closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10016 Commits
2 Branches
178 MiB
Tree: 3270e7a443
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3270e7a443'
${ noResults }
gitea/vendor/github.com/go-openapi/runtime/security/authenticator.go

276 lines
8.8 KiB
Raw Normal View History

Use vendored go-swagger (#8087) * Use vendored go-swagger * vendor go-swagger * revert un wanteed change * remove un-needed GO111MODULE * Update Makefile Co-Authored-By: techknowlogick <matti@mdranta.net>
4 years ago
[Vendor] update go-swagger v0.21.0 -> v0.25.0 (#12670) * Update go-swagger * vendor
3 years ago
Use vendored go-swagger (#8087) * Use vendored go-swagger * vendor go-swagger * revert un wanteed change * remove un-needed GO111MODULE * Update Makefile Co-Authored-By: techknowlogick <matti@mdranta.net>
4 years ago
 
  1. // Copyright 2015 go-swagger maintainers

  2. //

  3. // Licensed under the Apache License, Version 2.0 (the "License");

  4. // you may not use this file except in compliance with the License.

  5. // You may obtain a copy of the License at

  6. //

  7. //    http://www.apache.org/licenses/LICENSE-2.0

  8. //

  9. // Unless required by applicable law or agreed to in writing, software

  10. // distributed under the License is distributed on an "AS IS" BASIS,

  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  12. // See the License for the specific language governing permissions and

  13. // limitations under the License.

  14. 

  15. package security
  16. 

  17. import (
  18. 	"context"
  19. 	"net/http"
  20. 	"strings"
  21. 

  22. 	"github.com/go-openapi/errors"
  23. 

  24. 	"github.com/go-openapi/runtime"
  25. )
  26. 

  27. const (
  28. 	query  = "query"
  29. 	header = "header"
  30. )
  31. 

  32. // HttpAuthenticator is a function that authenticates a HTTP request

  33. func HttpAuthenticator(handler func(*http.Request) (bool, interface{}, error)) runtime.Authenticator {
  34. 	return runtime.AuthenticatorFunc(func(params interface{}) (bool, interface{}, error) {
  35. 		if request, ok := params.(*http.Request); ok {
  36. 			return handler(request)
  37. 		}
  38. 		if scoped, ok := params.(*ScopedAuthRequest); ok {
  39. 			return handler(scoped.Request)
  40. 		}
  41. 		return false, nil, nil
  42. 	})
  43. }
  44. 

  45. // ScopedAuthenticator is a function that authenticates a HTTP request against a list of valid scopes

  46. func ScopedAuthenticator(handler func(*ScopedAuthRequest) (bool, interface{}, error)) runtime.Authenticator {
  47. 	return runtime.AuthenticatorFunc(func(params interface{}) (bool, interface{}, error) {
  48. 		if request, ok := params.(*ScopedAuthRequest); ok {
  49. 			return handler(request)
  50. 		}
  51. 		return false, nil, nil
  52. 	})
  53. }
  54. 

  55. // UserPassAuthentication authentication function

  56. type UserPassAuthentication func(string, string) (interface{}, error)
  57. 

  58. // UserPassAuthenticationCtx authentication function with context.Context

  59. type UserPassAuthenticationCtx func(context.Context, string, string) (context.Context, interface{}, error)
  60. 

  61. // TokenAuthentication authentication function

  62. type TokenAuthentication func(string) (interface{}, error)
  63. 

  64. // TokenAuthenticationCtx authentication function with context.Context

  65. type TokenAuthenticationCtx func(context.Context, string) (context.Context, interface{}, error)
  66. 

  67. // ScopedTokenAuthentication authentication function

  68. type ScopedTokenAuthentication func(string, []string) (interface{}, error)
  69. 

  70. // ScopedTokenAuthenticationCtx authentication function with context.Context

  71. type ScopedTokenAuthenticationCtx func(context.Context, string, []string) (context.Context, interface{}, error)
  72. 

  73. var DefaultRealmName = "API"
  74. 

  75. type secCtxKey uint8
  76. 

  77. const (
  78. 	failedBasicAuth secCtxKey = iota
  79. 	oauth2SchemeName
  80. )
  81. 

  82. func FailedBasicAuth(r *http.Request) string {
  83. 	return FailedBasicAuthCtx(r.Context())
  84. }
  85. 

