Пример #1
0
Файл: index.go Проект: elos/gaia
func IndexGET(ctx context.Context, w http.ResponseWriter, r *http.Request, db data.DB, logger services.Logger) {
	l := logger.WithPrefix("IndexGet: ")

	u, _ := user.FromContext(ctx)
	// u may be nil
	if err := indexTemplate.Execute(w, u); err != nil {
		l.Fatal(err)
	}
}
Пример #2
0
// Expects: the context to hold the authed user
func CommandWebGET(ctx context.Context, ws *websocket.Conn, logger services.Logger, db data.DB) {
	u, ok := user.FromContext(ctx)
	if !ok {
		logger.Print("CommandWebGET Error: failed to retrieve user from context")
		return
	}

	input := make(chan string)
	output := make(chan string)

	session := command.NewSession(
		u, db, input, output,
		func() {
			log.Print("CommandWebGET bail")
			close(output)
		},
	)

	go session.Start()

	go func() {
		for {
			var message string
			err := websocket.Message.Receive(ws, &message)

			if err != nil {
				if err != io.EOF {
					log.Printf("Read fail: %s", err)
				}

				close(output) // should this know about output
				return
			}

			input <- message
		}
	}()

	for o := range output {
		err := websocket.Message.Send(ws, o)

		if err != nil {
			log.Printf("Write fail: %s", err)
			return
		}
	}
}
Пример #3
0
func TestAuthenticateQueryParams(t *testing.T) {
	ctx := context.Background()
	db := mem.NewDB()
	logger := services.NewTestLogger(t)

	var userContext context.Context
	var authed bool
	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userContext, authed = routes.Authenticate(ctx, w, r, logger, db)
		if authed {
			w.WriteHeader(http.StatusOK)
		}
	}))
	defer s.Close()

	u, _, err := user.Create(db, "username", "password")
	if err != nil {
		t.Fatalf("user.Create(db, \"username\", \"password\") error: %s", err)
	}
	client := new(http.Client)

	req, err := http.NewRequest("GET", s.URL, new(bytes.Buffer))
	if err != nil {
		t.Fatalf("http.NewRequest error: %s", err)
	}
	client.Do(req)
	if got, want := authed, false; got != want {
		t.Fatalf("authed: got %t, want %t", got, want)
	}

	req, err = http.NewRequest("GET", s.URL+"?public=username&private=password", new(bytes.Buffer))
	if err != nil {
		t.Fatalf("http.NewRequest error: %s", err)
	}
	client.Do(req)
	if got, want := authed, true; got != want {
		t.Fatalf("authed: got %t, want %t")
	}
	authedU, ok := user.FromContext(userContext)
	if got, want := ok, true; got != want {
		t.Fatalf("_, ok := user.FromContext: got %t, want %t")
	}
	if got, want := data.Equivalent(authedU, u), true; got != want {
		t.Errorf("data.Equivalent(authedU, u): got %t, want %t", got, want)
	}
}
Пример #4
0
func TestAuthenticatePostForm(t *testing.T) {
	ctx := context.Background()
	db := mem.NewDB()
	logger := services.NewTestLogger(t)

	var userContext context.Context
	var authed bool
	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userContext, authed = routes.Authenticate(ctx, w, r, logger, db)
		if authed {
			w.WriteHeader(http.StatusOK)
		}
	}))
	defer s.Close()

	u, _, err := user.Create(db, "username", "password")
	if err != nil {
		t.Fatalf("user.Create(db, \"username\", \"password\") error: %s", err)
	}
	client := new(http.Client)
	client.PostForm(s.URL, url.Values{
		"public":  []string{"username"},
		"private": []string{"password"},
	})

	if got, want := authed, true; got != want {
		t.Fatalf("authed: got %t, want %t", got, want)
	}
	authedU, ok := user.FromContext(userContext)
	if got, want := ok, true; got != want {
		t.Fatalf("_, ok := user.FromContext: got %t, want %t", got, want)
	}
	if got, want := data.Equivalent(authedU, u), true; got != want {
		t.Fatal("data.Equivalent(authedU, u): got %t ,want %t", got, want)
	}
}
Пример #5
0
Файл: event.go Проект: elos/gaia
// EventPOST implements gaia's response to a POST request to the '/event/' endpoint.
//
// Assumptions: The user has been authenticated.
//
// Proceedings: Parses the url parameters.
func EventPOST(ctx context.Context, w http.ResponseWriter, r *http.Request, db data.DB, logger services.Logger) {
	l := logger.WithPrefix("EventPOST: ")

