wings/api/auth.go

package api

import (
	"net/http"
	"strings"

	"github.com/Pterodactyl/wings/config"
	"github.com/Pterodactyl/wings/control"
	"github.com/gin-gonic/gin"
	log "github.com/sirupsen/logrus"
)

const (
	accessTokenHeader  = "X-Access-Token"
	accessServerHeader = "X-Access-Server"
)

type responseError struct {
	Error string `json:"error"`
}

// AuthHandler returns a HandlerFunc that checks request authentication
// permission is a permission string describing the required permission to access the route
func AuthHandler(permission string) gin.HandlerFunc {
	return func(c *gin.Context) {
		requestToken := c.Request.Header.Get(accessTokenHeader)
		requestServer := c.Request.Header.Get(accessServerHeader)

		if requestToken != "" {
			// c: master controller, permissions not related to specific server
			if strings.HasPrefix(permission, "c:") {
				if config.Get().ContainsAuthKey(requestToken) {
					return
				}
			} else {
				// All other permission strings not starting with c: require a server to be provided
				if requestServer != "" {
					server := control.GetServer(requestServer)
					if server != nil {
						if strings.HasPrefix(permission, "g:") {
							if config.Get().ContainsAuthKey(requestToken) {
								return
							}
						}

						if strings.HasPrefix(permission, "s:") {
							if server.HasPermission(requestToken, permission) {
								return
							}
						}
					} else {
						c.JSON(http.StatusNotFound, responseError{"Server defined in " + accessServerHeader + " is not known."})
					}
				} else {
					c.JSON(http.StatusBadRequest, responseError{"No " + accessServerHeader + " header provided."})
				}
			}
		} else {
			log.Debug("Token missing in request.")
			c.JSON(http.StatusBadRequest, responseError{"No " + accessTokenHeader + " header provided."})
		}
		c.JSON(http.StatusForbidden, responseError{"You are do not have permission to perform this action."})
		c.Abort()
	}
}
unmarshal config into struct with viper for consistent access 2017-06-26 09:07:53 +00:00			`package api`
implement auth middleware 2017-07-06 18:49:36 +00:00
			`import (`
			`"net/http"`
			`"strings"`

			`"github.com/Pterodactyl/wings/config"`
			`"github.com/Pterodactyl/wings/control"`
			`"github.com/gin-gonic/gin"`
			`log "github.com/sirupsen/logrus"`
			`)`

			`const (`
			`accessTokenHeader = "X-Access-Token"`
			`accessServerHeader = "X-Access-Server"`
			`)`

			`type responseError struct {`
			Error string `json:"error"`
			`}`

			`// AuthHandler returns a HandlerFunc that checks request authentication`
			`// permission is a permission string describing the required permission to access the route`
			`func AuthHandler(permission string) gin.HandlerFunc {`
			`return func(c *gin.Context) {`
			`requestToken := c.Request.Header.Get(accessTokenHeader)`
			`requestServer := c.Request.Header.Get(accessServerHeader)`

			`if requestToken != "" {`
			`// c: master controller, permissions not related to specific server`
			`if strings.HasPrefix(permission, "c:") {`
			`if config.Get().ContainsAuthKey(requestToken) {`
			`return`
			`}`
			`} else {`
			`// All other permission strings not starting with c: require a server to be provided`
			`if requestServer != "" {`
			`server := control.GetServer(requestServer)`
			`if server != nil {`
			`if strings.HasPrefix(permission, "g:") {`
			`if config.Get().ContainsAuthKey(requestToken) {`
			`return`
			`}`
			`}`

			`if strings.HasPrefix(permission, "s:") {`
			`if server.HasPermission(requestToken, permission) {`
			`return`
			`}`
			`}`
			`} else {`
			`c.JSON(http.StatusNotFound, responseError{"Server defined in " + accessServerHeader + " is not known."})`
			`}`
			`} else {`
			`c.JSON(http.StatusBadRequest, responseError{"No " + accessServerHeader + " header provided."})`
			`}`
			`}`
			`} else {`
			`log.Debug("Token missing in request.")`
			`c.JSON(http.StatusBadRequest, responseError{"No " + accessTokenHeader + " header provided."})`
			`}`
			`c.JSON(http.StatusForbidden, responseError{"You are do not have permission to perform this action."})`
			`c.Abort()`
			`}`
			`}`