Home Explore Help
Sign In
akillibulut
/
porter
mirror of https://github.com/porter-dev/porter
2
0
Fork 0
Files Issues 0 Wiki
Tree: a1956e9782
Branches Tags
porter
/
api
/
server
/
authn
/
handler.go

handler.go 6.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206 
  1. package authn
    2. 

  2. 

  3. import (
    4. 

  4. 	"context"
    5. 

  5. 	"fmt"
    6. 

  6. 	"net/http"
    7. 

  7. 	"strings"
    8. 

  8. 

  9. 	"github.com/gorilla/sessions"
    10. 

  10. 	"github.com/porter-dev/porter/api/server/shared/apierrors"
    11. 

  11. 	"github.com/porter-dev/porter/api/server/shared/config"
    12. 

  12. 	"github.com/porter-dev/porter/api/types"
    13. 

  13. 	"github.com/porter-dev/porter/internal/auth/token"
    14. 

  14. 	"github.com/porter-dev/porter/internal/models"
    15. 

  15. 	"golang.org/x/crypto/bcrypt"
    16. 

  16. )
    17. 

  17. 

  18. // AuthNFactory generates a middleware handler `AuthN`
    19. 

  19. type AuthNFactory struct {
    20. 

  20. 	config *config.Config
    21. 

  21. }
    22. 

  22. 

  23. // NewAuthNFactory returns an `AuthNFactory` that uses the passed-in server
    24. 

  24. // config
    25. 

  25. func NewAuthNFactory(
    26. 

  26. 	config *config.Config,
    27. 

  27. ) *AuthNFactory {
    28. 

  28. 	return &AuthNFactory{config}
    29. 

  29. }
    30. 

  30. 

  31. // NewAuthenticated creates a new instance of `AuthN` that implements the http.Handler
    32. 

  32. // interface.
    33. 

  33. func (f *AuthNFactory) NewAuthenticated(next http.Handler) http.Handler {
    34. 

  34. 	return &AuthN{next, f.config, false}
    35. 

  35. }
    36. 

  36. 

  37. // NewAuthenticatedWithRedirect creates a new instance of `AuthN` that implements the http.Handler
    38. 

  38. // interface. This handler redirects the user to login if the user is not attached, and stores a
    39. 

  39. // redirect URI in the session, if the session exists.
    40. 

  40. func (f *AuthNFactory) NewAuthenticatedWithRedirect(next http.Handler) http.Handler {
    41. 

  41. 	return &AuthN{next, f.config, true}
    42. 

  42. }
    43. 

  43. 

  44. // AuthN implements the authentication middleware
    45. 

  45. type AuthN struct {
    46. 

  46. 	next     http.Handler
    47. 

  47. 	config   *config.Config
    48. 

  48. 	redirect bool
    49. 

  49. }
    50. 

  50. 

  51. // ServeHTTP attaches an authenticated subject to the request context,
    52. 

  52. // or serves a forbidden error. If authenticated, it calls the next handler.
    53. 

  53. //
    54. 

  54. // A token can either be issued for a specific project id or for a user. In the case
    55. 

  55. // of a project id, we attach a service account to the context. In the case of a
    56. 

  56. // user, we attach that user to the context.
    57. 

  57. func (authn *AuthN) ServeHTTP(w http.ResponseWriter, r *http.Request) {
    58. 

  58. 	// first check for a bearer token
    59. 

  59. 	tok, err := authn.getTokenFromRequest(r)
    60. 

  60. 

  61. 	// if the error is not an invalid auth error, the token was invalid, and we throw error
    62. 

  62. 	// forbidden. If the error was an invalid auth error, we look for a cookie.
    63. 

  63. 	if err != nil && err != errInvalidAuthHeader {
    64. 

  64. 		authn.sendForbiddenError(err, w, r)
    65. 

  65. 		return
    66. 

  66. 	} else if err == nil && tok != nil {
    67. 

  67. 		authn.verifyTokenWithNext(w, r, tok)
    68. 

  68. 		return
    69. 

  69. 	}
    70. 

  70. 

  71. 	// if the bearer token is not found, look for a request cookie
    72. 

  72. 	session, err := authn.config.Store.Get(r, authn.config.ServerConf.CookieName)
    73. 

  73. 

  74. 	if err != nil {
    75. 

  75. 		session.Values["authenticated"] = false
    76. 

  76. 

  77. 		// we attempt to save the session, but do not catch the error since we send the
    78. 

  78. 		// forbidden error regardless
    79. 

  79. 		session.Save(r, w)
    80. 

  80. 

  81. 		authn.sendForbiddenError(err, w, r)
    82. 

  82. 		return
    83. 

  83. 	}
    84. 

  84. 

  85. 	if auth, ok := session.Values["authenticated"].(bool); !auth || !ok {
    86. 

  86. 		authn.handleForbiddenForSession(w, r, fmt.Errorf("stored cookie was not authenticated"), session)
    87. 

  87. 		return
    88. 

  88. 	}
    89. 

  89. 

  90. 	// read the user id in the token
    91. 

  91. 	userID, ok := session.Values["user_id"].(uint)
    92. 

  92. 

  93. 	if !ok {
    94. 

  94. 		authn.handleForbiddenForSession(w, r, fmt.Errorf("could not cast user_id to uint"), session)
    95. 

  95. 		return
    96. 

  96. 	}
    97. 

  97. 

  98. 	authn.nextWithUserID(w, r, userID)
    99. 

  99. }
    100. 

  100. 

  101. func (authn *AuthN) handleForbiddenForSession(
    102. 

  102. 	w http.ResponseWriter,
    103. 

  103. 	r *http.Request,
    104. 

  104. 	err error,
    105. 

