mirror of
https://github.com/astaxie/beego.git
synced 2024-11-25 21:01:31 +00:00
Adapter: plugin
This commit is contained in:
parent
1dae2c9eb3
commit
f1950482c2
94
pkg/adapter/plugins/apiauth/apiauth.go
Normal file
94
pkg/adapter/plugins/apiauth/apiauth.go
Normal file
@ -0,0 +1,94 @@
|
|||||||
|
// Copyright 2014 beego Author. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// Package apiauth provides handlers to enable apiauth support.
|
||||||
|
//
|
||||||
|
// Simple Usage:
|
||||||
|
// import(
|
||||||
|
// "github.com/astaxie/beego"
|
||||||
|
// "github.com/astaxie/beego/plugins/apiauth"
|
||||||
|
// )
|
||||||
|
//
|
||||||
|
// func main(){
|
||||||
|
// // apiauth every request
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter,apiauth.APIBaiscAuth("appid","appkey"))
|
||||||
|
// beego.Run()
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// Advanced Usage:
|
||||||
|
//
|
||||||
|
// func getAppSecret(appid string) string {
|
||||||
|
// // get appsecret by appid
|
||||||
|
// // maybe store in configure, maybe in database
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter,apiauth.APISecretAuth(getAppSecret, 360))
|
||||||
|
//
|
||||||
|
// Information:
|
||||||
|
//
|
||||||
|
// In the request user should include these params in the query
|
||||||
|
//
|
||||||
|
// 1. appid
|
||||||
|
//
|
||||||
|
// appid is assigned to the application
|
||||||
|
//
|
||||||
|
// 2. signature
|
||||||
|
//
|
||||||
|
// get the signature use apiauth.Signature()
|
||||||
|
//
|
||||||
|
// when you send to server remember use url.QueryEscape()
|
||||||
|
//
|
||||||
|
// 3. timestamp:
|
||||||
|
//
|
||||||
|
// send the request time, the format is yyyy-mm-dd HH:ii:ss
|
||||||
|
//
|
||||||
|
package apiauth
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/url"
|
||||||
|
|
||||||
|
beego "github.com/astaxie/beego/pkg/adapter"
|
||||||
|
"github.com/astaxie/beego/pkg/adapter/context"
|
||||||
|
beecontext "github.com/astaxie/beego/pkg/server/web/context"
|
||||||
|
"github.com/astaxie/beego/pkg/server/web/filter/apiauth"
|
||||||
|
)
|
||||||
|
|
||||||
|
// AppIDToAppSecret is used to get appsecret throw appid
|
||||||
|
type AppIDToAppSecret apiauth.AppIDToAppSecret
|
||||||
|
|
||||||
|
// APIBasicAuth use the basic appid/appkey as the AppIdToAppSecret
|
||||||
|
func APIBasicAuth(appid, appkey string) beego.FilterFunc {
|
||||||
|
f := apiauth.APIBasicAuth(appid, appkey)
|
||||||
|
return func(c *context.Context) {
|
||||||
|
f((*beecontext.Context)(c))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// APIBaiscAuth calls APIBasicAuth for previous callers
|
||||||
|
func APIBaiscAuth(appid, appkey string) beego.FilterFunc {
|
||||||
|
return APIBasicAuth(appid, appkey)
|
||||||
|
}
|
||||||
|
|
||||||
|
// APISecretAuth use AppIdToAppSecret verify and
|
||||||
|
func APISecretAuth(f AppIDToAppSecret, timeout int) beego.FilterFunc {
|
||||||
|
ft := apiauth.APISecretAuth(apiauth.AppIDToAppSecret(f), timeout)
|
||||||
|
return func(ctx *context.Context) {
|
||||||
|
ft((*beecontext.Context)(ctx))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Signature used to generate signature with the appsecret/method/params/RequestURI
|
||||||
|
func Signature(appsecret, method string, params url.Values, requestURL string) string {
|
||||||
|
return apiauth.Signature(appsecret, method, params, requestURL)
|
||||||
|
}
|
20
pkg/adapter/plugins/apiauth/apiauth_test.go
Normal file
20
pkg/adapter/plugins/apiauth/apiauth_test.go
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
package apiauth
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/url"
|
||||||
|
"testing"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestSignature(t *testing.T) {
|
||||||
|
appsecret := "beego secret"
|
||||||
|
method := "GET"
|
||||||
|
RequestURL := "http://localhost/test/url"
|
||||||
|
params := make(url.Values)
|
||||||
|
params.Add("arg1", "hello")
|
||||||
|
params.Add("arg2", "beego")
|
||||||
|
|
||||||
|
signature := "mFdpvLh48ca4mDVEItE9++AKKQ/IVca7O/ZyyB8hR58="
|
||||||
|
if Signature(appsecret, method, params, RequestURL) != signature {
|
||||||
|
t.Error("Signature error")
|
||||||
|
}
|
||||||
|
}
|
81
pkg/adapter/plugins/auth/basic.go
Normal file
81
pkg/adapter/plugins/auth/basic.go
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
// Copyright 2014 beego Author. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// Package auth provides handlers to enable basic auth support.
