github.com/billybanfield/evergreen@v0.0.0-20170525200750-eeee692790f7/apiv3/route/authenticator.go

github.com/billybanfield/evergreen@v0.0.0-20170525200750-eeee692790f7/apiv3/route/authenticator.go (about)

     1  package route
     2  
     3  import (
     4  	"net/http"
     5  
     6  	"github.com/evergreen-ci/evergreen/apiv3"
     7  	"github.com/evergreen-ci/evergreen/apiv3/servicecontext"
     8  	"github.com/evergreen-ci/evergreen/auth"
     9  	"github.com/evergreen-ci/evergreen/util"
    10  )
    11  
    12  // Authenticator is an interface which defines how requests can authenticate
    13  // against the API service.
    14  type Authenticator interface {
    15  	Authenticate(servicecontext.ServiceContext, *http.Request) error
    16  }
    17  
    18  // NoAuthAuthenticator is an authenticator which allows all requests to pass
    19  // through.
    20  type NoAuthAuthenticator struct{}
    21  
    22  // Authenticate does not examine the request and allows all requests to pass
    23  // through.
    24  func (n *NoAuthAuthenticator) Authenticate(sc servicecontext.ServiceContext,
    25  	r *http.Request) error {
    26  	return nil
    27  }
    28  
    29  // SuperUserAuthenticator only allows user in the SuperUsers field of the
    30  // settings file to complete the request
    31  type SuperUserAuthenticator struct{}
    32  
    33  // Authenticate fetches the user information from the http request
    34  // and checks if it matches the users in the settings file. If no SuperUsers
    35  // exist in the settings file, all users are considered super. It returns
    36  // 'NotFound' errors to prevent leaking sensitive information.
    37  func (s *SuperUserAuthenticator) Authenticate(sc servicecontext.ServiceContext,
    38  	r *http.Request) error {
    39  	u := GetUser(r)
    40  
    41  	if auth.IsSuperUser(sc.GetSuperUsers(), u) {
    42  		return nil
    43  	}
    44  	return apiv3.APIError{
    45  		StatusCode: http.StatusNotFound,
    46  		Message:    "Not found",
    47  	}
    48  }
    49  
    50  // ProjectOwnerAuthenticator only allows the owner of the project and
    51  // superusers access to the information. It requires that the project be
    52  // available and that the user also be set.
    53  type ProjectAdminAuthenticator struct{}
    54  
    55  // ProjectAdminAuthenticator checks that the user is either a super user or is
    56  // part of the project context's project admins.
    57  func (p *ProjectAdminAuthenticator) Authenticate(sc servicecontext.ServiceContext,
    58  	r *http.Request) error {
    59  	projCtx := MustHaveProjectContext(r)
    60  	u := GetUser(r)
    61  
    62  	// If either a superuser or admin, request is allowed to proceed.
    63  	if auth.IsSuperUser(sc.GetSuperUsers(), u) ||
    64  		util.SliceContains(projCtx.ProjectRef.Admins, u.Username()) {
    65  		return nil
    66  	}
    67  
    68  	return apiv3.APIError{
    69  		StatusCode: http.StatusNotFound,
    70  		Message:    "Not found",
    71  	}
    72  }
    73  
    74  // RequireUserAuthenticator requires that a user be attached to a request.
    75  type RequireUserAuthenticator struct{}
    76  
    77  // Authenticate checks that a user is set on the request. If one is
    78  // set, it is because PrefetchUser already set it, which checks the validity of
    79  // the APIKey, so that is no longer needed to be checked.
    80  func (rua *RequireUserAuthenticator) Authenticate(sc servicecontext.ServiceContext,
    81  	r *http.Request) error {
    82  	u := GetUser(r)
    83  	if u == nil {
    84  		return apiv3.APIError{
    85  			StatusCode: http.StatusNotFound,
    86  			Message:    "Not found",
    87  		}
    88  
    89  	}
    90  	return nil
    91  }