package security
import (
"errors"
"strconv"
"time"
"github.com/dgrijalva/jwt-go"
"github.com/javiercbk/ppv-crypto/server/models"
"github.com/labstack/echo/v4"
"github.com/labstack/echo/v4/middleware"
)
// UserNotFoundError is returned when a jwt token was not found in the request context.
// The string value of the type is the error message itself.
type UserNotFoundError string

// Error implements the error interface; the message is the underlying string.
func (e UserNotFoundError) Error() string {
	msg := string(e)
	return msg
}
// MalformedUserError is returned when a user cannot be parsed from the JWT user.
// The string value of the type is the error message itself.
type MalformedUserError string

// Error implements the error interface; the message is the underlying string.
func (e MalformedUserError) Error() string {
	msg := string(e)
	return msg
}
// permission is an access level on a resource. Only the Read and Write
// values declared below are produced by this package; any unknown access
// string is mapped to Read by parsePermission.
type permission string
// Keys under which the user is stored in the echo context and in the JWT claims.
const (
	// contextKey is the echo.Context key the JWT middleware stores the parsed *jwt.Token under.
	contextKey = "jwtUser"
	// Claim names used by JWTEncode and JWTDecode.
	userID          = "id"
	userFirstName   = "firstName"
	userLastName    = "lastName"
	userPermissions = "permissions"
	userExpiry      = "exp"
)

// Sentinel errors returned by JWTDecode.
const (
	// ErrUserNotFound is returned when a jwt token was not found in the request context.
	ErrUserNotFound UserNotFoundError = "user was not found in the request context"
	// ErrMalformedUser is returned when a user cannot be parsed from the JWT user.
	ErrMalformedUser MalformedUserError = "user data is malformed"
)

// Permission levels a user can hold on a resource.
const (
	// Read is a permission that allows the user to read a resource.
	Read permission = "read"
	// Write is a permission that allows the user to write a resource.
	Write permission = "write"
)
// PermissionMap is the user's permission map, keyed by resource name. Each
// value lists the permissions the user holds on that resource; the
// Can*ResouceMiddleware helpers treat any entry as read access and require
// a Write entry for write access.
type PermissionMap map[string][]permission
// JWTUser is the data being encoded in the JWT token.
//
// The json tags describe this struct's own JSON form. The token claims use
// the userID/userFirstName/... keys instead: JWTEncode writes the ID as a
// decimal string and derives the "exp" claim from a duration, ignoring the
// Expiry field, while JWTDecode fills Expiry from the "exp" claim.
type JWTUser struct {
	// ID is the user's numeric identifier; the middleware treats 0 as "not authenticated".
	ID        int64     `json:"id"`
	FirstName string    `json:"firstName"`
	LastName  string    `json:"lastName"`
	// Expiry is populated by JWTDecode from the token's "exp" claim.
	Expiry time.Time `json:"expiry"`
	// Permissions maps resource names to the permissions held on them.
	Permissions PermissionMap `json:"permissions"`
}
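// JWTMiddlewareFactory creates a JWTMiddleware.
//
// jwtSecret is the HMAC signing key used to verify tokens; optional controls
// what happens when the request carries no token at all: when true the
// request proceeds to the next handler without a user in the context, when
// false the underlying echo middleware's error is returned. A token that is
// present but invalid (bad signature, expired) is always rejected.
//
// The returned middleware stores the parsed *jwt.Token in the echo context
// under contextKey, where JWTDecode reads it.
//
// Note that an empty jwtSecret yields a non-nil empty key that is passed
// through unchanged; the caller is responsible for validating its config.
func JWTMiddlewareFactory(jwtSecret string, optional bool) echo.MiddlewareFunc {
	jwtMiddleware := middleware.JWTWithConfig(middleware.JWTConfig{
		SigningKey: []byte(jwtSecret),
		ContextKey: contextKey,
	})
	// jwt-go consults the package-global TimeFunc when it validates the
	// "exp" claim. The previous assignment, `jwt.TimeFunc = time.Now().UTC`,
	// was a method value bound to the single time.Time computed when this
	// factory ran, so every token was checked against the middleware's
	// creation time and an expired token was never rejected. A closure
	// re-reads the clock on each call. This is still process-global and
	// last-writer-wins, so every factory call sets the same function.
	jwt.TimeFunc = func() time.Time { return time.Now().UTC() }
	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			err := jwtMiddleware(next)(c)
			// Only a missing token is retried without authentication, and
			// only when the user is optional; every other error is surfaced.
			if optional && errors.Is(err, middleware.ErrJWTMissing) {
				return next(c)
			}
			return err
		}
	}
}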
// JWTEncode encodes a user into a jwt.MapClaims.
//
// The user's ID is stored as a decimal string and the "exp" claim is set to
// now (UTC) plus d, as a Unix timestamp; user.Expiry is not consulted, so a
// negative or zero d produces a claim set that is already expired.
func JWTEncode(user JWTUser, d time.Duration) jwt.MapClaims {
	expiresAt := time.Now().UTC().Add(d).Unix()
	return jwt.MapClaims{
		userID:          strconv.FormatInt(user.ID, 10),
		userFirstName:   user.FirstName,
		userLastName:    user.LastName,
		userPermissions: user.Permissions,
		userExpiry:      expiresAt,
	}
}
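// JWTDecode attempts to decode a user from the *jwt.Token that
// JWTMiddlewareFactory stored in the request context.
//
// It returns ErrUserNotFound when no token is present in the context and
// ErrMalformedUser when any required claim is absent or has an unexpected
// type. jwtUser is only written on success, so a caller never observes a
// partially decoded user. Each claim is checked before use; the previous
// implementation asserted the "exp" claim and the permission entries without
// a check, so a token lacking them crashed the request, and it read the
// last name from the firstName claim.
func JWTDecode(c echo.Context, jwtUser *JWTUser) error {
	token, ok := c.Get(contextKey).(*jwt.Token)
	if !ok || token == nil {
		return ErrUserNotFound
	}
	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok {
		return ErrMalformedUser
	}

	var decoded JWTUser

	idStr, ok := claims[userID].(string)
	if !ok {
		return ErrMalformedUser
	}
	id, err := strconv.ParseInt(idStr, 10, 64)
	if err != nil {
		return ErrMalformedUser
	}
	decoded.ID = id

	// JSON numbers decode into float64 in a MapClaims (unless the parser
	// was configured to use json.Number, which this package does not do),
	// so the Unix timestamp arrives as a float64.
	exp, ok := claims[userExpiry].(float64)
	if !ok {
		return ErrMalformedUser
	}
	decoded.Expiry = time.Unix(int64(exp), 0)

	if decoded.FirstName, ok = claims[userFirstName].(string); !ok {
		return ErrMalformedUser
	}
	if decoded.LastName, ok = claims[userLastName].(string); !ok {
		return ErrMalformedUser
	}

	rawPerms, ok := claims[userPermissions].(map[string]interface{})
	if !ok {
		return ErrMalformedUser
	}
	decoded.Permissions = make(PermissionMap, len(rawPerms))
	for resource, raw := range rawPerms {
		entries, ok := raw.([]interface{})
		if !ok {
			return ErrMalformedUser
		}
		perms := make([]permission, len(entries))
		for i, entry := range entries {
			access, ok := entry.(string)
			if !ok {
				return ErrMalformedUser
			}
			// Anything other than "write" is treated as read access.
			perms[i] = parsePermission(access)
		}
		decoded.Permissions[resource] = perms
	}

	*jwtUser = decoded
	return nil
}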
// CanReadResouceMiddleware returns a middleware that validates if a user can read a resource.
//
// A zero user ID is treated as "not authenticated" and yields
// echo.ErrUnauthorized; an authenticated user with no entry for resouce
// yields echo.ErrForbidden. Any entry for the resource, Read or Write,
// grants read access.
//
// NOTE(review): the decision is made against the jwtUser value captured
// when this middleware is constructed; the handler does not re-read the
// user from the request context. Confirm callers build it per request.
func CanReadResouceMiddleware(jwtUser JWTUser, resouce string) echo.MiddlewareFunc {
	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			_, hasEntry := jwtUser.Permissions[resouce]
			switch {
			case jwtUser.ID == 0:
				return echo.ErrUnauthorized
			case !hasEntry:
				return echo.ErrForbidden
			default:
				return next(c)
			}
		}
	}
}
// CanWriteResouceMiddleware returns a middleware that validates if a user can write a resource.
//
// A zero user ID is treated as "not authenticated" and yields
// echo.ErrUnauthorized. Otherwise the request proceeds only if the user's
// entry for resouce contains the Write permission; a missing entry or one
// holding only Read yields echo.ErrForbidden.
//
// NOTE(review): as with CanReadResouceMiddleware, jwtUser is the value
// captured at construction time, not read from the request context.
func CanWriteResouceMiddleware(jwtUser JWTUser, resouce string) echo.MiddlewareFunc {
	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c echo.Context) error {
			if jwtUser.ID == 0 {
				return echo.ErrUnauthorized
			}
			// A missing resource yields a nil slice, so the loop simply
			// does not run and the request is forbidden.
			for _, granted := range jwtUser.Permissions[resouce] {
				if granted == Write {
					return next(c)
				}
			}
			return echo.ErrForbidden
		}
	}
}
// ToPermissionsMap creates a PermissionMap out of a PermissionsUserSlice.
//
// Each entry's Resource becomes a key and its Access, parsed with
// parsePermission, is appended to that key's slice in input order.
// Duplicate (resource, access) pairs are kept as-is.
func ToPermissionsMap(permissions models.PermissionsUserSlice) PermissionMap {
	permMap := make(PermissionMap)
	for _, prm := range permissions {
		// append on a nil slice creates it, so no first-insert special case is needed.
		permMap[prm.Resource] = append(permMap[prm.Resource], parsePermission(prm.Access))
	}
	return permMap
}
// parsePermission maps an access string to a permission. Only the exact
// string "write" yields Write; every other value, including an empty
// string, yields Read.
func parsePermission(access string) permission {
	switch permission(access) {
	case Write:
		return Write
	default:
		return Read
	}
}