4
0

restapi.go 4.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185
  1. package httpservers
  2. import (
  3. "context"
  4. "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
  5. log "github.com/sirupsen/logrus"
  6. "google.golang.org/grpc"
  7. "google.golang.org/grpc/metadata"
  8. "google.golang.org/protobuf/encoding/protojson"
  9. "google.golang.org/protobuf/reflect/protoreflect"
  10. "net/http"
  11. gw "github.com/OliveTin/OliveTin/gen/grpc"
  12. config "github.com/OliveTin/OliveTin/internal/config"
  13. cors "github.com/OliveTin/OliveTin/internal/cors"
  14. )
  15. var (
  16. cfg *config.Config
  17. )
  18. func parseHttpHeaderForAuth(req *http.Request) (string, string) {
  19. username, ok := req.Header[cfg.AuthHttpHeaderUsername]
  20. if !ok {
  21. log.Warnf("Config has AuthHttpHeaderUsername set to %v, but it was not found", cfg.AuthHttpHeaderUsername)
  22. return "", ""
  23. }
  24. if cfg.AuthHttpHeaderUserGroup != "" {
  25. usergroup, ok := req.Header[cfg.AuthHttpHeaderUserGroup]
  26. if ok {
  27. log.Debugf("HTTP Header Auth found a username and usergroup")
  28. return username[0], usergroup[0]
  29. } else {
  30. log.Warnf("Config has AuthHttpHeaderUserGroup set to %v, but it was not found", cfg.AuthHttpHeaderUserGroup)
  31. }
  32. }
  33. log.Debugf("HTTP Header Auth found a username, but usergroup is not being used")
  34. return username[0], ""
  35. }
  36. //gocyclo:ignore
  37. func parseRequestMetadata(ctx context.Context, req *http.Request) metadata.MD {
  38. username := ""
  39. usergroup := ""
  40. provider := "unknown"
  41. sid := ""
  42. if cfg.AuthJwtCookieName != "" {
  43. username, usergroup = parseJwtCookie(req)
  44. provider = "jwt-cookie"
  45. }
  46. if cfg.AuthHttpHeaderUsername != "" && username == "" {
  47. username, usergroup = parseHttpHeaderForAuth(req)
  48. provider = "http-header"
  49. }
  50. if len(cfg.AuthOAuth2Providers) > 0 && username == "" {
  51. username, usergroup, sid = parseOAuth2Cookie(req)
  52. provider = "oauth2"
  53. }
  54. if cfg.AuthLocalUsers.Enabled && username == "" {
  55. username, usergroup, sid = parseLocalUserCookie(req)
  56. provider = "local"
  57. }
  58. md := metadata.New(map[string]string{
  59. "username": username,
  60. "usergroup": usergroup,
  61. "provider": provider,
  62. "sid": sid,
  63. })
  64. log.Tracef("api request metadata: %+v", md)
  65. return md
  66. }
  67. func forwardResponseHandler(ctx context.Context, w http.ResponseWriter, msg protoreflect.ProtoMessage) error {
  68. md, ok := runtime.ServerMetadataFromContext(ctx)
  69. if !ok {
  70. log.Warn("Could not get ServerMetadata from context")
  71. return nil
  72. }
  73. forwardResponseHandlerLoginLocalUser(md.HeaderMD, w)
  74. forwardResponseHandlerLogout(md.HeaderMD, w)
  75. return nil
  76. }
  77. func forwardResponseHandlerLogout(md metadata.MD, w http.ResponseWriter) {
  78. if getMetadataKeyOrEmpty(md, "logout-provider") != "" {
  79. sid := getMetadataKeyOrEmpty(md, "logout-sid")
  80. delete(registeredStates, sid)
  81. http.SetCookie(
  82. w,
  83. &http.Cookie{
  84. Name: "olivetin-sid-oauth",
  85. Value: "",
  86. },
  87. )
  88. delete(localUserSessions, sid)
  89. http.SetCookie(
  90. w,
  91. &http.Cookie{
  92. Name: "olivetin-sid-local",
  93. MaxAge: 31556952, // 1 year
  94. Value: "",
  95. HttpOnly: true,
  96. Path: "/",
  97. },
  98. )
  99. w.Header().Set("Content-Type", "text/html")
  100. // We cannot send a HTTP redirect here, because we don't have access to req.
  101. w.Write([]byte("<script>window.location.href = '/';</script>"))
  102. }
  103. }
  104. func getMetadataKeyOrEmpty(md metadata.MD, key string) string {
  105. mdValues := md.Get(key)
  106. if len(mdValues) > 0 {
  107. return mdValues[0]
  108. }
  109. return ""
  110. }
  111. func SetGlobalRestConfig(config *config.Config) {
  112. cfg = config
  113. }
  114. func startRestAPIServer(globalConfig *config.Config) error {
  115. cfg = globalConfig
  116. log.WithFields(log.Fields{
  117. "address": cfg.ListenAddressRestActions,
  118. }).Info("Starting REST API")
  119. mux := newMux()
  120. return http.ListenAndServe(cfg.ListenAddressRestActions, cors.AllowCors(mux))
  121. }
  122. func newMux() *runtime.ServeMux {
  123. // The MarshalOptions set some important compatibility settings for the webui. See below.
  124. mux := runtime.NewServeMux(
  125. runtime.WithMetadata(parseRequestMetadata),
  126. runtime.WithForwardResponseOption(forwardResponseHandler),
  127. runtime.WithMarshalerOption(runtime.MIMEWildcard, &runtime.HTTPBodyMarshaler{
  128. Marshaler: &runtime.JSONPb{
  129. MarshalOptions: protojson.MarshalOptions{
  130. UseProtoNames: false, // eg: canExec for js instead of can_exec from protobuf
  131. EmitUnpopulated: true, // Emit empty fields so that javascript does not get "undefined" when accessing fields with empty values.
  132. },
  133. },
  134. }),
  135. )
  136. ctx := context.Background()
  137. opts := []grpc.DialOption{grpc.WithInsecure()}
  138. err := gw.RegisterOliveTinApiServiceHandlerFromEndpoint(ctx, mux, cfg.ListenAddressGrpcActions, opts)
  139. if err != nil {
  140. log.Panicf("Could not register REST API Handler %v", err)
  141. }
  142. return mux
  143. }