forked from lawilog/registry-auth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathserver.go
106 lines (96 loc) · 2.67 KB
/
server.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
package registry
import (
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"strings"
)
const signAuth = "AUTH"
// AuthServer is the token authentication server
type AuthServer struct {
authorizer Authorizer
authenticator Authenticator
tokenGenerator TokenGenerator
crt, key string
}
// NewAuthServer creates a new AuthServer
func NewAuthServer(opt *Option) (*AuthServer, error) {
if opt.Authenticator == nil {
opt.Authenticator = &DefaultAuthenticator{}
}
if opt.Authorizer == nil {
opt.Authorizer = &DefaultAuthorizer{}
}
pb, prk, err := loadCertAndKey(opt.Certfile, opt.Keyfile)
if err != nil {
return nil, err
}
tk := &TokenOption{Expire: opt.TokenExpiration, Issuer: opt.TokenIssuer}
if opt.TokenGenerator == nil {
opt.TokenGenerator = newTokenGenerator(pb, prk, tk)
}
return &AuthServer{
authorizer: opt.Authorizer,
authenticator: opt.Authenticator,
tokenGenerator: opt.TokenGenerator, crt: opt.Certfile, key: opt.Keyfile,
}, nil
}
func (srv *AuthServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// grab user's auth parameters
username, password, ok := r.BasicAuth()
if !ok {
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
if err := srv.authenticator.Authenticate(username, password); err != nil {
http.Error(w, "unauthorized: invalid auth credentials", http.StatusUnauthorized)
return
}
req := srv.parseRequest(r, username)
actions, err := srv.authorizer.Authorize(req)
if err != nil {
http.Error(w, err.Error(), http.StatusUnauthorized)
return
}
// create token for this user using the actions returned
// from the authorization check
tk, err := srv.tokenGenerator.Generate(req, actions)
if err != nil {
http.Error(w, "server error", http.StatusInternalServerError)
return
}
srv.ok(w, tk)
}
func (srv *AuthServer) parseRequest(r *http.Request, username string) *AuthorizationRequest {
q := r.URL.Query()
req := &AuthorizationRequest{
Service: q.Get("service"),
Account: username,
}
parts := strings.Split(r.URL.Query().Get("scope"), ":")
if len(parts) > 0 {
req.Type = parts[0]
}
if len(parts) > 1 {
req.Name = parts[1]
}
if len(parts) > 2 {
req.Actions = strings.Split(parts[2], ",")
}
return req
}
func (srv *AuthServer) Run(addr string) error {
http.Handle("/", srv)
fmt.Printf("Authentication server running at %s", addr)
return http.ListenAndServeTLS(addr, srv.crt, srv.key, nil)
}
func (srv *AuthServer) ok(w http.ResponseWriter, tk *Token) {
data, _ := json.Marshal(tk)
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write(data)
}
func encodeBase64(b []byte) string {
return strings.TrimRight(base64.URLEncoding.EncodeToString(b), "=")
}