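// PermissionHandler validates the permissions of a user before further handling.
//
// A bearer token in the Authorization header is checked with authn.Validate;
// a missing, malformed or invalid token is treated as the anonymous user "".
// The request is then passed to the provider's IsAuthorized check and, on
// denial, answered with 401 and a WWW-Authenticate header listing the known
// authentication providers.
func PermissionHandler(inner http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := ""
		if t := r.Header.Get("Authorization"); strings.HasPrefix(t, "Bearer ") {
			// TrimPrefix rather than SplitAfter(...)[1]: the latter silently
			// truncates a token that itself contains the substring "Bearer ".
			u, err := authn.Validate(strings.TrimPrefix(t, "Bearer "))
			if err != nil {
				// A token that fails validation must not carry a user name
				// into the authorization decision, whatever Validate
				// returned alongside the error.
				u = ""
			}
			user = u
			// Deliberately do not log the raw Authorization header: the
			// bearer token is a credential and must not end up in log files.
			log.Debugf("Getting user %q from bearer token", user)
		}

		if GetProvider().IsAuthorized(user, r.Method, r.URL.RequestURI()) {
			inner.ServeHTTP(util.MakeLogger(w), r)
			return
		}

		// Advertise the known providers to the client. The loop (rather than a
		// direct strings.Join) keeps working whatever collection type
		// KnownProviders returns.
		var names []string
		for _, p := range authn.KnownProviders() {
			names = append(names, p)
		}
		ps := strings.Join(names, ",")
		// NOTE(review): the header value repeats the header name
		// ("WWW-Authenticate:<providers>") as in the original; that is not an
		// RFC 7235 challenge and should be fixed together with any client
		// that parses it. Also note that an authenticated-but-unauthorized
		// user receives 401 rather than 403 here.
		w.Header().Set("WWW-Authenticate", "WWW-Authenticate:"+ps)
		w.WriteHeader(http.StatusUnauthorized)
	})
}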
// GetRoles implements a naive role listing. All valid tokens will // result in a single "ADMIN" role, everybody else gets "*" func (provider *SimpleProvider) GetRoles(token string) []string { user, _ := authn.Validate(token) var roles []string if user != "" { return append(roles, "ADMIN") } return append(roles, "*") }
// TODO: make it possible to get multiple groups for users func (provider *LdapProvider) GetRoles(token string) []string { user, _ := authn.Validate(token) entry, err := provider.getEntryForUser(user) if err != nil { return []string{"registry user"} } else { return []string{entry.GetAttributeValue("cn")} } }
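// Reissue re-issues a new token based on an existing valid one.
//
// The caller must present a bearer token in the Authorization header; it is
// checked with authn.Validate and, when valid, a fresh token for the same user
// is written by sendToken. A missing, malformed or invalid token yields 401
// with no body.
//
// NOTE(review): any valid token can be exchanged for a new one, so a stolen
// token can be kept alive indefinitely; consider bounding the total lifetime
// or revoking the old token when the new one is issued.
func Reissue(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json; charset=UTF-8")

	t := r.Header.Get("Authorization")
	if !strings.HasPrefix(t, "Bearer ") {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// TrimPrefix rather than SplitAfter(...)[1]: the latter silently truncates
	// a token that itself contains the substring "Bearer ".
	user, err := authn.Validate(strings.TrimPrefix(t, "Bearer "))
	if err != nil || user == "" {
		// Never mint a token for an empty principal, even if Validate did not
		// report an error for it.
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	sendToken(w, user)
}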
var newToken string var err error var user = "******" var challange = "test" var provider = "pwd" BeforeEach(func() { util.LoadConfigByName("test_config") authn.InitMint() authn.InitValidator() }) Describe("Token roundtrip", func() { Context("Freshly minted token", func() { It("Fresh token should be valid", func() { user, err := authn.Validate(authn.GetToken(user)) Expect(err).To(BeNil()) Expect(user).To(Equal(user)) }) }) Context("Authenticating the user", func() { It("should return true, given valid username, challange and provider", func() { bool := authn.Authenticate(user, challange, provider) Expect(bool).To(BeTrue()) }) }) }) Describe("Reissuing a token", func() { Context("Username is preserved", func() { It("should return the username that was given to the old token", func() {