286 lines
7 KiB
Go
286 lines
7 KiB
Go
// Copyright © 2016 Abcum Ltd
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package web
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"bytes"
|
|
"strings"
|
|
|
|
"encoding/base64"
|
|
|
|
"github.com/abcum/fibre"
|
|
"github.com/abcum/surreal/cnf"
|
|
"github.com/abcum/surreal/db"
|
|
"github.com/abcum/surreal/kvs"
|
|
"github.com/abcum/surreal/mem"
|
|
"github.com/abcum/surreal/sql"
|
|
"github.com/dgrijalva/jwt-go"
|
|
"github.com/gorilla/websocket"
|
|
)
|
|
|
|
func auth() fibre.MiddlewareFunc {
|
|
return func(h fibre.HandlerFunc) fibre.HandlerFunc {
|
|
return func(c *fibre.Context) (err error) {
|
|
|
|
auth := &cnf.Auth{}
|
|
c.Set("auth", auth)
|
|
|
|
// Start off with an authentication level
|
|
// which prevents running any sql queries,
|
|
// and denies access to all data.
|
|
|
|
auth.Kind = sql.AuthNO
|
|
|
|
// Set the default possible values for the
|
|
// possible and selected namespace / database
|
|
// so that they can be overridden.
|
|
|
|
auth.Possible.NS = ""
|
|
auth.Selected.NS = ""
|
|
auth.Possible.DB = ""
|
|
auth.Selected.DB = ""
|
|
|
|
// Retrieve the current domain host and
|
|
// if we are using a subdomain then set
|
|
// the NS and DB to the subdomain bits.
|
|
|
|
bits := strings.Split(c.Request().URL().Host, ".")
|
|
subs := strings.Split(bits[0], "-")
|
|
|
|
if len(subs) == 2 {
|
|
auth.Kind = sql.AuthSC
|
|
auth.Possible.NS = subs[0]
|
|
auth.Selected.NS = subs[0]
|
|
auth.Possible.DB = subs[1]
|
|
auth.Selected.DB = subs[1]
|
|
}
|
|
|
|
// If there is a namespace specified in
|
|
// the request headers, then mark it as
|
|
// the selected namespace.
|
|
|
|
if ns := c.Request().Header().Get("NS"); len(ns) != 0 {
|
|
auth.Kind = sql.AuthSC
|
|
auth.Possible.NS = ns
|
|
auth.Selected.NS = ns
|
|
}
|
|
|
|
// If there is a database specified in
|
|
// the request headers, then mark it as
|
|
// the selected database.
|
|
|
|
if db := c.Request().Header().Get("DB"); len(db) != 0 {
|
|
auth.Kind = sql.AuthSC
|
|
auth.Possible.DB = db
|
|
auth.Selected.DB = db
|
|
}
|
|
|
|
// Retrieve the HTTP Authorization header
|
|
// from the request, so that we can detect
|
|
// whether it is Basic auth or Bearer auth.
|
|
|
|
head := c.Request().Header().Get("Authorization")
|
|
|
|
// If there is no HTTP Authorization header,
|
|
// check if there are websocket subprotocols
|
|
// which might contain authn information.
|
|
|
|
if len(head) == 0 {
|
|
for _, val := range websocket.Subprotocols(c.Request().Request) {
|
|
if len(val) > 7 && val[0:7] == "bearer-" {
|
|
head = "Bearer " + val[7:]
|
|
}
|
|
}
|
|
}
|
|
|
|
// Check whether the Authorization header
|
|
// is a Basic Auth header, and if it is then
|
|
// process this as root authentication.
|
|
|
|
if len(head) > 0 && head[:5] == "Basic" {
|
|
|
|
base, err := base64.StdEncoding.DecodeString(head[6:])
|
|
|
|
if err == nil {
|
|
|
|
user := []byte(cnf.Settings.Auth.User)
|
|
pass := []byte(cnf.Settings.Auth.Pass)
|
|
cred := bytes.SplitN(base, []byte(":"), 2)
|
|
|
|
if len(cred) == 2 && bytes.Equal(cred[0], user) && bytes.Equal(cred[1], pass) {
|
|
auth.Kind = sql.AuthKV
|
|
auth.Possible.NS = "*"
|
|
auth.Possible.DB = "*"
|
|
return h(c)
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// Check whether the Authorization header
|
|
// is a Bearer Auth header, and if it is then
|
|
// process this as default authentication.
|
|
|
|
if len(head) > 0 && head[:6] == "Bearer" {
|
|
|
|
var txn kvs.TX
|
|
var vars jwt.MapClaims
|
|
var nok, dok, sok, tok, uok bool
|
|
var nsv, dbv, scv, tkv, usv string
|
|
|
|
// Start a new read transaction.
