func (p *protocolV2) CheckAuth(client *nsqd.ClientV2, cmd, topicName, channelName string) error {
// if auth is enabled, the client must have authorized already
// compare topic/channel against cached authorization data (refetching if expired)
if p.ctx.isAuthEnabled() {
if !client.HasAuthorizations() {
return protocol.NewFatalClientErr(nil, "E_AUTH_FIRST",
fmt.Sprintf("AUTH required before %s", cmd))
}
ok, err := client.IsAuthorized(topicName, channelName)
if err != nil {
// we don't want to leak errors contacting the auth server to untrusted clients
nsqd.NsqLogger().Logf("PROTOCOL(V2): [%s] Auth Failed %s", client, err)
return protocol.NewFatalClientErr(nil, "E_AUTH_FAILED", "AUTH failed")
}
if !ok {
return protocol.NewFatalClientErr(nil, "E_UNAUTHORIZED",
fmt.Sprintf("AUTH failed for %s on %q %q", cmd, topicName, channelName))
}
}
return nil
}
func (p *protocolV2) AUTH(client *nsqd.ClientV2, params [][]byte) ([]byte, error) {
state := atomic.LoadInt32(&client.State)
if state != stateInit {
nsqd.NsqLogger().LogWarningf("[%s] command in wrong state: %v", client, state)
return nil, protocol.NewFatalClientErr(nil, E_INVALID, "cannot AUTH in current state")
}
if len(params) != 1 {
return nil, protocol.NewFatalClientErr(nil, E_INVALID, "AUTH invalid number of parameters")
}
bodyLen, err := readLen(client.Reader, client.LenSlice)
if err != nil {
return nil, protocol.NewFatalClientErr(err, "E_BAD_BODY", "AUTH failed to read body size")
}
if int64(bodyLen) > p.ctx.getOpts().MaxBodySize {
return nil, protocol.NewFatalClientErr(nil, "E_BAD_BODY",
fmt.Sprintf("AUTH body too big %d > %d", bodyLen, p.ctx.getOpts().MaxBodySize))
}
if bodyLen <= 0 {
return nil, protocol.NewFatalClientErr(nil, "E_BAD_BODY",
fmt.Sprintf("AUTH invalid body size %d", bodyLen))
}
body := make([]byte, bodyLen)
_, err = io.ReadFull(client.Reader, body)
if err != nil {
return nil, protocol.NewFatalClientErr(err, "E_BAD_BODY", "AUTH failed to read body")
}
if client.HasAuthorizations() {
return nil, protocol.NewFatalClientErr(nil, E_INVALID, "AUTH Already set")
}
if !p.ctx.isAuthEnabled() {
return nil, protocol.NewFatalClientErr(err, "E_AUTH_DISABLED", "AUTH Disabled")
}
if err = client.Auth(string(body)); err != nil {
// we don't want to leak errors contacting the auth server to untrusted clients
nsqd.NsqLogger().Logf("PROTOCOL(V2): [%s] Auth Failed %s", client, err)
return nil, protocol.NewFatalClientErr(err, "E_AUTH_FAILED", "AUTH failed")
}
if !client.HasAuthorizations() {
return nil, protocol.NewFatalClientErr(nil, "E_UNAUTHORIZED", "AUTH No authorizations found")
}
var resp []byte
resp, err = json.Marshal(struct {
Identity string `json:"identity"`
IdentityURL string `json:"identity_url"`
PermissionCount int `json:"permission_count"`
}{
Identity: client.AuthState.Identity,
IdentityURL: client.AuthState.IdentityURL,
PermissionCount: len(client.AuthState.Authorizations),
})
if err != nil {
return nil, protocol.NewFatalClientErr(err, "E_AUTH_ERROR", "AUTH error "+err.Error())
}
err = Send(client, frameTypeResponse, resp)
if err != nil {
return nil, protocol.NewFatalClientErr(err, "E_AUTH_ERROR", "AUTH error "+err.Error())
}
return nil, nil
}
