portainer/api/http/handler/auth.go

package handler

import (
	"github.com/portainer/portainer"

	"encoding/json"
	"log"
	"net/http"
	"os"

	"github.com/asaskevich/govalidator"
	"github.com/gorilla/mux"
	httperror "github.com/portainer/portainer/http/error"
	"github.com/portainer/portainer/http/security"
)

// AuthHandler represents an HTTP API handler for managing authentication.
type AuthHandler struct {
	*mux.Router
	Logger        *log.Logger
	authDisabled  bool
	UserService   portainer.UserService
	CryptoService portainer.CryptoService
	JWTService    portainer.JWTService
}

const (
	// ErrInvalidCredentialsFormat is an error raised when credentials format is not valid
	ErrInvalidCredentialsFormat = portainer.Error("Invalid credentials format")
	// ErrInvalidCredentials is an error raised when credentials for a user are invalid
	ErrInvalidCredentials = portainer.Error("Invalid credentials")
	// ErrAuthDisabled is an error raised when trying to access the authentication endpoints
	// when the server has been started with the --no-auth flag
	ErrAuthDisabled = portainer.Error("Authentication is disabled")
)

// NewAuthHandler returns a new instance of AuthHandler.
func NewAuthHandler(bouncer *security.RequestBouncer, authDisabled bool) *AuthHandler {
	h := &AuthHandler{
		Router:       mux.NewRouter(),
		Logger:       log.New(os.Stderr, "", log.LstdFlags),
		authDisabled: authDisabled,
	}
	h.Handle("/auth",
		bouncer.PublicAccess(http.HandlerFunc(h.handlePostAuth)))

	return h
}

func (handler *AuthHandler) handlePostAuth(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodPost})
		return
	}

	if handler.authDisabled {
		httperror.WriteErrorResponse(w, ErrAuthDisabled, http.StatusServiceUnavailable, handler.Logger)
		return
	}

	var req postAuthRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)
		return
	}

	_, err := govalidator.ValidateStruct(req)
	if err != nil {
		httperror.WriteErrorResponse(w, ErrInvalidCredentialsFormat, http.StatusBadRequest, handler.Logger)
		return
	}

	var username = req.Username
	var password = req.Password

	u, err := handler.UserService.UserByUsername(username)
	if err == portainer.ErrUserNotFound {
		httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)
		return
	} else if err != nil {
		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
		return
	}

	err = handler.CryptoService.CompareHashAndData(u.Password, password)
	if err != nil {
		httperror.WriteErrorResponse(w, ErrInvalidCredentials, http.StatusUnprocessableEntity, handler.Logger)
		return
	}

	tokenData := &portainer.TokenData{
		ID:       u.ID,
		Username: u.Username,
		Role:     u.Role,
	}
	token, err := handler.JWTService.GenerateToken(tokenData)
	if err != nil {
		httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)
		return
	}

	encodeJSON(w, &postAuthResponse{JWT: token}, handler.Logger)
}

type postAuthRequest struct {
	Username string `valid:"required"`
	Password string `valid:"required"`
}

type postAuthResponse struct {
	JWT string `json:"jwt"`
}
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`package handler`
refactor(api): API overhaul (#392) 8 years ago
			`import (`
			`"github.com/portainer/portainer"`

			`"encoding/json"`
			`"log"`
			`"net/http"`
			`"os"`
feat(global): multi endpoint management (#407) 8 years ago
			`"github.com/asaskevich/govalidator"`
			`"github.com/gorilla/mux"`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror "github.com/portainer/portainer/http/error"`
			`"github.com/portainer/portainer/http/security"`
refactor(api): API overhaul (#392) 8 years ago			`)`

			`// AuthHandler represents an HTTP API handler for managing authentication.`
			`type AuthHandler struct {`
			`*mux.Router`
			`Logger *log.Logger`
feat(authentication): add a --no-auth flag to disable authentication (#553) 8 years ago			`authDisabled bool`
refactor(api): API overhaul (#392) 8 years ago			`UserService portainer.UserService`
			`CryptoService portainer.CryptoService`
			`JWTService portainer.JWTService`
			`}`

