impl authorization + filter

upctl/super.hcl

@@ -0,0 +1,2 @@
+endpoint = "http://localhost:8080/api/v1"
+apikey = "0fddbff5d8010f81cd28a7d77f3e38981b13d6164c2fd6e1c3f60a4287630c37"

upd/api/db.go

@@ -105,7 +105,7 @@ func (db *Db) Delete(apicontext string, id string) error {
 	return err
 }
 
-func (db *Db) List(apicontext string) (*Uploads, error) {
+func (db *Db) List(apicontext string, filter string) (*Uploads, error) {
 	uploads := &Uploads{}
 
 	err := db.bolt.View(func(tx *bolt.Tx) error {
@@ -120,14 +120,20 @@ func (db *Db) List(apicontext string) (*Uploads, error) {
 				return fmt.Errorf("unable to unmarshal json: %s", err)
 			}
 
+			fmt.Printf("apicontext: %s, filter: %s\n", apicontext, filter)
 			if apicontext != "" && db.cfg.Super != apicontext {
 				// only return the uploads for this context
 				if apicontext == upload.Context {
-					uploads.Entries = append(uploads.Entries, upload)
+					// unless a filter needed OR no filter specified
+					if (filter != "" && upload.Context == filter) || filter == "" {
+						uploads.Entries = append(uploads.Entries, upload)
+					}
 				}
 			} else {
-				// return all, because there are no contexts or current==super
+				// return all, because we operate a public service or current==super
-				uploads.Entries = append(uploads.Entries, upload)
+				if (filter != "" && upload.Context == filter) || filter == "" {
+					uploads.Entries = append(uploads.Entries, upload)
+				}
 			}
 
 			return nil

upd/api/handlers.go

@@ -28,6 +28,10 @@ import (
 	"time"
 )
 
+type SetContext struct {
+	Apicontext string `json:"apicontext" form:"apicontext"`
+}
+
 func FilePut(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
 	// supports upload of multiple files with:
 	//
@@ -201,13 +205,28 @@ func DeleteUpload(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
 
 // returns the whole list + error code, no post processing by server
 func List(c *fiber.Ctx, cfg *cfg.Config, db *Db) error {
-	apicontext, err := Untaint(c.Params("apicontext"), cfg.RegKey)
+	// fetch filter from body(json expected)
-	if err != nil {
+	setcontext := new(SetContext)
+	if err := c.BodyParser(setcontext); err != nil {
 		return JsonStatus(c, fiber.StatusForbidden,
-			"Invalid api context provided!")
+			"Unable to parse body: "+err.Error())
 	}
 
-	uploads, err := db.List(apicontext)
+	filter, err := Untaint(setcontext.Apicontext, cfg.RegKey)
+	if err != nil {
+		return JsonStatus(c, fiber.StatusForbidden,
+			"Invalid api context filter provided!")
+	}
+
+	// retrieve the API Context name from the session
+	apicontext, err := GetApicontext(c)
+	if err != nil {
+		return JsonStatus(c, fiber.StatusInternalServerError,
+			"Unable to initialize session store from context: "+err.Error())
+	}
+
+	// get list
+	uploads, err := db.List(apicontext, filter)
 	if err != nil {
 		return JsonStatus(c, fiber.StatusForbidden,
 			"Unable to list uploads: "+err.Error())

upd/upd.hcl

@@ -4,7 +4,7 @@ bodylimit = 10000
 
 apicontext = [
   {
-    context = "default"
+    context = "root"
     key = "0fddbff5d8010f81cd28a7d77f3e38981b13d6164c2fd6e1c3f60a4287630c37",
   },
   {
@@ -14,3 +14,6 @@ apicontext = [
 ]
 
 url = "https://sokrates.daemon.de"
+
+# this is the root context with all permissions
+super = "root"