feedpanel/panelui/middleware.go

package panelui

import (
	"context"
	"net"
	"net/http"
)

type ctxKey int

const (
	keyUser = iota
)

//HeaderAuth is a Negroni-compatible Middleware
type HeaderAuth struct {
	AllowedNames []string
	AllowedIPs   []net.IP
	RequireUser  bool
}

func _getSourceIP(req *http.Request) (net.IP, error) {
	ip, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return net.IP{}, err
	}

	userIP := net.ParseIP(ip)
	if userIP == nil {
		return net.IP{}, err
	}
	return userIP, nil
}

func (ha HeaderAuth) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	srcIP, err := _getSourceIP(r)
	if err != nil {
		rw.WriteHeader(501)
		return
	}
	found := false
	if len(ha.AllowedNames) == 0 && len(ha.AllowedIPs) == 0 {
		found = true
	}
	if !found && len(ha.AllowedIPs) > 0 {
		for _, allowedIP := range ha.AllowedIPs {
			if allowedIP.Equal(srcIP) {
				found = true
				break
			}
		}
	}
	if !found && len(ha.AllowedNames) > 0 {
		for _, name := range ha.AllowedNames {
			nameips, err := net.LookupIP(name)
			if err != nil {
				continue
			}
			for _, allowedIP := range nameips {
				if allowedIP.Equal(srcIP) {
					found = true
					break
				}
			}
		}
	}
	user := r.Header.Get("X-Forwarded-User")
	if !found || (ha.RequireUser && user == "") {
		rw.WriteHeader(http.StatusUnauthorized)
		return
	}
	ctx := r.Context()
	ctx = context.WithValue(ctx, keyUser, user)
	next(rw, r.WithContext(ctx))
	return
}
draft + refactoring + templates + resources (nothing useful) 2018-10-04 17:53:30 +02:00			`package panelui`
authorization middleware 2018-09-30 14:05:25 +02:00
			`import (`
			`"context"`
			`"net"`
			`"net/http"`
			`)`

			`type ctxKey int`

			`const (`
			`keyUser = iota`
			`)`

			`//HeaderAuth is a Negroni-compatible Middleware`
			`type HeaderAuth struct {`
			`AllowedNames []string`
			`AllowedIPs []net.IP`
			`RequireUser bool`
			`}`

			`func _getSourceIP(req *http.Request) (net.IP, error) {`
			`ip, _, err := net.SplitHostPort(req.RemoteAddr)`
			`if err != nil {`
			`return net.IP{}, err`
			`}`

			`userIP := net.ParseIP(ip)`
			`if userIP == nil {`
			`return net.IP{}, err`
			`}`
			`return userIP, nil`
			`}`

			`func (ha HeaderAuth) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {`
			`srcIP, err := _getSourceIP(r)`
			`if err != nil {`
			`rw.WriteHeader(501)`
			`return`
			`}`
			`found := false`
			`if len(ha.AllowedNames) == 0 && len(ha.AllowedIPs) == 0 {`
			`found = true`
			`}`
			`if !found && len(ha.AllowedIPs) > 0 {`
			`for _, allowedIP := range ha.AllowedIPs {`
			`if allowedIP.Equal(srcIP) {`
			`found = true`
			`break`
			`}`
			`}`
			`}`
			`if !found && len(ha.AllowedNames) > 0 {`
			`for _, name := range ha.AllowedNames {`
			`nameips, err := net.LookupIP(name)`
			`if err != nil {`
			`continue`
			`}`
			`for _, allowedIP := range nameips {`
			`if allowedIP.Equal(srcIP) {`
			`found = true`
			`break`
			`}`
			`}`
			`}`
			`}`
			`user := r.Header.Get("X-Forwarded-User")`
			`if !found \|\| (ha.RequireUser && user == "") {`
			`rw.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`
			`ctx := r.Context()`
			`ctx = context.WithValue(ctx, keyUser, user)`
			`next(rw, r.WithContext(ctx))`
			`return`
			`}`