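// hasRootAccess reports whether the request may use a root-only resource.
//
// Access is granted without any credential check when sec is nil or when
// sec.SecurityEnabled() is false. Otherwise the request must carry HTTP Basic
// credentials whose username is exactly "root" and whose password passes
// CheckPassword on the stored root user. Every other outcome, including a
// failed lookup of the root user, denies access.
func hasRootAccess(sec *security.Store, r *http.Request) bool {
	if sec == nil {
		// No store means no security available, e.g. tests.
		// NOTE(review): this branch fails open; callers outside tests
		// presumably always pass a non-nil store. Confirm at the call sites.
		return true
	}
	if !sec.SecurityEnabled() {
		return true
	}
	username, password, ok := netutil.BasicAuth(r)
	if !ok {
		return false
	}
	if username != "root" {
		// The username comes from the request's credentials, so it is logged
		// with %q: control characters such as CR/LF are escaped and cannot
		// start a forged log line.
		log.Printf("security: Attempting to use user %q for resource that requires root.", username)
		return false
	}
	root, err := sec.GetUser("root")
	if err != nil {
		// Deny access, but leave a trace: security is enabled and the root
		// user could not be loaded, which an operator needs to see.
		log.Printf("security: Cannot look up root user: %v", err)
		return false
	}
	ok = root.CheckPassword(password)
	if !ok {
		log.Printf("security: Wrong password for user %q", username)
	}
	return ok
}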
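// hasKeyPrefixAccess reports whether the request may access key.
//
// Access is granted without any credential check when sec is nil or when
// sec.SecurityEnabled() is false. Otherwise the request must carry HTTP Basic
// credentials for a user known to the store, and the password must pass
// CheckPassword. The "root" user is then allowed on every key. Any other user
// is allowed only if at least one of their roles reports HasKeyAccess for the
// key. Requests whose method is neither GET nor HEAD are checked as writes.
func hasKeyPrefixAccess(sec *security.Store, r *http.Request, key string) bool {
	if sec == nil {
		// No store means no security available, e.g. tests.
		// NOTE(review): this branch fails open; callers outside tests
		// presumably always pass a non-nil store. Confirm at the call sites.
		return true
	}
	if !sec.SecurityEnabled() {
		return true
	}
	username, password, ok := netutil.BasicAuth(r)
	if !ok {
		return false
	}
	// username and key are logged with %q below: username comes from the
	// request's credentials and key presumably from the request as well
	// (verify against the caller), so control characters such as CR/LF are
	// escaped and cannot start a forged log line.
	user, err := sec.GetUser(username)
	if err != nil {
		// NOTE(review): an unknown user returns here before CheckPassword
		// runs. If CheckPassword is deliberately slow, the response time may
		// differ between known and unknown usernames. Confirm whether that
		// matters for this endpoint.
		log.Printf("security: No such user: %q.", username)
		return false
	}
	if !user.CheckPassword(password) {
		log.Printf("security: Incorrect password for user: %q.", username)
		return false
	}
	if user.User == "root" {
		return true
	}
	// Anything other than GET and HEAD is treated as a write.
	writeAccess := r.Method != "GET" && r.Method != "HEAD"
	for _, roleName := range user.Roles {
		role, err := sec.GetRole(roleName)
		if err != nil {
			// A role that cannot be loaded grants nothing; the remaining
			// roles are still consulted.
			continue
		}
		if role.HasKeyAccess(key, writeAccess) {
			return true
		}
	}
	log.Printf("security: Invalid access for user %q on key %q.", username, key)
	return false
}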