2016-05-24 11:55:48 +02:00
|
|
|
package api
|
2016-01-05 00:32:53 +01:00
|
|
|
|
|
|
|
import (
|
2020-12-03 14:51:15 +01:00
|
|
|
"github.com/ansible-semaphore/semaphore/api/helpers"
|
|
|
|
"github.com/ansible-semaphore/semaphore/db"
|
2022-11-09 17:30:35 +01:00
|
|
|
"github.com/ansible-semaphore/semaphore/util"
|
|
|
|
"github.com/gorilla/context"
|
2024-07-08 13:15:04 +02:00
|
|
|
log "github.com/sirupsen/logrus"
|
2017-02-23 00:21:49 +01:00
|
|
|
"net/http"
|
2016-04-09 21:09:57 +02:00
|
|
|
"strings"
|
2016-01-05 00:32:53 +01:00
|
|
|
"time"
|
|
|
|
)
|
|
|
|
|
2023-03-13 14:04:58 +01:00
|
|
|
func authenticationHandler(w http.ResponseWriter, r *http.Request) bool {
|
2022-11-09 17:30:35 +01:00
|
|
|
var userID int
|
2016-04-09 21:09:57 +02:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
authHeader := strings.ToLower(r.Header.Get("authorization"))
|
2020-12-03 14:51:15 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
if len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {
|
|
|
|
token, err := helpers.Store(r).GetAPIToken(strings.Replace(authHeader, "bearer ", "", 1))
|
2019-07-09 09:21:49 +02:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
if err != nil {
|
|
|
|
if err != db.ErrNotFound {
|
|
|
|
log.Error(err)
|
2016-04-09 21:09:57 +02:00
|
|
|
}
|
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
userID = token.UserID
|
|
|
|
} else {
|
|
|
|
// fetch session from cookie
|
|
|
|
cookie, err := r.Cookie("semaphore")
|
|
|
|
if err != nil {
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
value := make(map[string]interface{})
|
|
|
|
if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
user, ok := value["user"]
|
|
|
|
sessionVal, okSession := value["session"]
|
|
|
|
if !ok || !okSession {
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
2020-12-03 14:51:15 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
userID = user.(int)
|
|
|
|
sessionID := sessionVal.(int)
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
// fetch session
|
|
|
|
session, err := helpers.Store(r).GetSession(userID, sessionID)
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
if err != nil {
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2023-08-27 15:00:54 +02:00
|
|
|
if time.Since(session.LastActive).Hours() > 7*24 {
|
2022-11-09 17:30:35 +01:00
|
|
|
// more than week old unused session
|
|
|
|
// destroy.
|
|
|
|
if err := helpers.Store(r).ExpireSession(userID, sessionID); err != nil {
|
|
|
|
// it is internal error, it doesn't concern the user
|
2020-12-03 14:51:15 +01:00
|
|
|
log.Error(err)
|
2016-04-30 14:28:47 +02:00
|
|
|
}
|
2022-11-09 17:30:35 +01:00
|
|
|
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2019-07-09 09:21:49 +02:00
|
|
|
}
|
2016-01-05 00:32:53 +01:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
if err := helpers.Store(r).TouchSession(userID, sessionID); err != nil {
|
|
|
|
log.Error(err)
|
2018-10-22 09:19:33 +02:00
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2016-04-30 14:28:47 +02:00
|
|
|
}
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
2016-04-09 21:09:57 +02:00
|
|
|
|
2022-11-09 17:30:35 +01:00
|
|
|
user, err := helpers.Store(r).GetUser(userID)
|
|
|
|
if err != nil {
|
|
|
|
if err != db.ErrNotFound {
|
|
|
|
// internal error
|
|
|
|
log.Error(err)
|
|
|
|
}
|
|
|
|
w.WriteHeader(http.StatusUnauthorized)
|
2023-03-13 14:04:58 +01:00
|
|
|
return false
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
context.Set(r, "user", &user)
|
2023-03-13 14:04:58 +01:00
|
|
|
return true
|
2022-11-09 17:30:35 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// nolint: gocyclo
|
|
|
|
func authentication(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2023-03-13 14:04:58 +01:00
|
|
|
ok := authenticationHandler(w, r)
|
|
|
|
if ok {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
2022-11-09 17:30:35 +01:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// nolint: gocyclo
|
|
|
|
func authenticationWithStore(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2022-11-09 18:04:35 +01:00
|
|
|
store := helpers.Store(r)
|
2022-11-09 17:30:35 +01:00
|
|
|
|
2023-03-13 14:04:58 +01:00
|
|
|
var ok bool
|
2023-08-26 13:16:25 +02:00
|
|
|
|
2022-11-18 23:23:30 +01:00
|
|
|
db.StoreSession(store, r.URL.String(), func() {
|
2023-03-13 14:04:58 +01:00
|
|
|
ok = authenticationHandler(w, r)
|
2022-11-18 23:23:30 +01:00
|
|
|
})
|
2019-07-09 18:14:06 +02:00
|
|
|
|
2023-03-13 14:04:58 +01:00
|
|
|
if ok {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
2019-07-09 09:21:49 +02:00
|
|
|
})
|
2016-01-05 00:32:53 +01:00
|
|
|
}
|
2024-07-08 13:15:04 +02:00
|
|
|
|
|
|
|
func adminMiddleware(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
user := context.Get(r, "user").(*db.User)
|
|
|
|
|
|
|
|
if !user.Admin {
|
|
|
|
w.WriteHeader(http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|