func (h *Handler) updateUsername(ctx context.Context, rw http.ResponseWriter, req *http.Request) { id, ok := mux.Vars(req)["id"] if !ok { HttpError(rw, errors.Errorf("No id given."), http.StatusBadRequest) return } h.m.IsAuthorized(permission(id), "put:data", middleware.NewEnv(req).Owner(id))(chd.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { var p UpdateUsernameRequest if err := json.NewDecoder(req.Body).Decode(&p); err != nil { HttpError(rw, err, http.StatusBadRequest) return } user, err := h.s.UpdateUsername(id, p) if err != nil { WriteError(rw, err) return } WriteJSON(rw, user) }), ).ServeHTTPContext(ctx, rw, req) }
func handler(m *Middleware, c test) func(context.Context, http.ResponseWriter, *http.Request) { return func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { m.IsAuthorized(c.resource, c.permission, mwroot.NewEnv(req).Owner(c.owner))(chd.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { fmt.Fprintln(rw, "ok") }, )).ServeHTTPContext(ctx, rw, req) } }
func (c *HTTPClient) IsRequestAllowed(req *http.Request, resource, permission, owner string) (bool, error) { var token *osin.BearerAuth if token = osin.CheckBearerAuth(req); token == nil { return false, errors.New("No token given.") } else if token.Code == "" { return false, errors.New("No token given.") } env := middleware.NewEnv(req) env.Owner(owner) return c.IsAllowed(&AuthorizeRequest{Token: token.Code, Resource: resource, Permission: permission, Context: env.Ctx()}) }
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler { return func(next chd.ContextHandler) chd.ContextHandler { return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { if environment == nil { environment = middleware.NewEnv(req) } policies, err := authcon.PoliciesFromContext(ctx) if err != nil { log.WithFields(log.Fields{ "authorization": "forbidden", "error": err, }).Warnf(`Policy extraction failed.`) pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden) return } subject, err := authcon.SubjectFromContext(ctx) if err != nil { log.WithFields(log.Fields{ "authorization": "forbidden", "error": err, }).Warnf(`Subject extraction failed.`) pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden) return } ok, err := guard.IsGranted(resource, permission, subject, policies, environment.Ctx()) if err != nil || !ok { log.WithFields(log.Fields{ "authorization": "forbidden", "error": err, "valid": ok, "subject": subject, "permission": permission, "resource": resource, }).Warnf(`Subject is not allowed perform this action on this resource.`) pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden) return } log.WithFields(log.Fields{ "authorization": "success", "subject": subject, "permission": permission, "resource": resource, }).Infof(`Access granted.`) next.ServeHTTPContext(ctx, rw, req) }) } }
func (h *Handler) delete(ctx context.Context, rw http.ResponseWriter, req *http.Request) { id, ok := mux.Vars(req)["id"] if !ok { HttpError(rw, errors.Errorf("No id given."), http.StatusBadRequest) return } h.m.IsAuthorized(permission(id), "delete", middleware.NewEnv(req).Owner(id))(chd.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { if err := h.s.Delete(id); err != nil { HttpError(rw, err, http.StatusInternalServerError) return } rw.WriteHeader(http.StatusAccepted) }), ).ServeHTTPContext(ctx, rw, req) }
func (h *Handler) Find(ctx context.Context, rw http.ResponseWriter, req *http.Request) { subject, ok := mux.Vars(req)["subject"] if !ok { HttpError(rw, errors.New("No id given."), http.StatusBadRequest) return } h.m.IsAuthorized(connectionsPermission, "get", middleware.NewEnv(req).Owner(subject))(hydcon.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { conns, err := h.s.FindAllByLocalSubject(subject) if err != nil { HttpError(rw, err, http.StatusNotFound) return } WriteJSON(rw, conns) }, )).ServeHTTPContext(ctx, rw, req) }
func (h *Handler) get(ctx context.Context, rw http.ResponseWriter, req *http.Request) { id, ok := mux.Vars(req)["id"] if !ok { HttpError(rw, errors.Errorf("No id given."), http.StatusBadRequest) return } h.m.IsAuthorized(permission(id), "get", middleware.NewEnv(req).Owner(id))(chd.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { user, err := h.s.Get(id) if err != nil { WriteError(rw, err) return } WriteJSON(rw, user) }), ).ServeHTTPContext(ctx, rw, req) }
func (h *Handler) Get(ctx context.Context, rw http.ResponseWriter, req *http.Request) { id, ok := mux.Vars(req)["id"] if !ok { HttpError(rw, errors.New("No id given."), http.StatusBadRequest) return } conn, err := h.s.Get(id) if err != nil { WriteError(rw, err) return } h.m.IsAuthorized(permission(id), "get", middleware.NewEnv(req).Owner(conn.GetLocalSubject()))(hydcon.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { WriteJSON(rw, conn) }, )).ServeHTTPContext(ctx, rw, req) }
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler { return func(next chd.ContextHandler) chd.ContextHandler { return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { if environment == nil { environment = middleware.NewEnv(req) } bearer := osin.CheckBearerAuth(req) if allowed, err := m.Client.IsAllowed(&AuthorizeRequest{ Resource: resource, Permission: permission, Context: environment.Ctx(), Token: bearer.Code, }); err != nil { log.WithFields(log.Fields{ "authorization": "forbidden", "error": err, "valid": allowed, "permission": permission, "resource": resource, }).Warnf(`Subject is not allowed perform this action on this resource.`) rw.WriteHeader(http.StatusForbidden) return } else if !allowed { log.WithFields(log.Fields{ "authorization": "forbidden", "error": nil, "valid": allowed, "permission": permission, "resource": resource, }).Warnf(`Subject is not allowed perform this action on this resource.`) rw.WriteHeader(http.StatusForbidden) return } log.WithFields(log.Fields{"authorization": "success"}).Info(`Allowed!`) next.ServeHTTPContext(ctx, rw, req) }) } }
func (h *Handler) Delete(ctx context.Context, rw http.ResponseWriter, req *http.Request) { id, ok := mux.Vars(req)["id"] if !ok { http.Error(rw, "No id given.", http.StatusBadRequest) return } conn, err := h.s.Get(id) if err != nil { HttpError(rw, err, http.StatusNotFound) return } h.m.IsAuthorized(permission(id), "delete", middleware.NewEnv(req).Owner(conn.GetLocalSubject()))(hydcon.ContextHandlerFunc( func(ctx context.Context, rw http.ResponseWriter, req *http.Request) { if err := h.s.Delete(conn.GetID()); err != nil { HttpError(rw, err, http.StatusInternalServerError) return } rw.WriteHeader(http.StatusAccepted) }, )).ServeHTTPContext(ctx, rw, req) }