From 3c5c26e784fda35087059bda4363ba5fca999d0d Mon Sep 17 00:00:00 2001 From: Max Resnick Date: Thu, 24 Nov 2022 08:41:22 -0800 Subject: rename file --- internal/authz/middleware.go | 61 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 internal/authz/middleware.go (limited to 'internal/authz/middleware.go') diff --git a/internal/authz/middleware.go b/internal/authz/middleware.go new file mode 100644 index 0000000..1dd06e3 --- /dev/null +++ b/internal/authz/middleware.go @@ -0,0 +1,61 @@ +package authz + +import ( + "context" + "encoding/base64" + "fmt" + "log" + "net/http" + + "github.com/casbin/casbin/v2" + "golang.org/x/crypto/bcrypt" +) + +func Authentication(authMap TokenMap, next http.HandlerFunc) http.Handler { + return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { + u, p, ok := req.BasicAuth() + if !ok { + rw.Header().Set("WWW-Authenticate", `Basic realm="git"`) + http.Error(rw, "Authentication Required", http.StatusUnauthorized) + return + } + urn := fmt.Sprintf("uid:%s", u) + hash, ok := authMap[urn] + if !ok { + http.Error(rw, "Bad Request", http.StatusForbidden) + return + } + token, err := base64.URLEncoding.DecodeString(p) + if err != nil { + http.Error(rw, "Bad Request", http.StatusBadRequest) + return + } + if err := bcrypt.CompareHashAndPassword([]byte(hash), token); err != nil { + http.Error(rw, "Bad Request", http.StatusForbidden) + return + } + ctx := context.WithValue(req.Context(), "urn", urn) + next.ServeHTTP(rw, req.WithContext(ctx)) + }) +} + +// Authorization middleware to enforce authoirzation of all requests. +func Authorization(enf *casbin.Enforcer, next http.HandlerFunc) http.Handler { + return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { + ctx := req.Context() + urn := ctx.Value("urn") + repo := req.URL.Path + action := req.Method + ok, err := enf.Enforce(urn, repo, action) + if err != nil { + log.Printf("error running enforce %s", err) + http.Error(rw, "Bad Request", http.StatusBadRequest) + } + if !ok { + log.Printf("Access denied") + http.Error(rw, "Access denied", http.StatusForbidden) + } + log.Printf("Method %s Url %s", action, repo) + next.ServeHTTP(rw, req.WithContext(ctx)) + }) +} -- cgit v1.2.3