Marko Tikvić / webutility

Browse Code »

Commit 33d137a67174c4877300a83d5741f58c3f160c65

Authored by Marko Tikvić 2017-02-08 15:54:51 +0100

1 parent 3a5383589b

Exists in master and in 1 other branch

Functional role checking for API endpoints.

Showing 3 changed files with 61 additions and 9 deletions Show diff stats

auth_utility.go

Diff comments View file @33d137a

 package webutility
 import (
 	"errors"
 	"time"
 	"crypto/sha256"
 	"crypto/rand"
 	"encoding/hex"
 	"strings"
+	"net/http"
 	"github.com/dgrijalva/jwt-go"
+	"fmt"
 )
 const OneDay   = time.Hour*24
 const OneWeek  = OneDay*7
 const saltSize = 32
 const appName  = "korisnicki-centar"
 const secret   = "korisnicki-centar-api"
+const RoleAdmin    string = "ADMINISTRATOR"
+const RoleManager  string = "RUKOVODILAC"
+const RoleReporter string = "REPORTER"
+const RoleOperator string = "OPERATER"
 // TokenClaims are JWT token claims.
 type TokenClaims struct {
 	Username string `json:"username"`
 	Role     string `json:"role"`
 	jwt.StandardClaims
 }
 // CredentialsStruct is an instace of username/password values.
 type CredentialsStruct struct {
 	Username string `json:"username"`
 	Password string `json:"password"`
 }
 // generateSalt returns a string of random characters of 'saltSize' length.
 func generateSalt() (salt string, err error) {
 	rawsalt := make([]byte, saltSize)
 	_, err = rand.Read(rawsalt)
 	if err != nil {
 		return "", err
 	}
 	salt = hex.EncodeToString(rawsalt)
 	return salt, nil
 }
 // HashString hashes input string with SHA256 algorithm.
 // If the presalt parameter is not provided HashString will generate new salt string.
 // Returns hash and salt string or an error if it fails.
 func HashString(str string, presalt string) (hash, salt string, err error) {
 	// chech if message is presalted
 	if presalt == "" {
 		salt, err = generateSalt()
 		if err != nil {
 			return "", "", err
 		}
 	} else {
 		salt = presalt
 	}
 	// convert strings to raw byte slices
 	rawstr := []byte(str)
 	rawsalt, err := hex.DecodeString(salt)
 	if err != nil {
 		return "", "", err
 	}
 	rawdata := make([]byte, len(rawstr) + len(rawsalt))
 	rawdata = append(rawdata, rawstr...)
 	rawdata = append(rawdata, rawsalt...)
 	// hash message + salt
 	hasher := sha256.New()
 	hasher.Write(rawdata)
 	rawhash := hasher.Sum(nil)
 	hash = hex.EncodeToString(rawhash)
 	return hash, salt, nil
 }
 // CreateAPIToken returns JWT token with encoded username, role, expiration date and issuer claims.
 // It returns an error if it fails.
 func CreateAPIToken(username, role string) (string, error) {
 	var apiToken string
 	var err error
 	if err != nil {
 		return "", err
 	}
 	claims := TokenClaims{
 		username,
 		role,
 		jwt.StandardClaims{
 			ExpiresAt: (time.Now().Add(OneWeek)).Unix(),
 			Issuer:    appName,
 		},
 	}
