From 11802a56e94264528c3f13a90dccde81d2d548a9 Mon Sep 17 00:00:00 2001
From: Thomas von Dein
Date: Thu, 16 Mar 2023 16:35:55 +0100
Subject: [PATCH] impl authorization + filter

---
 upctl/super.hcl | 2 ++
 upd/api/db.go | 14 ++++++++++----
 upd/api/handlers.go | 27 +++++++++++++++++++++++----
 upd/upd.hcl | 5 ++++-
 4 files changed, 39 insertions(+), 9 deletions(-)
 create mode 100644 upctl/super.hcl

diff --git a/upctl/super.hcl b/upctl/super.hcl
new file mode 100644
index 0000000..a8f0e45
--- /dev/null
+++ b/upctl/super.hcl
@@ -0,0 +1,2 @@
+endpoint = "http://localhost:8080/api/v1"
+apikey = "0fddbff5d8010f81cd28a7d77f3e38981b13d6164c2fd6e1c3f60a4287630c37"
diff --git a/upd/api/db.go b/upd/api/db.go
index 8b4fbcb..332180e 100644
--- a/upd/api/db.go
+++ b/upd/api/db.go
@@ -105,7 +105,7 @@ func (db *Db) Delete(apicontext string, id string) error {
 return err
 }
-func (db *Db) List(apicontext string) (*Uploads, error) {
+func (db *Db) List(apicontext string, filter string) (*Uploads, error) {
 uploads := &Uploads{}
 err := db.bolt.View(func(tx *bolt.Tx) error {
@@ -120,14 +120,20 @@ func (db *Db) List(apicontext string) (*Uploads, error) {
 return fmt.Errorf("unable to unmarshal json: %s", err)
 }
+ fmt.Printf("apicontext: %s, filter: %s\n", apicontext, filter)
 if apicontext != "" && db.cfg.Super != apicontext {
 // only return the uploads for this context
 if apicontext == upload.Context {
- uploads.Entries = append(uploads.Entries, upload)
+ // unless a filter needed OR no filter specified
+ if (filter != "" && upload.Context == filter) || filter == "" {
+ uploads.Entries = append(uploads.Entries, upload)
+ }
 }
 } else {
- // return all, because there are no contexts or current==super
- uploads.Entries = append(uploads.Entries, upload)
+ // return all, because we operate a public service or current==super
+ if (filter != "" && upload.Context == filter) || filter == "" {
+ uploads.Entries = append(uploads.Entries, upload)
+ }
 }
 return nil
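Review bot: The `apikey` value committed in this new client config is the same key that upd/upd.hcl assigns to the `root` context, which this commit also declares as `super`, so the all-permissions credential now lives in the repository in two places. Anyone with read access to the history holds it, and rotating it means editing two files in step. Replace the value with a placeholder such as `apikey = "<your-api-key>"`, keep the real file out of version control (and load it from the environment if upctl supports that), and treat the key that is already committed as exposed. The same applies to the `key` line kept in the upd/upd.hcl hunk.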
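Review bot: The new `filter` parameter is undocumented, and `List` is an exported method whose result now depends on two inputs that interact: the caller's context and an optional context name. Add a doc comment above the signature such as `// List returns the uploads visible to apicontext; a non-empty filter additionally restricts the result to uploads whose Context equals filter, and an empty filter returns everything the caller may see.` The body of List continues below this hunk.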
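Review bot: The `fmt.Printf` added at the top of the hunk writes the caller's context and the requested filter to stdout, and since it sits right after the per-entry unmarshal it appears to fire once for every stored upload; it looks like leftover debugging, floods the server output, and records which context each client is working in. Remove it, or if the information is wanted, emit it once per call through whatever logger the package already uses. The filter predicate is also duplicated verbatim in both branches; computing it once, `match := filter == "" || upload.Context == filter`, and testing `if match {` in each branch keeps the two paths from drifting apart. The enclosing View closure continues outside the hunk.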
diff --git a/upd/api/handlers.go b/upd/api/handlers.go
index 4504874..5ae3738 100644
--- a/upd/api/handlers.go
+++ b/upd/api/handlers.go
@@ -28,6 +28,10 @@ import (
 "time"
 )
+type SetContext struct {
+ Apicontext string `json:"apicontext" form:"apicontext"`
+}
+
 func FilePut(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
 // supports upload of multiple files with:
 //
@@ -201,13 +205,28 @@ func DeleteUpload(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
 // returns the whole list + error code, no post processing by server
 func List(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
- apicontext, err := Untaint(c.Params("apicontext"), cfg.RegKey)
- if err != nil {
+ // fetch filter from body(json expected)
+ setcontext := new(SetContext)
+ if err := c.BodyParser(setcontext); err != nil {
 return JsonStatus(c, fiber.StatusForbidden,
- "Invalid api context provided!")
+ "Unable to parse body: "+err.Error())
 }
- uploads, err := db.List(apicontext)
+ filter, err := Untaint(setcontext.Apicontext, cfg.RegKey)
+ if err != nil {
+ return JsonStatus(c, fiber.StatusForbidden,
+ "Invalid api context filter provided!")
+ }
+
+ // retrieve the API Context name from the session
+ apicontext, err := GetApicontext(c)
+ if err != nil {
+ return JsonStatus(c, fiber.StatusInternalServerError,
+ "Unable to initialize session store from context: "+err.Error())
+ }
+
+ // get list
+ uploads, err := db.List(apicontext, filter)
 if err != nil {
 return JsonStatus(c, fiber.StatusForbidden,
 "Unable to list uploads: "+err.Error())
diff --git a/upd/upd.hcl b/upd/upd.hcl
index f6fce6b..ea3df2d 100644
--- a/upd/upd.hcl
+++ b/upd/upd.hcl
@@ -4,7 +4,7 @@ bodylimit = 10000
 apicontext = [
 {
- context = "default"
+ context = "root"
 key = "0fddbff5d8010f81cd28a7d77f3e38981b13d6164c2fd6e1c3f60a4287630c37",
 },
 {
@@ -14,3 +14,6 @@ apicontext = [
 ]
 url = "https://sokrates.daemon.de"
+
+# this is the root context with all permissions
+super = "root"
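Review bot: `SetContext` is a new exported type with no doc comment, and its name reads like a setter although, as the second hunk shows, it is the optional request body carrying a listing filter. Add `// SetContext is the request body accepted by List; Apicontext, when non-empty, limits the listing to that API context.` above the declaration, and consider a name such as `ListFilter` that says what the value is rather than what a caller might do with it.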
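Review bot: A `BodyParser` failure is answered with `fiber.StatusForbidden`, but a malformed or absent body is a client error rather than an authorization decision, and — if I read fiber's BodyParser correctly — a request carrying no body and no recognized Content-Type also returns an error, so a plain list call without a filter would be rejected outright. Treat an empty body as "no filter" and keep 403 for the Untaint and db.List failures that follow, e.g. `if err := c.BodyParser(setcontext); err != nil && len(c.Body()) > 0 {` answering with `fiber.StatusBadRequest`. Echoing the parser's `err.Error()` and the session-store error text straight back to the client is also more internal detail than a caller needs; a fixed message with the detail logged server-side is enough. List continues beyond the end of the hunk.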