package iprepd
import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"io"
	"io/ioutil"
	"mime"
	"net/http"
	"strings"
	"time"

	log "github.com/sirupsen/logrus"
	"go.mozilla.org/hawk"
)
// auth wraps handler rf with the Authorization check. Unless
// sruntime.cfg.Auth.DisableAuth is set, the request must carry a valid
// "Hawk " or "APIKey " Authorization header; when needsWrite is true the
// credential must also grant write access. Failing either check answers
// 401 Unauthorized without calling rf.
func auth(rf func(http.ResponseWriter, *http.Request), needsWrite bool) func(http.ResponseWriter, *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		if sruntime.cfg.Auth.DisableAuth {
			rf(w, r)
			return
		}

		// An unrecognised (or absent) scheme leaves both flags false.
		var valid, canWrite bool
		switch hdr := r.Header.Get("Authorization"); {
		case strings.HasPrefix(hdr, "Hawk "):
			valid, canWrite = hawkAuth(r)
		case strings.HasPrefix(hdr, "APIKey "):
			valid, canWrite = apiAuth(r)
		}

		// A rejected credential and a read-only credential on a write
		// endpoint are answered identically.
		if !valid || (needsWrite && !canWrite) {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		rf(w, r)
	}
}
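// apiAuth validates an "APIKey <key>" Authorization header against the
// configured key lists. It returns (valid, canWrite): a key listed in
// sruntime.cfg.Auth.APIKey grants write access, a key listed in
// sruntime.cfg.Auth.ROAPIKey grants read-only access. A key present in both
// lists resolves to write access, as before.
func apiAuth(r *http.Request) (bool, bool) {
	presented := []byte(strings.TrimPrefix(r.Header.Get("Authorization"), "APIKey "))

	// Every configured key is compared with a constant-time comparison and
	// the loops never short-circuit, so response timing does not reveal how
	// long a matching prefix was or which list entry matched. (The length of
	// a key is still observable; ConstantTimeCompare returns early on a
	// length mismatch.)
	matchWrite := 0
	for _, k := range sruntime.cfg.Auth.APIKey {
		matchWrite |= subtle.ConstantTimeCompare(presented, []byte(k))
	}
	matchRO := 0
	for _, k := range sruntime.cfg.Auth.ROAPIKey {
		matchRO |= subtle.ConstantTimeCompare(presented, []byte(k))
	}

	switch {
	case matchWrite == 1:
		return true, true
	case matchRO == 1:
		return true, false
	default:
		return false, false
	}
}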
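// hawkAuth validates a Hawk-signed request against the configured Hawk
// credentials. It returns (valid, canWrite): an ID found in
// sruntime.cfg.Auth.Hawk grants write access, an ID found in
// sruntime.cfg.Auth.ROHawk grants read-only access.
//
// Any request that is not GET or DELETE must carry a Content-Type, and any
// request with a Content-Type must carry a valid Hawk payload hash over its
// body. The body is buffered and handed back to r so the wrapped handler can
// still read it.
func hawkAuth(r *http.Request) (bool, bool) {
	wr := false
	credsLookupFunc := func(creds *hawk.Credentials) error {
		// "-" is a placeholder key for IDs that are not configured; the
		// lookup error below is what actually rejects them.
		creds.Key = "-"
		creds.Hash = sha256.New
		if key, ok := sruntime.cfg.Auth.Hawk[creds.ID]; ok {
			wr = true
			creds.Key = key
			return nil
		}
		if key, ok := sruntime.cfg.Auth.ROHawk[creds.ID]; ok {
			creds.Key = key
			return nil
		}
		return errors.New("unknown hawk id")
	}
	// NOTE(review): every nonce is accepted, so a captured request can be
	// replayed for as long as its timestamp stays within the hawk skew
	// window. A short-lived cache keyed on (id, nonce, timestamp) would
	// close this; it is left as-is here because it needs shared state.
	nonceCheckFunc := func(n string, t time.Time, creds *hawk.Credentials) bool { return true }

	auth, err := hawk.NewAuthFromRequest(r, credsLookupFunc, nonceCheckFunc)
	if err != nil {
		// Warn rather than Warnf(err.Error()): an error containing '%' must
		// not be interpreted as a format string.
		log.Warn(err)
		return false, false
	}
	if err = auth.Valid(); err != nil {
		log.Warn(err)
		return false, false
	}

	contentType := r.Header.Get("Content-Type")
	if r.Method != "GET" && r.Method != "DELETE" && contentType == "" {
		log.Warnf("hawk: missing content-type")
		return false, false
	}
	if contentType == "" {
		// GET/DELETE without a body: the header MAC alone is sufficient.
		return true, wr
	}

	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		log.Warn(err)
		return false, false
	}
	// NOTE(review): ReadAll is unbounded and runs before the payload hash is
	// verified, so a caller without valid credentials can still make the
	// server buffer an arbitrarily large body. A request size cap at the
	// server or handler layer (e.g. http.MaxBytesReader) would limit this.
	buf, err := ioutil.ReadAll(r.Body)
	if err != nil {
		log.Warn(err)
		return false, false
	}
	// Restore the body so the handler behind auth can read it.
	r.Body = ioutil.NopCloser(bytes.NewBuffer(buf))

	hash := auth.PayloadHash(mediaType)
	if _, err = io.Copy(hash, bytes.NewReader(buf)); err != nil {
		log.Warn(err)
		return false, false
	}
	if !auth.ValidHash(hash) {
		log.Warnf("hawk: invalid payload hash")
		return false, false
	}
	return true, wr
}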