	// Parse the form
	if err := r.ParseForm(); err != nil {
		l.Printf("error parsing form: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Retrieve the tags parameter
	tagNames, ok := r.Form[tagsParam]
	if !ok {
		l.Print("no tags param")
		tagNames = []string{}
	}
	// if any tag names have commas, split those
	tagNames = flatten(mapSplit(tagNames, ","))

	// Retrieve our user
	u, ok := user.FromContext(ctx)
	if !ok {
		l.Print("failed to retrieve user from context")
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	e := new(models.Event)

	tags := make([]*models.Tag, len(tagNames))
	for i, n := range tagNames {
		t, err := tag.ForName(db, u, tag.Name(n))
		if err != nil {
			l.Printf("tag.ForName(%q) error: %s", n, err)
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
			return
		}
		tags[i] = t
	}

	defer r.Body.Close()
	if requestBody, err := ioutil.ReadAll(r.Body); err != nil {
		l.Printf("ioutil.ReadAll(r.Body) error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	} else if err := json.Unmarshal(requestBody, e); err != nil {
		l.Printf("info: request body:\n%s", string(requestBody))
		l.Printf("error: while unmarshalling request body, %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	if e.CreatedAt.IsZero() {
		e.CreatedAt = time.Now()
	}
	e.UpdatedAt = time.Now()
	e.SetOwner(u)

	for _, t := range tags {
		e.IncludeTag(t)
	}

	if allowed, err := access.CanCreate(db, u, e); err != nil {
		l.Printf("access.CanCreate(db, u, e) error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	} else if !allowed {
		l.Print("access.CanCreate(db, u, e) rejected authorization")
		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		return
	}

	if err := db.Save(u); err != nil {
		l.Printf("error saving record: %s", err)
		switch err {
		case data.ErrAccessDenial:
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		// These are all equally distressing
		case data.ErrNotFound: // TODO shouldn't a not found not be fing impossible for a Save?
			fallthrough
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
		default:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		return
	}

	// Now we shall write our response
	b, err := json.MarshalIndent(e, "", "    ")
	if err != nil {
		l.Printf("json.MarshalIndent(m, \"\", \"   \") error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusCreated)
	w.Header().Set("Content-Type", "application/json")
	w.Write(b)
}
Пример #6
0
func RecordChangesGET(ctx context.Context, ws *websocket.Conn, db data.DB, logger services.Logger) {
	l := logger.WithPrefix("RecordChangesGet: ")

	u, ok := user.FromContext(ctx)
	if !ok {
		l.Print("failed to retrieve user from context")
		return
	}

	// Get the db's changes, then filter by updates, then
	// filter by whether this user can read the record
	changes := data.Filter(db.Changes(), func(c *data.Change) bool {
		ok, err := access.CanRead(db, u, c.Record)
		if err != nil {
			l.Printf("error checking access control: %s", err)
		}
		return ok
	})

	var kind data.Kind
	if kindParam := ws.Request().Form.Get(kindParam); kindParam != "" {
		kind = data.Kind(kindParam)

		if _, ok := models.Kinds[kind]; !ok {
			l.Printf("unrecognized kind: %q", kind)
			if err := websocket.Message.Send(ws, fmt.Sprintf("The kind %q is not recognized", kind)); err != nil {
				if err != io.EOF {
					l.Printf("error sending on websocket: %s", err)
				}
			}
			return
		}

