blob: a5ecd2d73bf3f4c2a93ec4b02d2a08f237a9adf6 [file] [log] [blame]
Ed Tanous8041f312017-04-03 09:47:01 -07001#include <boost/algorithm/string/predicate.hpp>
Ed Tanous1ccd57c2017-03-21 13:15:58 -07002#include <random>
Ed Tanousf9273472017-02-28 16:05:13 -08003#include <unordered_map>
Ed Tanousf9273472017-02-28 16:05:13 -08004
Ed Tanous1ccd57c2017-03-21 13:15:58 -07005#include <crow/logging.h>
Ed Tanousc4771fb2017-03-13 13:39:49 -07006#include <base64.hpp>
Ed Tanous8041f312017-04-03 09:47:01 -07007#include <token_authorization_middleware.hpp>
Ed Tanousf9273472017-02-28 16:05:13 -08008
Ed Tanousc4771fb2017-03-13 13:39:49 -07009namespace crow {
10
Ed Tanous8041f312017-04-03 09:47:01 -070011using random_bytes_engine =
12 std::independent_bits_engine<std::default_random_engine, CHAR_BIT,
13 unsigned char>;
Ed Tanousc4771fb2017-03-13 13:39:49 -070014
Ed Tanous8041f312017-04-03 09:47:01 -070015TokenAuthorizationMiddleware::TokenAuthorizationMiddleware()
16 : auth_token2(""){
Ed Tanousf9273472017-02-28 16:05:13 -080017
Ed Tanous8041f312017-04-03 09:47:01 -070018 };
19
20void TokenAuthorizationMiddleware::before_handle(crow::request& req,
21 response& res, context& ctx) {
Ed Tanous99923322017-03-03 14:21:24 -080022 auto return_unauthorized = [&req, &res]() {
23 res.code = 401;
24 res.end();
25 };
Ed Tanous1ccd57c2017-03-21 13:15:58 -070026
Ed Tanous1e94fa42017-04-03 13:41:19 -070027 auto return_bad_request = [&req, &res]() {
28 res.code = 400;
29 res.end();
30 };
31
Ed Tanous8041f312017-04-03 09:47:01 -070032 LOG(DEBUG) << "Token Auth Got route " << req.url;
Ed Tanous1ccd57c2017-03-21 13:15:58 -070033
Ed Tanous8041f312017-04-03 09:47:01 -070034 if (req.url == "/" || boost::starts_with(req.url, "/static/")) {
35 // TODO this is total hackery to allow the login page to work before the
36 // user is authenticated. Also, it will be quite slow for all pages instead
37 // of a one time hit for the whitelist entries. Ideally, this should be
38 // done
39 // in the url router handler, with tagged routes for the whitelist entries.
Ed Tanous1ccd57c2017-03-21 13:15:58 -070040 // Another option would be to whitelist a minimal
Ed Tanous9b65f1f2017-03-07 15:17:13 -080041 return;
42 }
43
Ed Tanous99923322017-03-03 14:21:24 -080044 if (req.url == "/login") {
Ed Tanous8041f312017-04-03 09:47:01 -070045 if (req.method != HTTPMethod::POST) {
Ed Tanousc4771fb2017-03-13 13:39:49 -070046 return_unauthorized();
47 return;
48 } else {
49 auto login_credentials = crow::json::load(req.body);
Ed Tanous8041f312017-04-03 09:47:01 -070050 if (!login_credentials) {
Ed Tanous1e94fa42017-04-03 13:41:19 -070051 return_bad_request();
52 return;
53 }
54 if (!login_credentials.has("username") || !login_credentials.has("password")){
55 return_bad_request();
Ed Tanousc4771fb2017-03-13 13:39:49 -070056 return;
57 }
58 auto username = login_credentials["username"].s();
59 auto password = login_credentials["password"].s();
Ed Tanous8041f312017-04-03 09:47:01 -070060
Ed Tanous1ccd57c2017-03-21 13:15:58 -070061 // TODO(ed) pull real passwords from PAM
Ed Tanous8041f312017-04-03 09:47:01 -070062 if (username == "dude" && password == "dude") {
63 // TODO(ed) the RNG should be initialized at start, not every time we
64 // want a token
Ed Tanousc4771fb2017-03-13 13:39:49 -070065 std::random_device rand;
66 random_bytes_engine rbe;
67 std::string token('a', 20);
68 std::generate(begin(token), end(token), std::ref(rbe));
69 std::string encoded_token;
70 base64::base64_encode(token, encoded_token);
71 ctx.auth_token = encoded_token;
72 this->auth_token2 = encoded_token;
Ed Tanous8041f312017-04-03 09:47:01 -070073 crow::json::wvalue x;
74 auto auth_token = ctx.auth_token;
75 x["token"] = auth_token;
76
77 res.write(json::dump(x));
Ed Tanousb4a7bfa2017-04-04 17:23:00 -070078 res.add_header("Content-Type", "application/json");
Ed Tanous8041f312017-04-03 09:47:01 -070079 res.end();
Ed Tanousc4771fb2017-03-13 13:39:49 -070080 } else {
81 return_unauthorized();
82 return;
83 }
84 }
Ed Tanous8041f312017-04-03 09:47:01 -070085
Ed Tanousc4771fb2017-03-13 13:39:49 -070086 } else if (req.url == "/logout") {
87 this->auth_token2 = "";
Ed Tanous8041f312017-04-03 09:47:01 -070088 res.code = 200;
89 res.end();
90 } else { // Normal, non login, non static file request
Ed Tanousc4771fb2017-03-13 13:39:49 -070091 // Check to make sure we're logged in
Ed Tanous8041f312017-04-03 09:47:01 -070092 if (this->auth_token2.empty()) {
Ed Tanousc4771fb2017-03-13 13:39:49 -070093 return_unauthorized();
94 return;
95 }
96 // Check for an authorization header, reject if not present
97 if (req.headers.count("Authorization") != 1) {
98 return_unauthorized();
99 return;
100 }
101
102 std::string auth_header = req.get_header_value("Authorization");
103 // If the user is attempting any kind of auth other than token, reject
104 if (!boost::starts_with(auth_header, "Token ")) {
105 return_unauthorized();
106 return;
107 }
108
Ed Tanous8041f312017-04-03 09:47:01 -0700109 // TODO(ed), use span here instead of constructing a new string
110 if (auth_header.substr(6) != this->auth_token2) {
Ed Tanousc4771fb2017-03-13 13:39:49 -0700111 return_unauthorized();
112 return;
113 }
Ed Tanous1ccd57c2017-03-21 13:15:58 -0700114 // else let the request continue unharmed
Ed Tanous99923322017-03-03 14:21:24 -0800115 }
116}
Ed Tanousf9273472017-02-28 16:05:13 -0800117
Ed Tanous8041f312017-04-03 09:47:01 -0700118void TokenAuthorizationMiddleware::after_handle(request& req, response& res,
119 context& ctx) {}
Ed Tanousc4771fb2017-03-13 13:39:49 -0700120}