wg-portal/internal/domain/context.go

package domain

import (
	"context"
	"fmt"
	"github.com/sirupsen/logrus"

	"github.com/gin-gonic/gin"
)

const CtxUserInfo = "userInfo"

const (
	CtxSystemAdminId = "_WG_SYS_ADMIN_"
	CtxUnknownUserId = "_WG_SYS_UNKNOWN_"
)

type ContextUserInfo struct {
	Id      UserIdentifier
	IsAdmin bool
}

func (u *ContextUserInfo) String() string {
	return fmt.Sprintf("%s|%t", u.Id, u.IsAdmin)
}

func (u *ContextUserInfo) UserId() string {
	return string(u.Id)
}

func DefaultContextUserInfo() *ContextUserInfo {
	return &ContextUserInfo{
		Id:      CtxUnknownUserId,
		IsAdmin: false,
	}
}

func SystemAdminContextUserInfo() *ContextUserInfo {
	return &ContextUserInfo{
		Id:      CtxSystemAdminId,
		IsAdmin: true,
	}
}

func SetUserInfoFromGin(c *gin.Context) context.Context {
	ginUserInfo, exists := c.Get(CtxUserInfo)

	info := DefaultContextUserInfo()
	if exists {
		if ginInfo, ok := ginUserInfo.(*ContextUserInfo); ok {
			info = ginInfo
		}
	}

	ctx := SetUserInfo(c.Request.Context(), info)
	return ctx
}

func SetUserInfo(ctx context.Context, info *ContextUserInfo) context.Context {
	ctx = context.WithValue(ctx, CtxUserInfo, info)
	return ctx
}

func GetUserInfo(ctx context.Context) *ContextUserInfo {
	rawInfo := ctx.Value(CtxUserInfo)
	if rawInfo == nil {
		return DefaultContextUserInfo()
	}

	if info, ok := rawInfo.(*ContextUserInfo); ok {
		return info
	}

	return DefaultContextUserInfo()
}

func ValidateUserAccessRights(ctx context.Context, requiredUser UserIdentifier) error {
	sessionUser := GetUserInfo(ctx)

	if sessionUser.IsAdmin {
		return nil // Admins can do everything
	}

	if sessionUser.Id == requiredUser {
		return nil // User can access own data
	}

	logrus.Warnf("insufficient permissions for %s (want %s), stack: %s", sessionUser.Id, requiredUser, GetStackTrace())
	return fmt.Errorf("insufficient permissions")
}

func ValidateAdminAccessRights(ctx context.Context) error {
	sessionUser := GetUserInfo(ctx)

	if sessionUser.IsAdmin {
		return nil
	}

	logrus.Warnf("insufficient admin permissions for %s, stack: %s", sessionUser.Id, GetStackTrace())
	return fmt.Errorf("insufficient permissions")
}
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00			`package domain`

			`import (`
			`"context"`
			`"fmt"`
fix REST API permission checks (#209) 2024-01-31 20:14:36 +00:00			`"github.com/sirupsen/logrus"`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 11:34:18 +00:00
			`"github.com/gin-gonic/gin"`
			`)`

			`const CtxUserInfo = "userInfo"`

			`const (`
			`CtxSystemAdminId = "_WG_SYS_ADMIN_"`
			`CtxUnknownUserId = "_WG_SYS_UNKNOWN_"`
			`)`

			`type ContextUserInfo struct {`
			`Id UserIdentifier`
			`IsAdmin bool`
			`}`

			`func (u *ContextUserInfo) String() string {`
			`return fmt.Sprintf("%s\|%t", u.Id, u.IsAdmin)`
			`}`

			`func (u *ContextUserInfo) UserId() string {`
			`return string(u.Id)`
			`}`

			`func DefaultContextUserInfo() *ContextUserInfo {`
			`return &ContextUserInfo{`
			`Id: CtxUnknownUserId,`
			`IsAdmin: false,`
			`}`
			`}`

			`func SystemAdminContextUserInfo() *ContextUserInfo {`
			`return &ContextUserInfo{`
			`Id: CtxSystemAdminId,`
			`IsAdmin: true,`
			`}`
			`}`

			`func SetUserInfoFromGin(c *gin.Context) context.Context {`
			`ginUserInfo, exists := c.Get(CtxUserInfo)`

			`info := DefaultContextUserInfo()`
			`if exists {`
			`if ginInfo, ok := ginUserInfo.(*ContextUserInfo); ok {`
			`info = ginInfo`
			`}`
			`}`

			`ctx := SetUserInfo(c.Request.Context(), info)`
			`return ctx`
			`}`

			`func SetUserInfo(ctx context.Context, info *ContextUserInfo) context.Context {`
			`ctx = context.WithValue(ctx, CtxUserInfo, info)`
			`return ctx`
			`}`

			`func GetUserInfo(ctx context.Context) *ContextUserInfo {`
			`rawInfo := ctx.Value(CtxUserInfo)`
			`if rawInfo == nil {`
			`return DefaultContextUserInfo()`
			`}`

			`if info, ok := rawInfo.(*ContextUserInfo); ok {`
			`return info`
			`}`

			`return DefaultContextUserInfo()`
			`}`
fix REST API permission checks (#209) 2024-01-31 20:14:36 +00:00
			`func ValidateUserAccessRights(ctx context.Context, requiredUser UserIdentifier) error {`
			`sessionUser := GetUserInfo(ctx)`

			`if sessionUser.IsAdmin {`
			`return nil // Admins can do everything`
			`}`

			`if sessionUser.Id == requiredUser {`
			`return nil // User can access own data`
			`}`

			`logrus.Warnf("insufficient permissions for %s (want %s), stack: %s", sessionUser.Id, requiredUser, GetStackTrace())`
			`return fmt.Errorf("insufficient permissions")`
			`}`

			`func ValidateAdminAccessRights(ctx context.Context) error {`
			`sessionUser := GetUserInfo(ctx)`

			`if sessionUser.IsAdmin {`
			`return nil`
			`}`

			`logrus.Warnf("insufficient admin permissions for %s, stack: %s", sessionUser.Id, GetStackTrace())`
			`return fmt.Errorf("insufficient permissions")`
			`}`