Exemple #1
0
func TestMiddleware(t *testing.T) {
	m := &Middleware{}

	for k, c := range cases {
		h := hcon.NewContextAdapter(
			context.Background(),
			mockContext(c),
			m.IsAuthenticated,
		).ThenFunc(hcon.ContextHandlerFunc(handler(m, c)))

		ts := httptest.NewServer(h)
		defer ts.Close()

		res, err := http.Get(ts.URL)
		require.Nil(t, err)
		res.Body.Close()

		if !c.expectAuthN {
			assert.Equal(t, http.StatusUnauthorized, res.StatusCode, "Authentication failed case %d", k)
		} else if !c.expectAuthZ {
			assert.Equal(t, http.StatusForbidden, res.StatusCode, "Authorization failed case %d", k)
		} else {
			assert.Equal(t, http.StatusOK, res.StatusCode, "Case %d should be authorized but wasn't.", k)
		}
	}
}
Exemple #2
0
func (m *Middleware) IsAuthorized(resource, permission string, environment *env) func(hydcon.ContextHandler) hydcon.ContextHandler {
	return func(next hydcon.ContextHandler) hydcon.ContextHandler {
		return hydcon.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			if environment == nil {
				environment = Env(req)
			}

			policies, err := hydcon.PoliciesFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{"authorization": "forbidden"}).Warnf(`Policy extraction failed: "%s".`, err)
				errorHandler(rw, req, http.StatusForbidden)
				return
			}

			subject, err := hydcon.SubjectFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{"authorization": "forbidden"}).Warnf(`Forbidden! Subject extraction failed: "%s".`, err)
				errorHandler(rw, req, http.StatusForbidden)
				return
			}

			ok, err := guard.IsGranted(resource, permission, subject, policies, environment.Ctx())
			if err != nil || !ok {
				log.WithFields(log.Fields{"authorization": "forbidden"}).Warnf(`Forbidden! Subject "%s" is not being granted access "%s" to resource "%s".`, subject, permission, resource)
				errorHandler(rw, req, http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{"authorization": "success"}).Infof(`Allowed! Granting subject "%s" access "%s" to resource "%s".`, subject, permission, resource)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}
Exemple #3
0
func mockAuthorization(c test) func(h hcon.ContextHandler) hcon.ContextHandler {
	return func(h hcon.ContextHandler) hcon.ContextHandler {
		return hcon.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			claims := hjwt.NewClaimsCarrier(uuid.New(), "hydra", c.subject, "tests", time.Now(), time.Now())
			ctx = hcon.NewContextFromAuthValues(ctx, claims, &c.token, c.policies)
			h.ServeHTTPContext(ctx, rw, req)
		})
	}
}
Exemple #4
0
func handler(m *Middleware, c test) func(context.Context, http.ResponseWriter, *http.Request) {
	return func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
		m.IsAuthorized(c.resource, c.permission, Env(req).Owner(c.owner))(hcon.ContextHandlerFunc(
			func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
				fmt.Fprintln(rw, "ok")
			},
		)).ServeHTTPContext(ctx, rw, req)
	}
}
Exemple #5
0
func (h *Handler) Delete(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	id, ok := mux.Vars(req)["id"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}
	h.m.IsAuthorized(permission(id), "delete", middleware.Env(req).Owner(id))(hydcon.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			if err := h.s.Delete(id); err != nil {
				http.Error(rw, err.Error(), http.StatusInternalServerError)
				return
			}

			rw.WriteHeader(http.StatusAccepted)
		}),
	).ServeHTTPContext(ctx, rw, req)
}
Exemple #6
0
func (h *Handler) Delete(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	id, ok := mux.Vars(req)["id"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}

	h.m.IsAuthorized(permission(id), "delete", nil)(hctx.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			if err := h.s.Delete(id); err != nil {
				http.Error(rw, fmt.Sprintf("Could not retrieve client: %s", id), http.StatusInternalServerError)
				return
			}
			rw.WriteHeader(http.StatusAccepted)
		},
	)).ServeHTTPContext(ctx, rw, req)
}
Exemple #7
0
func (h *Handler) Get(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	id, ok := mux.Vars(req)["id"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}

