-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathauth.go
108 lines (87 loc) · 2.54 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
package rmsgo
import (
"context"
"net/http"
"strings"
)
type (
User interface {
Permission(name string) Level
// @todo: Root() string // get user's storage root?
// @todo: Quota() int64 ?
}
// UserReadOnly is a User with read access to any folder and document.
UserReadOnly struct{}
// UserReadWrite is a User with read and write access to any folder and document.
UserReadWrite struct{}
// UserReadPublic is a User with read permissions only to public documents.
// Public are documents whose path starts with /public/.
UserReadPublic struct{}
Level string
key int
)
const userKey key = iota
var (
LevelNone Level = ""
LevelRead Level = ":r"
LevelReadWrite Level = ":rw"
)
var _ User = (*UserReadOnly)(nil)
var _ User = (*UserReadWrite)(nil)
var _ User = (*UserReadPublic)(nil)
func (UserReadOnly) Permission(name string) Level {
return LevelRead
}
func (UserReadWrite) Permission(name string) Level {
return LevelReadWrite
}
func (UserReadPublic) Permission(name string) Level {
return LevelNone
}
func UserFromContext(ctx context.Context) (User, bool) {
u, ok := ctx.Value(userKey).(User)
return u, ok
}
func handleAuthorization(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
bearer := r.Header.Get("Authorization")
bearer = strings.TrimPrefix(bearer, "Bearer ")
user, isAuthenticated := g.authenticate(r, bearer)
if isAuthenticated {
nc := context.WithValue(r.Context(), userKey, user)
r = r.WithContext(nc)
}
// @todo: UseMiddleware option to insert a middleware after authentication
// might want to split authentication and authorization up into two
// separate middleware stages
isAuthorized := isAuthorized(r, user)
if isAuthorized {
next.ServeHTTP(w, r)
} else if isAuthenticated {
w.WriteHeader(http.StatusForbidden)
} else {
w.WriteHeader(http.StatusUnauthorized)
}
})
}
func isAuthorized(r *http.Request, user User) bool {
rname, isPublic, isFolder := parsePath(r.URL.Path)
isRequestRead := r.Method == http.MethodGet || r.Method == http.MethodHead
if user != nil {
switch user.Permission(rname) {
case LevelNone:
return isPublic && !isFolder && isRequestRead
case LevelRead:
return isRequestRead
case LevelReadWrite:
return true
}
}
return isPublic && !isFolder && isRequestRead
}
func parsePath(path string) (rname string, isPublic, isFolder bool) {
rname = strings.TrimPrefix(path, g.rroot)
isPublic = strings.HasPrefix(rname, "/public/")
isFolder = rname[len(rname)-1] == '/'
return
}