		// If a kind was specified, filter by it
		changes = data.FilterKind(changes, kind)
	}

	for {
		select {
		case change, ok := <-*changes:
			if !ok {
				l.Printf("change channel was closed")
				return
			}

			l.Printf("recieved change: %+v", change)

			changeTransport := transfer.Change(change)

			if err := websocket.JSON.Send(ws, changeTransport); err != nil {
				if err != io.EOF {
					l.Printf("error sending to socket: %s", err)
				}

				return
			}
		case <-time.After(5 * time.Second):
			l.Printf("no change in 5 seconds, but still listening")
		case <-ctx.Done():
			l.Printf("context cancelled")
			// context was cancelled
			return
		}
	}
}
Пример #7
0
// RecordQueryPOST implements gaia's response to a POST request to the '/record/query/' endpoint.
//
// Assumptions: The user has been authenticated.
//
// Proceedings:
//
// Success:
//		* StatusOK
//
// Error:
//		* InternalServerError: parsing url params,
//		* BadRequest: no kind parameter, unrecognized kind
func RecordQueryPOST(ctx context.Context, w http.ResponseWriter, r *http.Request, logger services.Logger, db data.DB) {
	l := logger.WithPrefix("RecordQueryPOST: ")

	// Parse the form
	if err := r.ParseForm(); err != nil {
		l.Printf("error parsing form: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Retrieve the kind parameter
	k := r.FormValue(kindParam)
	if k == "" {
		l.Printf("no kind parameter")
		http.Error(w, fmt.Sprintf("You must specify a %q parameter", kindParam), http.StatusBadRequest)
		return
	}
	kind := data.Kind(k)

	// Verify the kind is recognized
	if !models.Kinds[kind] {
		l.Printf("unrecognized kind %q", kind)
		http.Error(w, fmt.Sprintf("The kind %q is not recognized", kind), http.StatusBadRequest)
		return
	}

	// Retrieve the limit, batch and skip parameters
	lim := r.FormValue(limitParam)
	bat := r.FormValue(batchParam)
	ski := r.FormValue(skipParam)

	// Set up the variables to apply to the query
	var limit, batch, skip int
	if lim != "" {
		limit, _ = strconv.Atoi(lim)
	} else if bat != "" {
		batch, _ = strconv.Atoi(bat)
	} else if ski != "" {
		skip, _ = strconv.Atoi(ski)
	}

	// Read the selection attrs from the body
	var requestBody []byte
	var err error
	defer r.Body.Close()
	if requestBody, err = ioutil.ReadAll(r.Body); err != nil {
		l.Printf("error while reading request body: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// These are the selectors, unmarshal the request body into them
	attrs := make(data.AttrMap)

	// only unmarshall if there is any request body
	if len(requestBody) > 0 {
		if err = json.Unmarshal(requestBody, &attrs); err != nil {
			l.Printf("info: request body:\n%s", string(requestBody))
			l.Printf("error: while unmarshalling request body, %s", err)
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
			return
		}
	}

	// Retrieve the user we are acting on behalf
	u, ok := user.FromContext(ctx)
	if !ok {
		l.Print("failed to retrieve user from context")
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Load our actual query
	var iter data.Iterator
	if iter, err = db.Query(kind).Select(attrs).Limit(limit).Batch(batch).Skip(skip).Order(r.Form["order"]...).Execute(); err != nil {
		l.Printf("db.Query(%q).Select(%v).Limit(%d).Batch(%d).Skip(%d) error: %s", kind, attrs, limit, batch, skip, err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	fmt.Fprint(w, "[")

	first := true

	// Iterator through the results and write the response
	m := models.ModelFor(kind)
	for iter.Next(m) {
		if !first {
			fmt.Fprint(w, ",")
		}
		first = false
		if ok, err := access.CanRead(db, u, m); err != nil {
			// We've hit an error and need to bail
			l.Printf("access.CanRead error: %s", err)
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
			return
		} else if ok {
			bytes, err := json.Marshal(m)
			if err != nil {
				l.Printf("error marshalling JSON: %s", err)
				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
				return
			}
			w.Write(bytes)
		}
	}

