api server

2025-11-02 19:54:05 +08:00 · 2024-02-01 21:03:43 +08:00
parent edba210c6a
commit 8d66706a75
46 changed files with 5736 additions and 2 deletions
--- a/backend/pkg/server/router/middleware/auth.go
+++ b/backend/pkg/server/router/middleware/auth.go
@@ -0,0 +1,98 @@
+// Package middleware
+package middleware
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"sync"
+
+	"github.com/gin-gonic/gin"
+	"go.uber.org/zap"
+
+	"github.com/veops/oneterm/pkg/conf"
+	"github.com/veops/oneterm/pkg/logger"
+	"github.com/veops/oneterm/pkg/server/auth/acl"
+)
+
+var (
+	basicAuthDb = sync.Map{}
+)
+
+func init() {
+	basicAuthDb.Store("admin", "admin")
+}
+
+func Auth() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		var err error
+		var ok bool
+
+		if conf.Cfg.Auth.Acl != nil && conf.Cfg.Auth.Acl.Url != "" {
+			err, ok = authAcl(c)
+		} else {
+			// TODO: add your auth here
+			ok = true
+		}
+		if !ok {
+			logger.L.Warn(err.Error())
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
+				"message": "authorized refused",
+			})
+			return
+		}
+
+		c.Next()
+	}
+}
+
+func AuthToken() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if c.GetHeader("X-Token") != conf.Cfg.SshServer.Xtoken {
+			logger.L.Warn("invalid token", zap.String("X-Token", c.GetHeader("X-Token")))
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
+				"message": "authorized refused",
+			})
+			return
+		}
+
+		c.Next()
+	}
+}
+
+func authAcl(ctx *gin.Context) (error, bool) {
+	session := &acl.Session{}
+
+	sess, err := ctx.Cookie("session")
+	if err == nil && sess != "" {
+		s := acl.NewSignature(conf.Cfg.SecretKey, "cookie-session", "", "hmac", nil, nil)
+		content, err := s.Unsign(sess)
+		if err != nil {
+			return err, false
+		}
+
+		err = json.Unmarshal(content, &session)
+		if err != nil {
+			return err, false
+		}
+
+		ctx.Set("session", session)
+		return nil, true
+	}
+	return fmt.Errorf("no session"), false
+}
+
+//func authBasic(ctx *gin.Context) (error, bool) {
+//	if user, password, ok := ctx.Request.BasicAuth(); ok {
+//		if p, ok := basicAuthDb.Load(user); ok && p.(string) == password {
+//			return nil, true
+//		} else {
+//			return fmt.Errorf("invalid user or password"), false
+//		}
+//	}
+//	return fmt.Errorf("invalid user or password"), false
+//}
+
+//func authWithWhiteList(ip string) bool {
+//	return lo.Contains(viper.GetStringSlice("gateway.whiteList"), ip)
+//}