From de259ccc1c4505b1d119068f7fbd8aa3e4c7713e Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:15:18 -0700 Subject: [PATCH 1/9] created new auth middleware helpers --- controller/route_controller.go | 26 +++++++++++++++++--------- controller/user_controller.go | 9 +++++++-- 2 files changed, 24 insertions(+), 11 deletions(-) diff --git a/controller/route_controller.go b/controller/route_controller.go index 92e2d4b..521934a 100644 --- a/controller/route_controller.go +++ b/controller/route_controller.go @@ -106,23 +106,31 @@ func UnauthorizedPanicHandler() gin.HandlerFunc { } } -// RequireAll checks if all conditions are true, otherwise aborts the request -func RequireAll(c *gin.Context, conditions ...bool) { +// Require checks if a condition is true, otherwise aborts the request +func Require(c *gin.Context, condition bool) { + if !condition { + panic("Unauthorized") + } +} + +// Any checks if any condition is true, otherwise returns false +func Any(conditions ...bool) bool { for _, condition := range conditions { - if !condition { - panic("Unauthorized") + if condition { + return true } } + return false } -// RequireAny checks if any condition is true, otherwise aborts the request -func RequireAny(c *gin.Context, conditions ...bool) { +// All checks if all conditions are true, otherwise returns false +func All(conditions ...bool) bool { for _, condition := range conditions { - if condition { - return + if !condition { + return false } } - panic("Unauthorized") + return true } func RequestUserHasID(c *gin.Context, id string) bool { diff --git a/controller/user_controller.go b/controller/user_controller.go index c560df6..3f089ac 100644 --- a/controller/user_controller.go +++ b/controller/user_controller.go 
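Review bot: `All` returns true when called with zero conditions, so `Require(c, All())` passes; in an authorization helper the empty case should deny, with `if len(conditions) == 0 { return false }` as the first line of `All`, so a call site that loses its arguments in a later refactor fails closed instead of open. `Require` no longer uses its `c` parameter and depends on the `"Unauthorized"` panic being recovered by `UnauthorizedPanicHandler` (whose body ends just above this hunk), which its doc comment should state: `// Require panics with "Unauthorized" when condition is false; the panic is expected to be recovered by UnauthorizedPanicHandler, which aborts the request.` Because the helpers take already-evaluated bools rather than closures, every `RequestUserHasRole`/`RequestUserHasID` leg is computed even when `sentinel:all` already matched, which the old `if !RequestTokenHasScope` guards avoided; if those helpers hit a store, a `...func() bool` variant would restore the short-circuiting.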
@@ -16,8 +16,13 @@ func GetAllUsers(c *gin.Context) { } func GetUserByID(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "user:read")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "user:read"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) result := service.GetUserByID(c.Param("userID")) if result.ID == "" { From e7edc5f6f9ad49b4e1e16ef5e69d7fac3bc8310f Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:21:01 -0700 Subject: [PATCH 2/9] updated user endpoints --- controller/user_controller.go | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/controller/user_controller.go b/controller/user_controller.go index 3f089ac..26ad399 100644 --- a/controller/user_controller.go +++ b/controller/user_controller.go @@ -9,7 +9,13 @@ import ( ) func GetAllUsers(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "user:read"), + RequestUserHasRole(c, "d_admin"), + ), + )) result := service.GetAllUsers() c.JSON(http.StatusOK, result) @@ -33,7 +39,10 @@ func GetUserByID(c *gin.Context) { } func GetCurrentUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "user:read")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + RequestTokenHasScope(c, "user:read"), + )) user := service.GetUserByID(GetRequestUserID(c)) if user.ID == "" { 
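Review bot: The rewritten condition in `GetUserByID` lets a `sentinel:all` token read any user without the ownership or `d_admin` leg, whereas the replaced `RequireAny` pair required `(sentinel:all OR user:read) AND (own ID OR d_admin)`; this looks like a deliberate promotion of `sentinel:all` to a bypass scope, applied throughout the series, but neither the commit message nor a comment records it. If `sentinel:all` is a scope that client applications can be granted, this widens what such a token can read. Suggest a comment at the call site, `// sentinel:all bypasses ownership/role checks; other scopes are limited to self or d_admin`, and a sentence in the commit message.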
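Review bot: `GetAllUsers` gains a new access path — `user:read` together with the `d_admin` role now lists every user, where previously only `sentinel:all` could — and the commit message ("updated user endpoints") does not mention the widened grant. This is a policy change rather than a mechanical rewrite, so it deserves a comment above the check, e.g. `// admins holding user:read may enumerate all users; other callers need sentinel:all`, and its own line in the commit message.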
@@ -44,8 +53,16 @@ func GetCurrentUser(c *gin.Context) { } func CreateUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "user:write")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, All( + Any( + RequestTokenHasScope(c, "sentinel:all"), + RequestTokenHasScope(c, "user:write"), + ), + Any( + RequestUserHasID(c, c.Param("userID")), + RequestUserHasRole(c, "d_admin"), + ), + )) var user model.User if err := c.ShouldBindJSON(&user); err != nil { @@ -62,8 +79,10 @@ func CreateUser(c *gin.Context) { } func DeleteUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) - RequireAny(c, RequestUserHasRole(c, "d_admin")) + Require(c, All( + RequestTokenHasScope(c, "sentinel:all"), + RequestUserHasRole(c, "d_admin"), + )) id := c.Param("id") err := service.DeleteUser(id) From 87ac1133f4e0357eddaca094535c20c7ea53b2a5 Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:22:36 -0700 Subject: [PATCH 3/9] updated role endpoints --- controller/role_controller.go | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/controller/role_controller.go b/controller/role_controller.go index fc5dd0d..99c8bde 100644 --- a/controller/role_controller.go +++ b/controller/role_controller.go 
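Review bot: In `CreateUser` the ownership leg compares the caller against `c.Param("userID")`, but the record being written comes from the JSON body bound two lines later, so the check does not constrain which user is created; if the create route carries no `:userID` segment, `c.Param` yields `""` and the result depends on how `RequestUserHasID` treats an empty ID, which is not visible here. Either bind first and check `RequestUserHasID(c, user.ID)`, or make creation `d_admin`-only like `DeleteUser` in the next hunk. Unlike every other endpoint in this series, `sentinel:all` here does not bypass the ownership/role leg — worth a one-line comment if that is intended.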
@@ -7,16 +7,23 @@ import ( ) func GetAllRolesForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "user:read")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "user:read"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) roles := service.GetRolesForUser(c.Param("userID")) c.JSON(200, roles) } func SetRolesForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, All( + RequestTokenHasScope(c, "sentinel:all"), + RequestUserHasRole(c, "d_admin"), + )) var roles []string if err := c.ShouldBindJSON(&roles); err != nil { From 88c335f9552614f03c29845857d8ee0bfe7f6cd8 Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:30:32 -0700 Subject: [PATCH 4/9] updated oauth endpoints --- controller/oauth_controller.go | 48 ++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 14 deletions(-) diff --git a/controller/oauth_controller.go b/controller/oauth_controller.go index 46b2cb4..45f93ec 100644 --- a/controller/oauth_controller.go +++ b/controller/oauth_controller.go 
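Review bot: The `Any(sentinel:all, All(<scope>, Any(own ID, d_admin)))` expression in `GetAllRolesForUser` is repeated verbatim, with only the scope string changing, across the user, oauth, login, github and drive controllers in this series; a single helper in route_controller.go, e.g. `func RequireScopedSelfOrAdmin(c *gin.Context, scope, userID string)` wrapping that expression, would keep the policy in one place so later changes cannot drift between copies. The `SetRolesForUser` change is a real fix worth calling out in the commit message: the old check let a non-admin with `sentinel:all` assign roles to their own user ID.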
@@ -16,15 +16,26 @@ func GetValidOauthScopes(c *gin.Context) { } func GetAllClientApplications(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "applications:read"), + RequestUserHasRole(c, "d_admin"), + ), + )) apps := service.GetAllClientApplications() c.JSON(http.StatusOK, apps) } func GetClientApplicationsForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "applications:read")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "applications:read"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) userID := c.Param("userID") apps := service.GetClientApplicationsForUser(userID) 
@@ -39,29 +50,36 @@ func GetClientApplicationByID(c *gin.Context) { return } - if !RequestTokenHasScope(c, "sentinel:all") { - RequireAny(c, RequestTokenHasScope(c, "applications:read")) - RequireAny(c, RequestUserHasRole(c, "d_admin"), RequestUserHasID(c, app.UserID)) - } + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "applications:read"), + Any(RequestUserHasID(c, app.UserID), RequestUserHasRole(c, "d_admin")), + ), + )) c.JSON(http.StatusOK, app) } func CreateClientApplication(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, RequestTokenHasScope(c, "sentinel:all")) var app model.ClientApplication if err := c.ShouldBindJSON(&app); err != nil { c.JSON(http.StatusBadRequest, gin.H{"message": err.Error()}) return } + if app.ID != "" { existing := service.GetClientApplicationByID(app.ID) - RequireAny(c, RequestUserHasID(c, existing.UserID), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestUserHasID(c, existing.UserID), + RequestUserHasRole(c, "d_admin"), + )) + } else { + app.UserID = GetRequestUserID(c) } - app.UserID = GetRequestUserID(c) - created, err := service.CreateClientApplication(app) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"message": err.Error()}) @@ -78,8 +96,10 @@ func DeleteClientApplication(c *gin.Context) { return } - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) - RequireAny(c, RequestUserHasRole(c, "d_admin"), RequestUserHasID(c, app.UserID)) + Require(c, All( + RequestTokenHasScope(c, "sentinel:all"), + Any(RequestUserHasID(c, app.UserID), RequestUserHasRole(c, "d_admin")), + )) err := service.DeleteClientApplication(appID) if err != nil { @@ -90,7 +110,7 @@ func DeleteClientApplication(c *gin.Context) { } func OauthAuthorize(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, RequestTokenHasScope(c, "sentinel:all")) clientID := c.Query("client_id") if clientID == "" { 
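Review bot: In the `app.ID != ""` branch of `CreateClientApplication`, `app.UserID` is now whatever the request body carried, because the `app.UserID = GetRequestUserID(c)` assignment moved into the `else` branch; an owner updating their own application can therefore reassign it to any other user ID, and nothing checks that `existing` was found before `existing.UserID` feeds the ownership test. Preserve ownership server-side with `app.UserID = existing.UserID` after the `Require`, and return `http.StatusNotFound` when `existing.ID == ""` instead of falling through. Whether `service.CreateClientApplication` upserts on ID is not visible here, but the branch only makes sense if it does.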
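Review bot: The authorization in `DeleteClientApplication` runs after the application lookup, whose not-found response is the `return` at the top of this hunk, so a caller without `sentinel:all` receives a different answer for a nonexistent ID than for an existing one it does not own — an existence oracle on application IDs (the same ordering is in `GetClientApplicationByID` in the previous hunk). Checking the scope before the lookup closes it: `Require(c, RequestTokenHasScope(c, "sentinel:all"))` as the function's first statement, keeping the owner-or-admin check where it is. The function's opening lines are outside the hunk.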
From 0e4a1b5a02590869e966afe7be25e84f16dd8b2a Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:32:21 -0700 Subject: [PATCH 5/9] updated login endpoints --- controller/login_controller.go | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/controller/login_controller.go b/controller/login_controller.go index 5cf5fca..7018d23 100644 --- a/controller/login_controller.go +++ b/controller/login_controller.go @@ -9,15 +9,20 @@ import ( ) func GetAllLogins(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, RequestTokenHasScope(c, "sentinel:all")) logins := service.GetAllLogins() c.JSON(http.StatusOK, logins) } func GetLoginsForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "logins:read")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "logins:read"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) userID := c.Param("userID") if c.Query("count") != "" { @@ -35,7 +40,7 @@ func GetLoginsForUser(c *gin.Context) { } func GetLoginsForDestination(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, RequestTokenHasScope(c, "sentinel:all")) destination := c.Param("appID") if c.Query("count") != "" { @@ -60,10 +65,13 @@ func GetLoginByID(c *gin.Context) { return } - if !RequestTokenHasScope(c, "sentinel:all") { - RequireAny(c, RequestTokenHasScope(c, "logins:read")) - RequireAny(c, RequestUserHasRole(c, "d_admin"), RequestUserHasID(c, login.UserID)) - } + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "logins:read"), + Any(RequestUserHasID(c, login.UserID), RequestUserHasRole(c, "d_admin")), + ), + )) c.JSON(http.StatusOK, login) } 
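Review bot: `GetLoginByID` looks the login up and returns not-found (the `return` at the top of the last hunk) before the new `Require`, so a token lacking both `sentinel:all` and `logins:read` can still tell existing from nonexistent login IDs by the response. Move a scope precheck ahead of the lookup, `Require(c, Any(RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "logins:read")))`, and keep the per-record owner-or-admin check where it is. The function begins outside the hunk.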
From 06a775484f5157581782edd23103c7f078af097a Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:32:55 -0700 Subject: [PATCH 6/9] updated github endpoints --- controller/github_controller.go | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/controller/github_controller.go b/controller/github_controller.go index f4bbd6f..8822c41 100644 --- a/controller/github_controller.go +++ b/controller/github_controller.go @@ -9,8 +9,13 @@ import ( ) func GetGithubStatusForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "github:read")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "github:read"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) userID := c.Param("userID") user := service.GetUserByID(userID) @@ -27,8 +32,13 @@ func GetGithubStatusForUser(c *gin.Context) { } func AddUserToGithub(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "github:write")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "github:write"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) var input model.GithubInvite if err := c.ShouldBindJSON(&input); err != nil { From 9fdc543c4243a2ff976f1257b92a56dd52f3d462 Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:33:43 -0700 Subject: [PATCH 7/9] updated drive endpoints --- controller/drive_controller.go | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/controller/drive_controller.go b/controller/drive_controller.go index 676e141..3d61b83 100644 
--- a/controller/drive_controller.go +++ b/controller/drive_controller.go @@ -10,8 +10,13 @@ import ( ) func GetDriveStatusForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "drive:read")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "drive:read"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) userID := c.Param("userID") user := service.GetUserByID(userID) @@ -31,8 +36,13 @@ func GetDriveStatusForUser(c *gin.Context) { } func AddUserToDrive(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "drive:write")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "drive:write"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) userID := c.Param("userID") user := service.GetUserByID(userID) @@ -53,8 +63,13 @@ func AddUserToDrive(c *gin.Context) { } func RemoveUserFromDrive(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all"), RequestTokenHasScope(c, "drive:write")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, Any( + RequestTokenHasScope(c, "sentinel:all"), + All( + RequestTokenHasScope(c, "drive:write"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + ), + )) userID := c.Param("userID") user := service.GetUserByID(userID) From 6a1e4c1b0e3043f11bfb4cdfb2cfefebb404085c Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:36:45 -0700 Subject: [PATCH 8/9] updated auth endpoints --- controller/auth_controller.go | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
diff --git a/controller/auth_controller.go b/controller/auth_controller.go index 3a5017a..3a43472 100644 --- a/controller/auth_controller.go +++ b/controller/auth_controller.go @@ -15,7 +15,7 @@ func GetJWKS(c *gin.Context) { } func RegisterAccountPassword(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, RequestTokenHasScope(c, "sentinel:all")) var input model.UserAuth if err := c.ShouldBindJSON(&input); err != nil { @@ -27,7 +27,8 @@ func RegisterAccountPassword(c *gin.Context) { c.JSON(http.StatusInternalServerError, gin.H{"message": "No account with this email exists. Make sure to verify your account on the discord server first!"}) return } - RequireAny(c, RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin")) + + Require(c, Any(RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin"))) token, err := service.RegisterEmailPassword(input.Email, input.Password) if err != nil { @@ -55,7 +56,7 @@ func RegisterAccountPassword(c *gin.Context) { } func ResetAccountPassword(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) + Require(c, RequestTokenHasScope(c, "sentinel:all")) userID := c.Param("userID") user := service.GetUserByID(userID) @@ -64,7 +65,7 @@ func ResetAccountPassword(c *gin.Context) { return } - RequireAny(c, RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin")) + Require(c, Any(RequestUserHasID(c, user.ID), RequestUserHasRole(c, "d_admin"))) auth := service.GetUserAuthByID(userID) if auth.ID == "" { @@ -154,8 +155,10 @@ func LoginDiscord(c *gin.Context) { } func GetAuthForUser(c *gin.Context) { - RequireAny(c, RequestTokenHasScope(c, "sentinel:all")) - RequireAny(c, RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")) + Require(c, All( + RequestTokenHasScope(c, "sentinel:all"), + Any(RequestUserHasID(c, c.Param("userID")), RequestUserHasRole(c, "d_admin")), + )) userID := c.Param("userID") user := service.GetUserByID(userID) 
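Review bot: `RegisterAccountPassword` answers the email lookup with "No account with this email exists" before the new `Require` line in the second hunk, so any holder of a `sentinel:all` token — not only the account owner or a `d_admin` — can test whether an email address is registered. The owner check needs the looked-up user, so reordering cannot close this; respond identically for the not-found and unauthorized cases (a `http.StatusNotFound` without the confirming message), or accept the leak and document it next to the check. A missing account is also not a server error: `http.StatusInternalServerError` should be `http.StatusNotFound`. The function's remaining lines are outside the hunk.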
From 9976110e149baacca54ecad483c2d9ccea1dff57 Mon Sep 17 00:00:00 2001 From: Bharat Kathi Date: Thu, 29 Aug 2024 17:37:09 -0700 Subject: [PATCH 9/9] version bump --- config/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/config.go b/config/config.go index 853edac..1b757e5 100644 --- a/config/config.go +++ b/config/config.go @@ -5,7 +5,7 @@ import ( "os" ) -var Version = "3.3.2" +var Version = "3.4.0" var Env = os.Getenv("ENV") var Port = os.Getenv("PORT") var Prefix = os.Getenv("PREFIX")