authcheck.go 2.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687
  1. package auth
  2. import (
  3. "context"
  4. "net/http"
  5. "connectrpc.com/connect"
  6. types "github.com/OliveTin/OliveTin/internal/auth/authpublic"
  7. otjwt "github.com/OliveTin/OliveTin/internal/auth/otjwt"
  8. "github.com/OliveTin/OliveTin/internal/config"
  9. log "github.com/sirupsen/logrus"
  10. )
  11. var authChain = []func(*types.AuthCheckingContext) *types.AuthenticatedUser{
  12. checkUserFromHeaders,
  13. checkUserFromLocalSession,
  14. otjwt.CheckUserFromJwtHeader,
  15. otjwt.CheckUserFromJwtCookie,
  16. }
  17. // Handlers like the OAuth2's handler are "instance methods", so they need to be added to the auth chain after the other handlers.
  18. func AddAuthChainFunction(check func(*types.AuthCheckingContext) *types.AuthenticatedUser) {
  19. authChain = append(authChain, check)
  20. }
  21. func runAuthChain[T any](req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
  22. var user *types.AuthenticatedUser
  23. authCtx := &types.AuthCheckingContext{
  24. Request: &http.Request{Header: req.Header()},
  25. Config: cfg,
  26. }
  27. for _, check := range authChain {
  28. user = check(authCtx)
  29. if user != nil && user.Username != "" {
  30. return user
  31. }
  32. }
  33. return nil
  34. }
  35. func UserFromApiCall[T any](ctx context.Context, req *connect.Request[T], cfg *config.Config) *types.AuthenticatedUser {
  36. user := runAuthChain(req, cfg)
  37. log.Tracef("UserFromApiCall Context: %+v", ctx)
  38. if user == nil || user.Username == "" {
  39. user = UserGuest(cfg)
  40. } else {
  41. user.BuildUserAcls(cfg)
  42. }
  43. path := ""
  44. if req != nil {
  45. path = req.Spec().Procedure
  46. }
  47. log.WithFields(log.Fields{
  48. "username": user.Username,
  49. "usergroupLine": user.UsergroupLine,
  50. "provider": user.Provider,
  51. "acls": user.Acls,
  52. "path": path,
  53. }).Debugf("Authenticated API request")
  54. return user
  55. }
  56. // UserFromHTTPRequest resolves the authenticated user from a plain HTTP request (same chain as Connect RPC).
  57. func UserFromHTTPRequest(r *http.Request, cfg *config.Config) *types.AuthenticatedUser {
  58. authCtx := &types.AuthCheckingContext{
  59. Request: r,
  60. Config: cfg,
  61. }
  62. var user *types.AuthenticatedUser
  63. for _, check := range authChain {
  64. user = check(authCtx)
  65. if user != nil && user.Username != "" {
  66. user.BuildUserAcls(cfg)
  67. return user
  68. }
  69. }
  70. return UserGuest(cfg)
  71. }