|
||||||
|
// Simple Usage:
|
||||||
|
// import(
|
||||||
|
// "github.com/astaxie/beego"
|
||||||
|
// "github.com/astaxie/beego/plugins/auth"
|
||||||
|
// )
|
||||||
|
//
|
||||||
|
// func main(){
|
||||||
|
// // authenticate every request
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter,auth.Basic("username","secretpassword"))
|
||||||
|
// beego.Run()
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
//
|
||||||
|
// Advanced Usage:
|
||||||
|
//
|
||||||
|
// func SecretAuth(username, password string) bool {
|
||||||
|
// return username == "astaxie" && password == "helloBeego"
|
||||||
|
// }
|
||||||
|
// authPlugin := auth.NewBasicAuthenticator(SecretAuth, "Authorization Required")
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter,authPlugin)
|
||||||
|
package auth
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
beego "github.com/astaxie/beego/pkg/adapter"
|
||||||
|
"github.com/astaxie/beego/pkg/adapter/context"
|
||||||
|
beecontext "github.com/astaxie/beego/pkg/server/web/context"
|
||||||
|
"github.com/astaxie/beego/pkg/server/web/filter/auth"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Basic is the http basic auth
|
||||||
|
func Basic(username string, password string) beego.FilterFunc {
|
||||||
|
return func(c *context.Context) {
|
||||||
|
f := auth.Basic(username, password)
|
||||||
|
f((*beecontext.Context)(c))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewBasicAuthenticator return the BasicAuth
|
||||||
|
func NewBasicAuthenticator(secrets SecretProvider, realm string) beego.FilterFunc {
|
||||||
|
f := auth.NewBasicAuthenticator(auth.SecretProvider(secrets), realm)
|
||||||
|
return func(c *context.Context) {
|
||||||
|
f((*beecontext.Context)(c))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// SecretProvider is the SecretProvider function
|
||||||
|
type SecretProvider auth.SecretProvider
|
||||||
|
|
||||||
|
// BasicAuth store the SecretProvider and Realm
|
||||||
|
type BasicAuth auth.BasicAuth
|
||||||
|
|
||||||
|
// CheckAuth Checks the username/password combination from the request. Returns
|
||||||
|
// either an empty string (authentication failed) or the name of the
|
||||||
|
// authenticated user.
|
||||||
|
// Supports MD5 and SHA1 password entries
|
||||||
|
func (a *BasicAuth) CheckAuth(r *http.Request) string {
|
||||||
|
return (*auth.BasicAuth)(a).CheckAuth(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RequireAuth http.Handler for BasicAuth which initiates the authentication process
|
||||||
|
// (or requires reauthentication).
|
||||||
|
func (a *BasicAuth) RequireAuth(w http.ResponseWriter, r *http.Request) {
|
||||||
|
(*auth.BasicAuth)(a).RequireAuth(w, r)
|
||||||
|
}
|
80
pkg/adapter/plugins/authz/authz.go
Normal file
80
pkg/adapter/plugins/authz/authz.go
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
// Copyright 2014 beego Author. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// Package authz provides handlers to enable ACL, RBAC, ABAC authorization support.
