Improve websocket RPC API

This commit is contained in:
Tobie Morgan Hitchcock 2017-02-22 01:42:45 +00:00
parent 49b9b1ead2
commit e5a98d4c0c
2 changed files with 228 additions and 163 deletions

View file

@ -43,16 +43,18 @@ func cidr(ip net.IP, networks []*net.IPNet) bool {
} }
func auth() fibre.MiddlewareFunc { func auth() fibre.MiddlewareFunc {
user := []byte(cnf.Settings.Auth.User)
pass := []byte(cnf.Settings.Auth.Pass)
return func(h fibre.HandlerFunc) fibre.HandlerFunc { return func(h fibre.HandlerFunc) fibre.HandlerFunc {
return func(c *fibre.Context) (err error) { return func(c *fibre.Context) (err error) {
auth := &cnf.Auth{} auth := &cnf.Auth{}
c.Set("auth", auth) c.Set("auth", auth)
// Ensure that the authentication data
// object is initiated at the beginning
// so it is present when serialized.
auth.Data = make(map[string]interface{})
// Start off with an authentication level // Start off with an authentication level
// which prevents running any sql queries, // which prevents running any sql queries,
// and denies access to all data. // and denies access to all data.
@ -114,9 +116,12 @@ func auth() fibre.MiddlewareFunc {
// which might contain authn information. // which might contain authn information.
if len(head) == 0 { if len(head) == 0 {
for _, val := range websocket.Subprotocols(c.Request().Request) { for _, prot := range websocket.Subprotocols(c.Request().Request) {
if len(val) > 7 && val[0:7] == "bearer-" { if len(prot) > 7 && prot[0:7] == "bearer-" {
head = "Bearer " + val[7:] head = "Bearer " + prot[7:]
return checkBearer(c, prot[7:], func() error {
return h(c)
})
} }
} }
} }
@ -126,8 +131,52 @@ func auth() fibre.MiddlewareFunc {
// process this as root authentication. // process this as root authentication.
if len(head) > 0 && head[:5] == "Basic" { if len(head) > 0 && head[:5] == "Basic" {
return checkMaster(c, head[6:], func() error {
return h(c)
})
}
base, err := base64.StdEncoding.DecodeString(head[6:]) // Check whether the Authorization header
// is a Bearer Auth header, and if it is then
// process this as default authentication.
if len(head) > 0 && head[:6] == "Bearer" {
return checkBearer(c, head[6:], func() error {
return h(c)
})
}
return h(c)
}
}
}
func checkRoot(c *fibre.Context, user, pass string, callback func() error) (err error) {
auth := c.Get("auth").(*cnf.Auth)
if cidr(c.IP(), cnf.Settings.Auth.Nets) {
if user == cnf.Settings.Auth.User && pass == cnf.Settings.Auth.Pass {
auth.Kind = sql.AuthKV
auth.Possible.NS = "*"
auth.Possible.DB = "*"
}
}
return callback()
}
func checkMaster(c *fibre.Context, info string, callback func() error) (err error) {
auth := c.Get("auth").(*cnf.Auth)
user := []byte(cnf.Settings.Auth.User)
pass := []byte(cnf.Settings.Auth.Pass)
base, err := base64.StdEncoding.DecodeString(info)
if err == nil && cidr(c.IP(), cnf.Settings.Auth.Nets) { if err == nil && cidr(c.IP(), cnf.Settings.Auth.Nets) {
@ -137,18 +186,17 @@ func auth() fibre.MiddlewareFunc {
auth.Kind = sql.AuthKV auth.Kind = sql.AuthKV
auth.Possible.NS = "*" auth.Possible.NS = "*"
auth.Possible.DB = "*" auth.Possible.DB = "*"
return h(c)
} }
} }
return callback()
} }
// Check whether the Authorization header func checkBearer(c *fibre.Context, info string, callback func() error) (err error) {
// is a Bearer Auth header, and if it is then
// process this as default authentication.
if len(head) > 0 && head[:6] == "Bearer" { auth := c.Get("auth").(*cnf.Auth)
var txn kvs.TX var txn kvs.TX
var vars jwt.MapClaims var vars jwt.MapClaims
@ -167,7 +215,7 @@ func auth() fibre.MiddlewareFunc {
// Parse the specified JWT Token. // Parse the specified JWT Token.
token, err := jwt.Parse(head[7:], func(token *jwt.Token) (interface{}, error) { token, err := jwt.Parse(info, func(token *jwt.Token) (interface{}, error) {
vars = token.Claims.(jwt.MapClaims) vars = token.Claims.(jwt.MapClaims)
@ -195,7 +243,7 @@ func auth() fibre.MiddlewareFunc {
scp, err := mem.New(txn).GetSC(nsv, dbv, scv) scp, err := mem.New(txn).GetSC(nsv, dbv, scv)
if err != nil { if err != nil {
fmt.Errorf("Credentials failed") return nil, fmt.Errorf("Credentials failed")
} }
auth.Data["scope"] = scp.Name auth.Data["scope"] = scp.Name
@ -203,7 +251,7 @@ func auth() fibre.MiddlewareFunc {
if tkv != "default" { if tkv != "default" {
key, err := mem.New(txn).GetST(nsv, dbv, scv, tkv) key, err := mem.New(txn).GetST(nsv, dbv, scv, tkv)
if err != nil { if err != nil {
fmt.Errorf("Credentials failed") return nil, fmt.Errorf("Credentials failed")
} }
if token.Header["alg"] != key.Type { if token.Header["alg"] != key.Type {
return nil, fmt.Errorf("Unexpected signing method") return nil, fmt.Errorf("Unexpected signing method")
@ -220,7 +268,7 @@ func auth() fibre.MiddlewareFunc {
if tkv != "default" { if tkv != "default" {
key, err := mem.New(txn).GetDT(nsv, dbv, tkv) key, err := mem.New(txn).GetDT(nsv, dbv, tkv)
if err != nil { if err != nil {
fmt.Errorf("Credentials failed") return nil, fmt.Errorf("Credentials failed")
} }
if token.Header["alg"] != key.Type { if token.Header["alg"] != key.Type {
return nil, fmt.Errorf("Unexpected signing method") return nil, fmt.Errorf("Unexpected signing method")
@ -230,7 +278,7 @@ func auth() fibre.MiddlewareFunc {
} else if uok { } else if uok {
usr, err := mem.New(txn).GetDU(nsv, dbv, usv) usr, err := mem.New(txn).GetDU(nsv, dbv, usv)
if err != nil { if err != nil {
fmt.Errorf("Credentials failed") return nil, fmt.Errorf("Credentials failed")
} }
auth.Kind = sql.AuthDB auth.Kind = sql.AuthDB
return usr.Code, nil return usr.Code, nil
@ -241,7 +289,7 @@ func auth() fibre.MiddlewareFunc {
if tkv != "default" { if tkv != "default" {
key, err := mem.New(txn).GetNT(nsv, tkv) key, err := mem.New(txn).GetNT(nsv, tkv)
if err != nil { if err != nil {
fmt.Errorf("Credentials failed") return nil, fmt.Errorf("Credentials failed")
} }
if token.Header["alg"] != key.Type { if token.Header["alg"] != key.Type {
return nil, fmt.Errorf("Unexpected signing method") return nil, fmt.Errorf("Unexpected signing method")
@ -251,7 +299,7 @@ func auth() fibre.MiddlewareFunc {
} else if uok { } else if uok {
usr, err := mem.New(txn).GetNU(nsv, usv) usr, err := mem.New(txn).GetNU(nsv, usv)
if err != nil { if err != nil {
fmt.Errorf("Credentials failed") return nil, fmt.Errorf("Credentials failed")
} }
auth.Kind = sql.AuthNS auth.Kind = sql.AuthNS
return usr.Code, nil return usr.Code, nil
@ -285,14 +333,8 @@ func auth() fibre.MiddlewareFunc {
auth.Selected.DB = dbv auth.Selected.DB = dbv
} }
return h(c)
} }
} return callback()
return h(c)
} }
}
}