  86. func FailedBasicAuthCtx(ctx context.Context) string {
  87. 	v, ok := ctx.Value(failedBasicAuth).(string)
  88. 	if !ok {
  89. 		return ""
  90. 	}
  91. 	return v
  92. }
  93. 

  94. func OAuth2SchemeName(r *http.Request) string {
  95. 	return OAuth2SchemeNameCtx(r.Context())
  96. }
  97. 

  98. func OAuth2SchemeNameCtx(ctx context.Context) string {
  99. 	v, ok := ctx.Value(oauth2SchemeName).(string)
  100. 	if !ok {
  101. 		return ""
  102. 	}
  103. 	return v
  104. }
  105. 

  106. // BasicAuth creates a basic auth authenticator with the provided authentication function

  107. func BasicAuth(authenticate UserPassAuthentication) runtime.Authenticator {
  108. 	return BasicAuthRealm(DefaultRealmName, authenticate)
  109. }
  110. 

  111. // BasicAuthRealm creates a basic auth authenticator with the provided authentication function and realm name

  112. func BasicAuthRealm(realm string, authenticate UserPassAuthentication) runtime.Authenticator {
  113. 	if realm == "" {
  114. 		realm = DefaultRealmName
  115. 	}
  116. 

  117. 	return HttpAuthenticator(func(r *http.Request) (bool, interface{}, error) {
  118. 		if usr, pass, ok := r.BasicAuth(); ok {
  119. 			p, err := authenticate(usr, pass)
  120. 			if err != nil {
  121. 				*r = *r.WithContext(context.WithValue(r.Context(), failedBasicAuth, realm))
  122. 			}
  123. 			return true, p, err
  124. 		}
  125. 		*r = *r.WithContext(context.WithValue(r.Context(), failedBasicAuth, realm))
  126. 		return false, nil, nil
  127. 	})
  128. }
  129. 

  130. // BasicAuthCtx creates a basic auth authenticator with the provided authentication function with support for context.Context

  131. func BasicAuthCtx(authenticate UserPassAuthenticationCtx) runtime.Authenticator {
  132. 	return BasicAuthRealmCtx(DefaultRealmName, authenticate)
  133. }
  134. 

  135. // BasicAuthRealmCtx creates a basic auth authenticator with the provided authentication function and realm name with support for context.Context

  136. func BasicAuthRealmCtx(realm string, authenticate UserPassAuthenticationCtx) runtime.Authenticator {
  137. 	if realm == "" {
  138. 		realm = DefaultRealmName
  139. 	}
  140. 

  141. 	return HttpAuthenticator(func(r *http.Request) (bool, interface{}, error) {
  142. 		if usr, pass, ok := r.BasicAuth(); ok {
  143. 			ctx, p, err := authenticate(r.Context(), usr, pass)
  144. 			if err != nil {
  145. 				ctx = context.WithValue(ctx, failedBasicAuth, realm)
  146. 			}
  147. 			*r = *r.WithContext(ctx)
  148. 			return true, p, err
  149. 		}
  150. 		*r = *r.WithContext(context.WithValue(r.Context(), failedBasicAuth, realm))
  151. 		return false, nil, nil
  152. 	})
  153. }
  154. 

  155. // APIKeyAuth creates an authenticator that uses a token for authorization.

  156. // This token can be obtained from either a header or a query string

  157. func APIKeyAuth(name, in string, authenticate TokenAuthentication) runtime.Authenticator {
  158. 	inl := strings.ToLower(in)
  159. 	if inl != query && inl != header {
  160. 		// panic because this is most likely a typo

  161. 		panic(errors.New(500, "api key auth: in value needs to be either \"query\" or \"header\"."))
  162. 	}
  163. 

  164. 	var getToken func(*http.Request) string
  165. 	switch inl {
  166. 	case header:
  167. 		getToken = func(r *http.Request) string { return r.Header.Get(name) }
  168. 	case query:
  169. 		getToken = func(r *http.Request) string { return r.URL.Query().Get(name) }
  170. 	}
  171. 

  172. 	return HttpAuthenticator(func(r *http.Request) (bool, interface{}, error) {
  173. 		token := getToken(r)
  174. 		if token == "" {
  175. 			return false, nil, nil
  176. 		}
  177. 

  178. 		p, err := authenticate(token)
  179. 		return true, p, err
  180. 	})
  181. }
  182. 

