Refactor auth and add docs

Cleanup and reformat
2023-07-05 09:50:44 +02:00
parent e7ecc260f8
commit df9fd77d06
3 changed files with 171 additions and 18 deletions


@@ -75,10 +75,7 @@ func getRoleEnum(roleStr string) Role {
}
func isValidRole(role string) bool {
if getRoleEnum(role) == RoleError {
return false
}
return true
return getRoleEnum(role) != RoleError
}
func (u *User) HasValidRole(role string) (hasRole bool, isValid bool) {
@@ -175,7 +172,7 @@ func GetValidRolesMap(user *User) (map[string]Role, error) {
}
return named, nil
}
return named, fmt.Errorf("Only known users are allowed to fetch a list of roles")
return named, fmt.Errorf("only known users are allowed to fetch a list of roles")
}
// Find highest role
@@ -300,6 +297,7 @@ func (auth *Authentication) AuthViaSession(
return nil, nil
}
// TODO Check if keys are present in session?
username, _ := session.Values["username"].(string)
projects, _ := session.Values["projects"].([]string)
roles, _ := session.Values["roles"].([]string)
@@ -320,11 +318,9 @@ func (auth *Authentication) Login(
err := errors.New("no authenticator applied")
username := r.FormValue("username")
user := (*User)(nil)
if username != "" {
if user, _ = auth.GetUser(username); err != nil {
// log.Warnf("login of unkown user %v", username)
_ = err
}
user, _ = auth.GetUser(username)
}
for _, authenticator := range auth.authenticators {
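Review bot: The `// TODO Check if keys are present in session?` added to AuthViaSession names a gap that the three lines right below it leave open: each type assertion discards its ok result, so a session with no "username" key (or one holding a non-string) yields username == "" and the function carries on instead of rejecting the session. The check is two lines here, e.g. `username, ok := session.Values["username"].(string)` followed by `if !ok || username == "" { return nil, errors.New("session has no username") }` (errors is already used in this file, and the `return nil, nil` in the same hunk suggests the second result is an error); the same ok-check applies to the "projects" and "roles" assertions. The rest of AuthViaSession, including what is done with these values, lies outside the hunk, so whether an empty username is caught later cannot be confirmed from here. The Login hunk at the end of this file has a related silent discard in `user, _ = auth.GetUser(username)`; if an unknown user is intentionally allowed through to the authenticators, a short comment on that line such as `// unknown user is not an error here: an authenticator may still accept or create it` would make the dropped error deliberate rather than accidental.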


@@ -103,7 +103,9 @@ func (ja *JWTAuthenticator) CanLogin(
rw http.ResponseWriter,
r *http.Request) bool {
return (user != nil && user.AuthSource == AuthViaToken) || r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
return (user != nil && user.AuthSource == AuthViaToken) ||
r.Header.Get("Authorization") != "" ||
r.URL.Query().Get("login-token") != ""
}
func (ja *JWTAuthenticator) Login(
@@ -111,13 +113,9 @@ func (ja *JWTAuthenticator) Login(
rw http.ResponseWriter,
r *http.Request) (*User, error) {
rawtoken := r.Header.Get("X-Auth-Token")
rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
if rawtoken == "" {
rawtoken = r.Header.Get("Authorization")
rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
if rawtoken == "" {
rawtoken = r.URL.Query().Get("login-token")
}
rawtoken = r.URL.Query().Get("login-token")
}
token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
@@ -134,7 +132,7 @@ func (ja *JWTAuthenticator) Login(
return nil, err
}
if err := token.Claims.Valid(); err != nil {
if err = token.Claims.Valid(); err != nil {
log.Warn("jwt token claims are not valid")
return nil, err
}
@@ -220,7 +218,10 @@ func (ja *JWTAuthenticator) Auth(
}
// Is there more than one public key?
if ja.publicKeyCrossLogin != nil && ja.config != nil && ja.config.TrustedExternalIssuer != "" {
if ja.publicKeyCrossLogin != nil &&
ja.config != nil &&
ja.config.TrustedExternalIssuer != "" {
// Determine whether to use the external public key
unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
if success && unvalidatedIssuer == ja.config.TrustedExternalIssuer {