//validateAdmin Validate the requestor is an admin in the namepace. If returns false, the caller should halt and return. True if the request should continue. TODO make this cleaner
func validateAdmin(imageSpace string, w http.ResponseWriter, r *http.Request) bool {
//validate this user has a token and is org admin
token, err := authsdk.NewJWTTokenFromRequest(r)
if err != nil {
message := fmt.Sprintf("Unable to find oAuth token %s", err)
kiln.LogError.Printf(message)
writeErrorResponse(http.StatusUnauthorized, message, w)
return false
}
kiln.LogInfo.Printf("Checking to see if user %s has admin authority for namepace %s", token.GetUsername(), imageSpace)
isAdmin, err := token.IsOrgAdmin(imageSpace)
if err != nil {
message := fmt.Sprintf("Unable to get permission token %s", err)
kiln.LogError.Printf(message)
writeErrorResponse(http.StatusForbidden, message, w)
return false
}
//if not an admin, give access denied
if !isAdmin {
kiln.LogInfo.Printf("User %s is not an admin for imageSpace %s", token.GetUsername(), imageSpace)
writeErrorResponse(http.StatusForbidden, fmt.Sprintf("You do not have admin permisison for imageSpace %s", imageSpace), w)
return false
}
kiln.LogInfo.Printf("User %s is an admin for imageSpace %s", token.GetUsername(), imageSpace)
return true
}
//getImagespaces get the imagespaces
func (server *Server) getImagespaces(w http.ResponseWriter, r *http.Request) {
//TODO, what's the security on this? Open? How can I validate they're an admin if I dont' see them, or do I filter?
imagespaces := []*Imagespace{}
imagespaceNames, err := server.imageCreator.GetImagespaces()
if err != nil {
message := fmt.Sprintf("Unable to retrieve imagespaces. %s", err)
kiln.LogError.Printf(message)
internalError(message, w)
return
}
//get our token
token, err := authsdk.NewJWTTokenFromRequest(r)
if err != nil {
message := fmt.Sprintf("Unable to find oAuth token %s", err)
kiln.LogError.Printf(message)
writeErrorResponse(http.StatusUnauthorized, message, w)
return
}
// copy everything over
for _, imagespace := range *imagespaceNames {
kiln.LogInfo.Printf("Checking to see if user %s has admin authority for namepace %s", token.GetUsername(), imagespace)
isAdmin, err := token.IsOrgAdmin(imagespace)
if err != nil {
message := fmt.Sprintf("Unable to get permission token %s", err)
kiln.LogError.Printf(message)
writeErrorResponse(http.StatusUnauthorized, message, w)
}
//if not an admin ignore this imagespace since theyr'e not allowed to see it
if !isAdmin {
continue
}
imagespaceObj := &Imagespace{
Name: imagespace,
}
imagespaces = append(imagespaces, imagespaceObj)
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(imagespaces)
}