author | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-09-15 14:32:44 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2023-09-15 14:32:44 +0200 |
commit | 74113fad490ccdaa00961c5818eaa107781dfd79 (patch) | |
tree | 9b3e83b8c47b4a9838983ce23458abaf650cc396 | |
parent | 02e384f99eb10ab299805073c37ac2f4ed3f2cdc (diff) | |
WIP auth API
-rw-r--r-- | api.go | 114 | ||||
-rw-r--r-- | main.go | 5 |
2 files changed, 116 insertions, 3 deletions
@@ -0,0 +1,114 @@
+package main
+
+import (
+ //"context"
+ //"errors"
+ "fmt"
+ //garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
+ "github.com/go-ldap/ldap/v3"
+ //"github.com/gorilla/mux"
+ "log"
+ "net/http"
+ "strings"
+)
+
+func checkLoginAPI(w http.ResponseWriter, r *http.Request) *LoginStatus {
+ username, password, ok := r.BasicAuth()
+ if !ok {
+ w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
+ http.Error(w, "Unauthorized", http.StatusUnauthorized)
+ return nil
+ }
+ user_dn := buildUserDN(username)
+
+ login_info := &LoginInfo{
+ DN: user_dn,
+ Username: username,
+ Password: password,
+ }
+
+ l := ldapOpen(w)
+ if l == nil {
+ log.Println(l)
+ http.Error(w, "Internal server error", http.StatusInternalServerError)
+ return nil
+ }
+
+ err := l.Bind(login_info.DN, login_info.Password)
+ if err != nil {
+ w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
+ http.Error(w, "Unauthorized", http.StatusUnauthorized)
+ return nil
+ }
+
+ loginStatus := &LoginStatus{
+ Info: login_info,
+ conn: l,
+ }
+
+ requestKind := "(objectClass=organizationalPerson)"
+
+ if strings.EqualFold(login_info.DN, config.AdminAccount) {
+ requestKind = "(objectclass=*)"
+ }
+ searchRequest := ldap.NewSearchRequest(
+ login_info.DN,
+ ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
+ requestKind,
+ []string{
+ "dn",
+ "displayname",
+ "givenname",
+ "sn",
+ "mail",
+ "memberof",
+ "description",
+ "garage_s3_access_key",
+ FIELD_NAME_DIRECTORY_VISIBILITY,
+ FIELD_NAME_PROFILE_PICTURE,
+ },
+ nil)
+
+ sr, err := l.Search(searchRequest)
+ if err != nil {
+ log.Println(err)
+ http.Error(w, "Internal server error", http.StatusInternalServerError)
+ return nil
+ }
+
+ if len(sr.Entries) != 1 {
+ log.Println(fmt.Sprintf("Unable to find entry for %s", login_info.DN))
+ http.Error(w, "Internal server error", http.StatusInternalServerError)
+ return nil
+ }
+
+ loginStatus.UserEntry = sr.Entries[0]
+
+ loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
+ loginStatus.CanInvite = false
+ for _, attr := range loginStatus.UserEntry.Attributes {
+ if strings.EqualFold(attr.Name, "memberof") {
+ for _, group := range attr.Values {
+ if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
+ loginStatus.CanInvite = true
+ }
+ if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
+ loginStatus.CanAdmin = true
+ }
+ }
+ }
+ }
+
+ return loginStatus
+}
+
+func handleAPIGarageBucket(w http.ResponseWriter, r *http.Request) {
+ login, s3key, err := checkLoginAndS3(w, r)
+ if err != nil {
+ log.Println(err)
+ return
+ }
+ log.Println(login,s3key)
+
+ return
+}
@@ -130,6 +130,8 @@ func main() {
 r.HandleFunc("/", handleHome) r.HandleFunc("/logout", handleLogout) + r.HandleFunc("/api/unstable/garage/bucket/{b}", handleAPIGarageBucket) + r.HandleFunc("/profile", handleProfile) r.HandleFunc("/passwd", handlePasswd) r.HandleFunc("/picture/{name}", handleDownloadPicture)
@@ -198,9 +200,6 @@ func logRequest(handler http.Handler) http.Handler {
 func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus { var login_info *LoginInfo - //@FIXME check authentication header - - session, err := store.Get(r, SESSION_NAME) if err == nil { username, ok := session.Values["login_username"] |
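Review bot: The LDAP connection returned by ldapOpen is never closed on the failure paths of checkLoginAPI — after a failed Bind, a failed Search, or an entry count other than 1 the function returns nil and drops `l`, so every rejected API request leaks a connection; because the connection is handed to the caller through `loginStatus.conn` on success a defer does not fit, and each of those three `return nil` should be preceded by `l.Close()`. In the `if l == nil` branch `log.Println(l)` prints a nil value and nothing else; ldapOpen receives `w`, so it presumably already reported the failure, in which case that log line (and possibly the second http.Error) can go — worth confirming against ldapOpen. The username taken from Basic auth is passed through buildUserDN into both the bind DN and the search base; unless buildUserDN escapes RFC 4514 special characters, a username containing them changes the meaning of the DN, so the escaping belongs there (go-ldap's `ldap.EscapeDN`, where the vendored version has it). In handleAPIGarageBucket, `log.Println(login,s3key)` writes whatever s3key holds to the log; if that value carries the S3 secret key it should not be logged. Both functions are complete within the hunk.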