lywsvip/cloudpods
1
0
Fork 0
mirror of https://github.com/yunionio/cloudpods.git synced 2026-05-21 01:53:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
0127b3872ef3fe6a2202bfc8564f3aabeb737ba2
cloudpods/pkg/apigateway/handler/middleware.go

128 lines
3.6 KiB
Go
Raw Blame History

// Copyright 2019 Yunion
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package handler
import (
"context"
"encoding/base64"
"fmt"
"net/http"
"strings"
"github.com/pkg/errors"
"yunion.io/x/jsonutils"
"yunion.io/x/log"
"yunion.io/x/onecloud/pkg/apigateway/clientman"
"yunion.io/x/onecloud/pkg/apigateway/constants"
"yunion.io/x/onecloud/pkg/appctx"
"yunion.io/x/onecloud/pkg/httperrors"
"yunion.io/x/onecloud/pkg/mcclient"
)
func Base64UrlEncode(data []byte) string {
str := base64.StdEncoding.EncodeToString(data)
str = strings.Replace(str, "+", "-", -1)
str = strings.Replace(str, "/", "_", -1)
str = strings.Replace(str, "=", "", -1)
return str
}
func Base64UrlDecode(str string) ([]byte, error) {
if strings.ContainsAny(str, "+/") {
return nil, errors.New("invalid base64url encoding")
}
str = strings.Replace(str, "-", "+", -1)
str = strings.Replace(str, "_", "/", -1)
for len(str)%4 != 0 {
str += "="
}
return base64.StdEncoding.DecodeString(str)
}
func getAuthToken(r *http.Request) string {
auth := r.Header.Get(constants.AUTH_HEADER)
if len(auth) > 0 && auth[:len(constants.AUTH_PREFIX)] == constants.AUTH_PREFIX {
return auth[len(constants.AUTH_PREFIX):]
} else {
return ""
}
}
func getAuthCookie(r *http.Request) string {
return getCookie(r, constants.YUNION_AUTH_COOKIE)
}
func setAuthHeader(w http.ResponseWriter, tid string) {
w.Header().Set(constants.AUTH_HEADER, fmt.Sprintf("%s%s", constants.AUTH_PREFIX, tid))
}
func SetAuthToken(ctx context.Context, w http.ResponseWriter, r *http.Request) (context.Context, error) {
var token mcclient.TokenCredential
auth1 := getAuthToken(r)
auth := "" // getAuthToken(r)
if len(auth) == 0 {
authCookieStr := getAuthCookie(r)
if len(authCookieStr) > 0 {
authCookie, err := jsonutils.ParseString(authCookieStr)
if err != nil {
return ctx, fmt.Errorf("Auth cookie decode error: %s", err)
}
auth, err = authCookie.GetString("session")
if err != nil {
return ctx, err
}
}
}
if len(auth) > 0 && auth != auth1 { // hack!!! browser cache problem???
log.Errorf("XXXX Auth cookie and header mismatch!!! %s:%s", auth, auth1)
auth = auth1
}
if len(auth) > 0 {
token = clientman.TokenMan.Get(auth)
}
if token == nil {
return ctx, fmt.Errorf("No token in header")
} else if !token.IsValid() {
return ctx, fmt.Errorf("Token in header invalid")
}
setAuthHeader(w, auth)
ctx = context.WithValue(ctx, appctx.AppContextKey(constants.AUTH_TOKEN), token)
return ctx, nil
}
func FetchAuthToken(f func(context.Context, http.ResponseWriter, *http.Request)) func(context.Context, http.ResponseWriter, *http.Request) {
return func(ctx context.Context, w http.ResponseWriter, r *http.Request) {
ctx, err := SetAuthToken(ctx, w, r)
if err != nil {
httperrors.InvalidCredentialError(w, "invalid token: %v", err)
return
}
// 启用双因子认证
t := AppContextToken(ctx)
if isUserEnableTotp(ctx, r, t) {
tid := getAuthToken(r)
totp := clientman.TokenMan.GetTotp(tid)
if !totp.IsVerified() {
httperrors.UnauthorizedError(w, "TOTP authentication failed")
return
}
}
f(ctx, w, r)
}
}
Reference in New Issue View Git Blame Copy Permalink