// validateAccessMap reports whether every key of access is a valid principal
// name. Keys carrying a "role:" prefix denote roles in the access view, so the
// prefix is stripped before the name is checked. The first invalid name is
// logged via base.Warn and false is returned; true means every key passed.
func validateAccessMap(access channels.AccessMap) bool {
	for key := range access {
		// Role names appear in the access view as "role:<name>"; validate the
		// bare name.
		principal := strings.TrimPrefix(key, "role:")
		if auth.IsValidPrincipalName(principal) {
			continue
		}
		base.Warn("Invalid principal name %q in access() or role() call", principal)
		return false
	}
	return true
}
// validateRoleAccessMap reports whether roleAccess is well-formed: its keys must
// satisfy validateAccessMap, and every role name nested under each key must be
// a valid principal name. The first offending role name is logged via base.Warn
// and false is returned.
func validateRoleAccessMap(roleAccess channels.AccessMap) bool {
	if !validateAccessMap(roleAccess) {
		return false
	}
	for _, assignedRoles := range roleAccess {
		for role := range assignedRoles {
			if auth.IsValidPrincipalName(role) {
				continue
			}
			base.Warn("Invalid role name %q in role() call", role)
			return false
		}
	}
	return true
}
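// createUserSession is the ADMIN API handler that mints a login session for an
// existing user. It reads a JSON body of the form {"name": ..., "ttl": <seconds>},
// with ttl defaulting to kDefaultSessionTTL, and responds with the session ID,
// its expiration time and the name of the session cookie.
//
// Returns a 400 error for a missing or invalid user name and for a ttl that is
// non-positive or too large to represent, a 404 when the user does not exist,
// and any error produced by the JSON decoder or the authenticator. Returns nil
// once the response has been written.
func (h *handler) createUserSession() error {
	h.assertAdminOnly()
	var params struct {
		Name string `json:"name"`
		TTL  int    `json:"ttl"`
	}
	params.TTL = int(kDefaultSessionTTL / time.Second)
	// The request body was previously passed as a mis-encoded "¶ms" token;
	// it must be the address of params for the decoder to fill it in.
	if err := h.readJSONInto(&params); err != nil {
		return err
	}
	// The guest user never receives an explicit session, and the name must pass
	// the same validation applied to every other principal.
	if params.Name == "" || params.Name == base.GuestUsername || !auth.IsValidPrincipalName(params.Name) {
		return base.HTTPErrorf(http.StatusBadRequest, "Invalid or missing user name")
	}
	user, err := h.db.Authenticator().GetUser(params.Name)
	if err != nil {
		// Never issue a session when the lookup itself failed, even if a partial
		// user value was returned alongside the error.
		return err
	}
	if user == nil {
		return base.HTTPErrorf(http.StatusNotFound, "No such user %q", params.Name)
	}
	ttl := time.Duration(params.TTL) * time.Second
	// Reject non-positive TTLs, and TTLs so large that converting seconds to
	// nanoseconds wrapped around (detected by checking the multiplication
	// inverts cleanly) so a bogus expiration is never stored on the session.
	if ttl < time.Second || ttl/time.Second != time.Duration(params.TTL) {
		return base.HTTPErrorf(http.StatusBadRequest, "Invalid or missing ttl")
	}
	session, err := h.db.Authenticator().CreateSession(params.Name, ttl)
	if err != nil {
		return err
	}
	var response struct {
		SessionID  string    `json:"session_id"`
		Expires    time.Time `json:"expires"`
		CookieName string    `json:"cookie_name"`
	}
	response.SessionID = session.ID
	response.Expires = session.Expiration
	response.CookieName = auth.CookieName
	h.writeJSON(response)
	return nil
}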