Add simple authentication blueprint to extend further
This commit is contained in:
Tobie Morgan Hitchcock
parent
defe873d7d
commit
ee2f34bef0
3 changed files with 110 additions and 23 deletions
109
web/auth.go
Normal file
109
web/auth.go
Normal file
|
|
@ -0,0 +1,109 @@
|
|||
// Copyright © 2016 Abcum Ltd
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package web
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/base64"
|
||||
|
||||
"github.com/abcum/fibre"
|
||||
"github.com/abcum/surreal/cnf"
|
||||
"github.com/abcum/surreal/sql"
|
||||
)
|
||||
|
||||
func auth() fibre.MiddlewareFunc {
|
||||
return func(h fibre.HandlerFunc) fibre.HandlerFunc {
|
||||
return func(c *fibre.Context) error {
|
||||
|
||||
auth := map[string]string{"NS": "", "DB": ""}
|
||||
c.Set("auth", auth)
|
||||
|
||||
conf := map[string]string{"NS": "", "DB": ""}
|
||||
c.Set("conf", conf)
|
||||
|
||||
// ------------------------------
|
||||
// Deny authentication
|
||||
// ------------------------------
|
||||
|
||||
c.Set("kind", sql.AuthNO)
|
||||
|
||||
// ------------------------------
|
||||
// Root authentication
|
||||
// ------------------------------
|
||||
|
||||
head := c.Request().Header().Get("Authorization")
|
||||
|
||||
if head != "" && head[:5] == "Basic" {
|
||||
|
||||
base, err := base64.StdEncoding.DecodeString(head[6:])
|
||||
|
||||
if err == nil {
|
||||
|
||||
user := []byte(cnf.Settings.Auth.User)
|
||||
pass := []byte(cnf.Settings.Auth.Pass)
|
||||
cred := bytes.SplitN(base, []byte(":"), 2)
|
||||
|
||||
if len(cred) == 2 && bytes.Equal(cred[0], user) && bytes.Equal(cred[1], pass) {
|
||||
c.Set("kind", sql.AuthKV)
|
||||
auth["NS"] = "*" // Anything allowed
|
||||
conf["NS"] = "" // Must specify
|
||||
auth["DB"] = "*" // Anything allowed
|
||||
conf["DB"] = "" // Must specify
|
||||
return h(c)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// ------------------------------
|
||||
// Namespace authentication
|
||||
// ------------------------------
|
||||
|
||||
// c.Set("kind", sql.AuthNS)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "*" // Anything allowed
|
||||
// conf["DB"] = "" // Must specify
|
||||
|
||||
// ------------------------------
|
||||
// Database authentication
|
||||
// ------------------------------
|
||||
|
||||
// c.Set("kind", sql.AuthDB)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["DB"] = "SPECIFIED" // Not allowed to change
|
||||
|
||||
// ------------------------------
|
||||
// Scoped authentication
|
||||
// ------------------------------
|
||||
|
||||
// c.Set("kind", sql.AuthTB)
|
||||
// auth["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["NS"] = "SPECIFIED" // Not allowed to change
|
||||
// auth["DB"] = "SPECIFIED" // Not allowed to change
|
||||
// conf["DB"] = "SPECIFIED" // Not allowed to change
|
||||
|
||||
if c.Request().Header().Get("Upgrade") == "websocket" {
|
||||
return h(c)
|
||||
}
|
||||
|
||||
return fibre.NewHTTPError(401)
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -23,11 +23,6 @@ func conf() fibre.MiddlewareFunc {
|
|||
return func(h fibre.HandlerFunc) fibre.HandlerFunc {
|
||||
return func(c *fibre.Context) error {
|
||||
|
||||
opts := c.Fibre().Opts().(*cnf.Options)
|
||||
|
||||
c.Set("KV", opts.DB.Base)
|
||||
c.Set("NS", "*")
|
||||
c.Set("DB", "*")
|
||||
|
||||
return h(c)
|
||||
|
||||
|
|
|
|||
19
web/web.go
19
web/web.go
|
|
@ -37,6 +37,7 @@ func Setup(opts *cnf.Options) (err error) {
|
|||
// Setup middleware
|
||||
|
||||
s.Use(conf()) // Setup conf
|
||||
s.Use(auth()) // Setup auth
|
||||
s.Use(mw.Logs()) // Log requests
|
||||
s.Use(mw.Fail()) // Catch panics
|
||||
s.Use(mw.Gzip()) // Gzip responses
|
||||
|
|
@ -59,24 +60,6 @@ func Setup(opts *cnf.Options) (err error) {
|
|||
},
|
||||
}))
|
||||
|
||||
// Setup basic authentication
|
||||
|
||||
s.Use(mw.Auth(&mw.AuthOpts{
|
||||
User: []byte(opts.Auth.User),
|
||||
Pass: []byte(opts.Auth.Pass),
|
||||
}).PathIs("/import", "/export"))
|
||||
|
||||
// Setup special authentication
|
||||
|
||||
s.Use(mw.Sign(&mw.SignOpts{
|
||||
Key: []byte(opts.Auth.Token),
|
||||
Fnc: func(c *fibre.Context, h, d map[string]interface{}) error {
|
||||
c.Set("NS", d["ns"])
|
||||
c.Set("DB", d["db"])
|
||||
return nil
|
||||
},
|
||||
}).PathIs("/rpc", "/sql").PathBegsWith("/key"))
|
||||
|
||||
// Run the server
|
||||
|
||||
if len(opts.Cert.Crt) == 0 || len(opts.Cert.Key) == 0 {
|
||||
|
|
|
|||
Loading…
Reference in a new issue