Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1040)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: server/settings/admin/handlers.go

Issue 2830443003: auth: Refactor how authentication methods are passed to server/auth library. (Closed)
Patch Set: fix test Created 3 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « server/auth/state.go ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2016 The LUCI Authors. All rights reserved. 1 // Copyright 2016 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 // Package admin implements HTTP routes for settings UI. 5 // Package admin implements HTTP routes for settings UI.
6 package admin 6 package admin
7 7
8 import ( 8 import (
9 "html/template" 9 "html/template"
10 "net" 10 "net"
11 "net/http" 11 "net/http"
12 12
13 "golang.org/x/net/context" 13 "golang.org/x/net/context"
14 14
15 "github.com/luci/luci-go/common/errors" 15 "github.com/luci/luci-go/common/errors"
16 "github.com/luci/luci-go/common/logging"
16 17
17 "github.com/luci/luci-go/server/auth" 18 "github.com/luci/luci-go/server/auth"
18 "github.com/luci/luci-go/server/auth/authdb" 19 "github.com/luci/luci-go/server/auth/authdb"
19 "github.com/luci/luci-go/server/auth/identity" 20 "github.com/luci/luci-go/server/auth/identity"
20 "github.com/luci/luci-go/server/auth/xsrf" 21 "github.com/luci/luci-go/server/auth/xsrf"
21 "github.com/luci/luci-go/server/router" 22 "github.com/luci/luci-go/server/router"
22 "github.com/luci/luci-go/server/templates" 23 "github.com/luci/luci-go/server/templates"
23 24
24 "github.com/luci/luci-go/server/settings/admin/internal/assets" 25 "github.com/luci/luci-go/server/settings/admin/internal/assets"
25 ) 26 )
(...skipping 27 matching lines...) Expand all
53 54
54 adminDB := adminBypassDB{ 55 adminDB := adminBypassDB{
55 authdb.ErroringDB{ 56 authdb.ErroringDB{
56 Error: errors.New("admin: unexpected call to authdb.DB o n admin page"), 57 Error: errors.New("admin: unexpected call to authdb.DB o n admin page"),
57 }, 58 },
58 } 59 }
59 60
60 rr := r.Subrouter("/admin/settings") 61 rr := r.Subrouter("/admin/settings")
61 rr.Use(base.Extend( 62 rr.Use(base.Extend(
62 templates.WithTemplates(tmpl), 63 templates.WithTemplates(tmpl),
63 auth.Use(auth.Authenticator{adminAuth}),
64 adminDB.install, 64 adminDB.install,
65 » » auth.Autologin, 65 » » auth.Authenticate(adminAuth),
66 » » adminOnly, 66 » » adminAutologin,
67 )) 67 ))
68 68
69 rr.GET("", router.MiddlewareChain{}, indexPage) 69 rr.GET("", router.MiddlewareChain{}, indexPage)
70 rr.GET("/:SettingsKey", router.MiddlewareChain{}, settingsPageGET) 70 rr.GET("/:SettingsKey", router.MiddlewareChain{}, settingsPageGET)
71 rr.POST("/:SettingsKey", router.NewMiddlewareChain(xsrf.WithTokenCheck), settingsPagePOST) 71 rr.POST("/:SettingsKey", router.NewMiddlewareChain(xsrf.WithTokenCheck), settingsPagePOST)
72 } 72 }
73 73
74 // replyError sends HTML error page with status 500 on transient errors or 400 74 // replyError sends HTML error page with status 500 on transient errors or 400
75 // on fatal ones. 75 // on fatal ones.
76 func replyError(c context.Context, rw http.ResponseWriter, err error) { 76 func replyError(c context.Context, rw http.ResponseWriter, err error) {
(...skipping 29 matching lines...) Expand all
106 106
107 func (d adminBypassDB) install(c *router.Context, next router.Handler) { 107 func (d adminBypassDB) install(c *router.Context, next router.Handler) {
108 c.Context = auth.ModifyConfig(c.Context, func(cfg *auth.Config) { 108 c.Context = auth.ModifyConfig(c.Context, func(cfg *auth.Config) {
109 cfg.DBProvider = func(context.Context) (authdb.DB, error) { 109 cfg.DBProvider = func(context.Context) (authdb.DB, error) {
110 return d, nil 110 return d, nil
111 } 111 }
112 }) 112 })
113 next(c) 113 next(c)
114 } 114 }
115 115
116 // adminOnly is middleware that ensures authenticated user is local site admin 116 // adminAutologin is middleware that ensures authenticated user is local site
117 // aka superuser. On GAE it grants access only to users that have Editor or 117 // admin (aka superuser).
118 // Owner roles in the Cloud Project. 118 //
119 func adminOnly(c *router.Context, next router.Handler) { 119 // On GAE it grants access only to users that have Editor or Owner roles in
120 » if !auth.CurrentUser(c.Context).Superuser { 120 // the Cloud Project.
121 //
122 // It redirect anonymous users to login page, and displays "Access denied" page
123 // to authenticated non-admin users.
124 func adminAutologin(c *router.Context, next router.Handler) {
125 » u := auth.CurrentUser(c.Context)
126
127 » // Redirect anonymous users to a login page that redirects back to the c urrent
128 » // page.
129 » if u.Identity == identity.AnonymousIdentity {
130 » » // Make the current URL relative to the host.
131 » » destURL := *c.Request.URL
132 » » destURL.Host = ""
133 » » destURL.Scheme = ""
134 » » url, err := auth.LoginURL(c.Context, destURL.String())
135 » » if err != nil {
136 » » » logging.WithError(err).Errorf(c.Context, "Error when gen erating login URL")
137 » » » if errors.IsTransient(err) {
138 » » » » http.Error(c.Writer, "Transient error when gener ating login URL, see logs", 500)
139 » » » } else {
140 » » » » http.Error(c.Writer, "Can't generate login URL, see logs", 401)
141 » » » }
142 » » » return
143 » » }
144 » » http.Redirect(c.Writer, c.Request, url, 302)
145 » » return
146 » }
147
148 » // Non anonymous users must be admins to proceed.
149 » if !u.Superuser {
121 c.Writer.WriteHeader(http.StatusForbidden) 150 c.Writer.WriteHeader(http.StatusForbidden)
122 templates.MustRender(c.Context, c.Writer, "pages/access_denied.h tml", nil) 151 templates.MustRender(c.Context, c.Writer, "pages/access_denied.h tml", nil)
123 return 152 return
124 } 153 }
154
125 next(c) 155 next(c)
126 } 156 }
OLDNEW
« no previous file with comments | « server/auth/state.go ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698