// Copyright © 2021 The Things Network Foundation, The Things Industries B.V.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package interop
import (
"context"
"net"
"net/url"
"strings"
"go.thethings.network/lorawan-stack/v3/pkg/types"
)
// Authorizer authorizes requests handled by the interop server.
//
// It carries no state of its own: every check reads the caller's authentication
// info (Network Server or Application Server) from the request context and
// compares it with the requested target.
type Authorizer struct{}
// RequireAuthorized returns an error if the given context is authenticated as
// neither a Network Server nor an Application Server.
//
// Only the presence of the authentication info in the context is checked here;
// the target-specific checks are done by RequireAddress, RequireNetID and RequireASID.
func (a Authorizer) RequireAuthorized(ctx context.Context) error {
	isNS := ctx.Value(nsAuthInfoKey) != nil
	isAS := ctx.Value(asAuthInfoKey) != nil
	if !isNS && !isAS {
		return errUnauthenticated.New()
	}
	return nil
}
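// RequireAddress returns an error if the given address is not authorized in the context.
//
// The caller must be authenticated as a Network Server or an Application Server;
// its address patterns (authInfo.addressPatterns) are matched against the host
// part of addr. addr may be a bare host name, a host:port pair or a URL; scheme,
// port and path are dropped before matching. A pattern is a dot-separated host
// name whose first label may be "*", which matches exactly one leading label;
// every other label must be equal, compared case-sensitively. The address is
// authorized as soon as one pattern matches. Rejections carry addr as the
// "target" error attribute.
func (a Authorizer) RequireAddress(ctx context.Context, addr string) error {
	var authInfo authInfo
	if nsAuthInfo, ok := NetworkServerAuthInfoFromContext(ctx); ok {
		authInfo = nsAuthInfo
	} else if asAuthInfo, ok := ApplicationServerAuthInfoFromContext(ctx); ok {
		authInfo = asAuthInfo
	} else {
		return errUnauthenticated.New()
	}
	patterns := authInfo.addressPatterns()
	if len(patterns) == 0 {
		return errCallerNotAuthorized.WithAttributes("target", addr)
	}
	host := addressHost(addr)
	if host == "" {
		return errCallerNotAuthorized.WithAttributes("target", addr)
	}
	hostParts := strings.Split(host, ".")
	for _, pattern := range patterns {
		// A pattern that does not match (including one with a different number of
		// labels) is skipped, not treated as a rejection: any single match authorizes.
		if matchHostPattern(pattern, hostParts) {
			return nil
		}
	}
	return errCallerNotAuthorized.WithAttributes("target", addr)
}

// addressHost returns the host name of addr, which may be a bare host name, a
// host:port pair or a URL with a host. Scheme, port and path are dropped. The
// result is empty when addr is empty.
func addressHost(addr string) string {
	host := addr
	if u, err := url.Parse(addr); err == nil && u.Host != "" {
		host = u.Host
	}
	// Strip the port from the host that was extracted above, not from addr:
	// splitting addr itself would misread "scheme://host/path" as host "scheme".
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return host
}

// matchHostPattern reports whether the dot-separated host labels match pattern.
// Labels are compared one-to-one, so the label counts must be equal; a "*" as the
// first pattern label matches any single leading label.
func matchHostPattern(pattern string, hostParts []string) bool {
	patternParts := strings.Split(pattern, ".")
	if len(patternParts) != len(hostParts) {
		return false
	}
	for i, patternPart := range patternParts {
		if i == 0 && patternPart == "*" {
			continue
		}
		if patternPart != hostParts[i] {
			return false
		}
	}
	return true
}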
// RequireNetID returns an error if the given NetID is not authorized in the context.
//
// Only a caller authenticated as a Network Server can be authorized, and only for
// the NetID carried in its authentication info. Rejections carry the NetID as the
// "target" error attribute.
func (a Authorizer) RequireNetID(ctx context.Context, netID types.NetID) error {
	nsAuthInfo, ok := NetworkServerAuthInfoFromContext(ctx)
	if ok && nsAuthInfo.NetID.Equal(netID) {
		return nil
	}
	return errCallerNotAuthorized.WithAttributes("target", netID.String())
}
// RequireASID returns an error if the given AS-ID is not authorized in the context.
//
// Only a caller authenticated as an Application Server can be authorized, and only
// for the AS-ID carried in its authentication info (compared exactly). Rejections
// carry the AS-ID as the "target" error attribute.
func (a Authorizer) RequireASID(ctx context.Context, id string) error {
	asAuthInfo, ok := ApplicationServerAuthInfoFromContext(ctx)
	if ok && asAuthInfo.ASID == id {
		return nil
	}
	return errCallerNotAuthorized.WithAttributes("target", id)
}