View file

@ -22,7 +22,15 @@ import (
type rpc struct{} type rpc struct{}
func (r *rpc) Sql(c *fibre.Context, sql string, vars map[string]interface{}) (interface{}, error) { func (r *rpc) Info(c *fibre.Context) (interface{}, error) {
return c.Get("auth"), nil
}
func (r *rpc) Auth(c *fibre.Context, auth string) (interface{}, error) {
return nil, checkBearer(c, auth, func() error { return nil })
}
func (r *rpc) Query(c *fibre.Context, sql string, vars map[string]interface{}) (interface{}, error) {
return db.Execute(c, sql, vars) return db.Execute(c, sql, vars)
} }
@ -69,6 +77,21 @@ func (r *rpc) Update(c *fibre.Context, class string, thing interface{}, data map
} }
} }
func (r *rpc) Change(c *fibre.Context, class string, thing interface{}, data map[string]interface{}) (interface{}, error) {
switch thing.(type) {
case *fibre.RPCNull:
return db.Execute(c, "UPDATE $class MERGE $data RETURN AFTER", map[string]interface{}{
"class": sql.NewTable(class),
"data": data,
})
default:
return db.Execute(c, "UPDATE $thing MERGE $data RETURN AFTER", map[string]interface{}{
"thing": sql.NewThing(class, thing),
"data": data,
})
}
}
func (r *rpc) Modify(c *fibre.Context, class string, thing interface{}, data map[string]interface{}) (interface{}, error) { func (r *rpc) Modify(c *fibre.Context, class string, thing interface{}, data map[string]interface{}) (interface{}, error) {
switch thing.(type) { switch thing.(type) {
case *fibre.RPCNull: case *fibre.RPCNull: