ホーム エクスプローラ ヘルプ
登録 サインイン
zhouyuhuan
/
Cloudpods
1
0
フォーク 0
ファイル 課題 0 プルリクエスト 0 Wiki
ブランチ: feature/cloudpods
ブランチ タグ
Cloudpods
/
backend
/
pkg
/
apigateway
/
handler
/
middleware.go

middleware.go 4.5 KB
パーマリンク 履歴 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140 
  1. // Copyright 2019 Yunion
    2. 

  2. //
    3. 

  3. // Licensed under the Apache License, Version 2.0 (the "License");
    4. 

  4. // you may not use this file except in compliance with the License.
    5. 

  5. // You may obtain a copy of the License at
    6. 

  6. //
    7. 

  7. //     http://www.apache.org/licenses/LICENSE-2.0
    8. 

  8. //
    9. 

  9. // Unless required by applicable law or agreed to in writing, software
    10. 

  10. // distributed under the License is distributed on an "AS IS" BASIS,
    11. 

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12. 

  12. // See the License for the specific language governing permissions and
    13. 

  13. // limitations under the License.
    14. 

  14. 

  15. package handler
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"encoding/base64"
    20. 

  20. 	"net/http"
    21. 

  21. 	"strings"
    22. 

  22. 

  23. 	"yunion.io/x/jsonutils"
    24. 

  24. 	"yunion.io/x/log"
    25. 

  25. 	"yunion.io/x/pkg/appctx"
    26. 

  26. 	"yunion.io/x/pkg/errors"
    27. 

  27. 

  28. 	"yunion.io/x/onecloud/pkg/apigateway/clientman"
    29. 

  29. 	"yunion.io/x/onecloud/pkg/apigateway/constants"
    30. 

  30. 	"yunion.io/x/onecloud/pkg/httperrors"
    31. 

  31. 	"yunion.io/x/onecloud/pkg/mcclient"
    32. 

  32. )
    33. 

  33. 

  34. func Base64UrlEncode(data []byte) string {
    35. 

  35. 	str := base64.StdEncoding.EncodeToString(data)
    36. 

  36. 	str = strings.Replace(str, "+", "-", -1)
    37. 

  37. 	str = strings.Replace(str, "/", "_", -1)
    38. 

  38. 	str = strings.Replace(str, "=", "", -1)
    39. 

  39. 	return str
    40. 

  40. }
    41. 

  41. 

  42. func Base64UrlDecode(str string) ([]byte, error) {
    43. 

  43. 	if strings.ContainsAny(str, "+/") {
    44. 

  44. 		return nil, errors.Wrap(httperrors.ErrInputParameter, "invalid base64url encoding")
    45. 

  45. 	}
    46. 

  46. 	str = strings.Replace(str, "-", "+", -1)
    47. 

  47. 	str = strings.Replace(str, "_", "/", -1)
    48. 

  48. 	for len(str)%4 != 0 {
    49. 

  49. 		str += "="
    50. 

  50. 	}
    51. 

  51. 	return base64.StdEncoding.DecodeString(str)
    52. 

  52. }
    53. 

  53. 

  54. func getAuthToken(r *http.Request) string {
    55. 

  55. 	auth := r.Header.Get(constants.AUTH_HEADER)
    56. 

  56. 	if len(auth) > 0 && auth[:len(constants.AUTH_PREFIX)] == constants.AUTH_PREFIX {
    57. 

  57. 		return auth[len(constants.AUTH_PREFIX):]
    58. 

  58. 	} else {
    59. 

  59. 		return ""
    60. 

  60. 	}
    61. 

  61. }
    62. 

  62. 

  63. func getAuthCookie(r *http.Request) string {
    64. 

  64. 	return getCookie(r, constants.YUNION_AUTH_COOKIE)
    65. 

  65. }
    66. 

  66. 

  67. /*func setAuthHeader(w http.ResponseWriter, tid string) {
    68. 

  68. 	w.Header().Set(constants.AUTH_HEADER, fmt.Sprintf("%s%s", constants.AUTH_PREFIX, tid))
    69. 

  69. }*/
    70. 

  70. 

  71. func fetchAuthInfo(ctx context.Context, r *http.Request) (mcclient.TokenCredential, *clientman.SAuthToken, error) {
    72. 

  72. 	var token mcclient.TokenCredential
    73. 

  73. 	var authToken *clientman.SAuthToken
    74. 

  74. 

  75. 	// no more use Auth header
    76. 

  76. 	// auth1 := getAuthToken(r)
    77. 

  77. 	auth := getAuthToken(r)
    78. 

  78. 	if len(auth) == 0 {
    79. 

  79. 		authCookieStr := getAuthCookie(r)
    80. 

  80. 		if len(authCookieStr) > 0 {
    81. 

  81. 			authCookie, err := jsonutils.ParseString(authCookieStr)
    82. 

  82. 			if err != nil {
    83. 

  83. 				return nil, nil, errors.Wrap(httperrors.ErrInputParameter, "Auth cookie decode")
    84. 

  84. 			}
    85. 

  85. 			auth, err = authCookie.GetString("session")
    86. 

  86. 			if err != nil {
    87. 

  87. 				return nil, nil, errors.Wrap(httperrors.ErrInputParameter, "authCookie missing session field")
    88. 

  88. 			}
    89. 

  89. 		}
    90. 

  90. 	}
    91. 

  91. 	// if len(auth) > 0 && auth != auth1 { // hack!!! browser cache problem???
    92. 

  92. 	//	log.Errorf("XXXX Auth cookie and header mismatch!!! %s:%s", auth, auth1)
    93. 

  93. 	//	auth = auth1
    94. 

  94. 	// }
    95. 

  95. 	if len(auth) > 0 {
    96. 

  96. 		var err error
    97. 

  97. 		authToken, err = clientman.Decode(auth)
    98. 

  98. 		if err != nil {
    99. 

  99. 			log.Errorf("clientman.Decode auth token fail: %v", err)
    100. 

  100. 			return nil, nil, errors.Wrap(httperrors.ErrInputParameter, "clientman.Decode auth token fail")
    101. 

  101. 		}
    102. 

  102. 		token, err = authToken.GetToken(ctx)
    103. 

  103. 		if err != nil {
    104. 

  104. 			log.Errorf("authToken.GetToken fail: %v", err)
    105. 

  105. 			return nil, nil, errors.Wrap(httperrors.ErrInputParameter, "authToken.GetToken fail")
    106. 

  106. 		}
    107. 

  107. 	}
    108. 

  108. 	if token == nil {
    109. 

  109. 		return nil, nil, errors.Wrap(httperrors.ErrInvalidCredential, "No token in header")
    110. 

  110. 	} else if !token.IsValid() {
    111. 

  111. 		return nil, nil, errors.Wrap(httperrors.ErrInvalidCredential, "Token in header invalid")
    112. 

  112. 	}
    113. 

  113. 	return token, authToken, nil
    114. 

  114. }
    115. 

  115. 

  116. func fetchAndSetAuthContext(ctx context.Context, w http.ResponseWriter, r *http.Request) (context.Context, error) {
    117. 

  117. 	token, authToken, err := fetchAuthInfo(ctx, r)
    118. 

  118. 	if err != nil {
    119. 

  119. 		return ctx, errors.Wrap(err, "fetchAuthInfo")
    120. 

  120. 	}
    121. 

  121. 	// 启用双因子认证
    122. 

  122. 	if !authToken.IsTotpVerified() {
    123. 

  123. 		return ctx, errors.Wrap(httperrors.ErrInvalidCredential, "TOTP authentication failed")
    124. 

  124. 	}
    125. 

  125. 	// no more send auth header, save auth info in cookie
    126. 

  126. 	// setAuthHeader(w, authHeader)
    127. 

  127. 	ctx = context.WithValue(ctx, appctx.APP_CONTEXT_KEY_AUTH_TOKEN, token)
    128. 

  128. 	return ctx, nil
    129. 

  129. }
    130. 

  130. 

  131. func FetchAuthToken(f func(context.Context, http.ResponseWriter, *http.Request)) func(context.Context, http.ResponseWriter, *http.Request) {
    132. 

  132. 	return func(ctx context.Context, w http.ResponseWriter, r *http.Request) {
    133. 

  133. 		ctx, err := fetchAndSetAuthContext(ctx, w, r)
    134. 

  134. 		if err != nil {
    135. 

  135. 			httperrors.InvalidCredentialError(ctx, w, "No token in header: %v", err)
    136. 

  136. 			return
    137. 

  137. 		}
    138. 

  138. 		f(ctx, w, r)
    139. 

  139. 	}
    140. 

  140. }
    141.