 	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	apiToken, err = jwtToken.SignedString([]byte(secret))
 	if err != nil {
 		return "", err
 	}
 	return apiToken, nil
 }
 // RefreshAPIToken prolongs JWT token's expiration date for one week.
 // It returns new JWT token or an error if it fails.
 func RefreshAPIToken(tokenString string) (string, error) {
 	var newToken string
 	tokenString = strings.TrimPrefix(tokenString, "Bearer ")
 	token, err := jwt.ParseWithClaims(tokenString, &TokenClaims{}, secretFunc)
 	if err != nil {
 		return "", err
 	}
 	// type assertion
 	claims, ok := token.Claims.(*TokenClaims)
 	if !ok || !token.Valid {
 		return "", errors.New("token is not valid")
 	}
 	claims.ExpiresAt = (time.Now().Add(OneWeek)).Unix()
 	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	newToken, err = jwtToken.SignedString([]byte(secret))
 	if err != nil {
 		return "", err
 	}
 	return newToken, nil
 }
 // ParseAPIToken parses JWT token claims.
 // It returns a pointer to TokenClaims struct or an error if it fails.
 func ParseAPIToken(tokenString string) (*TokenClaims, error) {
 	if ok := strings.HasPrefix(tokenString, "Bearer "); ok {
 		tokenString = strings.TrimPrefix(tokenString, "Bearer ")
 	} else {
 		return &TokenClaims{}, errors.New("Authorization header is incomplete")
 	}
 	token, err := jwt.ParseWithClaims(tokenString, &TokenClaims{}, secretFunc)
 	if err != nil {
 		return &TokenClaims{}, err
 	}
 	// type assertion
 	claims, ok := token.Claims.(*TokenClaims)
 	if !ok || !token.Valid {
 		return &TokenClaims{}, errors.New("token is not valid")
 	}
 	return claims, nil
 }
+func GetTokenClaims(r *http.Request) (claims *TokenClaims, err error) {
+	token := r.Header.Get("Authorization")
+	if ok := strings.HasPrefix(token, "Bearer "); ok {
+		token = strings.TrimPrefix(token, "Bearer ")
+	} else {
+		return &TokenClaims{}, errors.New("Authorization header is incomplete")
+	}
+	parsedToken, err := jwt.ParseWithClaims(token, &TokenClaims{}, secretFunc)
+	if err != nil {
+		return &TokenClaims{}, err
+	}
+	// type assertion
+	claims, ok := parsedToken.Claims.(*TokenClaims)
+	if !ok || !parsedToken.Valid {
+		return &TokenClaims{}, errors.New("token is not valid")
+	}
+	return claims, err
+}
 // secretFunc returns byte slice of API secret keyword.
 func secretFunc(token *jwt.Token) (interface{}, error) {
 	return []byte(secret), nil
 }
+// roleAuthorized returns true if role from userClaims matches any of the authorizedRoles
+// or if authorizedRoles contains "*".
+func roleAuthorized(authorizedRoles []string, userClaims *TokenClaims) bool {
+	if userClaims == nil {
+		return false
+	}
+	for _, r := range authorizedRoles {
+		fmt.Printf("comparing %s with %s\n", userClaims.Role, r)
+		if userClaims.Role == r || r == "*" {
+			return true
+		}
+	}
+	return false
+}

