Semaphore/api/auth.go

136 lines
3.0 KiB
Go
Raw Permalink Normal View History

2016-05-24 11:55:48 +02:00
package api
2016-01-05 00:32:53 +01:00
import (
"github.com/ansible-semaphore/semaphore/api/helpers"
"github.com/ansible-semaphore/semaphore/db"
"github.com/ansible-semaphore/semaphore/util"
"github.com/gorilla/context"
log "github.com/sirupsen/logrus"
2017-02-23 00:21:49 +01:00
"net/http"
"strings"
2016-01-05 00:32:53 +01:00
"time"
)
2023-03-13 14:04:58 +01:00
func authenticationHandler(w http.ResponseWriter, r *http.Request) bool {
var userID int
authHeader := strings.ToLower(r.Header.Get("authorization"))
if len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {
token, err := helpers.Store(r).GetAPIToken(strings.Replace(authHeader, "bearer ", "", 1))
if err != nil {
if err != db.ErrNotFound {
log.Error(err)
}
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
2016-01-05 00:32:53 +01:00
userID = token.UserID
} else {
// fetch session from cookie
cookie, err := r.Cookie("semaphore")
if err != nil {
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
2016-01-05 00:32:53 +01:00
value := make(map[string]interface{})
if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
2016-01-05 00:32:53 +01:00
user, ok := value["user"]
sessionVal, okSession := value["session"]
if !ok || !okSession {
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
userID = user.(int)
sessionID := sessionVal.(int)
2016-01-05 00:32:53 +01:00
// fetch session
session, err := helpers.Store(r).GetSession(userID, sessionID)
2016-01-05 00:32:53 +01:00
if err != nil {
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
2016-01-05 00:32:53 +01:00
2023-08-27 15:00:54 +02:00
if time.Since(session.LastActive).Hours() > 7*24 {
// more than week old unused session
// destroy.
if err := helpers.Store(r).ExpireSession(userID, sessionID); err != nil {
// it is internal error, it doesn't concern the user
log.Error(err)
}
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
2016-01-05 00:32:53 +01:00
if err := helpers.Store(r).TouchSession(userID, sessionID); err != nil {
log.Error(err)
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
}
user, err := helpers.Store(r).GetUser(userID)
if err != nil {
if err != db.ErrNotFound {
// internal error
log.Error(err)
}
w.WriteHeader(http.StatusUnauthorized)
2023-03-13 14:04:58 +01:00
return false
}
context.Set(r, "user", &user)
2023-03-13 14:04:58 +01:00
return true
}
// nolint: gocyclo
func authentication(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
2023-03-13 14:04:58 +01:00
ok := authenticationHandler(w, r)
if ok {
next.ServeHTTP(w, r)
}
})
}
// nolint: gocyclo
func authenticationWithStore(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
store := helpers.Store(r)
2023-03-13 14:04:58 +01:00
var ok bool
db.StoreSession(store, r.URL.String(), func() {
2023-03-13 14:04:58 +01:00
ok = authenticationHandler(w, r)
})
2023-03-13 14:04:58 +01:00
if ok {
next.ServeHTTP(w, r)
}
})
2016-01-05 00:32:53 +01:00
}
func adminMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user := context.Get(r, "user").(*db.User)
if !user.Admin {
w.WriteHeader(http.StatusForbidden)
return
}
next.ServeHTTP(w, r)
})
}