			`const (`
			`// ErrInvalidCredentialsFormat is an error raised when credentials format is not valid`
			`ErrInvalidCredentialsFormat = portainer.Error("Invalid credentials format")`
			`// ErrInvalidCredentials is an error raised when credentials for a user are invalid`
			`ErrInvalidCredentials = portainer.Error("Invalid credentials")`
feat(authentication): add a --no-auth flag to disable authentication (#553) 8 years ago			`// ErrAuthDisabled is an error raised when trying to access the authentication endpoints`
			`// when the server has been started with the --no-auth flag`
			`ErrAuthDisabled = portainer.Error("Authentication is disabled")`
refactor(api): API overhaul (#392) 8 years ago			`)`

feat(global): multi endpoint management (#407) 8 years ago			`// NewAuthHandler returns a new instance of AuthHandler.`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`func NewAuthHandler(bouncer security.RequestBouncer, authDisabled bool) AuthHandler {`
refactor(api): API overhaul (#392) 8 years ago			`h := &AuthHandler{`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`Router: mux.NewRouter(),`
			`Logger: log.New(os.Stderr, "", log.LstdFlags),`
			`authDisabled: authDisabled,`
refactor(api): API overhaul (#392) 8 years ago			`}`
feat(uac): add multi user management and UAC (#647) 8 years ago			`h.Handle("/auth",`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`bouncer.PublicAccess(http.HandlerFunc(h.handlePostAuth)))`
feat(uac): add multi user management and UAC (#647) 8 years ago
refactor(api): API overhaul (#392) 8 years ago			`return h`
			`}`

			`func (handler AuthHandler) handlePostAuth(w http.ResponseWriter, r http.Request) {`
feat(global): multi endpoint management (#407) 8 years ago			`if r.Method != http.MethodPost {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteMethodNotAllowedResponse(w, []string{http.MethodPost})`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`}`

feat(authentication): add a --no-auth flag to disable authentication (#553) 8 years ago			`if handler.authDisabled {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, ErrAuthDisabled, http.StatusServiceUnavailable, handler.Logger)`
feat(authentication): add a --no-auth flag to disable authentication (#553) 8 years ago			`return`
			`}`

refactor(api): API overhaul (#392) 8 years ago			`var req postAuthRequest`
			`if err := json.NewDecoder(r.Body).Decode(&req); err != nil {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, ErrInvalidJSON, http.StatusBadRequest, handler.Logger)`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`}`

			`_, err := govalidator.ValidateStruct(req)`
			`if err != nil {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, ErrInvalidCredentialsFormat, http.StatusBadRequest, handler.Logger)`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`}`

			`var username = req.Username`
			`var password = req.Password`

feat(uac): add multi user management and UAC (#647) 8 years ago			`u, err := handler.UserService.UserByUsername(username)`
refactor(api): API overhaul (#392) 8 years ago			`if err == portainer.ErrUserNotFound {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, err, http.StatusNotFound, handler.Logger)`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`} else if err != nil {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`}`

			`err = handler.CryptoService.CompareHashAndData(u.Password, password)`
			`if err != nil {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, ErrInvalidCredentials, http.StatusUnprocessableEntity, handler.Logger)`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`}`

			`tokenData := &portainer.TokenData{`
feat(uac): add multi user management and UAC (#647) 8 years ago			`ID: u.ID,`
			`Username: u.Username,`
			`Role: u.Role,`
refactor(api): API overhaul (#392) 8 years ago			`}`
			`token, err := handler.JWTService.GenerateToken(tokenData)`
			`if err != nil {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			`httperror.WriteErrorResponse(w, err, http.StatusInternalServerError, handler.Logger)`
refactor(api): API overhaul (#392) 8 years ago			`return`
			`}`

			`encodeJSON(w, &postAuthResponse{JWT: token}, handler.Logger)`
			`}`

			`type postAuthRequest struct {`
feat(global): introduce user teams and new UAC system (#868) 8 years ago			Username string `valid:"required"`
refactor(api): API overhaul (#392) 8 years ago			Password string `valid:"required"`
			`}`

			`type postAuthResponse struct {`
			JWT string `json:"jwt"`
			`}`