|
||||||
|
// Simple Usage:
|
||||||
|
// import(
|
||||||
|
// "github.com/astaxie/beego"
|
||||||
|
// "github.com/astaxie/beego/plugins/authz"
|
||||||
|
// "github.com/casbin/casbin"
|
||||||
|
// )
|
||||||
|
//
|
||||||
|
// func main(){
|
||||||
|
// // mediate the access for every request
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
|
||||||
|
// beego.Run()
|
||||||
|
// }
|
||||||
|
//
|
||||||
|
//
|
||||||
|
// Advanced Usage:
|
||||||
|
//
|
||||||
|
// func main(){
|
||||||
|
// e := casbin.NewEnforcer("authz_model.conf", "")
|
||||||
|
// e.AddRoleForUser("alice", "admin")
|
||||||
|
// e.AddPolicy(...)
|
||||||
|
//
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter, authz.NewAuthorizer(e))
|
||||||
|
// beego.Run()
|
||||||
|
// }
|
||||||
|
package authz
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"github.com/casbin/casbin"
|
||||||
|
|
||||||
|
beego "github.com/astaxie/beego/pkg/adapter"
|
||||||
|
"github.com/astaxie/beego/pkg/adapter/context"
|
||||||
|
beecontext "github.com/astaxie/beego/pkg/server/web/context"
|
||||||
|
"github.com/astaxie/beego/pkg/server/web/filter/authz"
|
||||||
|
)
|
||||||
|
|
||||||
|
// NewAuthorizer returns the authorizer.
|
||||||
|
// Use a casbin enforcer as input
|
||||||
|
func NewAuthorizer(e *casbin.Enforcer) beego.FilterFunc {
|
||||||
|
f := authz.NewAuthorizer(e)
|
||||||
|
return func(context *context.Context) {
|
||||||
|
f((*beecontext.Context)(context))
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// BasicAuthorizer stores the casbin handler
|
||||||
|
type BasicAuthorizer authz.BasicAuthorizer
|
||||||
|
|
||||||
|
// GetUserName gets the user name from the request.
|
||||||
|
// Currently, only HTTP basic authentication is supported
|
||||||
|
func (a *BasicAuthorizer) GetUserName(r *http.Request) string {
|
||||||
|
return (*authz.BasicAuthorizer)(a).GetUserName(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
// CheckPermission checks the user/method/path combination from the request.
|
||||||
|
// Returns true (permission granted) or false (permission forbidden)
|
||||||
|
func (a *BasicAuthorizer) CheckPermission(r *http.Request) bool {
|
||||||
|
return (*authz.BasicAuthorizer)(a).CheckPermission(r)
|
||||||
|
}
|
||||||
|
|
||||||
|
// RequirePermission returns the 403 Forbidden to the client
|
||||||
|
func (a *BasicAuthorizer) RequirePermission(w http.ResponseWriter) {
|
||||||
|
(*authz.BasicAuthorizer)(a).RequirePermission(w)
|
||||||
|
}
|
14
pkg/adapter/plugins/authz/authz_model.conf
Normal file
14
pkg/adapter/plugins/authz/authz_model.conf
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
[request_definition]
|
||||||
|
r = sub, obj, act
|
||||||
|
|
||||||
|
[policy_definition]
|
||||||
|
p = sub, obj, act
|
||||||
|
|
||||||
|
[role_definition]
|
||||||
|
g = _, _
|
||||||
|
|
||||||
|
[policy_effect]
|
||||||
|
e = some(where (p.eft == allow))
|
||||||
|
|
||||||
|
[matchers]
|
||||||
|
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")
|
7
pkg/adapter/plugins/authz/authz_policy.csv
Normal file
7
pkg/adapter/plugins/authz/authz_policy.csv
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
p, alice, /dataset1/*, GET
|
||||||
|
p, alice, /dataset1/resource1, POST
|
||||||
|
p, bob, /dataset2/resource1, *
|
||||||
|
p, bob, /dataset2/resource2, GET
|
||||||
|
p, bob, /dataset2/folder1/*, POST
|
||||||
|
p, dataset1_admin, /dataset1/*, *
|
||||||
|
g, cathy, dataset1_admin
|
|
108
pkg/adapter/plugins/authz/authz_test.go
Normal file
108
pkg/adapter/plugins/authz/authz_test.go
Normal file
@ -0,0 +1,108 @@
|
|||||||
|
// Copyright 2014 beego Author. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package authz
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
beego "github.com/astaxie/beego/pkg/adapter"
|
||||||
|
"github.com/astaxie/beego/pkg/adapter/context"
|
||||||
|
"github.com/astaxie/beego/pkg/adapter/plugins/auth"
|
||||||
|
"github.com/casbin/casbin"
|
||||||
|
)
|
||||||
|
|
||||||
|
func testRequest(t *testing.T, handler *beego.ControllerRegister, user string, path string, method string, code int) {
|
||||||
|
r, _ := http.NewRequest(method, path, nil)
