package routers
import (
"errors"
"net/http"
"strings"
"github.com/dgrijalva/jwt-go"
"github.com/mitchellh/mapstructure"
"github.com/spidernest-go/logger"
"github.com/spidernest-go/mux"
)
// jwtExtendedClaims is the subset of the access token's claims that the
// authorization checks in this file read. decodeToClaims fills it from the
// token's claim value using the `json` tags, which is why the nested claim
// objects are modelled as anonymous structs. The realm_access/resource_access
// shape matches what Keycloak-style issuers emit — presumably the issuer here.
type jwtExtendedClaims struct {
	// RealmAccess mirrors the "realm_access" claim. None of the checks in this
	// file consult RealmAccess.Roles; HasRole reads the client roles below.
	RealmAccess struct {
		Roles []string `json:"roles,omitempty"`
	} `json:"realm_access,omitempty"`
	// ResourceAccess mirrors "resource_access"; only the roles issued for the
	// "application-services" client are decoded and checked by HasRole.
	ResourceAccess struct {
		ApplicationServices struct {
			Roles []string `json:"roles,omitempty"`
		} `json:"application-services,omitempty"`
	} `json:"resource_access,omitempty"`
	// Scope is the OAuth2 scope claim (conventionally a space-separated list);
	// the board:write / board:admin permission checks are derived from it.
	Scope string `json:"scope"`
	PreferredUsername string `json:"preferred_username,omitempty"`
	// Audience is decoded as a single string. NOTE(review): if the issuer emits
	// "aud" as a JSON array, decoding is expected to fail and every check in
	// this file then fails closed — confirm against the issuer's token format.
	Audience string `json:"aud,omitempty"`
	// Registered time claims (exp/iat/nbf). NOTE(review): nothing in this file
	// re-validates them; that is presumably done by the middleware that stores
	// the *jwt.Token under the "user" context key — confirm.
	ExpiresAt int64 `json:"exp,omitempty"`
	Id string `json:"jti,omitempty"`
	IssuedAt int64 `json:"iat,omitempty"`
	Issuer string `json:"iss,omitempty"`
	NotBefore int64 `json:"nbf,omitempty"`
	Subject string `json:"sub,omitempty"`
	// The embedded jwt.StandardClaims is left commented out; the registered
	// claims it would provide are declared explicitly above instead.
	//jwt.StandardClaims
}
var (
	// ErrAuthParse reports that the bearer token's claims could not be decoded.
	ErrAuthParse = errors.New("authorization token could not be parsed")
	// ErrPermissions reports that the token lacks the required scope or role.
	// NOTE(review): neither sentinel is referenced by the checks in this file,
	// which build their JSON responses from inline literals instead.
	ErrPermissions = errors.New("insufficient permissions")
)
// decodeToClaims copies the claim value src (the token's Claims, as stored by
// the JWT middleware) into dst, which must be a pointer to a struct tagged with
// `json` field names. Decoder construction and decoding failures are logged at
// error level and returned to the caller unchanged.
func decodeToClaims(src, dst interface{}) error {
	//BUGFIX: Introduced in b7fdf80, I'd like to get rid of this function
	cfg := &mapstructure.DecoderConfig{
		TagName: "json",
		Result:  dst,
	}
	dec, err := mapstructure.NewDecoder(cfg)
	if err != nil {
		logger.Error().Err(err).Msg("mapstructure decoder could not be initialized")
		return err
	}
	if err := dec.Decode(src); err != nil {
		logger.Error().Err(err).Msg("structure could not be decoded")
		return err
	}
	return nil
}
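// HasRole reports whether the caller's token grants reqrole as one of the
// roles issued for the "application-services" client
// (resource_access.application-services.roles). Roles listed under
// realm_access are not consulted, and role names are compared exactly.
//
// It fails closed: a request whose context holds no *jwt.Token under "user"
// (for example a route the JWT middleware did not run on), or whose claims
// cannot be decoded, yields false. The type assertion used to be unchecked
// and would panic in the first case.
func HasRole(c echo.Context, reqrole string) bool {
	user, ok := c.Get("user").(*jwt.Token)
	if !ok || user == nil {
		logger.Warn().
			Err(ErrAuthParse).
			Msg("No JWT token in request context, returning false.")
		return false
	}
	claims := new(jwtExtendedClaims)
	if err := decodeToClaims(user.Claims, claims); err != nil {
		logger.Warn().
			Err(err).
			Msg("Claims were malformed or nonexistant, returning false.")
		return false
	}
	for _, role := range claims.ResourceAccess.ApplicationServices.Roles {
		if role == reqrole {
			return true
		}
	}
	return false
}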
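// hasScope reports whether want appears as one of the whitespace-separated
// entries of an OAuth2 scope claim. Entries are compared whole: a scope string
// that merely contains "board:admin" as a substring of some other entry does
// not satisfy it, which the previous strings.Contains test would have accepted.
func hasScope(scope, want string) bool {
	for _, s := range strings.Fields(scope) {
		if s == want {
			return true
		}
	}
	return false
}

// boardGrants derives the two permission flags used by the board handlers from
// a scope claim: admin is true for the "board:admin" scope and write is true
// for "board:write" or "board:admin" (admin implies write).
func boardGrants(scope string) (admin, write bool) {
	admin = hasScope(scope, "board:admin")
	write = admin || hasScope(scope, "board:write")
	return admin, write
}

// FullAuthCheck rejects the request unless the caller's token carries the
// "board:admin" scope. It writes the JSON error response itself and returns the
// result of c.JSON; a nil return means the caller is authorized and the handler
// may proceed.
//
// A request whose context holds no *jwt.Token under "user" is answered with
// 401 (the assertion used to be unchecked and would panic); claims that cannot
// be decoded keep the existing 500 response. Neither case is let through.
func FullAuthCheck(c echo.Context) error {
	user, ok := c.Get("user").(*jwt.Token)
	if !ok || user == nil {
		return c.JSON(http.StatusUnauthorized, &struct {
			Message string
		}{
			Message: "Authorization Token could not be parsed."})
	}
	claims := new(jwtExtendedClaims)
	if err := decodeToClaims(user.Claims, claims); err != nil {
		return c.JSON(http.StatusInternalServerError, &struct {
			Message string
		}{
			Message: "Authorization Token could not be parsed."})
	}
	admin, write := boardGrants(claims.Scope)
	// admin implies write, so requiring both reduces to requiring admin; the
	// original `!admin || !auth` test meant the same thing.
	if !admin || !write {
		// NOTE(review): 401 is kept for compatibility with existing clients;
		// 403 Forbidden is the conventional status for an authenticated caller
		// that lacks permission.
		return c.JSON(http.StatusUnauthorized, &struct {
			Message string
		}{
			Message: "Insufficient Permissions."})
	}
	return nil
}

// AuthorizationCheck returns (admin, write) for the caller's token: admin is
// true when the scope claim grants "board:admin", write when it grants
// "board:write" or "board:admin". These are the same flags FullAuthCheck
// enforces, exposed for handlers that make finer-grained decisions.
//
// Both results are false when the context holds no *jwt.Token under "user" or
// the claims cannot be decoded.
func AuthorizationCheck(c echo.Context) (bool, bool) {
	user, ok := c.Get("user").(*jwt.Token)
	if !ok || user == nil {
		return false, false
	}
	claims := new(jwtExtendedClaims)
	if err := decodeToClaims(user.Claims, claims); err != nil {
		return false, false
	}
	return boardGrants(claims.Scope)
}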
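// SelfAuthCheck returns the decoded claims of the caller's token, presumably
// so a handler can compare the caller's identity (PreferredUsername, Subject)
// with the resource being acted on. It returns nil when the context holds no
// *jwt.Token under "user" (the assertion used to be unchecked and would panic)
// or when the claims cannot be decoded; callers must treat nil as not
// authorized.
func SelfAuthCheck(c echo.Context) *jwtExtendedClaims {
	user, ok := c.Get("user").(*jwt.Token)
	if !ok || user == nil {
		return nil
	}
	claims := new(jwtExtendedClaims)
	if err := decodeToClaims(user.Claims, claims); err != nil {
		return nil
	}
	return claims
}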