func hasRootAccess(sec auth.Store, r *http.Request) bool { if sec == nil { // No store means no auth available, eg, tests. return true } if !sec.AuthEnabled() { return true } username, password, ok := r.BasicAuth() if !ok { return false } rootUser, err := sec.GetUser(username) if err != nil { return false } ok = rootUser.CheckPassword(password) if !ok { plog.Warningf("auth: wrong password for user %s", username) return false } for _, role := range rootUser.Roles { if role == auth.RootRoleName { return true } } plog.Warningf("auth: user %s does not have the %s role for resource %s.", username, auth.RootRoleName, r.URL.Path) return false }
func hasGuestAccess(sec auth.Store, r *http.Request, key string) bool { writeAccess := r.Method != "GET" && r.Method != "HEAD" role, err := sec.GetRole(auth.GuestRoleName) if err != nil { return false } if role.HasKeyAccess(key, writeAccess) { return true } plog.Warningf("auth: invalid access for unauthenticated user on resource %s.", key) return false }
func hasKeyPrefixAccess(sec auth.Store, r *http.Request, key string, recursive bool) bool { if sec == nil { // No store means no auth available, eg, tests. return true } if !sec.AuthEnabled() { return true } if r.Header.Get("Authorization") == "" { plog.Warningf("auth: no authorization provided, checking guest access") return hasGuestAccess(sec, r, key) } username, password, ok := r.BasicAuth() if !ok { plog.Warningf("auth: malformed basic auth encoding") return false } user, err := sec.GetUser(username) if err != nil { plog.Warningf("auth: no such user: %s.", username) return false } authAsUser := user.CheckPassword(password) if !authAsUser { plog.Warningf("auth: incorrect password for user: %s.", username) return false } writeAccess := r.Method != "GET" && r.Method != "HEAD" for _, roleName := range user.Roles { role, err := sec.GetRole(roleName) if err != nil { continue } if recursive { if role.HasRecursiveAccess(key, writeAccess) { return true } } else if role.HasKeyAccess(key, writeAccess) { return true } } plog.Warningf("auth: invalid access for user %s on key %s.", username, key) return false }