gateway: only admin or the same logged user can create an user token

This commit is contained in:
Simone Gotti 2019-04-05 15:56:06 +02:00
parent 200aef20b9
commit ac28731d11
3 changed files with 56 additions and 12 deletions


@ -59,6 +59,7 @@ func (h *CreateUserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
u, err := h.ch.CreateUser(ctx, creq) u, err := h.ch.CreateUser(ctx, creq)
if httpError(w, err) { if httpError(w, err) {
h.log.Errorf("err: %+v", err)
return return
} }
@ -68,7 +69,6 @@ func (h *CreateUserHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
return return
} }
} }
type DeleteUserHandler struct { type DeleteUserHandler struct {
@ -375,12 +375,12 @@ type CreateUserTokenResponse struct {
} }
type CreateUserTokenHandler struct { type CreateUserTokenHandler struct {
log *zap.SugaredLogger log *zap.SugaredLogger
configstoreClient *csapi.Client ch *command.CommandHandler
} }
func NewCreateUserTokenHandler(logger *zap.Logger, configstoreClient *csapi.Client) *CreateUserTokenHandler { func NewCreateUserTokenHandler(logger *zap.Logger, ch *command.CommandHandler) *CreateUserTokenHandler {
return &CreateUserTokenHandler{log: logger.Sugar(), configstoreClient: configstoreClient} return &CreateUserTokenHandler{log: logger.Sugar(), ch: ch}
} }
func (h *CreateUserTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { func (h *CreateUserTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@ -395,20 +395,19 @@ func (h *CreateUserTokenHandler) ServeHTTP(w http.ResponseWriter, r *http.Reques
return return
} }
creq := &csapi.CreateUserTokenRequest{ creq := &command.CreateUserTokenRequest{
UserName: userName,
TokenName: req.TokenName, TokenName: req.TokenName,
} }
h.log.Infof("creating user %q token", userName) h.log.Infof("creating user %q token", userName)
cresp, _, err := h.configstoreClient.CreateUserToken(ctx, userName, creq) token, err := h.ch.CreateUserToken(ctx, creq)
if err != nil { if httpError(w, err) {
h.log.Errorf("err: %+v", err) h.log.Errorf("err: %+v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return return
} }
h.log.Infof("user %q token created", userName)
resp := &CreateUserTokenResponse{ resp := &CreateUserTokenResponse{
Token: cresp.Token, Token: token,
} }
if err := json.NewEncoder(w).Encode(resp); err != nil { if err := json.NewEncoder(w).Encode(resp); err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
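Review bot: The `h.log.Errorf("err: %+v", err)` added after the httpError check at the top of this section (and the identical line kept in the last hunk) logs every failure at error level, including errors that httpError has presumably already turned into a 4xx client response such as the new bad-request from the authorization check; if httpError does not log on its own, a lower level for client-caused errors would keep the error log meaningful. The success log this hunk removes now lives in the command layer, but the "creating user %q token" line is still emitted here while the command handler logs its own "creating user token", so each request records the start twice; keeping only one of them, e.g. the handler's `h.log.Infof("creating user %q token", userName)`, avoids the duplication. Both ServeHTTP bodies continue outside the hunks shown.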


@ -54,6 +54,51 @@ func (c *CommandHandler) CreateUser(ctx context.Context, req *CreateUserRequest)
return u, nil return u, nil
} }
type CreateUserTokenRequest struct {
UserName string
TokenName string
}
func (c *CommandHandler) CreateUserToken(ctx context.Context, req *CreateUserTokenRequest) (string, error) {
var userID string
userIDVal := ctx.Value("userid")
if userIDVal != nil {
userID = userIDVal.(string)
}
isAdmin := false
isAdminVal := ctx.Value("admin")
if isAdminVal != nil {
isAdmin = isAdminVal.(bool)
}
userName := req.UserName
user, _, err := c.configstoreClient.GetUserByName(ctx, userName)
if err != nil {
return "", errors.Wrapf(err, "failed to get user %q", userID)
}
// only admin or the same logged user can create a token
if !isAdmin && user.ID != userID {
return "", util.NewErrBadRequest(errors.Errorf("logged in user cannot create token for another user"))
}
if _, ok := user.Tokens[req.TokenName]; ok {
return "", util.NewErrBadRequest(errors.Errorf("user %q already have a token with name %q", userName, req.TokenName))
}
c.log.Infof("creating user token")
creq := &csapi.CreateUserTokenRequest{
TokenName: req.TokenName,
}
res, _, err := c.configstoreClient.CreateUserToken(ctx, userName, creq)
if err != nil {
return "", errors.Wrapf(err, "failed to create user token")
}
c.log.Infof("token %q for user %q created", req.TokenName, userName)
return res.Token, nil
}
type CreateUserLARequest struct { type CreateUserLARequest struct {
UserName string UserName string
RemoteSourceName string RemoteSourceName string
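Review bot: The wrap on the GetUserByName failure names the wrong value: the lookup is by req.UserName but the message interpolates userID, so a failed lookup reports the caller's id instead of the requested user; it should read `return "", errors.Wrapf(err, "failed to get user %q", userName)`. The single-value type assertions on the "userid" and "admin" context values panic if a value of another type is ever stored under those keys; the two-value form, e.g. `if v, ok := userIDVal.(string); ok { userID = v }` and the same for isAdmin, falls back to the empty-user/non-admin path instead, which is the safe direction for an authorization check. Because the user lookup runs before the authorization comparison, a non-admin caller gets a different error for an unknown user name than for an existing user that is not theirs, which reveals whether a name exists if this route is reachable by any authenticated user; a comment stating that this is acceptable, or a uniform error for both cases, would settle it. Minor: the duplicate-token message should read "already has a token".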


@ -174,7 +174,7 @@ func (g *Gateway) Run(ctx context.Context) error {
createUserLAHandler := api.NewCreateUserLAHandler(logger, g.ch) createUserLAHandler := api.NewCreateUserLAHandler(logger, g.ch)
deleteUserLAHandler := api.NewDeleteUserLAHandler(logger, g.configstoreClient) deleteUserLAHandler := api.NewDeleteUserLAHandler(logger, g.configstoreClient)
createUserTokenHandler := api.NewCreateUserTokenHandler(logger, g.configstoreClient) createUserTokenHandler := api.NewCreateUserTokenHandler(logger, g.ch)
deleteUserTokenHandler := api.NewDeleteUserTokenHandler(logger, g.configstoreClient) deleteUserTokenHandler := api.NewDeleteUserTokenHandler(logger, g.configstoreClient)
remoteSourceHandler := api.NewRemoteSourceHandler(logger, g.configstoreClient) remoteSourceHandler := api.NewRemoteSourceHandler(logger, g.configstoreClient)