	if err := iter.Close(); err != nil {
		l.Printf("error closing query, %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	fmt.Fprint(w, "]")
}
Пример #8
0
// RecordDelete implements gaia's response to a DELETE request to the '/record/' endpoint.
//
// Assumptions: The user has been authenticated.
//
// Proceedings: Parses the url parameters, and retrieves the kind and id parameters (both required).
// Then checks for authorization to delete, carries it out if allowed.
//
// Success:
//		* StatusNoContent indicating a succesful deletion
//
// Errors:
//		* InternalServerError: failure to parse the parameters, database connections, json marshalling
//		* BadRequest: no kind param, unrecognized kind, no id param, invalid id param
//		* NotFound: unauthorized, record actually doesn't exist
//		* Unauthorized: not authorized to delete that record, database access denial
func RecordDELETE(ctx context.Context, w http.ResponseWriter, r *http.Request, logger services.Logger, db services.DB) {
	l := logger.WithPrefix("RecordDELETE: ")

	// Parse the form
	if err := r.ParseForm(); err != nil {
		l.Printf("error parsing form: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Retrieve the kind parameter
	k := r.FormValue(kindParam)
	if k == "" {
		l.Printf("no kind specified")
		http.Error(w, fmt.Sprintf("You must specify a %q parameter", kindParam), http.StatusBadRequest)
		return
	}
	kind := data.Kind(k)

	// Retrieve the id parameter
	i := r.FormValue(idParam)
	if i == "" {
		l.Printf("no id specified")
		http.Error(w, fmt.Sprintf("You must specify a %q parameter", idParam), http.StatusBadRequest)
		return
	}

	// Verify the kind is recognized
	_, ok := models.Kinds[kind]
	if !ok {
		l.Printf("unrecognized kind: %q", kind)
		http.Error(w, fmt.Sprintf("The kind %q is not recognized", kind), http.StatusBadRequest)
		return
	}

	// Verify the id is valid
	id, err := db.ParseID(i)
	if err != nil {
		l.Printf("invalid id: %q, error: %s", i, err)
		http.Error(w, fmt.Sprintf("The id %q is invalid", i), http.StatusBadRequest)
		return
	}

	// Get the record, so that we can decide whether we have permission to delete it
	m := models.ModelFor(kind)
	m.SetID(id)
	if err = db.PopulateByID(m); err != nil {
		l.Printf("db.PopulateByID error: %s", err)
		switch err {
		case data.ErrAccessDenial:
			fallthrough // don't leak information (were we denied access, this record doesn't exist)
		case data.ErrNotFound:
			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
			fallthrough
		default:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		return
	}

	// Retrieve the user we are authenticated as
	u, ok := user.FromContext(ctx)
	if !ok {
		l.Print("faild to retrieve user from context")
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// check for authorization
	if allowed, err := access.CanDelete(db, u, m); err != nil {
		// TODO(nclandolfi) standardize this with the POST and GET where we handle the possible errors
		l.Printf("RecordDELETE Error: %s", err)
		http.Error(w, "database error", http.StatusInternalServerError)
		return
	} else if !allowed {
		// in order to not leak information, we treat this as a not found
		http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
		return
	}

	if err := db.Delete(m); err != nil {
		switch err {
		case data.ErrAccessDenial:
			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound) // don't leak information
		case data.ErrNotFound:
			// this shouldn't happen unless it was deleted by another process
			// in between when we populated the record by id, in which case it was successful
			goto successfulDelete
			// all of these errors, we can't guarantee deletion
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		default:
			l.Printf("RecordDELETE Error: %s", err)
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		return
	}

successfulDelete:
	w.WriteHeader(http.StatusNoContent)
}
Пример #9
0
// RecordPOST implements gaia's response to a POST request to the '/record/' endpoint.
//
// Assumptions: The user has been authenticated.
//
// Proceedings: Parses the url parameters, and retrieves the kind parameter (required).
// Then it checks whether the payload record's id is declared, generating one if not.
// Finally, it saves or updates the record, returning the record with corresponding status.
//
// Success:
//		* StatusOK with the record as JSON, meaning the record was _updated_
//		* StatusCreated with the record as JSON, meaning the record was _created_
//
// Errors:
//		* InternalServerError: failure to parse the parameters, database connections, json marshalling
//		* BadRequest: no kind param, unrecognized kind
//		* NotFound: unauthorized, record actually doesn't exist
//		* Unauthorized: not authorized to create/update that record, database access denial
func RecordPOST(ctx context.Context, w http.ResponseWriter, r *http.Request, logger services.Logger, db services.DB) {
	l := logger.WithPrefix("RecordPOST: ")

