[WIP]
270
auth/auth.go
270
auth/auth.go
@@ -1,7 +1,6 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"log"
|
||||
@@ -9,27 +8,20 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"git.acooldomain.co/server-manager/backend-kubernetes-go/db_handler/mongo"
|
||||
"git.acooldomain.co/server-manager/backend-kubernetes-go/dbhandler"
|
||||
"git.acooldomain.co/server-manager/backend-kubernetes-go/models"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/golang-jwt/jwt"
|
||||
"go.mongodb.org/mongo-driver/bson"
|
||||
"go.mongodb.org/mongo-driver/mongo"
|
||||
"go.mongodb.org/mongo-driver/mongo/options"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
var secret []byte
|
||||
var method string
|
||||
var DOMAIN string
|
||||
|
||||
type Connection struct {
|
||||
usersDbHandler dbhandler.UsersDBHandler
|
||||
authorizationDbHandler dbhandler.AuthorizationDbHandler
|
||||
config models.GlobalConfig
|
||||
|
||||
authMode models.AuthMode
|
||||
userAuthDbHandler *dbhandler.UserPassAuthanticationDbHandler
|
||||
OidcAuthDbHandler *dbhandler.OidcAuthenticationDbHandler
|
||||
tokenHandler dbhandler.InviteTokenDbHandler
|
||||
userAuthDbHandler dbhandler.UserPassAuthanticationDbHandler
|
||||
serverAuthDbHandler dbhandler.ServersAuthorizationDbHandler
|
||||
OidcAuthDbHandler dbhandler.OidcAuthenticationDbHandler
|
||||
}
|
||||
|
||||
type Claims struct {
|
||||
@@ -43,14 +35,8 @@ type AuthClaims struct {
|
||||
Claims
|
||||
}
|
||||
|
||||
type InviteToken struct {
|
||||
Email string `bson:"Email"`
|
||||
Permissions models.Permission `bson:"Permissions"`
|
||||
Token string `bson:"Token"`
|
||||
}
|
||||
|
||||
func signToken(token Claims) (string, error) {
|
||||
t := jwt.New(jwt.GetSigningMethod(method))
|
||||
func (con *Connection) signToken(token Claims) (string, error) {
|
||||
t := jwt.New(jwt.GetSigningMethod(con.config.Signing.Algorithm))
|
||||
|
||||
t.Claims = &AuthClaims{
|
||||
&jwt.StandardClaims{
|
||||
@@ -59,98 +45,99 @@ func signToken(token Claims) (string, error) {
|
||||
token,
|
||||
}
|
||||
|
||||
return t.SignedString(secret)
|
||||
return t.SignedString(con.config.Signing.Key)
|
||||
}
|
||||
|
||||
func AuthorizedTo(requiredPermissions models.Permission, overwriters ...func(*gin.Context) bool) gin.HandlerFunc {
|
||||
func AuthorizedTo(requiredPermissions models.Permission) gin.HandlerFunc {
|
||||
return func(ctx *gin.Context) {
|
||||
authCookie, err := ctx.Request.Cookie("auth")
|
||||
if err != nil {
|
||||
ctx.AbortWithError(403, err)
|
||||
claimsPointer, exists := ctx.Get("claims")
|
||||
if !exists {
|
||||
log.Printf("LoggedIn was not called first")
|
||||
ctx.AbortWithError(500, fmt.Errorf("Misconfigured method"))
|
||||
return
|
||||
}
|
||||
|
||||
token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
|
||||
// Don't forget to validate the alg is what you expect:
|
||||
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
|
||||
// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
|
||||
return secret, nil
|
||||
})
|
||||
if err != nil {
|
||||
ctx.AbortWithError(403, err)
|
||||
return
|
||||
}
|
||||
if claims, ok := token.Claims.(*AuthClaims); ok && token.Valid {
|
||||
ctx.Set("claims", claims)
|
||||
if (requiredPermissions&claims.Permissions != requiredPermissions) && (models.Admin&claims.Permissions != models.Admin) {
|
||||
for _, overwrite := range overwriters {
|
||||
if overwrite(ctx) {
|
||||
return
|
||||
}
|
||||
}
|
||||
ctx.AbortWithStatusJSON(403, "matching permissions were not found")
|
||||
return
|
||||
}
|
||||
} else {
|
||||
claims, ok := claimsPointer.(*AuthClaims)
|
||||
if !ok {
|
||||
ctx.AbortWithStatus(500)
|
||||
return
|
||||
}
|
||||
|
||||
if (requiredPermissions&claims.Permissions != requiredPermissions) && (models.Admin&claims.Permissions != models.Admin) {
|
||||
ctx.AbortWithStatusJSON(403, "matching permissions were not found")
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func (con *Connection) LoggedIn(ctx *gin.Context) {
|
||||
authCookie, err := ctx.Request.Cookie("auth")
|
||||
if err != nil {
|
||||
ctx.AbortWithError(403, err)
|
||||
return
|
||||
}
|
||||
|
||||
token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
|
||||
// Don't forget to validate the alg is what you expect:
|
||||
if token.Method.Alg() != con.config.Signing.Algorithm {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
|
||||
// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
|
||||
return con.config.Signing.Key, nil
|
||||
})
|
||||
if err != nil {
|
||||
ctx.AbortWithError(403, err)
|
||||
return
|
||||
}
|
||||
|
||||
if !token.Valid {
|
||||
ctx.AbortWithStatus(403)
|
||||
return
|
||||
}
|
||||
claims, ok := token.Claims.(*AuthClaims)
|
||||
if !ok {
|
||||
ctx.AbortWithStatus(500)
|
||||
return
|
||||
}
|
||||
|
||||
ctx.Set("claims", claims)
|
||||
}
|
||||
|
||||
type SignUpRequest struct {
|
||||
Token string
|
||||
Username string
|
||||
Password string
|
||||
}
|
||||
|
||||
func (con Connection) signUp(c *gin.Context) {
|
||||
func (con Connection) signUp(ctx *gin.Context) {
|
||||
var request SignUpRequest
|
||||
|
||||
err := json.NewDecoder(c.Request.Body).Decode(&request)
|
||||
err := json.NewDecoder(ctx.Request.Body).Decode(&request)
|
||||
if err != nil {
|
||||
c.AbortWithError(500, err)
|
||||
}
|
||||
|
||||
var token InviteToken
|
||||
|
||||
err = con.DatabaseConnection.Database("Backend").Collection("Tokens").FindOne(
|
||||
context.TODO(),
|
||||
bson.D{{}},
|
||||
options.FindOne(),
|
||||
).Decode(&token)
|
||||
|
||||
if err != nil {
|
||||
c.AbortWithError(500, err)
|
||||
ctx.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
|
||||
token, err := con.tokenHandler.GetInviteToken(ctx, request.Token)
|
||||
if err != nil {
|
||||
ctx.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
|
||||
if token.Token == "" {
|
||||
c.AbortWithStatusJSON(403, "PermissionDenied")
|
||||
ctx.AbortWithStatusJSON(403, "PermissionDenied")
|
||||
return
|
||||
}
|
||||
|
||||
hashedPass, err := hashPassword(request.Password)
|
||||
if err != nil {
|
||||
c.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
|
||||
_, err = con.DatabaseConnection.Database("Backend").Collection("Users").InsertOne(context.TODO(), &models.User{
|
||||
Username: request.Username,
|
||||
HashedPass: hashedPass,
|
||||
Permissions: token.Permissions,
|
||||
MaxOwnedServers: 5,
|
||||
Email: token.Email,
|
||||
}, &options.InsertOneOptions{})
|
||||
err = con.userAuthDbHandler.CreateUser(ctx, request.Username, request.Password, token.Permissions, token.Email, con.config.Users.DefaultMaxOwnedServers)
|
||||
|
||||
if err != nil {
|
||||
c.AbortWithError(500, err)
|
||||
ctx.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
|
||||
con.signIn(c)
|
||||
con.signIn(ctx)
|
||||
}
|
||||
|
||||
type SignInRequest struct {
|
||||
@@ -158,24 +145,18 @@ type SignInRequest struct {
|
||||
Password string
|
||||
}
|
||||
|
||||
func (con Connection) signIn(c *gin.Context) {
|
||||
func (con Connection) signIn(ctx *gin.Context) {
|
||||
|
||||
var request SignInRequest
|
||||
err := json.NewDecoder(c.Request.Body).Decode(&request)
|
||||
err := json.NewDecoder(ctx.Request.Body).Decode(&request)
|
||||
|
||||
if err != nil {
|
||||
c.AbortWithError(500, err)
|
||||
ctx.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
var userItem models.User
|
||||
err = con.DatabaseConnection.Database("Backend").Collection("Users").FindOne(context.TODO(), bson.D{{Key: "Username", Value: request.Username}}).Decode(&userItem)
|
||||
userItem, err := con.userAuthDbHandler.AuthenticateUser(ctx, request.Username, request.Password)
|
||||
if err != nil {
|
||||
c.AbortWithError(403, err)
|
||||
return
|
||||
}
|
||||
|
||||
if bcrypt.CompareHashAndPassword([]byte(userItem.HashedPass), []byte(request.Password)) != nil {
|
||||
c.AbortWithStatus(403)
|
||||
ctx.AbortWithError(403, err)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -184,76 +165,89 @@ func (con Connection) signIn(c *gin.Context) {
|
||||
Permissions: userItem.Permissions,
|
||||
}
|
||||
|
||||
signedToken, err := signToken(token)
|
||||
signedToken, err := con.signToken(token)
|
||||
if err != nil {
|
||||
c.AbortWithError(500, err)
|
||||
ctx.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
|
||||
c.SetCookie("auth", signedToken, int(time.Hour)*24*30, "", ".games.acooldomain.co", true, false)
|
||||
c.IndentedJSON(http.StatusOK, signedToken)
|
||||
ctx.SetCookie("auth", signedToken, int(time.Hour)*24*30, "", "."+con.config.Domain, true, false)
|
||||
ctx.IndentedJSON(http.StatusOK, signedToken)
|
||||
}
|
||||
|
||||
func (con Connection) verify(c *gin.Context) {
|
||||
authCookie, err := c.Request.Cookie("auth")
|
||||
if err != nil {
|
||||
c.Redirect(303, fmt.Sprintf("http://%s/", DOMAIN))
|
||||
func (con Connection) Verify(ctx *gin.Context) {
|
||||
claimsPointer, exists := ctx.Get("claims")
|
||||
if !exists {
|
||||
ctx.Status(403)
|
||||
return
|
||||
}
|
||||
|
||||
token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
|
||||
// Don't forget to validate the alg is what you expect:
|
||||
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
claims := claimsPointer.(*AuthClaims)
|
||||
|
||||
// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
|
||||
return secret, nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
c.AbortWithError(403, err)
|
||||
return
|
||||
}
|
||||
claims := token.Claims
|
||||
|
||||
forwarded_host := c.Request.Header.Get("x-forwarded-host")
|
||||
forwarded_host := ctx.Request.Header.Get("x-forwarded-host")
|
||||
log.Printf("Checking auth of %s", forwarded_host)
|
||||
|
||||
domainSegments := strings.Split(forwarded_host, ".")
|
||||
|
||||
serverId, service := domainSegments[0], domainSegments[1]
|
||||
c.AddParam("server_id", serverId)
|
||||
|
||||
if service == "browsers" {
|
||||
if claims.(*AuthClaims).Permissions&models.Browse == models.Browse || claims.(*AuthClaims).Permissions&models.Admin == models.Admin || con.ServerAuthorized(models.Browse)(c) {
|
||||
c.Header("X-Username", claims.(*AuthClaims).Username)
|
||||
log.Printf("Set header X-Username %s", claims.(*AuthClaims).Username)
|
||||
c.Status(200)
|
||||
switch service {
|
||||
case "browsers":
|
||||
serverPermissions, err := con.serverAuthDbHandler.GetPermissions(ctx, claims.Username, serverId)
|
||||
if err != nil {
|
||||
ctx.AbortWithError(500, err)
|
||||
return
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if service == "cloud" {
|
||||
if claims.(*AuthClaims).Permissions&models.Cloud == models.Cloud || claims.(*AuthClaims).Permissions&models.Admin == models.Admin {
|
||||
log.Printf("Set header X-Username %s", claims.(*AuthClaims).Username)
|
||||
c.Header("X-Username", claims.(*AuthClaims).Username)
|
||||
c.Status(200)
|
||||
if (claims.Permissions|serverPermissions)&models.Admin == models.Admin {
|
||||
ctx.Header("X-Username", claims.Username)
|
||||
log.Printf("Set header X-Username %s", claims.Username)
|
||||
ctx.Status(200)
|
||||
return
|
||||
}
|
||||
case "cloud":
|
||||
if claims.Permissions&models.Cloud == models.Cloud || claims.Permissions&models.Admin == models.Admin {
|
||||
log.Printf("Set header X-Username %s", claims.Username)
|
||||
ctx.Header("X-Username", claims.Username)
|
||||
ctx.Status(200)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
c.Redirect(303, fmt.Sprintf("http://%s/login", DOMAIN))
|
||||
ctx.Redirect(303, fmt.Sprintf("http://%s/login", con.config.Domain))
|
||||
}
|
||||
func LoadGroup(group *gin.RouterGroup, client *mongo.Client, config models.GlobalConfig) {
|
||||
connection := Connection{DatabaseConnection: client}
|
||||
var userAuthHandler dbhandler.UserPassAuthanticationDbHandler
|
||||
var inviteHandler dbhandler.InviteTokenDbHandler
|
||||
var serverAuthHandler dbhandler.ServersAuthorizationDbHandler
|
||||
|
||||
secret = []byte(config.Key)
|
||||
method = config.Algorithm
|
||||
DOMAIN = config.Domain
|
||||
var err error
|
||||
|
||||
if config.Authentication.UserPass.Type == models.MONGO {
|
||||
userAuthHandler, err = mongo.NewUserPassAuthHandler(*config.Authentication.UserPass.Mongo)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
if config.Authentication.UserPass.InviteTokenDatabase.Type == models.MONGO {
|
||||
inviteHandler, err = mongo.NewInviteTokenDbHandler(*config.Authentication.UserPass.Mongo)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
||||
|
||||
mailClient = *mail.NewMailClient(config.Email)
|
||||
|
||||
connection := Connection{
|
||||
userPassAuthHandler: userAuthHandler,
|
||||
tokenHandler: inviteHandler,
|
||||
mailClient: mailClient,
|
||||
config: &config,
|
||||
}
|
||||
|
||||
connection := Connection{DatabaseConnection: client}
|
||||
|
||||
group.POST("/signin", connection.signIn)
|
||||
group.POST("/signup", AuthorizedTo(models.Admin), connection.signUp)
|
||||
group.Any("/verify", connection.verify)
|
||||
group.Any("/verify", connection.Verify)
|
||||
}
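Review bot: The route wiring in LoadGroup does not install the new `LoggedIn` middleware ahead of the handlers that now depend on it: `AuthorizedTo` and `Verify` both read `ctx.Get("claims")`, which only `LoggedIn` sets, so as registered `/signup` will always hit the 500 "Misconfigured method" branch and `/verify` will always answer 403. The registrations should become `group.POST("/signup", connection.LoggedIn, AuthorizedTo(models.Admin), connection.signUp)` and `group.Any("/verify", connection.LoggedIn, connection.Verify)`; `serverAuthHandler` is also declared but never assigned before the `Connection` literal, so `Verify`'s `GetPermissions` call would run against a zero-value handler. In `Verify`'s `"browsers"` case the condition `(claims.Permissions|serverPermissions)&models.Admin == models.Admin` drops the `models.Browse` grant the old code honoured, so non-admin users with Browse rights (global or per-server) are now redirected to login — if that was not intended, `if p := claims.Permissions | serverPermissions; p&models.Browse == models.Browse || p&models.Admin == models.Admin {` restores it. The unchecked assertion `claims := claimsPointer.(*AuthClaims)` should use the two-value form as `AuthorizedTo` does, and `signIn` re-decodes `ctx.Request.Body` after `signUp` has already consumed it, which looks pre-existing but still applies on the new side.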
|
||||
|