http_utility.go

Diff comments View file @33d137a

 package webutility
 import (
 	"net/http"
 	"encoding/json"
+	"fmt"
 )
 const templateHttpErr500_EN = "An internal server error has occurred."
 const templateHttpErr500_RS = "Došlo je do greške na serveru."
 const templateHttpErr400_EN = "Bad request: invalid request body."
 const templateHttpErr400_RS = "Neispravan zahtev."
 const templateHttpErr401_EN = "Unauthorized request."
 const templateHttpErr401_RS = "Neautorizovan zahtev."
 type httpError struct {
 	Error   []HttpErrorDesc `json:"error"`
 	Request string          `json:"request"`
 }
 type HttpErrorDesc struct {
 	Lang string `json:"lang"`
 	Desc string `json:"description"`
 }
 // ErrorResponse writes HTTP error to w.
 func ErrorResponse(w http.ResponseWriter, r *http.Request, code int, desc []HttpErrorDesc) {
 	err := httpError{ desc, r.Method + " " + r.URL.Path }
 	w.WriteHeader(code)
 	json.NewEncoder(w).Encode(err)
 }
 // BadRequestResponse writes HTTP error 400 to w.
 func BadRequestResponse(w http.ResponseWriter, req *http.Request) {
 	ErrorResponse(w, req, http.StatusBadRequest, []HttpErrorDesc{
 		{ "en", templateHttpErr400_EN },
 		{ "rs", templateHttpErr400_RS },
 	})
 }
 // InternalSeverErrorResponse writes HTTP error 500 to w.
 func InternalServerErrorResponse(w http.ResponseWriter, req *http.Request) {
 	ErrorResponse(w, req, http.StatusInternalServerError, []HttpErrorDesc{
 		{ "en", templateHttpErr500_EN },
 		{ "rs", templateHttpErr500_RS },
 	})
 }
 // UnauthorizedError writes HTTP error 401 to w.
 func UnauthorizedResponse(w http.ResponseWriter, req *http.Request) {
 	ErrorResponse(w, req, http.StatusUnauthorized, []HttpErrorDesc{
 		{ "en", templateHttpErr401_EN },
 		{ "rs", templateHttpErr401_RS },
 	})
 }
 // TODO: Check for content type
-// WrapHandler sets common headers, checks for token validity and performs access control.
+// WrapHandler sets common headers, checks for token validity and performs access control checks.
 // If authentication passes it calls the handlerFunc.
-func WrapHandler(handlerFunc http.HandlerFunc, auth bool) http.HandlerFunc {
+func WrapHandler(handlerFunc http.HandlerFunc, authorizedRoles []string) http.HandlerFunc {
 	return func(w http.ResponseWriter, req *http.Request) {
 		w.Header().Set("Access-Control-Allow-Origin", "*")
 		w.Header().Set("Access-Control-Allow-Methods",
 			"POST, GET, PUT, DELETE, OPTIONS")
 		w.Header().Set("Access-Control-Allow-Headers",
 			`Accept, Content-Type, Content-Length,
 			Accept-Encoding, X-CSRF-Token, Authorization`)
 		w.Header().Set("Content-Type", "application/json; charset=utf-8")
 		if req.Method == "OPTIONS" {
 			return
 		}
-		if auth {
+		if authorizedRoles != nil {
 			token := req.Header.Get("Authorization")
-			if _, err := ParseAPIToken(token); err != nil {
+			claims, err := ParseAPIToken(token);
+			if err != nil || !roleAuthorized(authorizedRoles, claims) {
+				fmt.Printf("not authorized %s %s...\n", claims.Username, claims.Role)
 				UnauthorizedResponse(w, req)
 				return
 			}
 		}
 		err := req.ParseForm()
 		if err != nil {
 			BadRequestResponse(w, req)
 			return
 		}
 		// execute HandlerFunc
 		handlerFunc(w, req)
 	}
 }
 // NotFoundHandler writes HTTP error 404 to w.
 func NotFoundHandler(w http.ResponseWriter, req *http.Request) {
 	ErrorResponse(w, req, http.StatusNotFound, []HttpErrorDesc{
 		{ "en", "Not found." },
 		{ "rs", "Traženi resurs ne postoji." },
 	})
 }

