atsebay.t/auth.go

package main

import (
	"encoding/base64"
	"net/http"
	"strings"
	"time"
	"unicode"

	"github.com/gin-gonic/gin"
)

var LocalAuthFunc = checkAuthKrb5
var allowLocalAuth bool
var localAuthUsers arrayFlags
var mainBanner string

type loginForm struct {
	Login    string `json:"username"`
	Password string `json:"password"`
}

func declareAPIAuthRoutes(router *gin.RouterGroup) {
	router.GET("/auth", validateAuthToken)
	router.POST("/auth", func(c *gin.Context) {
		LocalAuthFunc(c)
	})
	router.POST("/auth/logout", logout)
}

func declareAPIAdminAuthRoutes(router *gin.RouterGroup) {
	router.POST("/auth/impersonate", func(c *gin.Context) {
		session := c.MustGet("Session").(*Session)

		var u *User
		if err := c.ShouldBindJSON(&u); err != nil {
			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
			return
		}

		newuser, err := getUser(int(u.Id))
		if err != nil {
			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
			return
		}

		session.IdUser = &newuser.Id
		session.Update()

		c.JSON(http.StatusOK, authToken{
			User:          newuser,
			CurrentPromo:  currentPromo,
			MessageBanner: mainBanner,
		})
	})
}

type authToken struct {
	*User
	CurrentPromo  uint     `json:"current_promo"`
	Groups        []string `json:"groups"`
	MessageBanner string   `json:"banner,omitempty"`
}

func validateAuthToken(c *gin.Context) {
	if u, ok := c.Get("LoggedUser"); !ok || u.(*User) == nil {
		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Not connected"})
		return
	} else {
		t := authToken{User: u.(*User), CurrentPromo: currentPromo, MessageBanner: mainBanner}

		t.Groups = strings.Split(strings.TrimFunc(t.User.Groups, func(r rune) bool { return !unicode.IsLetter(r) }), ",")

		c.JSON(http.StatusOK, t)
	}
}

func logout(c *gin.Context) {
	eraseCookie(c)
	c.JSON(http.StatusOK, true)
}

func completeAuth(c *gin.Context, username string, email string, firstname string, lastname string, promo uint, groups string, session *Session) (usr *User, err error) {
	if !userExists(username) {
		if promo == 0 {
			promo = currentPromo
		}
		if usr, err = NewUser(username, email, firstname, lastname, promo, groups); err != nil {
			return
		}
	} else if usr, err = getUserByLogin(username); err != nil {
		return
	}

	upd_user := false

	// Update user's promo if it has changed
	if promo != 0 && promo != usr.Promo {
		usr.Promo = promo
		upd_user = true
	}

	// Update user's group if they have been modified
	if len(groups) > 0 {
		if len(groups) > 255 {
			groups = groups[:255]
		}
		if usr.Groups != groups {
			usr.Groups = groups
			upd_user = true
		}
	}

	if upd_user {
		usr.Update()
	}

	if session == nil {
		session, err = usr.NewSession()
	} else {
		_, err = session.SetUser(usr)
	}

	if err != nil {
		return
	}

	http.SetCookie(c.Writer, &http.Cookie{
		Name:     "auth",
		Value:    base64.StdEncoding.EncodeToString(session.Id),
		Path:     baseURL + "/",
		Expires:  time.Now().Add(30 * 24 * time.Hour),
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
		Secure:   true,
	})

	return
}

func eraseCookie(c *gin.Context) {
	http.SetCookie(c.Writer, &http.Cookie{
		Name:     "auth",
		Value:    "",
		Path:     baseURL + "/",
		Expires:  time.Unix(0, 0),
		HttpOnly: true,
		SameSite: http.SameSiteStrictMode,
	})
}

func dummyAuth(c *gin.Context) {
	var lf map[string]string
	if err := c.ShouldBindJSON(&lf); err != nil {
		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})
		return
	}

	if usr, err := completeAuth(c, lf["username"], lf["email"], lf["firstname"], lf["lastname"], currentPromo, "", nil); err != nil {
		c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": err.Error()})
		return
	} else {
		c.JSON(http.StatusOK, authToken{User: usr, CurrentPromo: currentPromo, MessageBanner: mainBanner})
	}
}
Initial commit 2020-03-04 11:07:12 +00:00			`package main`

