Adding authorisation options for API access

AUTHORS

@@ -63,3 +63,4 @@ List of contributors, in chronological order:
 * Ramón N.Rodriguez (https://github.com/runitonmetal)
 * Golf Hu (https://github.com/hudeng-go)
 * Cookie Fei (https://github.com/wuhuang26)
+* Brett Hawn (https://github.com/bpiraeus)

api/auth.go

@@ -0,0 +1,118 @@
+package api
+
+import (
+	"crypto/tls"
+	"fmt"
+	"strings"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+	"github.com/go-ldap/ldap/v3"
+)
+
+func Authorize(username string, password string) (ok bool) {
+	config := context.Config()
+
+	if config.Auth.Type != "" {
+		switch strings.ToLower(config.Auth.Type) {
+		case "ldap":
+			ok = doLdapAuth(username, password)
+		default:
+			return false
+		}
+		if !ok  {
+			return false
+		}
+	}
+	return true
+}
+
+func doLdapAuth(username string, password string) bool {
+	config := context.Config()
+	attributes := []string{"DN", "CN"}
+
+	server := config.Auth.Server
+	dn := config.Auth.LdapDN
+	filter := fmt.Sprintf(config.Auth.LdapFilter, username)
+
+	// connect to ldap server
+	conn, err := ldap.Dial("tcp", server)
+	if err != nil {
+		return false
+	}
+	defer conn.Close()
+
+	// reconnect via tls
+	err = conn.StartTLS(&tls.Config{InsecureSkipVerify: config.Auth.SecureTLS})
+	if err != nil {
+		return false
+	}
+
+	// format our request and then fire it off
+	request := ldap.NewSearchRequest(dn, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, attributes, nil)
+	search, err := conn.Search(request)
+	if err != nil {
+		return false
+	}
+	// get our modified dn and then check our user for auth
+	udn := search.Entries[0].DN
+	err = conn.Bind(udn, password)
+	if err != nil {
+		return false
+	}
+	return true
+}
+
+func getGroups(c *gin.Context, username string) {
+
+	var groups []string
+	config := context.Config()
+	dn := config.Auth.LdapDN
+	session := sessions.Default(c)
+	// connect to ldap server
+	server := fmt.Sprintf("%s", config.Auth.Server)
+	conn, err := ldap.Dial("tcp", server)
+	if err != nil {
+		return
+	}
+	// reconnect via tls
+	err = conn.StartTLS(&tls.Config{InsecureSkipVerify: true})
+	if err != nil {
+		return
+	}
+	filter := fmt.Sprintf("(|(member=uid=%s,ou=people,dc=llnw,dc=com)(member=uid=%s,ou=people,dc=llnw,dc=com))", username, username)
+	request := ldap.NewSearchRequest(dn, ldap.ScopeWholeSubtree, 0, 0, 0, false, filter, []string{"dn", "cn"}, nil)
+	search, err := conn.Search(request)
+	if err != nil {
+		return
+	}
+	if len(search.Entries) < 1 {
+		return
+	}
+	for _, v := range search.Entries {
+		value := strings.Split(strings.TrimLeft(v.DN, "cn="), ",")[0]
+		groups = append(groups, fmt.Sprintf("%s,", value))
+	}
+	session.Set("Groups", groups)
+}
+
+func checkGroup(c *gin.Context, ldgroup string) bool {
+	session := sessions.Default(c)
+	groups := session.Get("Groups")
+	if ldgroup == "" {
+		return true
+	}
+	for _, v := range groups.([]string) {
+		if strings.Contains(v, ldgroup) {
+			return true
+		}
+	}
+	return false
+}
+
+func CheckGroup(c *gin.Context, ldgroup string) (err error) {
+	if !checkGroup(c, ldgroup) {
+		err = fmt.Errorf("Authorisation Failred")
+	}
+	return err
+}

api/publish.go

@@ -169,6 +169,11 @@ func apiPublishRepoOrSnapshot(c *gin.Context) {
 				return
 			}
 
