github.com/greenpau/go-authcrunch@v1.0.50/pkg/authn/respond_json.go (about) 1 // Copyright 2022 Paul Greenberg greenpau@outlook.com 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package authn 16 17 import ( 18 "context" 19 "encoding/json" 20 "github.com/greenpau/go-authcrunch/pkg/requests" 21 addrutil "github.com/greenpau/go-authcrunch/pkg/util/addr" 22 "go.uber.org/zap" 23 "net/http" 24 "strings" 25 "time" 26 ) 27 28 // AccessDeniedResponse is the access denied response. 29 type AccessDeniedResponse struct { 30 Error bool `json:"error,omitempty" xml:"error,omitempty" yaml:"error,omitempty"` 31 Message string `json:"message,omitempty" xml:"message,omitempty" yaml:"message,omitempty"` 32 Timestamp string `json:"timestamp,omitempty" xml:"timestamp,omitempty" yaml:"timestamp,omitempty"` 33 } 34 35 func newAccessDeniedResponse(msg string) *AccessDeniedResponse { 36 return &AccessDeniedResponse{ 37 Error: true, 38 Message: msg, 39 Timestamp: time.Now().UTC().Format(time.RFC3339Nano), 40 } 41 } 42 43 func (p *Portal) handleJSONErrorWithLog(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, code int, msg string) error { 44 p.logger.Warn( 45 "Access denied", 46 zap.String("session_id", rr.Upstream.SessionID), 47 zap.String("request_id", rr.ID), 48 zap.String("error", msg), 49 ) 50 switch code { 51 case http.StatusBadRequest: 52 return p.handleJSONError(ctx, w, code, "Bad Request") 53 case http.StatusForbidden: 54 return p.handleJSONError(ctx, w, code, "Forbidden") 55 case http.StatusInternalServerError: 56 return p.handleJSONError(ctx, w, code, "Internal Server Error") 57 } 58 return p.handleJSONError(ctx, w, code, "Access denied") 59 } 60 61 func (p *Portal) handleJSONError(ctx context.Context, w http.ResponseWriter, code int, msg string) error { 62 resp := newAccessDeniedResponse(msg) 63 respBytes, _ := json.Marshal(resp) 64 w.WriteHeader(code) 65 w.Write(respBytes) 66 return nil 67 } 68 69 func (p *Portal) handleJSON(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request) error { 70 p.disableClientCache(w) 71 p.injectSessionID(ctx, w, r, rr) 72 w.Header().Set("Content-Type", "application/json") 73 p.logger.Debug( 74 "Received JSON API request", 75 zap.String("session_id", rr.Upstream.SessionID), 76 zap.String("request_id", rr.ID), 77 zap.String("url_path", r.URL.Path), 78 zap.String("source_address", addrutil.GetSourceAddress(r)), 79 ) 80 81 usr, err := p.authorizeRequest(ctx, w, r, rr) 82 if err != nil { 83 return p.handleJSONErrorWithLog(ctx, w, r, rr, http.StatusUnauthorized, err.Error()) 84 } 85 86 switch { 87 case strings.Contains(r.URL.Path, "/login"): 88 return p.handleJSONLogin(ctx, w, r, rr) 89 case strings.Contains(r.URL.Path, "/whoami"): 90 return p.handleJSONWhoami(ctx, w, r, rr, usr) 91 case strings.Contains(r.URL.Path, "/beacon"): 92 return p.handleJSONBeacon(ctx, w, r, rr, usr) 93 } 94 95 if usr != nil { 96 p.logger.Debug( 97 "No route found", 98 zap.String("session_id", rr.Upstream.SessionID), 99 zap.String("request_id", rr.ID), 100 zap.Any("user", usr.Claims), 101 ) 102 return p.handleJSONError(ctx, w, http.StatusBadRequest, "Bad Request") 103 } 104 return p.handleJSONError(ctx, w, http.StatusUnauthorized, "Access denied") 105 }