriteActionOnUser(uid) {
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
return nil, permissionError{message: "no write permissions on user"}
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
}
return next(ctx, request)
}
}
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
type permission int
const (
anyone permission = iota
self
admin
)
func validateModifyUserRequest(next endpoint.Endpoint) endpoint.Endpoint {
return func(ctx context.Context, request interface{}) (interface{}, error) {
r := request.(modifyUserRequest)
Create context packages (#228) add token context package add viewer context package add host context package update authenticated middleware to set viewer context or return error re-organize API handler
2016-09-26 17:14:39 +00:00
vc, ok := viewer.FromContext(ctx)
if !ok {
return nil, errNoContext
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
}
uid := requestUserIDFromContext(ctx)
p := r.payload
must := requireRoleForUserModification(p)
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
var badArgs []invalidArgument
if !vc.IsAdmin() {
for _, field := range must[admin] {
badArgs = append(badArgs, invalidArgument{name: field, reason: "must be an admin"})
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
}
}
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
if !vc.CanPerformWriteActionOnUser(uid) {
for _, field := range must[self] {
badArgs = append(badArgs, invalidArgument{name: field, reason: "no write permissions on user"})
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
}
}
update how permission errors are updated to the client (#187) Closes #152 allow batching of permission errors refactor some of the error handling in encodeError clean up some of the error messages
2016-09-23 02:41:58 +00:00
if len(badArgs) != 0 {
return nil, permissionError{badArgs: badArgs}
}
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
return next(ctx, request)
}
}
// checks if fields were set in a user payload
// returns a map of updated fields for each role required
func requireRoleForUserModification(p kolide.UserPayload) map[permission][]string {
must := make(map[permission][]string)
adminFields := []string{}
if p.Enabled != nil {
adminFields = append(adminFields, "enabled")
}
if p.Admin != nil {
adminFields = append(adminFields, "admin")
}
if p.AdminForcedPasswordReset != nil {
adminFields = append(adminFields, "force_password_reset")
}
if len(adminFields) != 0 {
must[admin] = adminFields
}
selfFields := []string{}
if p.Username != nil {
selfFields = append(selfFields, "username")
}
if p.GravatarURL != nil {
selfFields = append(selfFields, "gravatar_url")
}
if p.Position != nil {
selfFields = append(selfFields, "position")
}
if p.Email != nil {
selfFields = append(selfFields, "email")
}
update password reset check for user PATCH request (#238)
2016-09-26 16:29:51 +00:00
if p.Password != nil {
selfFields = append(selfFields, "password")
}
Update users service (#156) Closes #144 #145 #160 Implements PATCH method on user and endpoint middleware for authnz Implements `reset_password` (with token) and `forgot_password` endpoints Added godoc comments for UserService interface Shift to using testify/assert in test code Multiple fixes/changes to the UserService API
2016-09-15 14:52:17 +00:00
// self is always a must, otherwise
// anyone can edit the field, and we don't have that requirement
must[self] = selfFields
return must
}
update user service (#101) - Added all required methods for a UserService - Added authentication handlers `/api/login` and `/api/logout` - Added authMiddleware for authentication for `/api/v1/kolide` path - Added authorization middleware for each endoint - Added validation middleware for validating API inputs - Began work on logging middleware
2016-09-01 04:51:38 +00:00
func requestUserIDFromContext(ctx context.Context) uint {
userID, ok := ctx.Value("request-id").(uint)
if !ok {
return 0
}
return userID
}
Reference in New Issue Copy Permalink