Exemple #1
0
func (m *Middleware) IsAuthorized(resource, permission string, environment *env) func(hydcon.ContextHandler) hydcon.ContextHandler {
	return func(next hydcon.ContextHandler) hydcon.ContextHandler {
		return hydcon.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			if environment == nil {
				environment = Env(req)
			}

			policies, err := hydcon.PoliciesFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{"authorization": "forbidden"}).Warnf(`Policy extraction failed: "%s".`, err)
				errorHandler(rw, req, http.StatusForbidden)
				return
			}

			subject, err := hydcon.SubjectFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{"authorization": "forbidden"}).Warnf(`Forbidden! Subject extraction failed: "%s".`, err)
				errorHandler(rw, req, http.StatusForbidden)
				return
			}

			ok, err := guard.IsGranted(resource, permission, subject, policies, environment.Ctx())
			if err != nil || !ok {
				log.WithFields(log.Fields{"authorization": "forbidden"}).Warnf(`Forbidden! Subject "%s" is not being granted access "%s" to resource "%s".`, subject, permission, resource)
				errorHandler(rw, req, http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{"authorization": "success"}).Infof(`Allowed! Granting subject "%s" access "%s" to resource "%s".`, subject, permission, resource)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}
Exemple #2
0
func (m *Middleware) IsAuthorized(resource, permission string, environment *middleware.Env) func(chd.ContextHandler) chd.ContextHandler {
	return func(next chd.ContextHandler) chd.ContextHandler {
		return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
			if environment == nil {
				environment = middleware.NewEnv(req)
			}

			policies, err := authcon.PoliciesFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
				}).Warnf(`Policy extraction failed.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			subject, err := authcon.SubjectFromContext(ctx)
			if err != nil {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
				}).Warnf(`Subject extraction failed.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			ok, err := guard.IsGranted(resource, permission, subject, policies, environment.Ctx())
			if err != nil || !ok {
				log.WithFields(log.Fields{
					"authorization": "forbidden",
					"error":         err,
					"valid":         ok,
					"subject":       subject,
					"permission":    permission,
					"resource":      resource,
				}).Warnf(`Subject is not allowed perform this action on this resource.`)
				pkg.HttpError(rw, errors.New("Forbidden"), http.StatusForbidden)
				return
			}

			log.WithFields(log.Fields{
				"authorization": "success",
				"subject":       subject,
				"permission":    permission,
				"resource":      resource,
			}).Infof(`Access granted.`)
			next.ServeHTTPContext(ctx, rw, req)
		})
	}
}
Exemple #3
0
func (m *Middleware) IsAuthenticated(next chd.ContextHandler) chd.ContextHandler {
	return chd.ContextHandlerFunc(func(ctx context.Context, rw http.ResponseWriter, req *http.Request) {
		if !authcon.IsAuthenticatedFromContext(ctx) {
			log.WithFields(log.Fields{"authentication": "fail"}).Warn(`Not able to get authorization from context.`)
			pkg.HttpError(rw, errors.New("Unauthorized"), http.StatusUnauthorized)
			return
		}

		subject, err := authcon.SubjectFromContext(ctx)
		if err != nil {
			log.WithFields(log.Fields{"authentication": "fail"}).Warnf("Subject extraction failed: %s", err)
			pkg.HttpError(rw, errors.New("Unauthorized"), http.StatusUnauthorized)
			return
		} else if subject == "" {
			log.WithFields(log.Fields{"authentication": "fail"}).Warnf("No subject given.")
			pkg.HttpError(rw, errors.New("Unauthorized"), http.StatusUnauthorized)
			return
		}

		log.WithFields(log.Fields{"authentication": "success"}).Infof(`Authenticated subject "%s".`, subject)
		next.ServeHTTPContext(ctx, rw, req)
	})
}