Implement scopes

2023-05-03 14:21:58 +02:00 · 2023-05-03 14:21:58 +02:00 · 064ae2f564
commit 064ae2f564
parent be07ac5d83
15 changed files with 232 additions and 137 deletions
--- a/internal/dis/component/auth/auth.go
+++ b/internal/dis/component/auth/auth.go
@ -18,9 +18,13 @@ type Auth struct {
 		SQL             *sql.SQL
 		UserDeleteHooks []component.UserDeleteHook
 		Templating      *templating.Templating
+		ScopeProviders  []component.ScopeProvider
 	}

 	store lazy.Lazy[sessions.Store]
+
+	scopeInfos lazy.Lazy[[]component.ScopeInfo]
+	scopeIndex lazy.Lazy[map[component.Scope]int]
 }

 var (
--- a/internal/dis/component/auth/next/next.go
+++ b/internal/dis/component/auth/next/next.go
@ -30,7 +30,7 @@ var (
 func (next *Next) Routes() component.Routes {
 	return component.Routes{
 		Prefix:    "/next/",
-		Decorator: next.Dependencies.Auth.Require(auth.User),
+		Decorator: next.Dependencies.Auth.Require(component.ScopeUserLoggedIn, nil),
 	}
 }

--- a/internal/dis/component/auth/panel/panel.go
+++ b/internal/dis/component/auth/panel/panel.go
@ -39,7 +39,7 @@ func (panel *UserPanel) Routes() component.Routes {
 	return component.Routes{
 		Prefix:    "/user/",
 		CSRF:      true,
-		Decorator: panel.Dependencies.Auth.Require(nil),
+		Decorator: panel.Dependencies.Auth.Require(component.ScopeUserLoggedIn, nil),
 	}
 }

@ -115,7 +115,7 @@ func (panel *UserPanel) HandleRoute(ctx context.Context, route string) (http.Han
 	}

 	// ensure that the user is logged in!
-	return panel.Dependencies.Auth.Protect(router, nil), nil
+	return panel.Dependencies.Auth.Protect(router, component.ScopeUserLoggedIn, nil), nil
 }

 type userFormContext struct {
--- a/internal/dis/component/auth/permission.go
+++ b/internal/dis/component/auth/permission.go
@ -1,88 +0,0 @@
-package auth
-
-import (
-	"errors"
-	"net/http"
-)
-
-// Permission represents a permission granted to a user.
-//
-// The nil permission represents any authenticated user.
-type Permission func(user *AuthUser, r *http.Request) (ok Grant, err error)
-
-// Grant represents an object that either grants or denies access for a certain permission
-type Grant interface {
-	isGranted()
-
-	// Granted returns a boolean indicating if permission to the resource in question
-	// has been granted
-	Granted() bool
-
-	// Denied returns a string containing an error message to display to the user when permission is denied.
-	// When Granted() returns true, the behaviour is undefined.
-	Denied() string
-}
-
-// Bool2Grant returns a new grant that returns granted for the given boolean, and message as the denied message.
-func Bool2Grant(granted bool, message string) Grant {
-	if granted {
-		return grantAllow{}
-	}
-	return grantDeny(message)
-}
-
-type grantAllow struct{}
-
-func (grantAllow) isGranted()     {}
-func (grantAllow) Granted() bool  { return true }
-func (grantAllow) Denied() string { return "" }
-
-type grantDeny string
-
-func (grantDeny) isGranted()      {}
-func (g grantDeny) Granted() bool { return false }
-func (g grantDeny) Denied() string {
-	if g == "" {
-		return "Forbidden"
-	}
-	return string(g)
-}
-
-// AllPermissions returns a new permission that checks if all the given permissions are set
-func AllPermissions(clauses ...Permission) Permission {
-	return func(user *AuthUser, r *http.Request) (ok Grant, err error) {
-		for _, clause := range clauses {
-			perm, err := clause.Permit(user, r)
-			if err != nil {
-				return perm, err
-			}
-			if !perm.Granted() {
-				return perm, nil
-			}
-		}
-
-		// everything was fine
-		return grantAllow{}, nil
-	}
-}
-
-var errPermissionPanic = errors.New("permission: `panic()'")
-
-// Permit checks if the given user has this permission.
-func (perm Permission) Permit(user *AuthUser, r *http.Request) (ok Grant, err error) {
-	// if there is no permission, then we just check if there is some user
-	if perm == nil {
-		return Bool2Grant(user != nil, ""), nil
-	}
-
-	// recover any panic()ed permission call
-	// to prevent the handler from panic()ing
-	defer func() {
-		if p := recover(); p != nil {
-			ok = Bool2Grant(false, "unknown error")
-			err = errPermissionPanic
-		}
-	}()
-
-	return perm(user, r)
-}
--- a/internal/dis/component/auth/protect.go
+++ b/internal/dis/component/auth/protect.go
@ -5,17 +5,19 @@ import (
 	"net/http"
 	"net/url"

