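// validateAdmin checks that the requester carries a valid JWT and is an org
// admin for imageSpace. On any failure it writes the error response itself
// (401 when no usable token is present, 403 when the admin lookup fails or
// answers no) and returns false, so the caller must stop and return without
// writing anything further. It returns true when the request may proceed.
//
// TODO: make this cleaner.
func validateAdmin(imageSpace string, w http.ResponseWriter, r *http.Request) bool {
	// A request without a parseable token cannot be authorized at all.
	token, err := authsdk.NewJWTTokenFromRequest(r)
	if err != nil {
		message := fmt.Sprintf("Unable to find oAuth token %s", err)
		// "%s" keeps the error text out of the format-string position; passing
		// message directly as the format would mangle any '%' it contains.
		kiln.LogError.Printf("%s", message)
		// NOTE(review): the parser's error text is echoed to the client;
		// confirm it cannot carry anything an unauthenticated caller should not see.
		writeErrorResponse(http.StatusUnauthorized, message, w)
		return false
	}

	username := token.GetUsername()
	kiln.LogInfo.Printf("Checking to see if user %s has admin authority for namepace %s", username, imageSpace)

	isAdmin, err := token.IsOrgAdmin(imageSpace)
	if err != nil {
		message := fmt.Sprintf("Unable to get permission token %s", err)
		kiln.LogError.Printf("%s", message)
		writeErrorResponse(http.StatusForbidden, message, w)
		return false
	}

	// A valid token that is not an admin for this space is denied rather than
	// unauthenticated, hence 403 and not 401.
	if !isAdmin {
		kiln.LogInfo.Printf("User %s is not an admin for imageSpace %s", username, imageSpace)
		writeErrorResponse(http.StatusForbidden, fmt.Sprintf("You do not have admin permisison for imageSpace %s", imageSpace), w)
		return false
	}

	kiln.LogInfo.Printf("User %s is an admin for imageSpace %s", username, imageSpace)
	return true
}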
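// getImagespaces lists the imagespaces the requester is an org admin for and
// writes them as a JSON array. Spaces the caller is not an admin of are
// filtered out rather than reported, so the response never names them.
//
// It answers 401 when no usable token is present, reports a backend listing
// failure through internalError, and answers 401 when a permission lookup
// fails. On every error path the handler returns without writing a body.
func (server *Server) getImagespaces(w http.ResponseWriter, r *http.Request) {
	// Authenticate before touching the backend so an unauthenticated caller
	// neither costs a listing call nor learns whether the backend is healthy.
	token, err := authsdk.NewJWTTokenFromRequest(r)
	if err != nil {
		message := fmt.Sprintf("Unable to find oAuth token %s", err)
		// "%s" keeps the error text out of the format-string position.
		kiln.LogError.Printf("%s", message)
		writeErrorResponse(http.StatusUnauthorized, message, w)
		return
	}
	username := token.GetUsername()

	imagespaceNames, err := server.imageCreator.GetImagespaces()
	if err != nil {
		message := fmt.Sprintf("Unable to retrieve imagespaces. %s", err)
		kiln.LogError.Printf("%s", message)
		internalError(message, w)
		return
	}

	// Non-nil so an empty result encodes as [] rather than null.
	imagespaces := []*Imagespace{}
	// Guard the dereference: a nil pointer alongside a nil error would panic.
	if imagespaceNames != nil {
		for _, imagespace := range *imagespaceNames {
			kiln.LogInfo.Printf("Checking to see if user %s has admin authority for namepace %s", username, imagespace)
			isAdmin, err := token.IsOrgAdmin(imagespace)
			if err != nil {
				message := fmt.Sprintf("Unable to get permission token %s", err)
				kiln.LogError.Printf("%s", message)
				writeErrorResponse(http.StatusUnauthorized, message, w)
				// Stop here: continuing would append the JSON body to an
				// already-written error response.
				return
			}
			// Non-admins do not get to see this space at all.
			if !isAdmin {
				continue
			}
			imagespaces = append(imagespaces, &Imagespace{Name: imagespace})
		}
	}

	w.Header().Set("Content-Type", "application/json")
	if err := json.NewEncoder(w).Encode(imagespaces); err != nil {
		// Headers are already sent; all that remains is to record the failure.
		kiln.LogError.Printf("Unable to encode imagespaces response %s", err)
	}
}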