  105. 	session *sessions.Session,
    106. 

  106. ) {
    107. 

  107. 	if authn.redirect {
    108. 

  108. 		// need state parameter to validate when redirected
    109. 

  109. 		if r.URL.RawQuery == "" {
    110. 

  110. 			session.Values["redirect_uri"] = r.URL.Path
    111. 

  111. 		} else {
    112. 

  112. 			session.Values["redirect_uri"] = r.URL.Path + "?" + r.URL.RawQuery
    113. 

  113. 		}
    114. 

  114. 

  115. 		session.Save(r, w)
    116. 

  116. 

  117. 		http.Redirect(w, r, "/dashboard", 302)
    118. 

  118. 	} else {
    119. 

  119. 		authn.sendForbiddenError(err, w, r)
    120. 

  120. 	}
    121. 

  121. 

  122. 	return
    123. 

  123. }
    124. 

  124. 

  125. func (authn *AuthN) verifyTokenWithNext(w http.ResponseWriter, r *http.Request, tok *token.Token) {
    126. 

  126. 	// if the token has a stored token id and secret we check that the token is valid in the database
    127. 

  127. 	if tok.Secret != "" && tok.TokenID != "" {
    128. 

  128. 		apiToken, err := authn.config.Repo.APIToken().ReadAPIToken(tok.ProjectID, tok.TokenID)
    129. 

  129. 

  130. 		if err != nil {
    131. 

  131. 			authn.sendForbiddenError(fmt.Errorf("token with id %s not valid", tok.TokenID), w, r)
    132. 

  132. 			return
    133. 

  133. 		}
    134. 

  134. 

  135. 		// compare the secret against the hashed version
    136. 

  136. 		if err := bcrypt.CompareHashAndPassword([]byte(apiToken.SecretKey), []byte(tok.Secret)); err != nil {
    137. 

  137. 			authn.sendForbiddenError(fmt.Errorf("incorrect secret key for token %s", tok.TokenID), w, r)
    138. 

  138. 			return
    139. 

  139. 		}
    140. 

  140. 

  141. 		authn.nextWithAPIToken(w, r, apiToken)
    142. 

  142. 	} else {
    143. 

  143. 		// otherwise we just use nextWithUser using the `iby` field for the token
    144. 

  144. 		authn.nextWithUserID(w, r, tok.IBy)
    145. 

  145. 	}
    146. 

  146. }
    147. 

  147. 

  148. // nextWithAPIToken sets the token in context
    149. 

  149. func (authn *AuthN) nextWithAPIToken(w http.ResponseWriter, r *http.Request, tok *models.APIToken) {
    150. 

  150. 	ctx := r.Context()
    151. 

  151. 	ctx = context.WithValue(ctx, "api_token", tok)
    152. 

  152. 

  153. 	r = r.Clone(ctx)
    154. 

  154. 	authn.next.ServeHTTP(w, r)
    155. 

  155. }
    156. 

  156. 

  157. // nextWithUserID calls the next handler with the user set in the context with key
    158. 

  158. // `types.UserScope`.
    159. 

  159. func (authn *AuthN) nextWithUserID(w http.ResponseWriter, r *http.Request, userID uint) {
    160. 

  160. 	// search for the user
    161. 

  161. 	user, err := authn.config.Repo.User().ReadUser(userID)
    162. 

  162. 

  163. 	if err != nil {
    164. 

  164. 		authn.sendForbiddenError(fmt.Errorf("user with id %d not found in database", userID), w, r)
    165. 

  165. 		return
    166. 

  166. 	}
    167. 

  167. 

  168. 	// add the user to the context
    169. 

  169. 	ctx := r.Context()
    170. 

  170. 	ctx = context.WithValue(ctx, types.UserScope, user)
    171. 

  171. 

  172. 	r = r.Clone(ctx)
    173. 

  173. 	authn.next.ServeHTTP(w, r)
    174. 

  174. }
    175. 

  175. 

  176. // sendForbiddenError sends a 403 Forbidden error to the end user while logging a
    177. 

  177. // specific error
    178. 

  178. func (authn *AuthN) sendForbiddenError(err error, w http.ResponseWriter, r *http.Request) {
    179. 

  179. 	reqErr := apierrors.NewErrForbidden(err)
    180. 

  180. 

  181. 	apierrors.HandleAPIError(authn.config.Logger, authn.config.Alerter, w, r, reqErr, true)
    182. 

  182. }
    183. 

  183. 

  184. var errInvalidToken = fmt.Errorf("authorization header exists, but token is not valid")
    185. 

  185. var errInvalidAuthHeader = fmt.Errorf("invalid authorization header in request")
    186. 

  186. 

  187. // getTokenFromRequest finds an `Authorization` header of the form `Bearer <token>`,
    188. 

  188. // and returns a valid token if it exists.
    189. 

  189. func (authn *AuthN) getTokenFromRequest(r *http.Request) (*token.Token, error) {
    190. 

  190. 	reqToken := r.Header.Get("Authorization")
    191. 

  191. 	splitToken := strings.Split(reqToken, "Bearer")
    192. 

  192. 

  193. 	if len(splitToken) != 2 {
    194. 

  194. 		return nil, errInvalidAuthHeader
    195. 

  195. 	}
    196. 

  196. 

  197. 	reqToken = strings.TrimSpace(splitToken[1])
    198. 

  198. 

  199. 	tok, err := token.GetTokenFromEncoded(reqToken, authn.config.TokenConf)
    200. 

  200. 

  201. 	if err != nil {
    202. 

  202. 		return nil, errInvalidToken
    203. 

  203. 	}
    204. 

  204. 

  205. 	return tok, nil
    206. 

  206. }
    207.