+			err = CheckGroup(c, localRepo.LdapGroup)
+			if err != nil {
+				c.AbortWithError(403, err)
+			}
+
 			resources = append(resources, string(localRepo.Key()))
 			err = localCollection.LoadComplete(localRepo)
 			if err != nil {

api/repos.go

@@ -87,6 +87,7 @@ func apiReposCreate(c *gin.Context) {
 		Comment             string
 		DefaultDistribution string
 		DefaultComponent    string
+		LdapGroup           string
 	}
 
 	if c.Bind(&b) != nil {
@@ -96,6 +97,7 @@ func apiReposCreate(c *gin.Context) {
 	repo := deb.NewLocalRepo(b.Name, b.Comment)
 	repo.DefaultComponent = b.DefaultComponent
 	repo.DefaultDistribution = b.DefaultDistribution
+	repo.LdapGroup = b.LdapGroup
 
 	collectionFactory := context.NewCollectionFactory()
 	collection := collectionFactory.LocalRepoCollection()
@@ -115,6 +117,7 @@ func apiReposEdit(c *gin.Context) {
 		Comment             *string
 		DefaultDistribution *string
 		DefaultComponent    *string
+		LdapGroup           *string
 	}
 
 	if c.Bind(&b) != nil {
@@ -130,6 +133,12 @@ func apiReposEdit(c *gin.Context) {
 		return
 	}
 
+	err = CheckGroup(c, repo.LdapGroup)
+	if err != nil {
+		c.AbortWithError(403, err)
+		return
+	}
+
 	if b.Name != nil {
 		_, err := collection.ByName(*b.Name)
 		if err == nil {
@@ -148,6 +157,9 @@ func apiReposEdit(c *gin.Context) {
 	if b.DefaultComponent != nil {
 		repo.DefaultComponent = *b.DefaultComponent
 	}
+	if b.LdapGroup != nil {
+		repo.LdapGroup = *b.LdapGroup
+	}
 
 	err = collection.Update(repo)
 	if err != nil {
@@ -196,6 +208,12 @@ func apiReposDrop(c *gin.Context) {
 		return
 	}
 
+	err = CheckGroup(c, repo.LdapGroup)
+	if err != nil {
+		c.AbortWithError(403, err)
+		return
+	}
+
 	resources := []string{string(repo.Key())}
 	taskName := fmt.Sprintf("Delete repo %s", name)
 	maybeRunTaskInBackground(c, taskName, resources, func(_ aptly.Progress, _ *task.Detail) (*task.ProcessReturnValue, error) {
@@ -260,6 +278,12 @@ func apiReposPackagesAddDelete(c *gin.Context, taskNamePrefix string, cb func(li
 		return
 	}
 
+	err = CheckGroup(c, repo.LdapGroup)
+	if err != nil {
+		c.AbortWithError(403, err)
+		return
+	}
+
 	resources := []string{string(repo.Key())}
 	maybeRunTaskInBackground(c, taskNamePrefix+repo.Name, resources, func(out aptly.Progress, _ *task.Detail) (*task.ProcessReturnValue, error) {
 		out.Printf("Loading packages...\n")
@@ -366,6 +390,12 @@ func apiReposPackageFromDir(c *gin.Context) {
 		return
 	}
 
+	err = CheckGroup(c, repo.LdapGroup)
+	if err != nil {
+		c.AbortWithError(403, err)
+		return
+	}
+
 	var taskName string
 	var sources []string
 	if fileParam == "" {
@@ -651,6 +681,11 @@ func apiReposIncludePackageFromDir(c *gin.Context) {
 			AbortWithJSONError(c, 404, err)
 			return
 		}
+		err = CheckGroup(c, repo.LdapGroup)
+		if err != nil {
+			c.AbortWithError(403, err)
+			return
+		}
 
 		resources = append(resources, string(repo.Key()))
 	}