|
||||||
|
r.SetBasicAuth(user, "123")
|
||||||
|
w := httptest.NewRecorder()
|
||||||
|
handler.ServeHTTP(w, r)
|
||||||
|
|
||||||
|
if w.Code != code {
|
||||||
|
t.Errorf("%s, %s, %s: %d, supposed to be %d", user, path, method, w.Code, code)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestBasic(t *testing.T) {
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, auth.Basic("alice", "123"))
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
|
||||||
|
|
||||||
|
handler.Any("*", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(200)
|
||||||
|
})
|
||||||
|
|
||||||
|
testRequest(t, handler, "alice", "/dataset1/resource1", "GET", 200)
|
||||||
|
testRequest(t, handler, "alice", "/dataset1/resource1", "POST", 200)
|
||||||
|
testRequest(t, handler, "alice", "/dataset1/resource2", "GET", 200)
|
||||||
|
testRequest(t, handler, "alice", "/dataset1/resource2", "POST", 403)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestPathWildcard(t *testing.T) {
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, auth.Basic("bob", "123"))
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, NewAuthorizer(casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")))
|
||||||
|
|
||||||
|
handler.Any("*", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(200)
|
||||||
|
})
|
||||||
|
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/resource1", "GET", 200)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/resource1", "POST", 200)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/resource1", "DELETE", 200)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/resource2", "GET", 200)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/resource2", "POST", 403)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/resource2", "DELETE", 403)
|
||||||
|
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/folder1/item1", "GET", 403)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/folder1/item1", "POST", 200)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/folder1/item1", "DELETE", 403)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/folder1/item2", "GET", 403)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/folder1/item2", "POST", 200)
|
||||||
|
testRequest(t, handler, "bob", "/dataset2/folder1/item2", "DELETE", 403)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestRBAC(t *testing.T) {
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, auth.Basic("cathy", "123"))
|
||||||
|
e := casbin.NewEnforcer("authz_model.conf", "authz_policy.csv")
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, NewAuthorizer(e))
|
||||||
|
|
||||||
|
handler.Any("*", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(200)
|
||||||
|
})
|
||||||
|
|
||||||
|
// cathy can access all /dataset1/* resources via all methods because it has the dataset1_admin role.
|
||||||
|
testRequest(t, handler, "cathy", "/dataset1/item", "GET", 200)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset1/item", "POST", 200)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset1/item", "DELETE", 200)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset2/item", "GET", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset2/item", "POST", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset2/item", "DELETE", 403)
|
||||||
|
|
||||||
|
// delete all roles on user cathy, so cathy cannot access any resources now.
|
||||||
|
e.DeleteRolesForUser("cathy")
|
||||||
|
|
||||||
|
testRequest(t, handler, "cathy", "/dataset1/item", "GET", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset1/item", "POST", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset1/item", "DELETE", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset2/item", "GET", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset2/item", "POST", 403)
|
||||||
|
testRequest(t, handler, "cathy", "/dataset2/item", "DELETE", 403)
|
||||||
|
}
|
71
pkg/adapter/plugins/cors/cors.go
Normal file
71
pkg/adapter/plugins/cors/cors.go
Normal file
@ -0,0 +1,71 @@
|
|||||||
|
// Copyright 2014 beego Author. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// Package cors provides handlers to enable CORS support.
