harness-drone/handler/web/login.go

216 lines
5.6 KiB
Go
Raw Normal View History

2019-03-13 21:47:47 +00:00
// Copyright 2019 Drone IO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
2019-02-19 23:56:41 +00:00
package web
import (
"context"
"database/sql"
"errors"
"fmt"
"net/http"
"time"
"github.com/drone/drone/core"
"github.com/drone/drone/logger"
"github.com/drone/go-login/login"
"github.com/dchest/uniuri"
"github.com/sirupsen/logrus"
)
// period at which the user account is synchronized
// with the remote system. Default is weekly.
var syncPeriod = time.Hour * 24 * 7
// period at which the sync should timeout
var syncTimeout = time.Minute * 30
// HandleLogin creates and http.HandlerFunc that handles user
// authentication and session initialization.
func HandleLogin(
users core.UserStore,
userz core.UserService,
syncer core.Syncer,
session core.Session,
admission core.AdmissionService,
sender core.WebhookSender,
) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
err := login.ErrorFrom(ctx)
if err != nil {
writeLoginError(w, r, err)
logrus.Debugf("cannot authenticate user: %s", err)
return
}
// The authorization token is passed from the
// login middleware in the context.
tok := login.TokenFrom(ctx)
account, err := userz.Find(ctx, tok.Access, tok.Refresh)
if err != nil {
writeLoginError(w, r, err)
logrus.Debugf("cannot find remote user: %s", err)
return
}
logger := logrus.WithField("login", account.Login)
logger.Debugf("attempting authentication")
user, err := users.FindLogin(ctx, account.Login)
if err == sql.ErrNoRows {
user = &core.User{
Login: account.Login,
Email: account.Email,
Avatar: account.Avatar,
Admin: false,
Machine: false,
Active: true,
Syncing: true,
Synced: 0,
LastLogin: time.Now().Unix(),
Created: time.Now().Unix(),
Updated: time.Now().Unix(),
Token: tok.Access,
Refresh: tok.Refresh,
Hash: uniuri.NewLen(32),
}
if !tok.Expires.IsZero() {
user.Expiry = tok.Expires.Unix()
}
err = admission.Admit(ctx, user)
if err != nil {
writeLoginError(w, r, err)
logger.Errorf("cannot admit user: %s", err)
return
}
err = users.Create(ctx, user)
if err != nil {
writeLoginError(w, r, err)
logger.Errorf("cannot create user: %s", err)
return
}
err = sender.Send(ctx, &core.WebhookData{
Event: core.WebhookEventUser,
Action: core.WebhookActionCreated,
User: user,
})
if err != nil {
logger.Errorf("cannot send webhook: %s", err)
} else {
logger.Debugf("successfully created user")
}
} else if err != nil {
writeLoginError(w, r, err)
logger.Errorf("cannot find user: %s", err)
return
}
if user.Machine {
writeLoginErrorStr(w, r, "Machine account login is forbidden")
return
}
if user.Active == false {
writeLoginErrorStr(w, r, "Account is not active")
return
}
user.Avatar = account.Avatar
user.Email = account.Email
user.Token = tok.Access
user.Refresh = tok.Refresh
user.LastLogin = time.Now().Unix()
if !tok.Expires.IsZero() {
user.Expiry = tok.Expires.Unix()
}
// If the user account has never been synchrnoized we
// execute the synchonrization logic.
if time.Unix(user.Synced, 0).Add(syncPeriod).Before(time.Now()) {
user.Syncing = true
}
err = users.Update(ctx, user)
if err != nil {
// if the account update fails we should still
// proceed to create the user session. This is
// considered a non-fatal error.
logger.Errorf("cannot update user: %s", err)
}
// launch the synchrnoization process in a go-routine,
// since it is a long-running process and can take up
// to a few minutes.
if user.Syncing {
go synchornize(ctx, syncer, user)
}
logger.Debugf("authentication successful")
session.Create(w, user)
http.Redirect(w, r, "/", 303)
}
}
func synchornize(ctx context.Context, syncer core.Syncer, user *core.User) {
log := logrus.WithField("login", user.Login)
log.Debugf("begin synchronization")
timeout, cancel := context.WithTimeout(context.Background(), syncTimeout)
timeout = logger.WithContext(timeout, log)
defer cancel()
_, err := syncer.Sync(timeout, user)
if err != nil {
log.Debugf("synchronization failed: %s", err)
} else {
log.Debugf("synchronization success")
}
}
func writeLoginError(w http.ResponseWriter, r *http.Request, err error) {
http.Redirect(w, r, "/login/error?message="+err.Error(), 303)
}
func writeLoginErrorStr(w http.ResponseWriter, r *http.Request, s string) {
writeLoginError(w, r, errors.New(s))
}
func writeCookie(w http.ResponseWriter, cookie *http.Cookie) {
w.Header().Set("Set-Cookie", cookie.String()+"; SameSite=lax")
}
// HandleLoginForm creates and http.HandlerFunc that presents the
// user with an Login form for password-based authentication.
func HandleLoginForm() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/html")
fmt.Fprint(w, loginForm)
}
}
// html page displayed to collect credentials.
var loginForm = `
<form method="POST" action="/login">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="submit" />
</form>
`