276 lines
7.2 KiB
Go
276 lines
7.2 KiB
Go
package main
|
|
|
|
import (
|
|
//"context"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
|
|
"github.com/go-ldap/ldap/v3"
|
|
"github.com/gorilla/mux"
|
|
"log"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
func checkLoginAPI(w http.ResponseWriter, r *http.Request) (*LoginStatus, error) {
|
|
username, password, ok := r.BasicAuth()
|
|
if !ok {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
return nil, errors.New("Missing or invalid 'Authenticate: Basic' field")
|
|
}
|
|
user_dn := buildUserDN(username)
|
|
|
|
login_info := &LoginInfo{
|
|
DN: user_dn,
|
|
Username: username,
|
|
Password: password,
|
|
}
|
|
|
|
l := ldapOpen(w)
|
|
if l == nil {
|
|
log.Println("Unable to open LDAP connection")
|
|
return nil, errors.New("Unable to open LDAP connection")
|
|
}
|
|
|
|
err := l.Bind(login_info.DN, login_info.Password)
|
|
if err != nil {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`)
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
return nil, errors.New("Unable to bind this user+password combination on the LDAP server")
|
|
}
|
|
|
|
loginStatus := &LoginStatus{
|
|
Info: login_info,
|
|
conn: l,
|
|
}
|
|
|
|
requestKind := "(objectClass=organizationalPerson)"
|
|
|
|
if strings.EqualFold(login_info.DN, config.AdminAccount) {
|
|
requestKind = "(objectclass=*)"
|
|
}
|
|
searchRequest := ldap.NewSearchRequest(
|
|
login_info.DN,
|
|
ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
|
|
requestKind,
|
|
[]string{
|
|
"dn",
|
|
"displayname",
|
|
"givenname",
|
|
"sn",
|
|
"mail",
|
|
"memberof",
|
|
"description",
|
|
"garage_s3_access_key",
|
|
FIELD_NAME_DIRECTORY_VISIBILITY,
|
|
FIELD_NAME_PROFILE_PICTURE,
|
|
},
|
|
nil)
|
|
|
|
sr, err := l.Search(searchRequest)
|
|
if err != nil {
|
|
log.Println(err)
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return nil, errors.New("Unable to search essential information about the logged user on LDAP")
|
|
}
|
|
|
|
if len(sr.Entries) != 1 {
|
|
log.Println(fmt.Sprintf("Unable to find entry for %s", login_info.DN))
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return nil, errors.New("Not enough or too many entries for this user in the LDAP directory (expect a unique result)")
|
|
}
|
|
|
|
loginStatus.UserEntry = sr.Entries[0]
|
|
|
|
loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
|
|
loginStatus.CanInvite = false
|
|
for _, attr := range loginStatus.UserEntry.Attributes {
|
|
if strings.EqualFold(attr.Name, "memberof") {
|
|
for _, group := range attr.Values {
|
|
if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
|
|
loginStatus.CanInvite = true
|
|
}
|
|
if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
|
|
loginStatus.CanAdmin = true
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return loginStatus, nil
|
|
}
|
|
|
|
func checkLoginAndS3API(w http.ResponseWriter, r *http.Request) (*LoginStatus, *garage.KeyInfo, error) {
|
|
login, err := checkLoginAPI(w, r)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
keyPair, err := checkS3(login)
|
|
return login, keyPair, err
|
|
}
|
|
|
|
type ApiQuotaView struct {
|
|
files *uint64
|
|
size *uint64
|
|
}
|
|
|
|
type ApiBucketView struct {
|
|
global *bool
|
|
max *ApiQuotaView
|
|
used *ApiQuotaView
|
|
}
|
|
|
|
type BucketRequest struct {
|
|
s3key *garage.KeyInfo
|
|
bucketName string
|
|
bucketId string
|
|
global bool
|
|
http *http.Request
|
|
}
|
|
|
|
func handleAPIGarageBucket(w http.ResponseWriter, r *http.Request) {
|
|
br, err := buildBucketRequest(w, r)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
if r.Method == http.MethodPatch {
|
|
patchGarageBucket(w, br)
|
|
return
|
|
}
|
|
|
|
if r.Method == http.MethodGet {
|
|
getGarageBucket(w, br)
|
|
return
|
|
}
|
|
|
|
http.Error(w, "This method is not implemented for this endpoint", http.StatusNotImplemented)
