package main
import "net/http"
import (
"errors"
"github.com/Sirupsen/logrus"
"github.com/gorilla/context"
)
// AccessRightsCheck is a middleware that will check if the key being used to access the API has
// permission to access the specific version. If no permission data is in the SessionState, then
// it is assumed that the user can go through.
//
// Note that this is fail-open by design: a key whose AccessRights map is empty is not
// restricted by this middleware at all, so per-API restriction relies on every issued key
// carrying an explicit AccessRights entry for the APIs it may reach.
type AccessRightsCheck struct {
	TykMiddleware // embedded base middleware; the a.Spec used by ProcessRequest is promoted from here
}
// New lets you do any initialisations for the object; this middleware has no state to set up,
// so it is intentionally a no-op.
func (a *AccessRightsCheck) New() {}
// GetConfig retrieves the configuration from the API config - we use mapstructure for this for simplicity.
// This middleware consumes no configuration, so it always returns a nil config and no error.
func (a *AccessRightsCheck) GetConfig() (interface{}, error) {
	var cfg interface{} // nothing to configure
	return cfg, nil
}
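// ProcessRequest will run any checks on the request on the way through the system, return an error to have the chain fail.
//
// Decision logic:
//   - A session with no AccessRights entries is not restricted by this middleware and
//     passes straight through (fail-open for keys without per-API rights — by design,
//     see the type comment).
//   - Otherwise the key must list a.Spec.APIID in its AccessRights and, unless the API
//     is NotVersioned, the requested version must appear in that entry's Versions.
//
// w and configuration are unused. Returns (nil, 200) when the request may proceed, or
// (err, 403) when it is denied. A request that reaches this middleware without a
// SessionState stored under SessionData is denied with 403 instead of panicking on the
// type assertion, so the middleware fails closed rather than crashing the handler.
func (a *AccessRightsCheck) ProcessRequest(w http.ResponseWriter, r *http.Request, configuration interface{}) (error, int) {
	accessingVersion := a.Spec.getVersionFromRequest(r)
	authHeaderValue := context.Get(r, AuthHeaderValue)

	// Fail closed: a missing or mistyped session value means no earlier middleware
	// attached a session to this request, so deny rather than panic.
	thisSessionState, ok := context.Get(r, SessionData).(SessionState)
	if !ok {
		log.WithFields(logrus.Fields{
			"path":          r.URL.Path,
			"origin":        r.RemoteAddr,
			"session_found": false,
		}).Info("Attempted access without session data.")
		return errors.New("Access to this API has been disallowed"), 403
	}

	// If there's nothing in our profile, we let them through to the next phase.
	if len(thisSessionState.AccessRights) == 0 {
		return nil, 200
	}

	versionList, apiExists := thisSessionState.AccessRights[a.Spec.APIID]
	if !apiExists {
		// NOTE(review): "key" is the raw auth header value, so this writes the credential
		// itself into the Info log stream; consider a truncated or hashed form.
		log.WithFields(logrus.Fields{
			"path":      r.URL.Path,
			"origin":    r.RemoteAddr,
			"key":       authHeaderValue,
			"api_found": false,
		}).Info("Attempted access to unauthorised API.")
		return errors.New("Access to this API has been disallowed"), 403
	}

	// Not versioned: no point checking version access rights.
	if a.Spec.VersionData.NotVersioned {
		return nil, 200
	}

	// Find the requested version in the key's access details for this API.
	for _, vInfo := range versionList.Versions {
		if vInfo == accessingVersion {
			return nil, 200
		}
	}

	// NOTE(review): same raw-credential logging concern as above.
	log.WithFields(logrus.Fields{
		"path":          r.URL.Path,
		"origin":        r.RemoteAddr,
		"key":           authHeaderValue,
		"api_found":     true,
		"version_found": false,
	}).Info("Attempted access to unauthorised API version.")
	return errors.New("Access to this API has been disallowed"), 403
}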
//// New creates a new HttpHandler for the alice middleware package
//func (a AccessRightsCheck) New() func(http.Handler) http.Handler {
// aliceHandler := func(h http.Handler) http.Handler {
// thisHandler := func(w http.ResponseWriter, r *http.Request) {
//
// accessingVersion := a.Spec.getVersionFromRequest(r)
// thisSessionState := context.Get(r, SessionData).(SessionState)
// authHeaderValue := context.Get(r, AuthHeaderValue)
//
// // If there's nothing in our profile, we let them through to the next phase
// if len(thisSessionState.AccessRights) > 0 {
// // Otherwise, run auth checks
// versionList, apiExists := thisSessionState.AccessRights[a.Spec.APIID]
// if !apiExists {
// log.WithFields(logrus.Fields{
// "path": r.URL.Path,
// "origin": r.RemoteAddr,
// "key": authHeaderValue,
// "api_found": false,
// }).Info("Attempted access to unauthorised API.")
// handler := ErrorHandler{a.TykMiddleware}
// handler.HandleError(w, r, "Access to this API has been disallowed", 403)
// return
// }
//
// // Find the version in their key access details
// found := false
// if a.Spec.VersionData.NotVersioned {
// // Not versioned, no point checking version access rights
// found = true
// } else {
// for _, vInfo := range versionList.Versions {
// if vInfo == accessingVersion {
// found = true
// break
// }
// }
// }
//
// if !found {
// // Not found? Bounce
// log.WithFields(logrus.Fields{
// "path": r.URL.Path,
// "origin": r.RemoteAddr,
// "key": authHeaderValue,
// "api_found": true,
// "version_found": false,
// }).Info("Attempted access to unauthorised API version.")
// handler := ErrorHandler{a.TykMiddleware}
// handler.HandleError(w, r, "Access to this API has been disallowed", 403)
// return
// }
// }
//
// // No gates failed, request is valid, carry on
// h.ServeHTTP(w, r)
// }
//
// return http.HandlerFunc(thisHandler)
// }
//
// return aliceHandler
//}