  183. // APIKeyAuthCtx creates an authenticator that uses a token for authorization with support for context.Context.

  184. // This token can be obtained from either a header or a query string

  185. func APIKeyAuthCtx(name, in string, authenticate TokenAuthenticationCtx) runtime.Authenticator {
  186. 	inl := strings.ToLower(in)
  187. 	if inl != query && inl != header {
  188. 		// panic because this is most likely a typo

  189. 		panic(errors.New(500, "api key auth: in value needs to be either \"query\" or \"header\"."))
  190. 	}
  191. 

  192. 	var getToken func(*http.Request) string
  193. 	switch inl {
  194. 	case header:
  195. 		getToken = func(r *http.Request) string { return r.Header.Get(name) }
  196. 	case query:
  197. 		getToken = func(r *http.Request) string { return r.URL.Query().Get(name) }
  198. 	}
  199. 

  200. 	return HttpAuthenticator(func(r *http.Request) (bool, interface{}, error) {
  201. 		token := getToken(r)
  202. 		if token == "" {
  203. 			return false, nil, nil
  204. 		}
  205. 

  206. 		ctx, p, err := authenticate(r.Context(), token)
  207. 		*r = *r.WithContext(ctx)
  208. 		return true, p, err
  209. 	})
  210. }
  211. 

  212. // ScopedAuthRequest contains both a http request and the required scopes for a particular operation

  213. type ScopedAuthRequest struct {
  214. 	Request        *http.Request
  215. 	RequiredScopes []string
  216. }
  217. 

  218. // BearerAuth for use with oauth2 flows

  219. func BearerAuth(name string, authenticate ScopedTokenAuthentication) runtime.Authenticator {
  220. 	const prefix = "Bearer "
  221. 	return ScopedAuthenticator(func(r *ScopedAuthRequest) (bool, interface{}, error) {
  222. 		var token string
  223. 		hdr := r.Request.Header.Get("Authorization")
  224. 		if strings.HasPrefix(hdr, prefix) {
  225. 			token = strings.TrimPrefix(hdr, prefix)
  226. 		}
  227. 		if token == "" {
  228. 			qs := r.Request.URL.Query()
  229. 			token = qs.Get("access_token")
  230. 		}
  231. 		//#nosec

  232. 		ct, _, _ := runtime.ContentType(r.Request.Header)
  233. 		if token == "" && (ct == "application/x-www-form-urlencoded" || ct == "multipart/form-data") {
  234. 			token = r.Request.FormValue("access_token")
  235. 		}
  236. 

  237. 		if token == "" {
  238. 			return false, nil, nil
  239. 		}
  240. 

  241. 		rctx := context.WithValue(r.Request.Context(), oauth2SchemeName, name)
  242. 		*r.Request = *r.Request.WithContext(rctx)
  243. 		p, err := authenticate(token, r.RequiredScopes)
  244. 		return true, p, err
  245. 	})
  246. }
  247. 

  248. // BearerAuthCtx for use with oauth2 flows with support for context.Context.

  249. func BearerAuthCtx(name string, authenticate ScopedTokenAuthenticationCtx) runtime.Authenticator {
  250. 	const prefix = "Bearer "
  251. 	return ScopedAuthenticator(func(r *ScopedAuthRequest) (bool, interface{}, error) {
  252. 		var token string
  253. 		hdr := r.Request.Header.Get("Authorization")
  254. 		if strings.HasPrefix(hdr, prefix) {
  255. 			token = strings.TrimPrefix(hdr, prefix)
  256. 		}
  257. 		if token == "" {
  258. 			qs := r.Request.URL.Query()
  259. 			token = qs.Get("access_token")
  260. 		}
  261. 		//#nosec

  262. 		ct, _, _ := runtime.ContentType(r.Request.Header)
  263. 		if token == "" && (ct == "application/x-www-form-urlencoded" || ct == "multipart/form-data") {
  264. 			token = r.Request.FormValue("access_token")
  265. 		}
  266. 

  267. 		if token == "" {
  268. 			return false, nil, nil
  269. 		}
  270. 

  271. 		rctx := context.WithValue(r.Request.Context(), oauth2SchemeName, name)
  272. 		ctx, p, err := authenticate(rctx, token, r.RequiredScopes)
  273. 		*r.Request = *r.Request.WithContext(ctx)
  274. 		return true, p, err
  275. 	})
  276. }