|
||||||
|
// Usage
|
||||||
|
// import (
|
||||||
|
// "github.com/astaxie/beego"
|
||||||
|
// "github.com/astaxie/beego/plugins/cors"
|
||||||
|
// )
|
||||||
|
//
|
||||||
|
// func main() {
|
||||||
|
// // CORS for https://foo.* origins, allowing:
|
||||||
|
// // - PUT and PATCH methods
|
||||||
|
// // - Origin header
|
||||||
|
// // - Credentials share
|
||||||
|
// beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
|
||||||
|
// AllowOrigins: []string{"https://*.foo.com"},
|
||||||
|
// AllowMethods: []string{"PUT", "PATCH"},
|
||||||
|
// AllowHeaders: []string{"Origin"},
|
||||||
|
// ExposeHeaders: []string{"Content-Length"},
|
||||||
|
// AllowCredentials: true,
|
||||||
|
// }))
|
||||||
|
// beego.Run()
|
||||||
|
// }
|
||||||
|
package cors
|
||||||
|
|
||||||
|
import (
|
||||||
|
beego "github.com/astaxie/beego/pkg/adapter"
|
||||||
|
beecontext "github.com/astaxie/beego/pkg/server/web/context"
|
||||||
|
"github.com/astaxie/beego/pkg/server/web/filter/cors"
|
||||||
|
|
||||||
|
"github.com/astaxie/beego/pkg/adapter/context"
|
||||||
|
)
|
||||||
|
|
||||||
|
// Options represents Access Control options.
|
||||||
|
type Options cors.Options
|
||||||
|
|
||||||
|
// Header converts options into CORS headers.
|
||||||
|
func (o *Options) Header(origin string) (headers map[string]string) {
|
||||||
|
return (*cors.Options)(o).Header(origin)
|
||||||
|
}
|
||||||
|
|
||||||
|
// PreflightHeader converts options into CORS headers for a preflight response.
|
||||||
|
func (o *Options) PreflightHeader(origin, rMethod, rHeaders string) (headers map[string]string) {
|
||||||
|
return (*cors.Options)(o).PreflightHeader(origin, rMethod, rHeaders)
|
||||||
|
}
|
||||||
|
|
||||||
|
// IsOriginAllowed looks up if the origin matches one of the patterns
|
||||||
|
// generated from Options.AllowOrigins patterns.
|
||||||
|
func (o *Options) IsOriginAllowed(origin string) bool {
|
||||||
|
return (*cors.Options)(o).IsOriginAllowed(origin)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Allow enables CORS for requests those match the provided options.
|
||||||
|
func Allow(opts *Options) beego.FilterFunc {
|
||||||
|
f := cors.Allow((*cors.Options)(opts))
|
||||||
|
return func(c *context.Context) {
|
||||||
|
f((*beecontext.Context)(c))
|
||||||
|
}
|
||||||
|
}
|
253
pkg/adapter/plugins/cors/cors_test.go
Normal file
253
pkg/adapter/plugins/cors/cors_test.go
Normal file
@ -0,0 +1,253 @@
|
|||||||
|
// Copyright 2014 beego Author. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package cors
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
"net/http/httptest"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"github.com/astaxie/beego"
|
||||||
|
"github.com/astaxie/beego/context"
|
||||||
|
)
|
||||||
|
|
||||||
|
// HTTPHeaderGuardRecorder is httptest.ResponseRecorder with own http.Header
|
||||||
|
type HTTPHeaderGuardRecorder struct {
|
||||||
|
*httptest.ResponseRecorder
|
||||||
|
savedHeaderMap http.Header
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewRecorder return HttpHeaderGuardRecorder
|
||||||
|
func NewRecorder() *HTTPHeaderGuardRecorder {
|
||||||
|
return &HTTPHeaderGuardRecorder{httptest.NewRecorder(), nil}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (gr *HTTPHeaderGuardRecorder) WriteHeader(code int) {
|
||||||
|
gr.ResponseRecorder.WriteHeader(code)
|
||||||
|
gr.savedHeaderMap = gr.ResponseRecorder.Header()
|
||||||
|
}
|
||||||
|
|
||||||
|
func (gr *HTTPHeaderGuardRecorder) Header() http.Header {
|
||||||
|
if gr.savedHeaderMap != nil {
|
||||||
|
// headers were written. clone so we don't get updates
|
||||||
|
clone := make(http.Header)
|
||||||
|
for k, v := range gr.savedHeaderMap {
|
||||||
|
