123 lines
3.2 KiB
Go
123 lines
3.2 KiB
Go
package app
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
|
|
"github.com/gorilla/mux"
|
|
"go.signoz.io/signoz/pkg/query-service/auth"
|
|
"go.signoz.io/signoz/pkg/query-service/constants"
|
|
"go.signoz.io/signoz/pkg/query-service/model"
|
|
)
|
|
|
|
type AuthMiddleware struct {
|
|
GetUserFromRequest func(r *http.Request) (*model.UserPayload, error)
|
|
}
|
|
|
|
func NewAuthMiddleware(f func(r *http.Request) (*model.UserPayload, error)) *AuthMiddleware {
|
|
return &AuthMiddleware{
|
|
GetUserFromRequest: f,
|
|
}
|
|
}
|
|
|
|
func (am *AuthMiddleware) OpenAccess(f func(http.ResponseWriter, *http.Request)) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
f(w, r)
|
|
}
|
|
}
|
|
|
|
func (am *AuthMiddleware) ViewAccess(f func(http.ResponseWriter, *http.Request)) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
user, err := am.GetUserFromRequest(r)
|
|
if err != nil {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorUnauthorized,
|
|
Err: err,
|
|
}, nil)
|
|
return
|
|
}
|
|
|
|
if !(auth.IsViewer(user) || auth.IsEditor(user) || auth.IsAdmin(user)) {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorForbidden,
|
|
Err: errors.New("API is accessible to viewers/editors/admins"),
|
|
}, nil)
|
|
return
|
|
}
|
|
ctx := context.WithValue(r.Context(), constants.ContextUserKey, user)
|
|
r = r.WithContext(ctx)
|
|
f(w, r)
|
|
}
|
|
}
|
|
|
|
func (am *AuthMiddleware) EditAccess(f func(http.ResponseWriter, *http.Request)) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
user, err := am.GetUserFromRequest(r)
|
|
if err != nil {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorUnauthorized,
|
|
Err: err,
|
|
}, nil)
|
|
return
|
|
}
|
|
if !(auth.IsEditor(user) || auth.IsAdmin(user)) {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorForbidden,
|
|
Err: errors.New("API is accessible to editors/admins"),
|
|
}, nil)
|
|
return
|
|
}
|
|
ctx := context.WithValue(r.Context(), constants.ContextUserKey, user)
|
|
r = r.WithContext(ctx)
|
|
f(w, r)
|
|
}
|
|
}
|
|
|
|
func (am *AuthMiddleware) SelfAccess(f func(http.ResponseWriter, *http.Request)) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
user, err := am.GetUserFromRequest(r)
|
|
if err != nil {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorUnauthorized,
|
|
Err: err,
|
|
}, nil)
|
|
return
|
|
}
|
|
id := mux.Vars(r)["id"]
|
|
if !(auth.IsSelfAccessRequest(user, id) || auth.IsAdmin(user)) {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorForbidden,
|
|
Err: errors.New("API is accessible for self access or to the admins"),
|
|
}, nil)
|
|
return
|
|
}
|
|
ctx := context.WithValue(r.Context(), constants.ContextUserKey, user)
|
|
r = r.WithContext(ctx)
|
|
f(w, r)
|
|
}
|
|
}
|
|
|
|
func (am *AuthMiddleware) AdminAccess(f func(http.ResponseWriter, *http.Request)) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
user, err := am.GetUserFromRequest(r)
|
|
if err != nil {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorUnauthorized,
|
|
Err: err,
|
|
}, nil)
|
|
return
|
|
}
|
|
if !auth.IsAdmin(user) {
|
|
RespondError(w, &model.ApiError{
|
|
Typ: model.ErrorForbidden,
|
|
Err: errors.New("API is accessible to admins only"),
|
|
}, nil)
|
|
return
|
|
}
|
|
ctx := context.WithValue(r.Context(), constants.ContextUserKey, user)
|
|
r = r.WithContext(ctx)
|
|
f(w, r)
|
|
}
|
|
}
|