extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-08-09 23:27:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Hide setup key from non-admin users (#539)

Browse Source
This commit is contained in:
Misha Bragin
2022-11-03 17:02:31 +01:00
committed by GitHub
parent 2e0bf61e9a
commit 6aa7a2c5e1
5 changed files with 48 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
management/server/http/middleware/access_control.go
View File

@ -1,32 +1,38 @@
package middleware
import (
"context"
"fmt"
"net/http"
"github.com/netbirdio/netbird/management/server/jwtclaims"
)
const (
IsUserAdminProperty = "isAdminUser"
)
type IsUserAdminFunc func(claims jwtclaims.AuthorizationClaims) (bool, error)
// AccessControll middleware to restrict to make POST/PUT/DELETE requests by admin only
type AccessControll struct {
// AccessControl middleware to restrict to make POST/PUT/DELETE requests by admin only
type AccessControl struct {
jwtExtractor jwtclaims.ClaimsExtractor
isUserAdmin IsUserAdminFunc
audience string
}
// NewAccessControll instance constructor
func NewAccessControll(audience string, isUserAdmin IsUserAdminFunc) *AccessControll {
return &AccessControll{
// NewAccessControl instance constructor
func NewAccessControl(audience string, isUserAdmin IsUserAdminFunc) *AccessControl {
return &AccessControl{
isUserAdmin: isUserAdmin,
audience: audience,
jwtExtractor: *jwtclaims.NewClaimsExtractor(nil),
}
}
// Handler method of the middleware which forbinneds all modify requests for non admin users
func (a *AccessControll) Handler(h http.Handler) http.Handler {
// Handler method of the middleware which forbids all modify requests for non admin users
// It also adds
func (a *AccessControl) Handler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
jwtClaims := a.jwtExtractor.ExtractClaimsFromRequestContext(r, a.audience)
@ -34,7 +40,6 @@ func (a *AccessControll) Handler(h http.Handler) http.Handler {
if err != nil {
http.Error(w, fmt.Sprintf("error get user from JWT: %v", err), http.StatusUnauthorized)
return
}
if !ok {
@ -45,6 +50,10 @@ func (a *AccessControll) Handler(h http.Handler) http.Handler {
}
}
newRequest := r.Clone(context.WithValue(r.Context(), IsUserAdminProperty, ok)) //nolint
// Update the current request with the new context information.
*r = *newRequest
h.ServeHTTP(w, r)
})
}