-
Notifications
You must be signed in to change notification settings - Fork 176
/
token_authz.go
115 lines (94 loc) · 3.4 KB
/
token_authz.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
// Copyright 2020 ZUP IT SERVICOS EM TECNOLOGIA E INOVACAO SA
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package middlewares
import (
"context"
"github.com/ZupIT/horusec/development-kit/pkg/utils/hash"
"net/http"
"time"
"github.com/ZupIT/horusec/development-kit/pkg/databases/relational"
tokenRepository "github.com/ZupIT/horusec/development-kit/pkg/databases/relational/repository/token"
"github.com/ZupIT/horusec/development-kit/pkg/entities/api"
"github.com/google/uuid"
"github.com/ZupIT/horusec/development-kit/pkg/enums/errors"
httpUtil "github.com/ZupIT/horusec/development-kit/pkg/utils/http"
)
type CtxKey string
const RepositoryIDCtxKey CtxKey = "repositoryID"
const CompanyIDCtxKey CtxKey = "companyID"
type ITokenAuthz interface {
IsAuthorized(next http.Handler) http.Handler
}
type TokenAuthz struct {
repository tokenRepository.IRepository
}
func NewTokenAuthz(postgresRead relational.InterfaceRead) ITokenAuthz {
return &TokenAuthz{
repository: tokenRepository.NewTokenRepository(postgresRead, nil),
}
}
func (t *TokenAuthz) IsAuthorized(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tokenValue, err := t.getTokenHashFromAuthorizationHeader(r)
if err != nil {
httpUtil.StatusUnauthorized(w, errors.ErrorUnauthorized)
return
}
ctx, err := t.getContextAndValidateIsValidToken(tokenValue, r)
if err != nil {
t.verifyValidateTokenErrors(w, err)
return
}
next.ServeHTTP(w, r.WithContext(ctx))
})
}
func (t *TokenAuthz) verifyValidateTokenErrors(w http.ResponseWriter, err error) {
if err == errors.ErrorTokenExpired {
httpUtil.StatusUnauthorized(w, errors.ErrorTokenExpired)
return
}
httpUtil.StatusUnauthorized(w, errors.ErrorUnauthorized)
}
func (t *TokenAuthz) getTokenHashFromAuthorizationHeader(r *http.Request) (string, error) {
tokenStr := r.Header.Get("X-Horusec-Authorization")
if tokenStr == "" {
return "", errors.ErrorUnauthorized
}
return hash.GenerateSHA256(tokenStr)
}
func (t *TokenAuthz) getContextAndValidateIsValidToken(
tokenValue string, r *http.Request) (context.Context, error) {
ctx := r.Context()
token, err := t.repository.GetByValue(tokenValue)
if err != nil {
return nil, err
}
if token.RepositoryID != nil {
ctx = t.bindRepositoryIDCtx(ctx, *token.RepositoryID)
}
ctx = t.bindCompanyIDCtx(ctx, token.CompanyID)
return ctx, t.returnErrorIfTokenIsExpired(token)
}
func (t *TokenAuthz) bindRepositoryIDCtx(ctx context.Context, repositoryID uuid.UUID) context.Context {
return context.WithValue(ctx, RepositoryIDCtxKey, repositoryID)
}
func (t *TokenAuthz) bindCompanyIDCtx(ctx context.Context, companyID uuid.UUID) context.Context {
return context.WithValue(ctx, CompanyIDCtxKey, companyID)
}
func (t *TokenAuthz) returnErrorIfTokenIsExpired(token *api.Token) error {
if token.CreatedAt.AddDate(0, 3, 0).Before(time.Now()) {
return errors.ErrorTokenExpired
}
return nil
}