package routers import ( "reflect" "strings" "cloud.o-forge.io/core/deprecated-oc-catalog/controllers" "cloud.o-forge.io/core/deprecated-oc-catalog/models" "github.com/beego/beego/v2/core/logs" beego "github.com/beego/beego/v2/server/web" "github.com/beego/beego/v2/server/web/context" "github.com/beego/beego/v2/server/web/swagger" ) func setStatus403(ctx *context.Context) { ctx.Output.SetStatus(403) ctx.Output.Body([]byte("")) } // TODO: Force swagger regeneration during startup to ensure consistency func initAuthMiddleware() { var FilterAuthTags = func(ctx *context.Context) { patternMatch := ctx.Input.GetData("RouterPattern").(string) patternMatchPath := strings.Replace(patternMatch, rootapi.BasePath, "", 1) //Discovery path if patternMatch == "/" { return } // First letter Uppercase and the rest lowercase reqMethod := strings.ToUpper(string(ctx.Request.Method[0])) + strings.ToLower(string(ctx.Request.Method[1:])) val := reflect.ValueOf(rootapi.Paths[patternMatchPath]). Elem().FieldByName(reqMethod). Elem().Interface().(swagger.Operation) // Make sure never omit a security declaration canaryVar := false for _, securityItem := range val.Security { canaryVar = true for securityItemName := range securityItem { switch t := rootapi.SecurityDefinitions[securityItemName]; t.Type { case "basic": user, pass, containBasic := ctx.Request.BasicAuth() if containBasic { if models.Login(user, pass) { //TODO: Decide behaviour with multiple security return } ctx.Output.SetStatus(403) ctx.Output.Body([]byte("")) //We must create some kind of output to force beego abort the request return } ctx.Output.Header("WWW-Authenticate", `Basic realm="Restricted"`) ctx.Output.SetStatus(401) ctx.Output.Body([]byte("")) //We must create some kind of output to force beego abort the request return case "apiKey": var jwtTokenString string switch t.In { case "header": jwtTokenString = ctx.Request.Header.Get(t.Name) case "query": jwtTokenString = ctx.Request.URL.Query().Get(t.Name) default: logs.Warn("BUG: API auth with token of type " + t.In + " not implemented.") setStatus403(ctx) return } if jwtTokenString != "" { // We have a token _, err := controllers.IsValidToken(jwtTokenString) if err != nil { //Bad token ctx.Output.SetStatus(401) ctx.Output.Body([]byte(err.Error())) return } ctx.Input.SetData("jwtAPIToken", jwtTokenString) return //Go to Controller } // No token at all logs.Debug("No access token provided") setStatus403(ctx) return default: ctx.Output.SetStatus(501) ctx.Output.Body([]byte("Authentication with " + t.Type + " not implemented")) return } } } if canaryVar { // If we are here, that means some Security declaration exist and was skipped. // Must avoid giving access, but should inform about it logs.Critical("Probably a BUG related to authentication process") setStatus403(ctx) } } beego.InsertFilter("/*", beego.BeforeExec, FilterAuthTags) }