	// Parse the form
	if err := r.ParseForm(); err != nil {
		l.Printf("error parsing form: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	//	l.Printf("%+v", r)

	// Retrieve the kind parameter
	k := r.FormValue(kindParam)
	if k == "" {
		l.Printf("no kind specified")
		http.Error(w, fmt.Sprintf("You must specify a %q parameter", kindParam), http.StatusBadRequest)
		return
	}
	kind := data.Kind(k)

	// Verify it is a recognized kind
	if _, ok := models.Kinds[kind]; !ok {
		http.Error(w, fmt.Sprintf("The kind %q is not recognized", kind), http.StatusBadRequest)
		return
	}

	m := models.ModelFor(kind)

	var requestBody []byte
	var err error

	// Now we must read the body of the request
	defer r.Body.Close() // don't forget to close it
	if requestBody, err = ioutil.ReadAll(r.Body); err != nil {
		l.Printf("error while reading request body: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Now we unmarshal that into the record
	if err = json.Unmarshal(requestBody, m); err != nil {
		l.Printf("info: request body:\n%s", string(requestBody))
		l.Printf("error: while unmarshalling request body, %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Now we can determine whether we are creating a new record
	// or updating an existing one. We expect to be updating...
	creation := false

	// ...unless the id is empty, in which case we are creating
	if m.ID().String() == "" {
		m.SetID(db.NewID()) // Be sure to assign it an ID
		creation = true
	}

	// Retrieve our user
	u, ok := user.FromContext(ctx)
	if !ok {
		l.Print("failed to retrieve user from context")
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	var allowed bool

	// We need to check either [creation] we can create the record or [!creation]
	// we can update the record we are trying to update
	if creation {
		prop, ok := m.(access.Property)
		if !ok {
			l.Printf("tried to create record that isn't property")
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}

		allowed, err = access.CanCreate(db, u, prop)
	} else {
		allowed, err = access.CanWrite(db, u, m)
	}

	if err != nil {
		l.Printf("access.{CanCreate | CanWrite} error: %s", err)
		switch err {
		// This indicates that no, you have no access
		case data.ErrAccessDenial:
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		// All of these are bad, and considered an internal error
		case data.ErrNotFound:
			fallthrough
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
			fallthrough
		default:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		return
	} else if !allowed {
		l.Printf("access denied at create/update stage")
		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		return
	}

	// If we have made it this far, it only remains to commit the record
	if err = db.Save(m); err != nil {
		l.Printf("error saving record: %s", err)
		switch err {
		case data.ErrAccessDenial:
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		// These are all equally distressing
		case data.ErrNotFound: // TODO shouldn't a not found not be fing impossible for a Save?
			fallthrough
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
		default:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		return
	}

	// Now we shall write our response
	bytes, err := json.MarshalIndent(m, "", "    ")
	if err != nil {
		l.Printf("error marshalling model: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	if creation {
		w.WriteHeader(http.StatusCreated)
	} else {
		w.WriteHeader(http.StatusOK)
	}

	w.Header().Set("Content-Type", "application/json")
	w.Write(bytes)
}
Пример #10
0
// RecordGET implements gaia's response to a GET request to the '/record/' endpoint.
//
// Assumptions: The user has been authenticated.
//
// Proceedings: Parses the url parameters, retrieving the kind and id parameters (both required).
// Then it loads that record, checks if the user is allowed to access it, if so it returns the model as JSON.
//
// Success:
//		* StatusOK with the record as JSON
//
// Errors:
//		* InternalServerError: failure to parse the parameters, database connections, json marshalling
//		* BadRequest: no kind param, no id param, unrecognized kind, invalid id
//		* NotFound: unauthorized, record actually doesn't exist
func RecordGET(ctx context.Context, w http.ResponseWriter, r *http.Request, logger services.Logger, db services.DB) {
	l := logger.WithPrefix("RecordGet: ")

