Chromium Code Reviews Chromium Code Reviews
Issue 2830443003:
auth: Refactor how authentication methods are passed to server/auth library. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The LUCI Authors. All rights reserved. | 1 // Copyright 2016 The LUCI Authors. All rights reserved. |
| 2 // Use of this source code is governed under the Apache License, Version 2.0 | 2 // Use of this source code is governed under the Apache License, Version 2.0 |
| 3 // that can be found in the LICENSE file. | 3 // that can be found in the LICENSE file. |
| 4 | 4 |
| 5 // Package admin implements HTTP routes for settings UI. | 5 // Package admin implements HTTP routes for settings UI. |
| 6 package admin | 6 package admin |
| 7 | 7 |
| 8 import ( | 8 import ( |
| 9 "fmt" | |
| 9 "html/template" | 10 "html/template" |
| 10 "net" | 11 "net" |
| 11 "net/http" | 12 "net/http" |
| 12 | 13 |
| 13 "golang.org/x/net/context" | 14 "golang.org/x/net/context" |
| 14 | 15 |
| 15 "github.com/luci/luci-go/common/errors" | 16 "github.com/luci/luci-go/common/errors" |
| 16 | 17 |
| 17 "github.com/luci/luci-go/server/auth" | 18 "github.com/luci/luci-go/server/auth" |
| 18 "github.com/luci/luci-go/server/auth/authdb" | 19 "github.com/luci/luci-go/server/auth/authdb" |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 53 | 54 |
| 54 adminDB := adminBypassDB{ | 55 adminDB := adminBypassDB{ |
| 55 authdb.ErroringDB{ | 56 authdb.ErroringDB{ |
| 56 Error: errors.New("admin: unexpected call to authdb.DB o n admin page"), | 57 Error: errors.New("admin: unexpected call to authdb.DB o n admin page"), |
| 57 }, | 58 }, |
| 58 } | 59 } |
| 59 | 60 |
| 60 rr := r.Subrouter("/admin/settings") | 61 rr := r.Subrouter("/admin/settings") |
| 61 rr.Use(base.Extend( | 62 rr.Use(base.Extend( |
| 62 templates.WithTemplates(tmpl), | 63 templates.WithTemplates(tmpl), |
| 63 auth.Use(auth.Authenticator{adminAuth}), | |
| 64 adminDB.install, | 64 adminDB.install, |
| 65 » » auth.Autologin, | 65 » » auth.Authenticate(adminAuth), |
| 66 » » adminOnly, | 66 » » adminAutologin, |
| 67 )) | 67 )) |
| 68 | 68 |
| 69 rr.GET("", router.MiddlewareChain{}, indexPage) | 69 rr.GET("", router.MiddlewareChain{}, indexPage) |
| 70 rr.GET("/:SettingsKey", router.MiddlewareChain{}, settingsPageGET) | 70 rr.GET("/:SettingsKey", router.MiddlewareChain{}, settingsPageGET) |
| 71 rr.POST("/:SettingsKey", router.NewMiddlewareChain(xsrf.WithTokenCheck), settingsPagePOST) | 71 rr.POST("/:SettingsKey", router.NewMiddlewareChain(xsrf.WithTokenCheck), settingsPagePOST) |
| 72 } | 72 } |
| 73 | 73 |
| 74 // replyError sends HTML error page with status 500 on transient errors or 400 | 74 // replyError sends HTML error page with status 500 on transient errors or 400 |
| 75 // on fatal ones. | 75 // on fatal ones. |
| 76 func replyError(c context.Context, rw http.ResponseWriter, err error) { | 76 func replyError(c context.Context, rw http.ResponseWriter, err error) { |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 106 | 106 |
| 107 func (d adminBypassDB) install(c *router.Context, next router.Handler) { | 107 func (d adminBypassDB) install(c *router.Context, next router.Handler) { |
| 108 c.Context = auth.ModifyConfig(c.Context, func(cfg *auth.Config) { | 108 c.Context = auth.ModifyConfig(c.Context, func(cfg *auth.Config) { |
| 109 cfg.DBProvider = func(context.Context) (authdb.DB, error) { | 109 cfg.DBProvider = func(context.Context) (authdb.DB, error) { |
| 110 return d, nil | 110 return d, nil |
| 111 } | 111 } |
| 112 }) | 112 }) |
| 113 next(c) | 113 next(c) |
| 114 } | 114 } |
| 115 | 115 |
| 116 // adminOnly is middleware that ensures authenticated user is local site admin | 116 // adminAutologin is middleware that ensures authenticated user is local site |
| 117 // aka superuser. On GAE it grants access only to users that have Editor or | 117 // admin (aka superuser). |
| 118 // Owner roles in the Cloud Project. | 118 // |
| 119 func adminOnly(c *router.Context, next router.Handler) { | 119 // On GAE it grants access only to users that have Editor or Owner roles in |
| 120 » if !auth.CurrentUser(c.Context).Superuser { | 120 // the Cloud Project. |
| 121 // | |
| 122 // It redirect anonymous users to login page, and displays "Access denied" page | |
| 123 // to authenticated non-admin users. | |
| 124 func adminAutologin(c *router.Context, next router.Handler) { | |
| 125 » u := auth.CurrentUser(c.Context) | |
| 126 | |
| 127 » // Redirect anonymous users to a login page that redirects back to the c urrent | |
| 128 » // page. | |
| 129 » if u.Identity == identity.AnonymousIdentity { | |
| 130 » » // Make the current URL relative to the host. | |
| 131 » » destURL := *c.Request.URL | |
| 132 » » destURL.Host = "" | |
| 133 » » destURL.Scheme = "" | |
| 134 » » url, err := auth.LoginURL(c.Context, destURL.String()) | |
| 135 » » if err != nil { | |
| 136 » » » if errors.IsTransient(err) { | |
| 137 » » » » http.Error(c.Writer, fmt.Sprintf("Transient erro r during authentication - %s", err), 500) | |
| 138 » » » } else { | |
| 139 » » » » http.Error(c.Writer, fmt.Sprintf("Authentication error - %s", err), 401) | |
| 140 » » » } | |
| 141 » » » return | |
| 142 » » } | |
| 143 » » http.Redirect(c.Writer, c.Request, url, 302) | |
| 144 » » return | |
| 145 » } | |
| 146 | |
| 147 » // Non anonymous users must be admins to proceed. | |
| 148 » if !u.Superuser { | |
| 121 c.Writer.WriteHeader(http.StatusForbidden) | 149 c.Writer.WriteHeader(http.StatusForbidden) |
| 122 templates.MustRender(c.Context, c.Writer, "pages/access_denied.h tml", nil) | 150 templates.MustRender(c.Context, c.Writer, "pages/access_denied.h tml", nil) |
|
iannucci
2017/04/19 21:58:34
I assume this page already has a link to go to the
Vadim Sh.
2017/04/19 22:32:47
Yes. It has "logout" button, so you can login with
| |
| 123 return | 151 return |
| 124 } | 152 } |
| 153 | |
| 125 next(c) | 154 next(c) |
| 126 } | 155 } |
| OLD | NEW |