+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
 	"github.com/tkw1536/pkglib/httpx"
 )

-// Protect returns a new handler which requires a user to be logged in and pass the perm function.
+// Protect returns a new handler which requires a user to be logged in and have the provided scope and
 //
 // If an unauthenticated user attempts to access the returned handler, they are redirected to the login endpoint.
-// If an authenticated user is missing permissions, a Forbidden response is called.
+// If an authenticated user is missing the given scope, a Forbidden response is called.
 // If an authenticated calls the endpoint, and they have the given permissions, the original handler is called.
-func (auth *Auth) Protect(handler http.Handler, perm Permission) http.Handler {
+func (auth *Auth) Protect(handler http.Handler, scope component.Scope, param func(*http.Request) string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		var grant Grant
+		var forbiddenMessage string
+		var paramValue string

 		// load the user in the session
 		user, err := auth.UserOf(r)
@ -38,16 +40,21 @@ func (auth *Auth) Protect(handler http.Handler, perm Permission) http.Handler {
 			return
 		}

+		// check if we need to load the parameter
+		if param != nil {
+			paramValue = param(r)
+		}
+
+		// check if we have the actual scope
 		{
-			var err error
-			// call the permission check
-			grant, err = perm.Permit(user, r)
+			err = auth.CheckScope(paramValue, scope, r)
+			if ade, ok := err.(component.AccessDeniedError); ok {
+				forbiddenMessage = ade.Error()
+				goto forbidden
+			}
 			if err != nil {
 				goto err
 			}
-			if !grant.Granted() {
-				goto forbidden
-			}
 		}

 		// store the user into the session, and then return the new session
@ -56,14 +63,10 @@ func (auth *Auth) Protect(handler http.Handler, perm Permission) http.Handler {
 		return
 	forbidden:
 		{
-			message := "Forbidden"
-			if grant != nil {
-				message = grant.Denied()
-			}
 			httpx.Response{
 				ContentType: "text/plain",
 				StatusCode:  http.StatusForbidden,
-				Body:        []byte(message),
+				Body:        []byte(forbiddenMessage),
 			}.ServeHTTP(w, r)
 			return
 		}
@ -72,31 +75,9 @@ func (auth *Auth) Protect(handler http.Handler, perm Permission) http.Handler {
 	})
 }

