Home Explore Help
Sign In
golang
/
netmaker
mirror of https://github.com/gravitl/netmaker
2
0
Fork 0
Files Issues 0 Wiki
Tree: 7a39ef3e4e
Branches Tags
netmaker
/
logic
/
security.go

security.go 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384 
  1. package logic
    2. 

  2. 

  3. import (
    4. 

  4. 	"net/http"
    5. 

  5. 	"strings"
    6. 

  6. 

  7. 	"github.com/gorilla/mux"
    8. 

  8. 	"github.com/gravitl/netmaker/models"
    9. 

  9. 	"github.com/gravitl/netmaker/servercfg"
    10. 

  10. )
    11. 

  11. 

  12. const (
    13. 

  13. 	MasterUser       = "masteradministrator"
    14. 

  14. 	Forbidden_Msg    = "forbidden"
    15. 

  15. 	Forbidden_Err    = models.Error(Forbidden_Msg)
    16. 

  16. 	Unauthorized_Msg = "unauthorized"
    17. 

  17. 	Unauthorized_Err = models.Error(Unauthorized_Msg)
    18. 

  18. )
    19. 

  19. 

  20. // SecurityCheck - Check if user has appropriate permissions
    21. 

  21. func SecurityCheck(reqAdmin bool, next http.Handler) http.HandlerFunc {
    22. 

  22. 

  23. 	return func(w http.ResponseWriter, r *http.Request) {
    24. 

  24. 		r.Header.Set("ismaster", "no")
    25. 

  25. 		bearerToken := r.Header.Get("Authorization")
    26. 

  26. 		username, err := UserPermissions(reqAdmin, bearerToken)
    27. 

  27. 		if err != nil {
    28. 

  28. 			ReturnErrorResponse(w, r, FormatError(err, err.Error()))
    29. 

  29. 			return
    30. 

  30. 		}
    31. 

  31. 		// detect masteradmin
    32. 

  32. 		if username == MasterUser {
    33. 

  33. 			r.Header.Set("ismaster", "yes")
    34. 

  34. 		}
    35. 

  35. 		r.Header.Set("user", username)
    36. 

  36. 		next.ServeHTTP(w, r)
    37. 

  37. 	}
    38. 

  38. }
    39. 

  39. 

  40. // UserPermissions - checks token stuff
    41. 

  41. func UserPermissions(reqAdmin bool, token string) (string, error) {
    42. 

  42. 	var tokenSplit = strings.Split(token, " ")
    43. 

  43. 	var authToken = ""
    44. 

  44. 

  45. 	if len(tokenSplit) < 2 {
    46. 

  46. 		return "", Unauthorized_Err
    47. 

  47. 	} else {
    48. 

  48. 		authToken = tokenSplit[1]
    49. 

  49. 	}
    50. 

  50. 	//all endpoints here require master so not as complicated
    51. 

  51. 	if authenticateMaster(authToken) {
    52. 

  52. 		// TODO log in as an actual admin user
    53. 

  53. 		return MasterUser, nil
    54. 

  54. 	}
    55. 

  55. 	username, issuperadmin, isadmin, err := VerifyUserToken(authToken)
    56. 

  56. 	if err != nil {
    57. 

  57. 		return username, Unauthorized_Err
    58. 

  58. 	}
    59. 

  59. 	if reqAdmin && !(issuperadmin || isadmin) {
    60. 

  60. 		return username, Forbidden_Err
    61. 

  61. 	}
    62. 

  62. 

  63. 	return username, nil
    64. 

  64. }
    65. 

  65. 

  66. // Consider a more secure way of setting master key
    67. 

  67. func authenticateMaster(tokenString string) bool {
    68. 

  68. 	return tokenString == servercfg.GetMasterKey() && servercfg.GetMasterKey() != ""
    69. 

  69. }
    70. 

  70. 

  71. func ContinueIfUserMatch(next http.Handler) http.HandlerFunc {
    72. 

  72. 	return func(w http.ResponseWriter, r *http.Request) {
    73. 

  73. 		var errorResponse = models.ErrorResponse{
    74. 

  74. 			Code: http.StatusForbidden, Message: Forbidden_Msg,
    75. 

  75. 		}
    76. 

  76. 		var params = mux.Vars(r)
    77. 

  77. 		var requestedUser = params["username"]
    78. 

  78. 		if requestedUser != r.Header.Get("user") {
    79. 

  79. 			ReturnErrorResponse(w, r, errorResponse)
    80. 

  80. 			return
    81. 

  81. 		}
    82. 

  82. 		next.ServeHTTP(w, r)
    83. 

  83. 	}
    84. 

  84. }
    85.