1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
package main
import (
//"context"
"errors"
"fmt"
garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
"github.com/go-ldap/ldap/v3"
//"github.com/gorilla/mux"
"log"
"net/http"
"strings"
)
func checkLoginAPI(w http.ResponseWriter, r *http.Request) (*LoginStatus, error) {
username, password, ok := r.BasicAuth()
if !ok {
w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return nil, errors.New("Missing or invalid 'Authenticate: Basic' field")
}
user_dn := buildUserDN(username)
login_info := &LoginInfo{
DN: user_dn,
Username: username,
Password: password,
}
l := ldapOpen(w)
if l == nil {
log.Println(l)
http.Error(w, "Internal server error", http.StatusInternalServerError)
return nil, errors.New("Unable to open LDAP connection")
}
err := l.Bind(login_info.DN, login_info.Password)
if err != nil {
w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return nil, errors.New("Unable to bind this user+password combination on the LDAP server")
}
loginStatus := &LoginStatus{
Info: login_info,
conn: l,
}
requestKind := "(objectClass=organizationalPerson)"
if strings.EqualFold(login_info.DN, config.AdminAccount) {
requestKind = "(objectclass=*)"
}
searchRequest := ldap.NewSearchRequest(
login_info.DN,
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
requestKind,
[]string{
"dn",
"displayname",
"givenname",
"sn",
"mail",
"memberof",
"description",
"garage_s3_access_key",
FIELD_NAME_DIRECTORY_VISIBILITY,
FIELD_NAME_PROFILE_PICTURE,
},
nil)
sr, err := l.Search(searchRequest)
if err != nil {
log.Println(err)
http.Error(w, "Internal server error", http.StatusInternalServerError)
return nil, errors.New("Unable to search essential information about the logged user on LDAP")
}
if len(sr.Entries) != 1 {
log.Println(fmt.Sprintf("Unable to find entry for %s", login_info.DN))
http.Error(w, "Internal server error", http.StatusInternalServerError)
return nil, errors.New("Not enough or too many entries for this user in the LDAP directory (expect a unique result)")
}
loginStatus.UserEntry = sr.Entries[0]
loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
loginStatus.CanInvite = false
for _, attr := range loginStatus.UserEntry.Attributes {
if strings.EqualFold(attr.Name, "memberof") {
for _, group := range attr.Values {
if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
loginStatus.CanInvite = true
}
if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
loginStatus.CanAdmin = true
}
}
}
}
return loginStatus, nil
}
func checkLoginAndS3API(w http.ResponseWriter, r *http.Request) (*LoginStatus, *garage.KeyInfo, error) {
login, err := checkLoginAPI(w, r)
if err != nil {
return nil, nil, err
}
keyPair, err := checkS3(login)
return login, keyPair, err
}
func handleAPIGarageBucket(w http.ResponseWriter, r *http.Request) {
login, s3key, err := checkLoginAndS3API(w, r)
if err != nil {
log.Println(err)
return
}
// CHECK PATCH REQUEST
// READ BODY JSON
// VALIDATE OBJECT
// --- bucket query parameter ---
// 1. bucket must be owned by the key with owner permission, otherwise throw "unauthorized" (401)
// 2. must not end with deuxfleurs.fr or deuxfleurs.org, otherwise throw "forbidden" (403)
// --- global ---
// 1. can be true, false, or nil (use pointers)
// 2. if nil do nothing
// 3. if false, throw "not yet implemented" (501)
// 4. if true, check that the bucket name does not exist yet in the global namespace, throw "forbidden" (403)
// --- quota.size ---
// 1. if no quota on the bucket + this field is none, set to 50MB
// 2. if lower than 50MB, set to 50MB. If higher than 200MB, set to 200MB
// --- quota.files ---
// 1. if no quota on the bucket + this field is none, set to 10k
// 2. if lower than 10k, set to 10k. If higher than 40k, set to 40k
// IF BODY.GLOBAL is not NONE
// Add an alias
// IF BODY.QUOTA.SIZE is not NONE
// Change quota
// IF BODY.QUOTA.FILE is not NONE
// Change quota
log.Println(login, s3key)
return
}
|