			`import (`
			`"encoding/base64"`
			`"net/http"`
Interpret Groups field in authToken 2022-08-02 09:41:13 +00:00			`"strings"`
Initial commit 2020-03-04 11:07:12 +00:00			`"time"`
Interpret Groups field in authToken 2022-08-02 09:41:13 +00:00			`"unicode"`
Initial commit 2020-03-04 11:07:12 +00:00
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`"github.com/gin-gonic/gin"`
Initial commit 2020-03-04 11:07:12 +00:00			`)`

Add fallback authentication through Kerberos 2021-09-22 15:02:30 +00:00			`var LocalAuthFunc = checkAuthKrb5`
New option to enable local auth for everyone 2022-09-07 12:08:23 +00:00			`var allowLocalAuth bool`
Add fallback authentication through Kerberos 2021-09-22 15:02:30 +00:00			`var localAuthUsers arrayFlags`
New parameter to display a message at the top of the screen 2023-03-07 01:53:47 +00:00			`var mainBanner string`
Add fallback authentication through Kerberos 2021-09-22 15:02:30 +00:00
			`type loginForm struct {`
			Login string `json:"username"`
			Password string `json:"password"`
			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func declareAPIAuthRoutes(router *gin.RouterGroup) {`
			`router.GET("/auth", validateAuthToken)`
			`router.POST("/auth", func(c *gin.Context) {`
			`LocalAuthFunc(c)`
			`})`
			`router.POST("/auth/logout", logout)`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

Add impersonation route 2022-09-10 23:05:51 +00:00			`func declareAPIAdminAuthRoutes(router *gin.RouterGroup) {`
			`router.POST("/auth/impersonate", func(c *gin.Context) {`
			`session := c.MustGet("Session").(*Session)`

			`var u *User`
			`if err := c.ShouldBindJSON(&u); err != nil {`
			`c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})`
			`return`
			`}`

			`newuser, err := getUser(int(u.Id))`
			`if err != nil {`
			`c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})`
			`return`
			`}`

			`session.IdUser = &newuser.Id`
			`session.Update()`

			`c.JSON(http.StatusOK, authToken{`
New parameter to display a message at the top of the screen 2023-03-07 01:53:47 +00:00			`User: newuser,`
			`CurrentPromo: currentPromo,`
			`MessageBanner: mainBanner,`
Add impersonation route 2022-09-10 23:05:51 +00:00			`})`
			`})`
			`}`

Display a message if not in the current promo 2022-02-21 08:21:30 +00:00			`type authToken struct {`
			`*User`
New parameter to display a message at the top of the screen 2023-03-07 01:53:47 +00:00			CurrentPromo uint `json:"current_promo"`
			Groups []string `json:"groups"`
			MessageBanner string `json:"banner,omitempty"`
Display a message if not in the current promo 2022-02-21 08:21:30 +00:00			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func validateAuthToken(c *gin.Context) {`
			`if u, ok := c.Get("LoggedUser"); !ok \|\| u.(*User) == nil {`
			`c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Not connected"})`
			`return`
WIP Svelte 2021-11-18 11:12:28 +00:00			`} else {`
New parameter to display a message at the top of the screen 2023-03-07 01:53:47 +00:00			`t := authToken{User: u.(*User), CurrentPromo: currentPromo, MessageBanner: mainBanner}`
Interpret Groups field in authToken 2022-08-02 09:41:13 +00:00
			`t.Groups = strings.Split(strings.TrimFunc(t.User.Groups, func(r rune) bool { return !unicode.IsLetter(r) }), ",")`