json_utility.go

Diff comments View file @33d137a

 package webutility
 import (
 	"net/http"
 	"encoding/json"
 	"errors"
 	"gopkg.in/rana/ora.v3"
 	"io"
 	"io/ioutil"
 	"sync"
 )
 var mu = &sync.Mutex{}
 var payloads []payloadBuff
 type LangMap map[string]map[string]string
 type Field struct {
 	Parameter  string `json:"param"`
 	Type       string `json:"type"`
 	Visible    bool   `json:"visible"`
 	Editable   bool   `json:"editable"`
 }
 type CorrelationField struct {
 	Result   string   `json:"result"`
 	Elements []string `json:"elements"`
 	Type     string   `json:"type"`
 }
 type Translation struct {
 	Language     string            `json:"language"`
 	FieldsLabels map[string]string `json:"fieldsLabels"`
 }
 type payloadBuff struct {
 	Type         string             `json:"tableType"`
 	Method	     string             `json:"method"`
 	Params	     map[string]string  `json:"params"`
 	Lang	     []Translation      `json:"lang"`
 	Fields	     []Field            `json:"fields"`
 	Correlations []CorrelationField `json:"correlationFields"`
 	IdField      string             `json:"idField"`
 	// Data can only hold slices of any type. It can't be used for itteration
 	Data	     interface{}        `json:"data"`
 }
 type Payload struct {
 	Method	     string             `json:"method"`
 	Params	     map[string]string  `json:"params"`
 	Lang	     []Translation      `json:"lang"`
 	Fields	     []Field            `json:"fields"`
 	Correlations []CorrelationField `json:"correlationFields"`
 	IdField      string             `json:"idField"`
 	// Data can only hold slices of any type. It can't be used for itteration
 	Data	     interface{}        `json:"data"`
 }
 // NewPayload returs a payload sceleton for provided table.
 func NewPayload(r *http.Request, table string) Payload {
 	var pload Payload
 	pload.Method = r.Method + " " + r.URL.Path
 	if table != "" {
 		pload.Params = make(map[string]string, 0)
 		pload.Lang = translations(table)
 		pload.Fields = fields(table)
 		pload.IdField = id(table)
 		pload.Correlations = correlations(table)
 	}
 	return pload
 }
 // DeliverPayload encodes payload to w.
 func DeliverPayload(w http.ResponseWriter, payload Payload) {
 	json.NewEncoder(w).Encode(payload)
 	payload.Data = nil
 }
 // translations returns a slice of translations for a payload/table of ptype type.
 func translations(ptype string) []Translation {
 	var translations []Translation
 	for _, pload := range payloads {
 		if pload.Type == ptype {
 			for _, t := range pload.Lang {
 				translations = append(translations, Translation{
 					Language: t.Language,
 					FieldsLabels: t.FieldsLabels,
 				})
 			}
 		}
 	}
 	return translations
 }
 // fields returns a slice of fields for a payload/table of ptype type.
 func fields(ptype string) []Field {
 	var fields []Field
 	for _, pload := range payloads {
 		if pload.Type == ptype {
 			for _, f := range pload.Fields {
 				fields = append(fields, f)
 			}
 		}
 	}
 	return fields
 }
 // id returns the name of ID field of a payload/table of ptype type.
 func id(ptype string) string {
 	for _, pload := range payloads {
 		if pload.Type == ptype {
 			return pload.IdField
 		}
 	}
 	return ""
 }
 // correlations returns a slice of correlation fields for a payload/table of ptype type.
 func correlations(ptype string) []CorrelationField {
 	var corr []CorrelationField
 	for _, pload := range payloads {
 		if pload.Type == ptype {
 			for _, c := range pload.Correlations {
 				corr = append(corr, c)
 			}
 		}
 	}
 	return corr
 }
 // InitTables loads all payloads in the payloads variable.
 // Returns an error if it fails.
 func InitTables(db *ora.Ses, project string) error {
 	jsonbuf, _ := fetchJSON(db, EqualQuotes(project))
 	mu.Lock()
 	defer mu.Unlock()
 	json.Unmarshal(jsonbuf, &payloads)
 	if len(payloads) == 0 {
 		return errors.New("tables config is corrupt")
 	}
 	return nil
 }
 // fetchJSON returns a byte slice of JSON configuration file from TABLES_CONFIG table.
 // Returns an error if it fails.
 func fetchJSON(db *ora.Ses, project string) ([]byte, error) {
 	stmt, err := db.Prep(`SELECT
 		JSON_CLOB
 		FROM TABLES_CONFIG
 		WHERE PROJEKAT` + project, ora.S)
 	defer stmt.Close()
 	if err != nil {
 		return nil, err
 	}
 	rset, err := stmt.Qry()
 	if err != nil {
 		return nil, err
 	}
 	bytes := make([]byte, 0)
 	if rset.Next() {
 		lob := rset.Row[0].(io.Reader)
-		bytes, err = ioutil.ReadAll(lob)
+		if lob != nil {
-		if err != nil {
+			bytes, err = ioutil.ReadAll(lob)
-			// Ignore for now, it's some weird streaming read/write LOB error.
+			if err != nil {
-			// TODO: Find a fix for this.
+				// TODO: Find a fix for this.
-			//return nil, err
+				// Some weird streaming read/write LOB error.
+				// Ignore for now.
+				//return nil, err
+			}
+		} else {
+			return nil, errors.New("json config is null")
 		}
 	}
 	return bytes, nil
 }
 // DecodeJSON decodes JSON data from r to v.
 // Returns an error if it fails.
 func DecodeJSON(r io.Reader, v interface{}) error {
 	return json.NewDecoder(r).Decode(v)
 }