harbor/utils/registry/auth/handler.go

/*
   Copyright (c) 2016 VMware, Inc. All Rights Reserved.
   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package auth

import (
	"encoding/json"
	"errors"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/url"
	"strings"

	token_util "github.com/vmware/harbor/service/token"
	"github.com/vmware/harbor/utils/log"
	registry_errors "github.com/vmware/harbor/utils/registry/errors"
)

// Handler authorizes the request when encounters a 401 error
type Handler interface {
	// Schema : basic, bearer
	Schema() string
	//AuthorizeRequest adds basic auth or token auth to the header of request
	AuthorizeRequest(req *http.Request, params map[string]string) error
}

// Credential ...
type Credential struct {
	// Username ...
	Username string
	// Password ...
	Password string
	// SecretKey ...
	SecretKey string
}

type token struct {
	Token string `json:"token"`
}

type standardTokenHandler struct {
	client     *http.Client
	credential *Credential
}

// NewStandardTokenHandler returns a standard token handler. The handler will request a token
// from token server whose URL is specified in the "WWW-authentication" header and add it to
// the origin request
// TODO deal with https
func NewStandardTokenHandler(credential *Credential) Handler {
	return &standardTokenHandler{
		client: &http.Client{
			Transport: http.DefaultTransport,
		},
		credential: credential,
	}
}

// Schema implements the corresponding method in interface AuthHandler
func (t *standardTokenHandler) Schema() string {
	return "bearer"
}

// AuthorizeRequest implements the corresponding method in interface AuthHandler
func (t *standardTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
	realm, ok := params["realm"]
	if !ok {
		return errors.New("no realm")
	}

	service := params["service"]
	scope := params["scope"]

	u, err := url.Parse(realm)
	if err != nil {
		return err
	}

	q := u.Query()
	q.Add("service", service)

	for _, s := range strings.Split(scope, " ") {
		q.Add("scope", s)
	}

	u.RawQuery = q.Encode()

	r, err := http.NewRequest("GET", u.String(), nil)
	if err != nil {
		return err
	}

	// TODO support secretKey
	r.SetBasicAuth(t.credential.Username, t.credential.Password)

	resp, err := t.client.Do(r)
	if err != nil {
		return err
	}

	defer resp.Body.Close()

	b, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		return err
	}

	if resp.StatusCode != http.StatusOK {
		return registry_errors.Error{
			StatusCode: resp.StatusCode,
			Message:    string(b),
		}
	}

	decoder := json.NewDecoder(resp.Body)

	tk := &token{}
	if err = decoder.Decode(tk); err != nil {
		return err
	}

	req.Header.Add(http.CanonicalHeaderKey("Authorization"), fmt.Sprintf("Bearer %s", tk.Token))

	log.Debugf("standardTokenHandler generated token successfully | %s %s", req.Method, req.URL)

	return nil
}

type usernameTokenHandler struct {
	username string
}

// NewUsernameTokenHandler returns a handler which will generate
// a token according the user's privileges
func NewUsernameTokenHandler(username string) Handler {
	return &usernameTokenHandler{
		username: username,
	}
}

// Schema implements the corresponding method in interface AuthHandler
func (u *usernameTokenHandler) Schema() string {
	return "bearer"
}

// AuthorizeRequest implements the corresponding method in interface AuthHandler
func (u *usernameTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
	service := params["service"]

	scopes := []string{}
	scope := params["scope"]
	if len(scope) != 0 {
		scopes = strings.Split(scope, " ")
	}

	token, err := token_util.GenTokenForUI(u.username, service, scopes)
	if err != nil {
		return err
	}

	req.Header.Add(http.CanonicalHeaderKey("Authorization"), fmt.Sprintf("Bearer %s", token))

	log.Debugf("usernameTokenHandler generated token successfully | %s %s", req.Method, req.URL)

	return nil
}
registry v2 API utility 2016-04-13 08:43:17 +02:00			`/*`
			`Copyright (c) 2016 VMware, Inc. All Rights Reserved.`
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package auth`

			`import (`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
bug fix: user does not have admin role if user is nil 2016-04-15 10:51:46 +02:00			`"io/ioutil"`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`"net/http"`
			`"net/url"`
			`"strings"`

repo tag delete 2016-04-15 07:17:32 +02:00			`token_util "github.com/vmware/harbor/service/token"`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`"github.com/vmware/harbor/utils/log"`
handler non-200 status code for standardAuthHandler 2016-04-15 11:01:59 +02:00			`registry_errors "github.com/vmware/harbor/utils/registry/errors"`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`)`

			`// Handler authorizes the request when encounters a 401 error`
			`type Handler interface {`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`// Schema : basic, bearer`
			`Schema() string`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`//AuthorizeRequest adds basic auth or token auth to the header of request`
			`AuthorizeRequest(req *http.Request, params map[string]string) error`
			`}`