	// Parse the form value
	if err := r.ParseForm(); err != nil {
		l.Printf("error parsing form: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Secure the kind parameter's existence, and superficial validity (i.e., non-empty)
	k := r.FormValue(kindParam)
	if k == "" {
		l.Printf("no kind parameter")
		http.Error(w, fmt.Sprintf("You must specify a '%s' parameter", kindParam), http.StatusBadRequest)
		return
	}
	kind := data.Kind(k)

	// Secure the id parameter's existence, and superficial validity (i.e., non-empty)
	i := r.FormValue(idParam)
	if i == "" {
		l.Printf("no id parameter")
		http.Error(w, fmt.Sprintf("You must specify a '%s' parameter", idParam), http.StatusBadRequest)
		return
	}

	// Ensure the kind is recognized
	if _, ok := models.Kinds[kind]; !ok {
		l.Printf("unrecognized kind: %q", kind)
		http.Error(w, fmt.Sprintf("The kind %q is not recognized", kind), http.StatusBadRequest)
		return
	}

	// Ensure the id is valid
	id, err := db.ParseID(i)
	if err != nil {
		l.Printf("unrecognized id: %q, err: %s", i, err)
		http.Error(w, fmt.Sprintf("The id %q is invalid", i), http.StatusBadRequest)
		return
	}

	m := models.ModelFor(kind)
	m.SetID(id)

	if err := db.PopulateByID(m); err != nil {
		switch err {
		// ErrAccessDenial and ErrNotFound are "normal" courses, in the sense that they
		// may be expected in normal usage.
		case data.ErrAccessDenial:
			fallthrough // don't leak information, make it look like a 404
		case data.ErrNotFound:
			// This is, by far, the most common error case here.
			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
		// ErrNoConnection, ErrInvalidID and the under-determined errors are all non-normal cases
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
			fallthrough
		default:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		l.Printf("db.PopulateByID error: %s", err)
		return // regardless of what the error was, we are bailing
	}

	// Retrieve the user this request was authenticated as
	u, ok := user.FromContext(ctx)
	if !ok { // This is certainly an issue, and should _never_ happen
		l.Print("failed to retrieve user from context")
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Now we impose the system access control, beyond the database access control
	// TODO: limit the domain of errors CanRead returns
	if allowed, err := access.CanRead(db, u, m); err != nil {
		switch err {
		// Again, though odd, both of these are arguably expected
		case data.ErrAccessDenial:
			fallthrough // don't leak information
		case data.ErrNotFound:
			http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
		// These are not-expected
		case data.ErrNoConnection:
			fallthrough
		case data.ErrInvalidID:
			fallthrough
		default:
			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		}
		l.Printf("access.CanRead error: %s", err)
		return
	} else if !allowed {
		// If you can't read the record you are asking for,
		// it "does not exist" as far as you are concerned
		l.Print("access denied")
		http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
		return
	}

	bytes, err := json.MarshalIndent(m, "", "	")
	if err != nil {
		l.Printf("error while marshalling json %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusOK)
	w.Header().Set("Content-Type", "application/json")
	w.Write(bytes)
}
Пример #11
0
// --- TestAuthenticateSession {{{
func TestAuthenticateSession(t *testing.T) {
	ctx := context.Background()
	db := mem.NewDB()
	logger := services.NewTestLogger(t)

	var userContext context.Context
	var authed bool
	s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userContext, authed = routes.Authenticate(ctx, w, r, logger, db)
		if authed {
			w.WriteHeader(http.StatusOK)
		}
	}))
	defer s.Close()

	u, _, err := user.Create(db, "username", "password")
	if err != nil {
		t.Fatalf("user.Create(db, \"username\", \"password\") error: %s", err)
	}
	client := new(http.Client)

	req, err := http.NewRequest("GET", s.URL, new(bytes.Buffer))
	if err != nil {
		t.Fatalf("http.NewRequest error: %s", err)
	}
	req.AddCookie(&http.Cookie{
		Name:  "elos-session-token",
		Value: "garbage",
	})
	client.Do(req)

