Esempio n. 1
0
func (this *cbConfigStore) Authorize(credentials map[string]string, privileges []clustering.Privilege) errors.Error {

	if len(credentials) == 0 {
		return errors.NewAdminAuthError(nil, "no credentials provided")
	}

	for username, password := range credentials {
		auth, err := cbauth.Auth(username, password)
		if err != nil {
			return errors.NewAdminAuthError(err, "")
		}
		for _, requested := range privileges {
			switch requested {
			case clustering.PRIV_SYS_ADMIN:
				isAdmin, err := auth.IsAdmin()
				if err != nil {
					return errors.NewAdminAuthError(err, "")
				}
				if isAdmin {
					return nil
				}
				return errors.NewAdminAuthError(nil, "sys admin requires administrator credentials")
			case clustering.PRIV_READ:
				if auth.CanReadAnyMetadata() {
					return nil
				}
				return errors.NewAdminAuthError(nil, "read not authorized")
			}
		}
	}
	return errors.NewAdminAuthError(nil, "unrecognized authorization request")
}
func (this *HttpEndpoint) hasAdminAuth(req *http.Request) errors.Error {
	// retrieve the credentials from the request; the credentials must be specified
	// using basic authorization format. An error is returned if there is a step that
	// prevents retrieval of the credentials.
	authHdr := req.Header["Authorization"]
	if len(authHdr) == 0 {
		return errors.NewAdminAuthError(nil, "basic authorization required")
	}

	auth := authHdr[0]
	basicPrefix := "Basic "
	if !strings.HasPrefix(auth, basicPrefix) {
		return errors.NewAdminAuthError(nil, "basic authorization required")
	}

	decoded, err := base64.StdEncoding.DecodeString(auth[len(basicPrefix):])
	if err != nil {
		return errors.NewAdminDecodingError(err)
	}

	colonIndex := bytes.IndexByte(decoded, ':')
	if colonIndex == -1 {
		return errors.NewAdminAuthError(nil, "incorrect authorization header")
	}

	user := string(decoded[:colonIndex])
	password := string(decoded[colonIndex+1:])
	creds := map[string]string{user: password}

	// Attempt authorization with the cluster
	configstore := this.server.ConfigurationStore()
	sslPrivs := []clustering.Privilege{clustering.PRIV_SYS_ADMIN}
	authErr := configstore.Authorize(creds, sslPrivs)
	if authErr != nil {
		return authErr
	}

	return nil
}