			`// Credential ...`
			`type Credential struct {`
			`// Username ...`
			`Username string`
			`// Password ...`
			`Password string`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`// SecretKey ...`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`SecretKey string`
			`}`

			`type token struct {`
			Token string `json:"token"`
			`}`

add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`type standardTokenHandler struct {`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`client *http.Client`
			`credential *Credential`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`// NewStandardTokenHandler returns a standard token handler. The handler will request a token`
			`// from token server whose URL is specified in the "WWW-authentication" header and add it to`
			`// the origin request`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`// TODO deal with https`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`func NewStandardTokenHandler(credential *Credential) Handler {`
			`return &standardTokenHandler{`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`client: &http.Client{`
			`Transport: http.DefaultTransport,`
			`},`
			`credential: credential,`
			`}`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`// Schema implements the corresponding method in interface AuthHandler`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`func (t *standardTokenHandler) Schema() string {`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`return "bearer"`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`// AuthorizeRequest implements the corresponding method in interface AuthHandler`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`func (t standardTokenHandler) AuthorizeRequest(req http.Request, params map[string]string) error {`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`realm, ok := params["realm"]`
			`if !ok {`
			`return errors.New("no realm")`
			`}`

			`service := params["service"]`
			`scope := params["scope"]`

			`u, err := url.Parse(realm)`
			`if err != nil {`
			`return err`
			`}`

			`q := u.Query()`
			`q.Add("service", service)`

			`for _, s := range strings.Split(scope, " ") {`
			`q.Add("scope", s)`
			`}`

			`u.RawQuery = q.Encode()`

			`r, err := http.NewRequest("GET", u.String(), nil)`
			`if err != nil {`
			`return err`
			`}`

			`// TODO support secretKey`
repo tag delete 2016-04-15 07:17:32 +02:00			`r.SetBasicAuth(t.credential.Username, t.credential.Password)`
registry v2 API utility 2016-04-13 08:43:17 +02:00
			`resp, err := t.client.Do(r)`
			`if err != nil {`
			`return err`
			`}`

bug fix: user does not have admin role if user is nil 2016-04-15 10:51:46 +02:00			`defer resp.Body.Close()`

			`b, err := ioutil.ReadAll(resp.Body)`
			`if err != nil {`
			`return err`
registry v2 API utility 2016-04-13 08:43:17 +02:00			`}`

bug fix: user does not have admin role if user is nil 2016-04-15 10:51:46 +02:00			`if resp.StatusCode != http.StatusOK {`
handler non-200 status code for standardAuthHandler 2016-04-15 11:01:59 +02:00			`return registry_errors.Error{`
bug fix: user does not have admin role if user is nil 2016-04-15 10:51:46 +02:00			`StatusCode: resp.StatusCode,`
			`Message: string(b),`
			`}`
			`}`
registry v2 API utility 2016-04-13 08:43:17 +02:00
			`decoder := json.NewDecoder(resp.Body)`

			`tk := &token{}`
			`if err = decoder.Decode(tk); err != nil {`
			`return err`
			`}`

			`req.Header.Add(http.CanonicalHeaderKey("Authorization"), fmt.Sprintf("Bearer %s", tk.Token))`

add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`log.Debugf("standardTokenHandler generated token successfully \| %s %s", req.Method, req.URL)`

			`return nil`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`type usernameTokenHandler struct {`
			`username string`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`// NewUsernameTokenHandler returns a handler which will generate`
			`// a token according the user's privileges`
			`func NewUsernameTokenHandler(username string) Handler {`
			`return &usernameTokenHandler{`
			`username: username,`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`}`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`// Schema implements the corresponding method in interface AuthHandler`
			`func (u *usernameTokenHandler) Schema() string {`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`return "bearer"`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`// AuthorizeRequest implements the corresponding method in interface AuthHandler`
			`func (u usernameTokenHandler) AuthorizeRequest(req http.Request, params map[string]string) error {`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`service := params["service"]`

			`scopes := []string{}`
			`scope := params["scope"]`
			`if len(scope) != 0 {`
			`scopes = strings.Split(scope, " ")`
			`}`

repo tag delete 2016-04-15 07:17:32 +02:00			`token, err := token_util.GenTokenForUI(u.username, service, scopes)`
add sessionTokenHandler 2016-04-13 09:54:29 +02:00			`if err != nil {`
			`return err`
			`}`

			`req.Header.Add(http.CanonicalHeaderKey("Authorization"), fmt.Sprintf("Bearer %s", token))`

repo tag delete 2016-04-15 07:17:32 +02:00			`log.Debugf("usernameTokenHandler generated token successfully \| %s %s", req.Method, req.URL)`
registry v2 API utility 2016-04-13 08:43:17 +02:00
			`return nil`
			`}`