	if got, want := authed, false; got != want {
		t.Errorf("authed: got %t, want %t", got, want)
	}

	sesh := models.NewSessionForUser(u)
	sesh.SetID(db.NewID())
	if err := db.Save(sesh); err != nil {
		t.Fatalf("db.Save(sesh) error: %s", err)
	}
	req, err = http.NewRequest("GET", s.URL, new(bytes.Buffer))
	if err != nil {
		t.Fatalf("http.NewRequest error: %s", err)
	}
	req.AddCookie(&http.Cookie{
		Name:  "elos-session-token",
		Value: sesh.Token,
	})
	client.Do(req)

	if got, want := authed, true; got != want {
		t.Fatalf("authed: got %t, want %t", got, want)
	}
	authedU, ok := user.FromContext(userContext)
	if got, want := ok, true; got != want {
		t.Fatalf("_, ok := user.FromContext: got %t, want %t", got, want)
	}
	if got, want := data.Equivalent(authedU, u), true; got != want {
		t.Errorf("data.Equivalent(authedU, u): got %t, want %t", got, want)
	}
}
Пример #12
0
func MobileLocationPOST(ctx context.Context, w http.ResponseWriter, r *http.Request, l services.Logger, db data.DB) {
	// Parse the form value
	if err := r.ParseForm(); err != nil {
		l.Printf("MobileLocationPOST Error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Altitude
	alt := r.FormValue(altitudeParam)
	if alt == "" {
		http.Error(w, "You must specify an altitude", http.StatusBadRequest)
		return
	}
	altitude, err := strconv.ParseFloat(alt, 64)
	if err != nil {
		http.Error(w, "Parsing altitude", http.StatusBadRequest)
		return
	}

	// Latitude
	lat := r.FormValue(latitudeParam)
	if lat == "" {
		http.Error(w, "You must specify a latitude", http.StatusBadRequest)
		return
	}
	latitude, err := strconv.ParseFloat(lat, 64)
	if err != nil {
		http.Error(w, "Parsing latitude", http.StatusBadRequest)
		return
	}

	// Longitude
	lon := r.FormValue(longitudeParam)
	if lon == "" {
		http.Error(w, "You must specify an longitude", http.StatusBadRequest)
		return
	}
	longitude, err := strconv.ParseFloat(lon, 64)
	if err != nil {
		http.Error(w, "Parsing longitude", http.StatusBadRequest)
		return
	}

	// Retrieve the user this request was authenticated as
	u, ok := user.FromContext(ctx)
	if !ok { // This is certainly an issue, and should _never_ happen
		l.Print("MobileLocationPOST Error: failed to retrieve user from context")
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	// Create location
	loc := location.NewCoords(altitude, latitude, longitude)
	loc.SetID(db.NewID())
	loc.SetOwner(u)

	now := loc.CreatedAt

	e := models.NewEvent()
	e.CreatedAt = now
	e.SetID(db.NewID())
	e.SetOwner(u)
	e.Name = "Location Update"
	e.SetLocation(loc)
	e.Time = now
	e.UpdatedAt = now

	locationTag, err1 := tag.ForName(db, u, tag.Location)
	updateTag, err2 := tag.ForName(db, u, tag.Update)
	mobileTag, err3 := tag.ForName(db, u, tag.Mobile)
	if err1 != nil || err2 != nil || err3 != nil {
		l.Printf("MobileLocationPOST Error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	e.IncludeTag(locationTag)
	e.IncludeTag(updateTag)
	e.IncludeTag(mobileTag)

	if err = db.Save(loc); err != nil {
		l.Printf("MobileLocationPOST Error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	if err = db.Save(e); err != nil {
		l.Printf("MobileLocationPOST Error: %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	bytes, err := json.MarshalIndent(e, "", "	")
	if err != nil {
		l.Printf("MobileLocationPOST Error: while marshalling json %s", err)
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusCreated)
	w.Header().Set("Content-Type", "application/json")
	w.Write(bytes)
}