func (h *Handler) updateUsername(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
id, ok := mux.Vars(req)["id"]
if !ok {
HttpError(rw, errors.Errorf("No id given."), http.StatusBadRequest)
return
}
h.m.IsAuthorized(permission(id), "put:data", middleware.NewEnv(req).Owner(id))(chd.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
var p UpdateUsernameRequest
if err := json.NewDecoder(req.Body).Decode(&p); err != nil {
HttpError(rw, err, http.StatusBadRequest)
return
}
user, err := h.s.UpdateUsername(id, p)
if err != nil {
WriteError(rw, err)
return
}
WriteJSON(rw, user)
}),
).ServeHTTPContext(ctx, rw, req)
}
func handler(m *Middleware, c test) func(context.Context, http.ResponseWriter, *http.Request) {
return func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
m.IsAuthorized(c.resource, c.permission, mwroot.NewEnv(req).Owner(c.owner))(chd.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
fmt.Fprintln(rw, "ok")
},
)).ServeHTTPContext(ctx, rw, req)
}
}
func (c *HTTPClient) IsRequestAllowed(req *http.Request, resource, permission, owner string) (bool, error) {
var token *osin.BearerAuth
if token = osin.CheckBearerAuth(req); token == nil {
return false, errors.New("No token given.")
} else if token.Code == "" {
return false, errors.New("No token given.")
}
env := middleware.NewEnv(req)
env.Owner(owner)
return c.IsAllowed(&AuthorizeRequest{Token: token.Code, Resource: resource, Permission: permission, Context: env.Ctx()})
}
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
return func(next chd.ContextHandler) chd.ContextHandler {
return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
if environment == nil {
environment = middleware.NewEnv(req)
}
policies, err := authcon.PoliciesFromContext(ctx)
if err != nil {
log.WithFields(log.Fields{
"authorization": "forbidden",
"error": err,
}).Warnf(`Policy extraction failed.`)
pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
return
}
subject, err := authcon.SubjectFromContext(ctx)
if err != nil {
log.WithFields(log.Fields{
"authorization": "forbidden",
"error": err,
}).Warnf(`Subject extraction failed.`)
pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
return
}
ok, err := guard.IsGranted(resource, permission, subject, policies, environment.Ctx())
if err != nil || !ok {
log.WithFields(log.Fields{
"authorization": "forbidden",
"error": err,
"valid": ok,
"subject": subject,
"permission": permission,
"resource": resource,
}).Warnf(`Subject is not allowed perform this action on this resource.`)
pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
return
}
log.WithFields(log.Fields{
"authorization": "success",
"subject": subject,
"permission": permission,
"resource": resource,
}).Infof(`Access granted.`)
next.ServeHTTPContext(ctx, rw, req)
})
}
}
func (h *Handler) delete(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
id, ok := mux.Vars(req)["id"]
if !ok {
HttpError(rw, errors.Errorf("No id given."), http.StatusBadRequest)
return
}
h.m.IsAuthorized(permission(id), "delete", middleware.NewEnv(req).Owner(id))(chd.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
if err := h.s.Delete(id); err != nil {
HttpError(rw, err, http.StatusInternalServerError)
return
}
rw.WriteHeader(http.StatusAccepted)
}),
).ServeHTTPContext(ctx, rw, req)
}
func (h *Handler) Find(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
subject, ok := mux.Vars(req)["subject"]
if !ok {
HttpError(rw, errors.New("No id given."), http.StatusBadRequest)
return
}
h.m.IsAuthorized(connectionsPermission, "get", middleware.NewEnv(req).Owner(subject))(hydcon.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
conns, err := h.s.FindAllByLocalSubject(subject)
if err != nil {
HttpError(rw, err, http.StatusNotFound)
return
}
WriteJSON(rw, conns)
},
)).ServeHTTPContext(ctx, rw, req)
}
func (h *Handler) get(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
id, ok := mux.Vars(req)["id"]
if !ok {
HttpError(rw, errors.Errorf("No id given."), http.StatusBadRequest)
return
}
h.m.IsAuthorized(permission(id), "get", middleware.NewEnv(req).Owner(id))(chd.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
user, err := h.s.Get(id)
if err != nil {
WriteError(rw, err)
return
}
WriteJSON(rw, user)
}),
).ServeHTTPContext(ctx, rw, req)
}
func (h *Handler) Get(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
id, ok := mux.Vars(req)["id"]
if !ok {
HttpError(rw, errors.New("No id given."), http.StatusBadRequest)
return
}
conn, err := h.s.Get(id)
if err != nil {
WriteError(rw, err)
return
}
h.m.IsAuthorized(permission(id), "get", middleware.NewEnv(req).Owner(conn.GetLocalSubject()))(hydcon.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
WriteJSON(rw, conn)
},
)).ServeHTTPContext(ctx, rw, req)
}
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
return func(next chd.ContextHandler) chd.ContextHandler {
return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
if environment == nil {
environment = middleware.NewEnv(req)
}
bearer := osin.CheckBearerAuth(req)
if allowed, err := m.Client.IsAllowed(&AuthorizeRequest{
Resource: resource,
Permission: permission,
Context: environment.Ctx(),
Token: bearer.Code,
}); err != nil {
log.WithFields(log.Fields{
"authorization": "forbidden",
"error": err,
"valid": allowed,
"permission": permission,
"resource": resource,
}).Warnf(`Subject is not allowed perform this action on this resource.`)
rw.WriteHeader(http.StatusForbidden)
return
} else if !allowed {
log.WithFields(log.Fields{
"authorization": "forbidden",
"error": nil,
"valid": allowed,
"permission": permission,
"resource": resource,
}).Warnf(`Subject is not allowed perform this action on this resource.`)
rw.WriteHeader(http.StatusForbidden)
return
}
log.WithFields(log.Fields{"authorization": "success"}).Info(`Allowed!`)
next.ServeHTTPContext(ctx, rw, req)
})
}
}
func (h *Handler) Delete(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
id, ok := mux.Vars(req)["id"]
if !ok {
http.Error(rw, "No id given.", http.StatusBadRequest)
return
}
conn, err := h.s.Get(id)
if err != nil {
HttpError(rw, err, http.StatusNotFound)
return
}
h.m.IsAuthorized(permission(id), "delete", middleware.NewEnv(req).Owner(conn.GetLocalSubject()))(hydcon.ContextHandlerFunc(
func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
if err := h.s.Delete(conn.GetID()); err != nil {
HttpError(rw, err, http.StatusInternalServerError)
return
}
rw.WriteHeader(http.StatusAccepted)
},
)).ServeHTTPContext(ctx, rw, req)
}