			`c.JSON(http.StatusOK, t)`
WIP Svelte 2021-11-18 11:12:28 +00:00			`}`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func logout(c *gin.Context) {`
			`eraseCookie(c)`
			`c.JSON(http.StatusOK, true)`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`func completeAuth(c gin.Context, username string, email string, firstname string, lastname string, promo uint, groups string, session Session) (usr *User, err error) {`
Initial commit 2020-03-04 11:07:12 +00:00			`if !userExists(username) {`
OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`if promo == 0 {`
			`promo = currentPromo`
			`}`
			`if usr, err = NewUser(username, email, firstname, lastname, promo, groups); err != nil {`
WIP Svelte 2021-11-18 11:12:28 +00:00			`return`
Initial commit 2020-03-04 11:07:12 +00:00			`}`
			`} else if usr, err = getUserByLogin(username); err != nil {`
WIP Svelte 2021-11-18 11:12:28 +00:00			`return`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`upd_user := false`

			`// Update user's promo if it has changed`
			`if promo != 0 && promo != usr.Promo {`
			`usr.Promo = promo`
			`upd_user = true`
			`}`

			`// Update user's group if they have been modified`
WIP Svelte 2021-11-18 11:12:28 +00:00			`if len(groups) > 0 {`
			`if len(groups) > 255 {`
			`groups = groups[:255]`
			`}`
			`if usr.Groups != groups {`
			`usr.Groups = groups`
OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`upd_user = true`
WIP Svelte 2021-11-18 11:12:28 +00:00			`}`
Handle student groups 2021-09-15 22:26:09 +00:00			`}`

OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`if upd_user {`
			`usr.Update()`
			`}`

Initial commit 2020-03-04 11:07:12 +00:00			`if session == nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`session, err = usr.NewSession()`
Initial commit 2020-03-04 11:07:12 +00:00			`} else {`
			`_, err = session.SetUser(usr)`
			`}`

			`if err != nil {`
WIP Svelte 2021-11-18 11:12:28 +00:00			`return`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`http.SetCookie(c.Writer, &http.Cookie{`
Add sameSite attribute to cookies 2020-09-13 14:36:07 +00:00			`Name: "auth",`
			`Value: base64.StdEncoding.EncodeToString(session.Id),`
			`Path: baseURL + "/",`
			`Expires: time.Now().Add(30 * 24 * time.Hour),`
Initial commit 2020-03-04 11:07:12 +00:00			`HttpOnly: true,`
Add sameSite attribute to cookies 2020-09-13 14:36:07 +00:00			`SameSite: http.SameSiteStrictMode,`
Reenable Secure cookies 2022-05-15 10:35:03 +00:00			`Secure: true,`
Initial commit 2020-03-04 11:07:12 +00:00			`})`

WIP Svelte 2021-11-18 11:12:28 +00:00			`return`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`func eraseCookie(c *gin.Context) {`
			`http.SetCookie(c.Writer, &http.Cookie{`
			`Name: "auth",`
			`Value: "",`
			`Path: baseURL + "/",`
			`Expires: time.Unix(0, 0),`
			`HttpOnly: true,`
			`SameSite: http.SameSiteStrictMode,`
			`})`
			`}`

			`func dummyAuth(c *gin.Context) {`
Initial commit 2020-03-04 11:07:12 +00:00			`var lf map[string]string`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`if err := c.ShouldBindJSON(&lf); err != nil {`
			`c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": err.Error()})`
			`return`
Initial commit 2020-03-04 11:07:12 +00:00			`}`

OIDC: Retrieve promotion from OIDC claims 2022-11-11 10:14:43 +00:00			`if usr, err := completeAuth(c, lf["username"], lf["email"], lf["firstname"], lf["lastname"], currentPromo, "", nil); err != nil {`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": err.Error()})`
			`return`
			`} else {`
New parameter to display a message at the top of the screen 2023-03-07 01:53:47 +00:00			`c.JSON(http.StatusOK, authToken{User: usr, CurrentPromo: currentPromo, MessageBanner: mainBanner})`
Use gin-gonic instead of httprouter 2022-07-09 17:42:00 +00:00			`}`
Initial commit 2020-03-04 11:07:12 +00:00			`}`