clone[k] = v
|
||||||
|
}
|
||||||
|
return clone
|
||||||
|
}
|
||||||
|
return gr.ResponseRecorder.Header()
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_AllowAll(t *testing.T) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowAllOrigins: true,
|
||||||
|
}))
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
|
||||||
|
if recorder.HeaderMap.Get(headerAllowOrigin) != "*" {
|
||||||
|
t.Errorf("Allow-Origin header should be *")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_AllowRegexMatch(t *testing.T) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowOrigins: []string{"https://aaa.com", "https://*.foo.com"},
|
||||||
|
}))
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
origin := "https://bar.foo.com"
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
r.Header.Add("Origin", origin)
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
|
||||||
|
headerValue := recorder.HeaderMap.Get(headerAllowOrigin)
|
||||||
|
if headerValue != origin {
|
||||||
|
t.Errorf("Allow-Origin header should be %v, found %v", origin, headerValue)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_AllowRegexNoMatch(t *testing.T) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowOrigins: []string{"https://*.foo.com"},
|
||||||
|
}))
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
origin := "https://ww.foo.com.evil.com"
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
r.Header.Add("Origin", origin)
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
|
||||||
|
headerValue := recorder.HeaderMap.Get(headerAllowOrigin)
|
||||||
|
if headerValue != "" {
|
||||||
|
t.Errorf("Allow-Origin header should not exist, found %v", headerValue)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_OtherHeaders(t *testing.T) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowAllOrigins: true,
|
||||||
|
AllowCredentials: true,
|
||||||
|
AllowMethods: []string{"PATCH", "GET"},
|
||||||
|
AllowHeaders: []string{"Origin", "X-whatever"},
|
||||||
|
ExposeHeaders: []string{"Content-Length", "Hello"},
|
||||||
|
MaxAge: 5 * time.Minute,
|
||||||
|
}))
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
|
||||||
|
credentialsVal := recorder.HeaderMap.Get(headerAllowCredentials)
|
||||||
|
methodsVal := recorder.HeaderMap.Get(headerAllowMethods)
|
||||||
|
headersVal := recorder.HeaderMap.Get(headerAllowHeaders)
|
||||||
|
exposedHeadersVal := recorder.HeaderMap.Get(headerExposeHeaders)
|
||||||
|
maxAgeVal := recorder.HeaderMap.Get(headerMaxAge)
|
||||||
|
|
||||||
|
if credentialsVal != "true" {
|
||||||
|
t.Errorf("Allow-Credentials is expected to be true, found %v", credentialsVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if methodsVal != "PATCH,GET" {
|
||||||
|
t.Errorf("Allow-Methods is expected to be PATCH,GET; found %v", methodsVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if headersVal != "Origin,X-whatever" {
|
||||||
|
t.Errorf("Allow-Headers is expected to be Origin,X-whatever; found %v", headersVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if exposedHeadersVal != "Content-Length,Hello" {
|
||||||
|
t.Errorf("Expose-Headers are expected to be Content-Length,Hello. Found %v", exposedHeadersVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if maxAgeVal != "300" {
|
||||||
|
t.Errorf("Max-Age is expected to be 300, found %v", maxAgeVal)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_DefaultAllowHeaders(t *testing.T) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowAllOrigins: true,
|
||||||
|
}))
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
|
||||||
|
headersVal := recorder.HeaderMap.Get(headerAllowHeaders)
|
||||||
|
if headersVal != "Origin,Accept,Content-Type,Authorization" {
|
||||||
|
