v5.10.1

分支 (195)

标签 (247)

管理

管理

main

fallbackPipeline

sudhanshu#5009/DOS-fix

change-password-feature

bugfix/manualCheckExe_5002

sudhanshu#2608-fix

francis#2608-fix

feature/new-silence-attributes

bugfix/5002_manualCheckexe

develop/6

release/6.11

feature-silenced-change

sudhanshu/5009

500

dependabot/go_modules/golang.org/x/crypto-0.17.0

fix-types-wrapper-lift

bump-core-modules

dependabot/go_modules/google.golang.org/grpc-1.56.3

remove-context-emptyCtx-assertions

justin-debug

v6.11.0

types/v0.13.0

types/v0.12.0-alpha10

types/v0.12.0-alpha9

v7.0.0-alpha1

v6.10.0

v6.9.2

types/v0.12.0

types/v0.12.0-alpha8

types/v0.12.0-alpha7

v6.9.1

v6.9.0

types/v0.12.0-alpha6

types/v0.12.0-alpha5

types/v0.12.0-alpha4

types/v0.12.0-alpha3

types/v0.12.0-alpha2

types/v0.12.0-alpha1

v6.8.2

api/core/v2.16.0

sensu-go
/
backend
/
apid
/
middlewares
/
authentication.go

package middlewares

import (
	"context"
	"net/http"

	"github.com/sensu/sensu-go/backend/apid/actions"
	"github.com/sensu/sensu-go/backend/authentication/jwt"
	"github.com/sensu/sensu-go/types"
)

// AuthStore specifies the storage requirements for auth types.
type AuthStore interface {
	// AuthenticateUser attempts to authenticate a user with the given username
	// and hashed password. An error is returned if the user does not exist, is
	// disabled or the given password does not match.
	AuthenticateUser(ctx context.Context, user, pass string) (*types.User, error)
}

// Authentication is a HTTP middleware that enforces authentication
type Authentication struct {
	// IgnoreUnauthorized configures the middleware to continue the handler chain
	// in the case where an access token was not present.
	IgnoreUnauthorized bool
}

// Then middleware
func (a Authentication) Then(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		tokenString := jwt.ExtractBearerToken(r)
		if tokenString != "" {
			token, err := jwt.ValidateToken(tokenString)
			if err != nil {
				logger.WithError(err).Warn("invalid token")
				writeErr(w, actions.NewErrorf(actions.Unauthenticated, "invalid credentials"))
				return
			}

			// Set the claims into the request context
			ctx = jwt.SetClaimsIntoContext(r, token.Claims.(*types.Claims))
			next.ServeHTTP(w, r.WithContext(ctx))

			return
		}

		// The user is not authenticated
		if a.IgnoreUnauthorized {
			next.ServeHTTP(w, r.WithContext(ctx))
			return
		}

		writeErr(w, actions.NewErrorf(actions.Unauthenticated, "bad credentials"))
	})
}

// BasicAuthentication is HTTP middleware for basic authentication
func BasicAuthentication(next http.Handler, store AuthStore) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		username, password, ok := r.BasicAuth()
		if !ok {
			writeErr(w, actions.NewErrorf(actions.Unauthenticated, "missing credentials"))
			return
		}

		// Authenticate against the provider
		user, err := store.AuthenticateUser(r.Context(), username, password)
		if err != nil {
			logger.
				WithField("user", username).
				WithError(err).
				Error("invalid username and/or password")
			writeErr(w, actions.NewErrorf(actions.Unauthenticated, "bad credentials"))
			return
		}

		// The user was authenticated against the local store, therefore add the
		// system:user group so it can view itself and change its password
		user.Groups = append(user.Groups, "system:user")

		// TODO: eventually break out authroization details in context from jwt
		// claims; in this method they are too tightly bound
		claims, _ := jwt.NewClaims(user)
		ctx := jwt.SetClaimsIntoContext(r, claims)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}