	h.m.IsAuthorized(permission(id), "get", nil)(hctx.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			policy, err := h.s.Get(id)
			if err != nil {
				http.NotFound(rw, req)
			}
			pkg.WriteJSON(rw, policy)
		},
	))
}
Exemple #8
0
func (h *Handler) Find(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	subject, ok := mux.Vars(req)["subject"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}

	h.m.IsAuthorized(connectionsPermission, "get", middleware.Env(req).Owner(subject))(hydcon.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			conns, err := h.s.FindAllByLocalSubject(subject)
			if err != nil {
				http.Error(rw, err.Error(), http.StatusNotFound)
				return
			}
			WriteJSON(rw, conns)
		},
	)).ServeHTTPContext(ctx, rw, req)
}
Exemple #9
0
func (h *Handler) Get(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	id, ok := mux.Vars(req)["id"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}

	h.m.IsAuthorized(permission(id), "get", nil)(hydcon.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			client, err := h.s.GetClient(id)
			if err != nil {
				http.Error(rw, fmt.Sprintf("Could not retrieve client: %s", id), http.StatusNotFound)
				return
			}
			WriteJSON(rw, client)
		},
	)).ServeHTTPContext(ctx, rw, req)
}
Exemple #10
0
func (h *Handler) Get(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	id, ok := mux.Vars(req)["id"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}

	h.m.IsAuthorized(permission(id), "get", middleware.Env(req).Owner(id))(hydcon.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			user, err := h.s.Get(id)
			if err == ErrNotFound {
				http.Error(rw, err.Error(), http.StatusNotFound)
				return
			} else if err != nil {
				http.Error(rw, err.Error(), http.StatusInternalServerError)
				return
			}
			WriteJSON(rw, user)
		}),
	).ServeHTTPContext(ctx, rw, req)
}
Exemple #11
0
func (m *Middleware) IsAuthenticated(next hydcon.ContextHandler) hydcon.ContextHandler {
	return hydcon.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
		if !hydcon.IsAuthenticatedFromContext(ctx) {
			log.WithFields(log.Fields{"authentication": "fail"}).Warn(`Not able to get authorization from context.`)
			errorHandler(rw, req, http.StatusUnauthorized)
			return
		}

		subject, err := hydcon.SubjectFromContext(ctx)
		if err != nil {
			log.WithFields(log.Fields{"authentication": "fail"}).Warnf("Subject extraction failed: %s", err)
			errorHandler(rw, req, http.StatusUnauthorized)
			return
		} else if subject == "" {
			log.WithFields(log.Fields{"authentication": "fail"}).Warnf("No subject given.")
			errorHandler(rw, req, http.StatusUnauthorized)
			return
		}

		log.WithFields(log.Fields{"authentication": "success"}).Infof(`Authenticated subject "%s".`, subject)
		next.ServeHTTPContext(ctx, rw, req)
	})
}
Exemple #12
0
func (h *Handler) Get(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
	id, ok := mux.Vars(req)["id"]
	if !ok {
		http.Error(rw, "No id given.", http.StatusBadRequest)
		return
	}

	conn, err := h.s.Get(id)
	if err != nil {
		http.Error(rw, err.Error(), http.StatusNotFound)
		return
	}

	h.m.IsAuthorized(permission(id), "get", middleware.Env(req).Owner(conn.GetLocalSubject()))(hydcon.ContextHandlerFunc(
		func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			WriteJSON(rw, conn)
		},
	)).ServeHTTPContext(ctx, rw, req)
}
Exemple #13
0
func (m *Middleware) ExtractAuthentication(next hydcon.ContextHandler) hydcon.ContextHandler {
	return hydcon.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
		ctx = hydcon.NewContextFromAuthorization(ctx, req, m.jwtService, m.policyStore)
		next.ServeHTTPContext(ctx, rw, req)
	})
}