|
|
return
|
|
}
|
|
|
|
func buildBucketRequest(w http.ResponseWriter, r *http.Request) (*BucketRequest, error) {
|
|
_, s3key, err := checkLoginAndS3API(w, r)
|
|
if err != nil {
|
|
//http.Error(w, "Unable to connect on LDAP", http.StatusUnauthorized)
|
|
return nil, err
|
|
}
|
|
|
|
// FETCH BUCKET ID by iterating over buckets owned by this key
|
|
bucketName := mux.Vars(r)["bucket"]
|
|
var bucketId *string
|
|
var global *bool
|
|
|
|
findBucketIdLoop:
|
|
for _, bucket := range s3key.Buckets {
|
|
for _, localAlias := range bucket.LocalAliases {
|
|
if localAlias == bucketName {
|
|
bucketId = bucket.Id
|
|
*global = false
|
|
break findBucketIdLoop
|
|
}
|
|
}
|
|
for _, globalAlias := range bucket.GlobalAliases {
|
|
if globalAlias == bucketName {
|
|
bucketId = bucket.Id
|
|
*global = true
|
|
break findBucketIdLoop
|
|
}
|
|
}
|
|
}
|
|
|
|
if bucketId == nil || global == nil {
|
|
http.Error(w, "Bucket not found in this account", http.StatusNotFound)
|
|
return nil, errors.New("Unable to fetch bucket ID")
|
|
}
|
|
|
|
return &BucketRequest{
|
|
s3key: s3key,
|
|
bucketName: bucketName,
|
|
bucketId: *bucketId,
|
|
global: *global,
|
|
http: r,
|
|
}, nil
|
|
}
|
|
|
|
func patchGarageBucket(w http.ResponseWriter, br *BucketRequest) {
|
|
var err error
|
|
|
|
// DECODE BODY
|
|
var queuedChange ApiBucketView
|
|
decoder := json.NewDecoder(br.http.Body)
|
|
err = decoder.Decode(&queuedChange)
|
|
if err != nil {
|
|
log.Println(err)
|
|
http.Error(w, "Unable to decode the body", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// SET THE GLOBAL FLAG
|
|
if queuedChange.global != nil {
|
|
if *queuedChange.global && !br.global {
|
|
_, err = grgAddGlobalAlias(br.bucketId, br.bucketName)
|
|
if err != nil {
|
|
http.Error(w, "Unable to add the requested name as global alias for this bucket", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
_, err = grgDelLocalAlias(br.bucketId, *br.s3key.AccessKeyId, br.bucketName)
|
|
if err != nil {
|
|
http.Error(w, "Unable to remove the local alias for this bucket", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
} else if !*queuedChange.global && br.global {
|
|
grgAddLocalAlias(br.bucketId, *br.s3key.AccessKeyId, br.bucketName)
|
|
if err != nil {
|
|
http.Error(w, "Unable to add the requested name as local alias for this bucket", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
grgDelGlobalAlias(br.bucketId, br.bucketName)
|
|
if err != nil {
|
|
http.Error(w, "Unable to remove the global alias for this bucket", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
}
|
|
}
|
|
|
|
// CHECK IF QUOTA MUST BE ADDED TO THIS BUCKET
|
|
|
|
// VALIDATE IT
|
|
// --- global ---
|
|
// 1. can be true, false, or nil (use pointers)
|
|
// 2. if nil do nothing
|
|
// 3. if false, throw "not yet implemented" (501)
|
|
// 4. if true, check that the bucket name does not exist yet in the global namespace, throw "forbidden" (403)
|
|
// --- quota.size ---
|
|
// 1. if no quota on the bucket + this field is none, set to 50MB
|
|
// 2. if lower than 50MB, set to 50MB. If higher than 200MB, set to 200MB
|
|
// --- quota.files ---
|
|
// 1. if no quota on the bucket + this field is none, set to 10k
|
|
// 2. if lower than 10k, set to 10k. If higher than 40k, set to 40k
|
|
// READ BODY JSON
|
|
|
|
// IF BODY.GLOBAL is not NONE
|
|
// DO: Add an alias
|
|
|
|
// IF BODY.QUOTA.SIZE is not NONE
|
|
// DO: Change quota
|
|
|
|
// IF BODY.QUOTA.FILE is not NONE
|
|
// DO: Change quota
|
|
|
|
getGarageBucket(w, br)
|
|
}
|
|
|
|
func getGarageBucket(w http.ResponseWriter, br *BucketRequest) {
|
|
// FETCH AN UPDATED BUCKET VIEW
|
|
bucket, err := grgGetBucket(br.bucketId)
|
|
if err != nil {
|
|
http.Error(w, "Unable to fetch bucket details", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// BUILD A VIEW
|
|
log.Println(bucket)
|
|
}
|