Add no-op permission APIs to authenticators

Author: retrixe

auth/authenticator.go

@@ -19,8 +19,14 @@ type Authenticator interface {
 	// else returns an empty string.
 	Validate(r *http.Request) (string, error)
 	// ValidateAndReject is called on an HTTP API request and returns the username if request
-	// is authenticated, else the request is rejected.
+	// is authenticated, else returns an empty string and rejects the request.
 	ValidateAndReject(w http.ResponseWriter, r *http.Request) string
+	// HasPerm returns a boolean indicating whether or not the user has the requested permission.
+	HasPerm(username string, permission string) (bool, error)
+	// ValidatePermAndReject is called on an HTTP API request and returns the username if request is
+	// authenticated, and a boolean indicating whether or not the user has the requested permission.
+	// If unauthenticated or forbidden, the request is rejected with a 401 or 403 error respectively.
+	ValidatePermAndReject(w http.ResponseWriter, r *http.Request, permission string) (string, bool)
 	// CanManageAuth returns whether or not this authenticator can manage auth, i.e. users and tokens.
 	CanManageAuth() bool
 	// Login allows logging in a user and returning the token.
@@ -68,6 +74,22 @@ func (a *ReplaceableAuthenticator) ValidateAndReject(w http.ResponseWriter, r *h
 	return a.Engine.ValidateAndReject(w, r)
 }
 
+// HasPerm returns a boolean indicating whether or not the user has the requested permission.
+func (a *ReplaceableAuthenticator) HasPerm(username string, permission string) (bool, error) {
+	a.EngineMutex.RLock()
+	defer a.EngineMutex.RUnlock()
+	return a.Engine.HasPerm(username, permission)
+}
+
+// ValidatePermAndReject is called on an HTTP API request and returns the username if request is
+// authenticated, and a boolean indicating whether or not the user has the requested permission.
+// If unauthenticated or forbidden, the request is rejected with a 401 or 403 error respectively.
+func (a *ReplaceableAuthenticator) ValidatePermAndReject(w http.ResponseWriter, r *http.Request, permission string) (string, bool) {
+	a.EngineMutex.RLock()
+	defer a.EngineMutex.RUnlock()
+	return a.Engine.ValidatePermAndReject(w, r, permission)
+}
+
 // CanManageAuth returns whether or not this authenticator can manage auth, i.e. users and tokens.
 func (a *ReplaceableAuthenticator) CanManageAuth() bool {
 	a.EngineMutex.RLock()

auth/memory.go

@@ -82,7 +82,7 @@ func (a *MemoryAuthenticator) Validate(r *http.Request) (string, error) {
 }
 
 // ValidateAndReject is called on an HTTP API request and returns the username if request
-// is authenticated, else the request is rejected.
+// is authenticated, else returns an empty string and rejects the request.
 func (a *MemoryAuthenticator) ValidateAndReject(w http.ResponseWriter, r *http.Request) string {
 	username, err := a.Validate(r)
 	if err != nil {
@@ -99,6 +99,34 @@ func (a *MemoryAuthenticator) ValidateAndReject(w http.ResponseWriter, r *http.R
 	return username
 }
 
+// HasPerm returns a boolean indicating whether or not the user has the requested permission.
+func (a *MemoryAuthenticator) HasPerm(username string, permission string) (bool, error) {
+	return true, nil
+}
+
+// ValidatePermAndReject is called on an HTTP API request and returns the username if request is
+// authenticated, and a boolean indicating whether or not the user has the requested permission.
+// If unauthenticated or forbidden, the request is rejected with a 401 or 403 error respectively.
+func (a *MemoryAuthenticator) ValidatePermAndReject(w http.ResponseWriter, r *http.Request, permission string) (string, bool) {
+	username := a.ValidateAndReject(w, r)
+	if username == "" {
+		return "", false
+	}
+	hasPerm, err := a.HasPerm(username, permission)
+	if err != nil {
+		w.Header().Set("content-type", "application/json")
+		log.Println("An error occurred while validating authorization for an HTTP request!", err)
+		http.Error(w, "{\"error\": \"Internal Server Error!\"}", http.StatusInternalServerError)
+		return "", false
+	} else if !hasPerm {
+		w.Header().Set("content-type", "application/json")
+		http.Error(w, "{\"error\": \"You are not allowed to access this resource!\"}",
+			http.StatusForbidden)
+		return "", false
+	}
+	return username, true
+}
+
 // CanManageAuth returns whether or not this authenticator can manage auth, i.e. users and tokens.
 func (*MemoryAuthenticator) CanManageAuth() bool {
 	return true

auth/redis.go

@@ -149,7 +149,7 @@ func (a *RedisAuthenticator) getTokenData(conn redis.Conn, token string) (string
 }
 
 // ValidateAndReject is called on an HTTP API request and returns the username if request
-// is authenticated, else the request is rejected.
+// is authenticated, else returns an empty string and rejects the request.
 func (a *RedisAuthenticator) ValidateAndReject(w http.ResponseWriter, r *http.Request) string {
 	username, err := a.Validate(r)
 	if err != nil {
@@ -166,6 +166,34 @@ func (a *RedisAuthenticator) ValidateAndReject(w http.ResponseWriter, r *http.Re
 	return username
 }
 
+// HasPerm returns a boolean indicating whether or not the user has the requested permission.
+func (a *RedisAuthenticator) HasPerm(username string, permission string) (bool, error) {
+	return true, nil
+}
+
+// ValidatePermAndReject is called on an HTTP API request and returns the username if request is
+// authenticated, and a boolean indicating whether or not the user has the requested permission.
+// If unauthenticated or forbidden, the request is rejected with a 401 or 403 error respectively.
+func (a *RedisAuthenticator) ValidatePermAndReject(w http.ResponseWriter, r *http.Request, permission string) (string, bool) {
+	username := a.ValidateAndReject(w, r)
+	if username == "" {
+		return "", false
+	}
+	hasPerm, err := a.HasPerm(username, permission)
+	if err != nil {
+		w.Header().Set("content-type", "application/json")
+		log.Println("An error occurred while validating authorization for an HTTP request!", err)
+		http.Error(w, "{\"error\": \"Internal Server Error!\"}", http.StatusInternalServerError)
+		return "", false
+	} else if !hasPerm {
+		w.Header().Set("content-type", "application/json")
+		http.Error(w, "{\"error\": \"You are not allowed to access this resource!\"}",
+			http.StatusForbidden)
+		return "", false
+	}
+	return username, true
+}
+
 // CanManageAuth returns whether or not this authenticator can manage auth, i.e. users and tokens.
 func (a *RedisAuthenticator) CanManageAuth() bool {
 	return a.stopUserUpdates != nil