-// Require returns a slice containing one decorator that acts like Protect(perm) on every request.
-// It returns
-func (auth *Auth) Require(perm Permission) func(http.Handler) http.Handler {
+// Require returns a slice containing one decorator that acts like Protect(scope,param) on every request.
+func (auth *Auth) Require(scope component.Scope, param func(*http.Request) string) func(http.Handler) http.Handler {
 	return func(h http.Handler) http.Handler {
-		return auth.Protect(h, perm)
+		return auth.Protect(h, scope, param)
 	}
 }
-
-// Has checks if the given request has the given permission.
-// If an error occurs, returns false.
-func (auth *Auth) Has(perm Permission, r *http.Request) bool {
-	user, err := auth.UserOf(r)
-	if err != nil || user == nil {
-		return false
-	}
-	ok, err := perm.Permit(user, r)
-	return err == nil && ok.Granted()
-}
-
-// Admin represents a permission that checks if a user is an administrator and has totp enabled.
-var Admin Permission = func(user *AuthUser, r *http.Request) (ok Grant, err error) {
-	return Bool2Grant(user != nil && user.IsAdmin() && user.IsTOTPEnabled(), "user needs to have admin permissions and passcode enabled"), nil
-}
-
-// User represents a permission that checks if a user is enabled
-var User Permission = func(user *AuthUser, r *http.Request) (ok Grant, err error) {
-	return Bool2Grant(user != nil && user.IsEnabled(), "user needs to be enabled"), nil
-}
--- a/internal/dis/component/auth/scope.go
+++ b/internal/dis/component/auth/scope.go
@ -0,0 +1,58 @@
+package auth
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
+)
+
+var (
+	ErrUnknownScope  = errors.New("unknown scope")
+	ErrParamRequired = errors.New("scope requires parameter")
+	ErrNoParam       = errors.New("scope does not take parameter")
+)
+
+// CheckScope checks if the given session has the given scope.
+// If the user is denied a scope, the error will be of type AccessDeniedError.
+func (auth *Auth) CheckScope(param string, scope component.Scope, r *http.Request) error {
+	// get all the infos about all of the scopes
+	infos := auth.scopeInfos.Get(func() []component.ScopeInfo {
+		infos := make([]component.ScopeInfo, len(auth.Dependencies.ScopeProviders))
+		for i, p := range auth.Dependencies.ScopeProviders {
+			infos[i] = p.Scope()
+		}
+		return infos
+	})
+
+	// find where in teh list of parameters it is!
+	index, ok := auth.scopeIndex.Get(func() map[component.Scope]int {
+		m := make(map[component.Scope]int, len(infos))
+		for idx, i := range infos {
+			m[i.Scope] = idx
+		}
+		return m
+	})[scope]
+
+	if !ok {
+		return ErrUnknownScope
+	}
+
+	// check that we take a parameter
+	if infos[index].TakesParam && param == "" {
+		return ErrParamRequired
+	}
+	if !infos[index].TakesParam && param != "" {
+		return ErrNoParam
+	}
+
+	// call the checker and return an error
+	ok, err := auth.Dependencies.ScopeProviders[index].HasScope(param, r)
+	if err != nil {
+		return infos[index].CheckError(err)
+	}
+	if ok {
+		return nil
+	}
+	return infos[index].DeniedError()
+}
--- a/internal/dis/component/auth/scopes/admin.go
+++ b/internal/dis/component/auth/scopes/admin.go
@ -0,0 +1,33 @@
+package scopes
+
+import (
+	"net/http"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
+)
+
+type AdminLoggedIn struct {
+	component.Base
+	Dependencies struct {
+		Auth *auth.Auth
+	}
+}
+
+var (
+	_ component.ScopeProvider = (*UserLoggedIn)(nil)
+)
+
+func (*AdminLoggedIn) Scope() component.ScopeInfo {
+	return component.ScopeInfo{
+		Scope:         component.ScopeAdminLoggedIn,
+		Description:   "session has a signed in admin",
+		DeniedMessage: "user must be signed into an admin account with TOTP enabled",
+		TakesParam:    false,
+	}
+}
+
+func (al *AdminLoggedIn) HasScope(param string, r *http.Request) (bool, error) {
+	user, err := al.Dependencies.Auth.UserOf(r)
+	return user != nil && user.IsAdmin() && user.IsTOTPEnabled(), err
+}
--- a/internal/dis/component/auth/scopes/user.go
+++ b/internal/dis/component/auth/scopes/user.go
@ -0,0 +1,32 @@
+package scopes
+
+import (
+	"net/http"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
+)
+
+type UserLoggedIn struct {
+	component.Base
+	Dependencies struct {
+		Auth *auth.Auth
+	}
+}
+
+var (
+	_ component.ScopeProvider = (*UserLoggedIn)(nil)
+)
+
+func (*UserLoggedIn) Scope() component.ScopeInfo {
+	return component.ScopeInfo{
+		Scope:       component.ScopeUserLoggedIn,
+		Description: "session has an associated user",
+		TakesParam:  false,
+	}
+}
+
+func (iu *UserLoggedIn) HasScope(param string, r *http.Request) (bool, error) {
+	user, err := iu.Dependencies.Auth.UserOf(r)
+	return user != nil, err
+}