135/netdisco
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c045a96a47c9e02020b8f9d6fcd05f47d76f896c
netdisco/lib/App/Netdisco/Web/AuthN.pm
Oliver Gorwits c045a96a47 add openapi tags to group operations
2019-01-01 12:37:19 +00:00

199 lines
6.4 KiB
Perl
Raw Blame History

package App::Netdisco::Web::AuthN;
use Dancer ':syntax';
use Dancer::Plugin::DBIC;
use Dancer::Plugin::Auth::Extensible;
use Dancer::Plugin::Swagger;
use MIME::Base64;
hook 'before' => sub {
params->{return_url} ||= ((request->path ne uri_for('/')->path)
? request->uri : uri_for('/inventory')->path);
# from the internals of Dancer::Plugin::Auth::Extensible
my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');
if (! session('logged_in_user')
and request->path ne uri_for('/login')->path
and request->path ne uri_for('/logout')->path
and request->path ne uri_for('/swagger.json')->path
and index(request->path, uri_for('/swagger-ui')->path) != 0) {
if (setting('trust_x_remote_user')
and scalar request->header('X-REMOTE_USER')
and length scalar request->header('X-REMOTE_USER')) {
(my $user = scalar request->header('X-REMOTE_USER')) =~ s/@[^@]*$//;
return if setting('validate_remote_user')
and not $provider->get_user_details($user);
session(logged_in_user => $user);
session(logged_in_user_realm => 'users');
}
elsif (setting('trust_remote_user')
and defined $ENV{REMOTE_USER}
and length $ENV{REMOTE_USER}) {
(my $user = $ENV{REMOTE_USER}) =~ s/@[^@]*$//;
return if setting('validate_remote_user')
and not $provider->get_user_details($user);
session(logged_in_user => $user);
session(logged_in_user_realm => 'users');
}
elsif (setting('api_token_lifetime')
and (index(request->path, uri_for('/api/')->path) == 0
or request->path eq uri_for('/swagger.json')->path)) {
my $token = request->header('Authorization');
my $user = $provider->validate_api_token($token)
or return;
session(logged_in_user => $user);
session(logged_in_user_realm => 'users');
}
elsif (setting('no_auth')) {
session(logged_in_user => 'guest');
session(logged_in_user_realm => 'users');
}
else {
# user has no AuthN - force to handler for '/'
request->path_info('/');
}
}
};
get qr{^/(?:login(?:/denied)?)?} => sub {
# FIXME not sure this is the right approach
if (param('return_url') and param('return_url') =~ m{^/api/}) {
status('unauthorized');
return to_json {
error => 'not authorized',
return_url => param('return_url'),
};
}
else {
template 'index', { return_url => param('return_url') };
}
};
# override default login_handler so we can log access in the database
swagger_path {
description => 'Obtain an API Key using HTTP BasicAuth',
tags => ['Global'],
parameters => [],
responses => {
default => {
examples => {
'application/json' => { api_key => 'cc9d5c02d8898e5728b7d7a0339c0785' } } },
},
},
post '/login' => sub {
my $mode = (request->is_ajax ? 'WebData'
: request->header('Authorization') ? 'API'
: 'WebUI');
# get authN data from request (HTTP BasicAuth or URL params)
my $authheader = request->header('Authorization');
if (defined $authheader and $authheader =~ /^Basic (.*)$/i) {
my ($u, $p) = split(m/:/, (MIME::Base64::decode($1) || ":"));
params->{username} = $u;
params->{password} = $p;
}
# test authN
my ($success, $realm) = authenticate_user(param('username'),param('password'));
if ($success) {
my $user = schema('netdisco')->resultset('User')
->find({ username => { -ilike => quotemeta(param('username')) } });
session logged_in_user => $user->username;
session logged_in_fullname => $user->fullname;
session logged_in_user_realm => $realm;
schema('netdisco')->resultset('UserLog')->create({
username => session('logged_in_user'),
userip => request->remote_address,
event => "Login ($mode)",
details => param('return_url'),
});
$user->update({ last_on => \'now()' });
return if $mode eq 'WebData';
# if API return a token and record its lifetime
if ($mode eq 'API') {
$user->update({
token_from => time,
token => \'md5(random()::text)',
})->discard_changes();
return to_json { api_key => $user->token };
}
redirect param('return_url');
}
else {
session->destroy;
schema('netdisco')->resultset('UserLog')->create({
username => param('username'),
userip => request->remote_address,
event => "Login Failure ($mode)",
details => param('return_url'),
});
if ($mode eq 'WebData') {
status('unauthorized');
}
elsif ($mode ne 'API') {
status('unauthorized');
return to_json { error => 'authentication failed' };
}
else {
vars->{login_failed}++;
forward uri_for('/login'),
{ login_failed => 1, return_url => param('return_url') },
{ method => 'GET' };
}
}
};
# ugh, *puke*, but D::P::Swagger has no way to set this with swagger_path
Dancer::Plugin::Swagger->instance->doc->{paths}->{'/login'}
->{post}->{security}->[0]->{BasicAuth} = [];
# we override the default login_handler, so logout has to be handled as well
swagger_path {
description => 'Destroy user API Key and session cookie',
tags => ['Global'],
parameters => [],
responses => { default => { examples => { 'application/json' => {} } } },
},
get '/logout' => sub {
# clear out API token
my $user = schema('netdisco')->resultset('User')
->find({ username => session('logged_in_user')});
$user->update({token => undef, token_from => undef})->discard_changes()
if $user and $user->in_storage;
# invalidate session cookie
session->destroy;
schema('netdisco')->resultset('UserLog')->create({
username => session('logged_in_user'),
userip => request->remote_address,
event => "Logout",
details => '',
});
if (request->header('Accept') =~ m/(?:json|javascript)/i) {
return to_json {};
}
else {
redirect uri_for('/inventory')->path;
}
};
true;
Reference in New Issue View Git Blame Copy Permalink