WorkspaceAuthHandler rejects requests which are not authenticated or authorized to access a workspace.
(domain string, info WorkspaceInfoProvider)
| 18 | |
| 19 | // WorkspaceAuthHandler rejects requests which are not authenticated or authorized to access a workspace. |
| 20 | func WorkspaceAuthHandler(domain string, info WorkspaceInfoProvider) mux.MiddlewareFunc { |
| 21 | return func(h http.Handler) http.Handler { |
| 22 | cookiePrefix := domain |
| 23 | for _, c := range []string{" ", "-", "."} { |
| 24 | cookiePrefix = strings.ReplaceAll(cookiePrefix, c, "_") |
| 25 | } |
| 26 | cookiePrefix = "_" + cookiePrefix + "_ws_" |
| 27 | |
| 28 | return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) { |
| 29 | var ( |
| 30 | log = getLog(req.Context()) |
| 31 | vars = mux.Vars(req) |
| 32 | wsID = vars[workspaceIDIdentifier] |
| 33 | port = vars[workspacePortIdentifier] |
| 34 | ) |
| 35 | if wsID == "" { |
| 36 | log.Warn("workspace request without workspace ID") |
| 37 | resp.WriteHeader(http.StatusForbidden) |
| 38 | |
| 39 | return |
| 40 | } |
| 41 | |
| 42 | ws := info.WorkspaceInfo(wsID) |
| 43 | if ws == nil { |
| 44 | log.WithField("workspaceId", wsID).Warn("did not find workspace info") |
| 45 | resp.WriteHeader(http.StatusNotFound) |
| 46 | |
| 47 | return |
| 48 | } |
| 49 | |
| 50 | if ws.Auth != nil && ws.Auth.Admission == api.AdmissionLevel_ADMIT_EVERYONE { |
| 51 | // workspace is free for all - no tokens or cookies matter |
| 52 | h.ServeHTTP(resp, req) |
| 53 | |
| 54 | return |
| 55 | } |
| 56 | |
| 57 | if port != "" { |
| 58 | // this is a workspace port request and ports can be public or private. |
| 59 | // For public ports no tokens or cookies matter, private ports are subject |
| 60 | // to the same access policies as the workspace itself is. |
| 61 | var isPublic bool |
| 62 | |
| 63 | prt, err := strconv.ParseUint(port, 10, 16) |
| 64 | if err != nil { |
| 65 | log.WithField("port", port).WithError(err).Error("cannot convert port to int") |
| 66 | } else { |
| 67 | for _, p := range ws.Ports { |
| 68 | if p.Port == uint32(prt) { |
| 69 | isPublic = p.Visibility == api.PortVisibility_PORT_VISIBILITY_PUBLIC |
| 70 | |
| 71 | break |
| 72 | } |
| 73 | } |
| 74 | } |
| 75 | |
| 76 | if isPublic { |
| 77 | // workspace port is free for all - no tokens or cookies matter |