// GetRoles implements a naive role listing for a user. All valid tokens will
// result in a single "ADMIN" role, everybody else gets "*"
func (provider *SimpleProvider) GetRoles(token string) []string {
user, _ := authn.Validate(token)
var roles []string
if user != "" {
return append(roles, "ADMIN")
}
return append(roles, "*")
}
// Reissue re-issues a new token based on an existing valid one
func Reissue(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json; charset=UTF-8")
t := r.Header.Get("Authorization")
if strings.HasPrefix(t, "Bearer ") {
user, err := authn.Validate(strings.SplitAfter(t, "Bearer ")[1])
if err != nil {
w.WriteHeader(http.StatusUnauthorized)
} else {
sendToken(w, user)
}
} else {
w.WriteHeader(http.StatusUnauthorized)
}
}
// PermissionHandler validates the permissions of a user before further handling
func PermissionHandler(inner http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var user string
var ps string
t := r.Header.Get("Authorization")
if strings.HasPrefix(t, "Bearer ") {
user, _ = authn.Validate(strings.SplitAfter(t, "Bearer ")[1])
log.Debugf("Getting user %s from %s", user, t)
} else {
user = ""
log.Debugf("Failed to get user from %s", t)
}
if GetProvider().IsAuthorized(user, r.Method, r.URL.RequestURI()) {
log.Debugf("Authorized access, serving the request")
sw := util.MakeLogger(w)
inner.ServeHTTP(sw, r)
} else {
log.Debugf("Unauthorized access, sending an error message")
for _, p := range authn.KnownProviders() {
if ps > "" {
ps = ps + "," + p
} else {
ps = p
}
}
w.Header().Set("WWW-Authenticate", "WWW-Authenticate:"+ps)
w.WriteHeader(http.StatusUnauthorized)
if err := json.NewEncoder(w).Encode(util.Error{Code: http.StatusUnauthorized, Message: "Permission denied"}); err != nil {
panic(err)
}
}
})
}
provider = "pwd"
)
s := "TEST"
util.SetupSvcLogging(&s)
BeforeEach(func() {
util.LoadConfigByPathWOExtension("test_config")
authn.InitMint()
authn.InitValidator()
})
Describe("Token roundtrip", func() {
Context("Freshly minted token", func() {
It("Fresh token should be valid", func() {
user, err := authn.Validate(authn.GetToken(user))
Expect(err).To(BeNil())
Expect(user).To(Equal(user))
})
})
Context("Authenticating the user", func() {
It("should return true, given valid username, challenge and provider", func() {
booln := authn.Authenticate(user, challenge, provider)
Expect(booln).To(BeTrue())
})
})
})
Describe("Reissuing a token", func() {
Context("Username is preserved", func() {
It("should return the username that was given to the old token", func() {