t.Errorf("Allow-Headers is expected to be Origin,Accept,Content-Type,Authorization; found %v", headersVal)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Test_Preflight(t *testing.T) {
|
||||||
|
recorder := NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowAllOrigins: true,
|
||||||
|
AllowMethods: []string{"PUT", "PATCH"},
|
||||||
|
AllowHeaders: []string{"Origin", "X-whatever", "X-CaseSensitive"},
|
||||||
|
}))
|
||||||
|
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(200)
|
||||||
|
})
|
||||||
|
|
||||||
|
r, _ := http.NewRequest("OPTIONS", "/foo", nil)
|
||||||
|
r.Header.Add(headerRequestMethod, "PUT")
|
||||||
|
r.Header.Add(headerRequestHeaders, "X-whatever, x-casesensitive")
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
|
||||||
|
headers := recorder.Header()
|
||||||
|
methodsVal := headers.Get(headerAllowMethods)
|
||||||
|
headersVal := headers.Get(headerAllowHeaders)
|
||||||
|
originVal := headers.Get(headerAllowOrigin)
|
||||||
|
|
||||||
|
if methodsVal != "PUT,PATCH" {
|
||||||
|
t.Errorf("Allow-Methods is expected to be PUT,PATCH, found %v", methodsVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(headersVal, "X-whatever") {
|
||||||
|
t.Errorf("Allow-Headers is expected to contain X-whatever, found %v", headersVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !strings.Contains(headersVal, "x-casesensitive") {
|
||||||
|
t.Errorf("Allow-Headers is expected to contain x-casesensitive, found %v", headersVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if originVal != "*" {
|
||||||
|
t.Errorf("Allow-Origin is expected to be *, found %v", originVal)
|
||||||
|
}
|
||||||
|
|
||||||
|
if recorder.Code != http.StatusOK {
|
||||||
|
t.Errorf("Status code is expected to be 200, found %d", recorder.Code)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Benchmark_WithoutCORS(b *testing.B) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
beego.BConfig.RunMode = beego.PROD
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
b.ResetTimer()
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
for i := 0; i < b.N; i++ {
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func Benchmark_WithCORS(b *testing.B) {
|
||||||
|
recorder := httptest.NewRecorder()
|
||||||
|
handler := beego.NewControllerRegister()
|
||||||
|
beego.BConfig.RunMode = beego.PROD
|
||||||
|
handler.InsertFilter("*", beego.BeforeRouter, Allow(&Options{
|
||||||
|
AllowAllOrigins: true,
|
||||||
|
AllowCredentials: true,
|
||||||
|
AllowMethods: []string{"PATCH", "GET"},
|
||||||
|
AllowHeaders: []string{"Origin", "X-whatever"},
|
||||||
|
MaxAge: 5 * time.Minute,
|
||||||
|
}))
|
||||||
|
handler.Any("/foo", func(ctx *context.Context) {
|
||||||
|
ctx.Output.SetStatus(500)
|
||||||
|
})
|
||||||
|
b.ResetTimer()
|
||||||
|
r, _ := http.NewRequest("PUT", "/foo", nil)
|
||||||
|
for i := 0; i < b.N; i++ {
|
||||||
|
handler.ServeHTTP(recorder, r)
|
||||||
|
}
|
||||||
|
}
|
@ -83,11 +83,6 @@ func APIBasicAuth(appid, appkey string) web.FilterFunc {
|
|||||||
return APISecretAuth(ft, 300)
|
return APISecretAuth(ft, 300)
|
||||||
}
|
}
|
||||||
|
|
||||||
// APIBasicAuth calls APIBasicAuth for previous callers
|
|
||||||
func APIBaiscAuth(appid, appkey string) web.FilterFunc {
|
|
||||||
return APIBasicAuth(appid, appkey)
|
|
||||||
}
|
|
||||||
|
|
||||||
// APISecretAuth uses AppIdToAppSecret verify and
|
// APISecretAuth uses AppIdToAppSecret verify and
|
||||||
func APISecretAuth(f AppIDToAppSecret, timeout int) web.FilterFunc {
|
func APISecretAuth(f AppIDToAppSecret, timeout int) web.FilterFunc {
|
||||||
return func(ctx *context.Context) {
|
return func(ctx *context.Context) {
|
||||||
|
Loading…
Reference in New Issue
Block a user