// Recomputes the set of roles a User has been granted access to by sync() functions. // This is part of the ChannelComputer interface defined by the Authenticator. func (context *DatabaseContext) ComputeRolesForUser(user auth.User) ([]string, error) { var vres struct { Rows []struct { Value channels.TimedSet } } opts := map[string]interface{}{"stale": false, "key": user.Name()} if verr := context.Bucket.ViewCustom("sync_gateway", "role_access", opts, &vres); verr != nil { return nil, verr } // Boil the list of TimedSets down to a simple set of role names: all := map[string]bool{} for _, row := range vres.Rows { for name, _ := range row.Value { all[name] = true } } // Then turn that set into an array to return: values := make([]string, 0, len(all)) for name, _ := range all { values = append(values, name) } return values, nil }
// updatePrincipal updates or creates a user or role from a PrincipalConfig
// structure and saves it through the database's Authenticator.
//
// newInfo.Name must be non-nil. isUser selects the user namespace (names are
// passed through internalUserName) or the role namespace. replaced reports
// whether a principal of that name already existed; when it did and
// allowReplace is false, an HTTP 409 error is returned and nothing is saved.
// Explicit channels from newInfo are added at (last sequence + 1); for users
// the email, password (if given), disabled flag and explicit role names are
// updated as well.
func updatePrincipal(dbc *db.DatabaseContext, newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
	authenticator := dbc.Authenticator()
	name := *newInfo.Name

	// Look up the existing principal; a nil result means it does not exist yet.
	var princ auth.Principal
	var user auth.User
	if isUser {
		user, err = authenticator.GetUser(internalUserName(name))
		princ = user
	} else {
		princ, err = authenticator.GetRole(name)
	}
	if err != nil {
		return false, err
	}

	replaced = princ != nil
	switch {
	case !replaced:
		// Nothing stored under this name: instantiate a fresh principal.
		if isUser {
			user, err = authenticator.NewUser(internalUserName(name), "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(name, nil)
		}
		if err != nil {
			return false, err
		}
	case !allowReplace:
		return true, base.HTTPErrorf(http.StatusConflict, "Already exists")
	}

	// Explicit channels: the requested ones are added at the next sequence.
	explicitChannels := princ.ExplicitChannels()
	if explicitChannels == nil {
		explicitChannels = ch.TimedSet{}
	}
	lastSeq, err := dbc.LastSequence()
	if err != nil {
		return replaced, err
	}
	explicitChannels.UpdateAtSequence(newInfo.ExplicitChannels, lastSeq+1)
	princ.SetExplicitChannels(explicitChannels)

	// User-only properties.
	if isUser {
		user.SetEmail(newInfo.Email)
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
		}
		user.SetDisabled(newInfo.Disabled)
		user.SetExplicitRoleNames(newInfo.ExplicitRoleNames)
	}

	// Persist the principal.
	err = authenticator.Save(princ)
	return replaced, err
}
// NewWaiterWithChannels builds a changeWaiter on the keys derived from the
// given channels (their channel-log doc IDs) plus, when user is non-nil, the
// user's own key (auth.UserKeyPrefix + name) and one key per role name
// (auth.RoleKeyPrefix + role).
func (listener *changeListener) NewWaiterWithChannels(chans base.Set, user auth.User) *changeWaiter {
	keys := make([]string, 0, 5)
	for channelName := range chans {
		keys = append(keys, channelLogDocID(channelName))
	}
	if user == nil {
		return listener.NewWaiter(keys)
	}
	keys = append(keys, auth.UserKeyPrefix+user.Name())
	for _, roleName := range user.RoleNames() {
		keys = append(keys, auth.RoleKeyPrefix+roleName)
	}
	return listener.NewWaiter(keys)
}
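// makeSession creates a login session for user (with the default TTL), sets
// the session cookie on the response scoped to this database's URL prefix,
// and responds with the session info. A nil user is answered with a generic
// HTTP 401 "Invalid login", so the caller need not distinguish an unknown
// name from a wrong password.
func (h *handler) makeSession(user auth.User) error {
	if user == nil {
		return base.HTTPErrorf(http.StatusUnauthorized, "Invalid login")
	}
	h.user = user
	// Named authenticator (not auth) so the imported auth package is not shadowed.
	authenticator := h.db.Authenticator()
	session, err := authenticator.CreateSession(user.Name(), kDefaultSessionTTL)
	if err != nil {
		return err
	}
	// NOTE(review): HttpOnly/Secure and expiry are whatever MakeSessionCookie
	// sets; only the Path is decided here — confirm those attributes there.
	cookie := authenticator.MakeSessionCookie(session)
	// Restrict the cookie to this database so it is not sent for other databases.
	cookie.Path = "/" + h.db.Name + "/"
	http.SetCookie(h.response, cookie)
	return h.respondWithSessionInfo()
}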
// Returns an HTTP 403 error if the User is not allowed to access any of the document's channels. // A nil User means access control is disabled, so the function will return nil. func AuthorizeAnyDocChannels(user *auth.User, channels ChannelMap) error { if user == nil { return nil } else if user.Channels != nil { for _, channel := range user.Channels { if channel == "*" { return nil } value, exists := channels[channel] if exists && value == nil { return nil // yup, it's in this channel } } } return user.UnauthError("You are not allowed to see this") }
// NewWaiterWithChannels builds a changeWaiter on the given channel names plus,
// when user is non-nil, the user's own key (auth.UserKeyPrefix + name) and one
// key per role (auth.RoleKeyPrefix + role). The user/role keys are also
// recorded on the waiter as userKeys; they stay nil when user is nil.
func (listener *changeListener) NewWaiterWithChannels(chans base.Set, user auth.User) *changeWaiter {
	keys := make([]string, 0, 5)
	for channelName := range chans {
		keys = append(keys, channelName)
	}
	var principalKeys []string
	if user != nil {
		principalKeys = append(principalKeys, auth.UserKeyPrefix+user.Name())
		for roleName := range user.RoleNames() {
			principalKeys = append(principalKeys, auth.RoleKeyPrefix+roleName)
		}
		keys = append(keys, principalKeys...)
	}
	w := listener.NewWaiter(keys)
	w.userKeys = principalKeys
	return w
}
// POST /_session creates a login session and sets its cookie func (h *handler) handleSessionPOST() error { var params struct { Name string `json:"name"` Password string `json:"password"` } err := h.readJSONInto(¶ms) if err != nil { return err } var user auth.User user, err = h.db.Authenticator().GetUser(params.Name) if err != nil { return err } if !user.Authenticate(params.Password) { user = nil } return h.makeSession(user) }
// POST /_session creates a login session and sets its cookie func (h *handler) handleSessionPOST() error { var params struct { Name string `json:"name"` Password string `json:"password"` } err := db.ReadJSONFromMIME(h.rq.Header, h.rq.Body, ¶ms) if err != nil { return err } var user *auth.User user, err = h.context.auth.GetUser(params.Name) if err != nil { return err } if !user.Authenticate(params.Password) { user = nil } return h.makeSession(user) }
// Recomputes the set of roles a User has been granted access to by sync() functions. // This is part of the ChannelComputer interface defined by the Authenticator. func (context *DatabaseContext) ComputeRolesForUser(user auth.User) (channels.TimedSet, error) { var vres struct { Rows []struct { Value channels.TimedSet } } opts := map[string]interface{}{"stale": false, "key": user.Name()} if verr := context.Bucket.ViewCustom("sync_gateway", "role_access", opts, &vres); verr != nil { return nil, verr } // Merge the TimedSets from the view result: var result channels.TimedSet for _, row := range vres.Rows { if result == nil { result = row.Value } else { result.Add(row.Value) } } return result, nil }
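// putUser handles PUT or POST to /username: it decodes an auth.User from the
// request body and saves it through the Authenticator.
//
// On POST the name is taken from the body's "name" property (required). On
// PUT the username from the URL is used; a body naming a different user is
// rejected. A body without "channels" is rejected in both cases.
func putUser(r http.ResponseWriter, rq *http.Request, a *auth.Authenticator, username string) error {
	body, err := ioutil.ReadAll(rq.Body)
	if err != nil {
		return err
	}
	// NOTE(review): the body is unmarshaled straight into auth.User, so every
	// JSON-visible field of that struct is caller-controlled — confirm that
	// stored credential fields are not settable this way.
	var user auth.User
	if err := json.Unmarshal(body, &user); err != nil {
		return err
	}
	if user.Channels == nil {
		return &base.HTTPError{http.StatusBadRequest, "Missing channels property"}
	}
	switch {
	case rq.Method == "POST":
		username = user.Name
		if username == "" {
			return &base.HTTPError{http.StatusBadRequest, "Missing name property"}
		}
	case user.Name == "":
		user.Name = username
	case user.Name != username:
		return &base.HTTPError{http.StatusBadRequest, "Name mismatch (can't change name)"}
	}
	// Log only the name: printing the whole struct would put whatever
	// credential material auth.User holds into the log.
	log.Printf("SaveUser: %q", user.Name) //TEMP
	return a.SaveUser(&user)
}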
// Creates a userCtx object to be passed to the sync function func makeUserCtx(user auth.User) map[string]interface{} { if user == nil { return nil } return map[string]interface{}{ "name": user.Name(), "roles": user.RoleNames(), "channels": user.InheritedChannels().AllChannels(), } }
// Returns an HTTP 403 error if the User is not allowed to access any of the document's channels. // A nil User means access control is disabled, so the function will return nil. func AuthorizeAnyDocChannels(user auth.User, channels ChannelMap) error { if user == nil { return nil } for channel, removed := range channels { if removed == nil && user.CanSeeChannel(channel) { return nil } } if user.CanSeeChannel("*") { return nil // Doc is not in any channels, but user has all-access } return user.UnauthError("You are not allowed to see this") }
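// updatePrincipal handles PUT and POST for a user or a role. It is admin-only
// (assertAdminOnly is called first).
//
// POST takes the principal's name from the body's "name" property and fails
// with 409 if the principal already exists. PUT uses name from the URL,
// rejects a body whose "name" differs, and either creates the principal
// (201) or updates it (200). Explicit channels from the body are added at
// (last sequence + 1); for users the email, password (if given), disabled
// flag and explicit role names are updated too.
func (h *handler) updatePrincipal(name string, isUser bool) error {
	h.assertAdminOnly()

	// Unmarshal the request body into a PrincipalJSON struct. A read error
	// is reported instead of being silently unmarshaled as an empty body.
	body, err := ioutil.ReadAll(h.rq.Body)
	if err != nil {
		return err
	}
	var newInfo PrincipalJSON
	if err = json.Unmarshal(body, &newInfo); err != nil {
		return err
	}

	isPost := h.rq.Method == "POST"
	if isPost {
		// On POST, take the name from the "name" property in the request body:
		if newInfo.Name == nil {
			return &base.HTTPError{http.StatusBadRequest, "Missing name property"}
		}
		name = *newInfo.Name
	} else if newInfo.Name != nil && *newInfo.Name != name {
		// On PUT, the body's name (if given) must match the URL's.
		return &base.HTTPError{http.StatusBadRequest, "Name mismatch (can't change name)"}
	}

	// Fetch the authenticator once rather than on every call below
	// (the other update functions in this file do the same).
	authenticator := h.db.Authenticator()

	// Get the existing principal, or if this is a POST make sure there isn't one:
	var princ auth.Principal
	var user auth.User
	if isUser {
		user, err = authenticator.GetUser(internalUserName(name))
		princ = user
	} else {
		princ, err = authenticator.GetRole(name)
	}
	if err != nil {
		return err
	}

	status := http.StatusOK
	if princ == nil {
		// If user/role didn't exist already, instantiate a new one:
		status = http.StatusCreated
		if isUser {
			user, err = authenticator.NewUser(internalUserName(name), "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(name, nil)
		}
		if err != nil {
			return err
		}
	} else if isPost {
		return &base.HTTPError{http.StatusConflict, "Already exists"}
	}

	// Update the Principal from the request, first the channels:
	updatedChannels := princ.ExplicitChannels()
	if updatedChannels == nil {
		updatedChannels = ch.TimedSet{}
	}
	updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, h.db.LastSequence()+1)
	princ.SetExplicitChannels(updatedChannels)

	// Then the user-specific properties:
	if isUser {
		user.SetEmail(newInfo.Email)
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
		}
		user.SetDisabled(newInfo.Disabled)
		user.SetExplicitRoleNames(newInfo.ExplicitRoleNames)
	}

	// And finally save the Principal:
	if err = authenticator.Save(princ); err != nil {
		return err
	}
	h.response.WriteHeader(status)
	return nil
}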
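// updatePrincipal updates or creates a user or role from a PrincipalConfig
// structure and saves it through the database's Authenticator.
//
// newInfo.Name must be non-nil. isUser selects the user namespace (names are
// passed through internalUserName) or the role namespace. replaced reports
// whether a principal of that name already existed; when it did and
// allowReplace is false, an HTTP 409 error is returned and nothing is saved.
// Explicit channels from newInfo are added at (last sequence + 1). For users
// the email, password (if given) and disabled flag are set, and the explicit
// role names are converted to a TimedSet: roles the user already had keep
// their existing sequence, new roles get the last sequence (or 1 if it is 0).
func updatePrincipal(dbc *db.DatabaseContext, newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
	authenticator := dbc.Authenticator()
	name := *newInfo.Name

	// Get the existing principal, or if this is a POST make sure there isn't one:
	var princ auth.Principal
	var user auth.User
	if isUser {
		user, err = authenticator.GetUser(internalUserName(name))
		princ = user
	} else {
		princ, err = authenticator.GetRole(name)
	}
	if err != nil {
		return false, err
	}

	replaced = princ != nil
	if !replaced {
		// If user/role didn't exist already, instantiate a new one:
		if isUser {
			user, err = authenticator.NewUser(internalUserName(name), "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(name, nil)
		}
		if err != nil {
			return false, err
		}
	} else if !allowReplace {
		return true, base.HTTPErrorf(http.StatusConflict, "Already exists")
	}

	// Now update the Principal object from the properties in the request, first the channels:
	updatedChannels := princ.ExplicitChannels()
	if updatedChannels == nil {
		updatedChannels = ch.TimedSet{}
	}
	lastSeq, err := dbc.LastSequence()
	if err != nil {
		return replaced, err
	}
	updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, lastSeq+1)
	princ.SetExplicitChannels(updatedChannels)

	// Then the user-specific fields like roles:
	if isUser {
		user.SetEmail(newInfo.Email)
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
		}
		user.SetDisabled(newInfo.Disabled)

		// Convert the array of role strings into a TimedSet: existing roles keep
		// their current sequence, new roles get the database's last sequence.
		// The lastSeq fetched above is reused here instead of calling
		// LastSequence() again and discarding its error.
		newRoleSeq := lastSeq
		if newRoleSeq == 0 {
			newRoleSeq = 1
		}
		newRoles := ch.TimedSet{}
		oldRoles := user.ExplicitRoles()
		for _, roleName := range newInfo.ExplicitRoleNames {
			since, found := oldRoles[roleName]
			if !found {
				since = newRoleSeq
			}
			newRoles[roleName] = since
		}
		user.SetExplicitRoles(newRoles)
	}

	// And finally save the Principal:
	err = authenticator.Save(princ)
	return replaced, err
}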
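// UpdatePrincipal updates or creates a user or role from a PrincipalConfig
// structure and saves it through the Authenticator only if something changed.
//
// newInfo.Name must be non-nil. replaced reports whether a principal of that
// name already existed; when it did and allowReplace is false, an HTTP 409
// error is returned and nothing is saved. For users, a password shorter than
// 3 bytes is rejected with HTTP 400 before any lookup. A fresh sequence number
// is allocated and assigned to the principal; explicit channels (and, for
// users, explicit roles) are updated at that sequence, and the email, password
// and disabled flag are set when they differ from the stored values.
func (dbc *DatabaseContext) UpdatePrincipal(newInfo PrincipalConfig, isUser bool, allowReplace bool) (replaced bool, err error) {
	authenticator := dbc.Authenticator()
	name := *newInfo.Name

	// Get the existing principal, or if this is a POST make sure there isn't one:
	var princ auth.Principal
	var user auth.User
	if isUser {
		// The minimum length is measured in bytes (len of the string) and is
		// the only password rule this function enforces.
		if newInfo.Password != nil && len(*newInfo.Password) < 3 {
			return false, base.HTTPErrorf(http.StatusBadRequest, "Passwords must be at least 3 characters")
		}
		user, err = authenticator.GetUser(name)
		princ = user
	} else {
		princ, err = authenticator.GetRole(name)
	}
	if err != nil {
		return false, err
	}

	changed := false
	replaced = princ != nil
	if !replaced {
		// If user/role didn't exist already, instantiate a new one:
		if isUser {
			user, err = authenticator.NewUser(name, "", nil)
			princ = user
		} else {
			princ, err = authenticator.NewRole(name, nil)
		}
		if err != nil {
			return false, err
		}
		changed = true // a brand-new principal is always saved
	} else if !allowReplace {
		return true, base.HTTPErrorf(http.StatusConflict, "Already exists")
	}

	// Update the persistent sequence number of this principal. This consumes
	// a sequence even when nothing below turns out to have changed.
	nextSeq, err := dbc.sequences.nextSequence()
	if err != nil {
		return replaced, err
	}
	princ.SetSequence(nextSeq)

	// Now update the Principal object from the properties in the request, first the channels:
	updatedChannels := princ.ExplicitChannels()
	if updatedChannels == nil {
		updatedChannels = ch.TimedSet{}
	}
	if updatedChannels.UpdateAtSequence(newInfo.ExplicitChannels, nextSeq) {
		princ.SetExplicitChannels(updatedChannels)
		changed = true
	}

	// Then the user-specific fields like roles:
	if isUser {
		if newInfo.Email != user.Email() {
			user.SetEmail(newInfo.Email)
			changed = true
		}
		if newInfo.Password != nil {
			user.SetPassword(*newInfo.Password)
			changed = true
		}
		if newInfo.Disabled != user.Disabled() {
			user.SetDisabled(newInfo.Disabled)
			changed = true
		}
		updatedRoles := user.ExplicitRoles()
		if updatedRoles == nil {
			updatedRoles = ch.TimedSet{}
		}
		if updatedRoles.UpdateAtSequence(base.SetFromArray(newInfo.ExplicitRoleNames), nextSeq) {
			user.SetExplicitRoles(updatedRoles)
			changed = true
		}
	}

	// And finally save the Principal, but only if something changed:
	if changed {
		err = authenticator.Save(princ)
	}
	return replaced, err
}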