|
|
|
|
if txn, err = db.Begin(false); err != nil {
|
|
return fibre.NewHTTPError(500)
|
|
}
|
|
|
|
// Ensure the transaction closes.
|
|
|
|
defer txn.Cancel()
|
|
|
|
// Parse the specified JWT Token.
|
|
|
|
token, err := jwt.Parse(head[7:], func(token *jwt.Token) (interface{}, error) {
|
|
|
|
vars = token.Claims.(jwt.MapClaims)
|
|
|
|
if err := vars.Valid(); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if val, ok := vars["auth"].(map[string]interface{}); ok {
|
|
auth.Data = val
|
|
}
|
|
|
|
nsv, nok = vars["NS"].(string) // Namespace
|
|
dbv, dok = vars["DB"].(string) // Database
|
|
scv, sok = vars["SC"].(string) // Scope
|
|
tkv, tok = vars["TK"].(string) // Token
|
|
usv, uok = vars["US"].(string) // Login
|
|
|
|
if tkv == "default" {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fmt.Errorf("Unexpected signing method")
|
|
}
|
|
}
|
|
|
|
if nok && dok && sok && tok {
|
|
|
|
scp, err := mem.New(txn).GetSC(nsv, dbv, scv)
|
|
if err != nil {
|
|
fmt.Errorf("Credentials failed")
|
|
}
|
|
|
|
auth.Data["scope"] = scp.Name
|
|
|
|
if tkv != "default" {
|
|
key, err := mem.New(txn).GetST(nsv, dbv, scv, tkv)
|
|
if err != nil {
|
|
fmt.Errorf("Credentials failed")
|
|
}
|
|
if token.Header["alg"] != key.Type {
|
|
return nil, fmt.Errorf("Unexpected signing method")
|
|
}
|
|
auth.Kind = sql.AuthSC
|
|
return key.Code, nil
|
|
} else {
|
|
auth.Kind = sql.AuthSC
|
|
return scp.Code, nil
|
|
}
|
|
|
|
} else if nok && dok && tok {
|
|
|
|
if tkv != "default" {
|
|
key, err := mem.New(txn).GetDT(nsv, dbv, tkv)
|
|
if err != nil {
|
|
fmt.Errorf("Credentials failed")
|
|
}
|
|
if token.Header["alg"] != key.Type {
|
|
return nil, fmt.Errorf("Unexpected signing method")
|
|
}
|
|
auth.Kind = sql.AuthDB
|
|
return key.Code, nil
|
|
} else if uok {
|
|
usr, err := mem.New(txn).GetDU(nsv, dbv, usv)
|
|
if err != nil {
|
|
fmt.Errorf("Credentials failed")
|
|
}
|
|
auth.Kind = sql.AuthDB
|
|
return usr.Code, nil
|
|
}
|
|
|
|
} else if nok && tok {
|
|
|
|
if tkv != "default" {
|
|
key, err := mem.New(txn).GetNT(nsv, tkv)
|
|
if err != nil {
|
|
fmt.Errorf("Credentials failed")
|
|
}
|
|
if token.Header["alg"] != key.Type {
|
|
return nil, fmt.Errorf("Unexpected signing method")
|
|
}
|
|
auth.Kind = sql.AuthNS
|
|
return key.Code, nil
|
|
} else if uok {
|
|
usr, err := mem.New(txn).GetNU(nsv, usv)
|
|
if err != nil {
|
|
fmt.Errorf("Credentials failed")
|
|
}
|
|
auth.Kind = sql.AuthNS
|
|
return usr.Code, nil
|
|
}
|
|
|
|
}
|
|
|
|
return nil, fmt.Errorf("No available token")
|
|
|
|
})
|
|
|
|
if err == nil && token.Valid {
|
|
|
|
if auth.Kind == sql.AuthNS {
|
|
auth.Possible.NS = nsv
|
|
auth.Selected.NS = nsv
|
|
auth.Possible.DB = "*"
|
|
}
|
|
|
|
if auth.Kind == sql.AuthDB {
|
|
auth.Possible.NS = nsv
|
|
auth.Selected.NS = nsv
|
|
auth.Possible.DB = dbv
|
|
auth.Selected.DB = dbv
|
|
}
|
|
|
|
if auth.Kind == sql.AuthSC {
|
|
auth.Possible.NS = nsv
|
|
auth.Selected.NS = nsv
|
|
auth.Possible.DB = dbv
|
|
auth.Selected.DB = dbv
|
|
}
|
|
|
|
return h(c)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return h(c)
|
|
|
|
}
|
|
}
|
|
}
|