frostfs-s3-gw/api/user_auth.go

package api

import (
	"context"
	"net/http"

	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
	"github.com/gorilla/mux"
	"go.uber.org/zap"
)

// KeyWrapper is wrapper for context keys.
type KeyWrapper string

// AuthHeaders is a wrapper for authentication headers of a request.
var AuthHeaders = KeyWrapper("__context_auth_headers_key")

// BoxData is an ID used to store accessbox.Box in a context.
var BoxData = KeyWrapper("__context_box_key")

// ClientTime is an ID used to store client time.Time in a context.
var ClientTime = KeyWrapper("__context_client_time")

// AuthMiddleware adds user authentication via center to router using log for logging.
func AuthMiddleware(log *zap.Logger, center auth.Center) mux.MiddlewareFunc {
	return func(h http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			var ctx context.Context
			box, err := center.Authenticate(r)
			if err != nil {
				if err == auth.ErrNoAuthorizationHeader {
					reqLogOrDefault(ctx, log).Debug("couldn't receive access box for gate key, random key will be used")
					ctx = r.Context()
				} else {
					reqLogOrDefault(ctx, log).Error("failed to pass authentication", zap.Error(err))
					if _, ok := err.(errors.Error); !ok {
						err = errors.GetAPIError(errors.ErrAccessDenied)
					}
					WriteErrorResponse(w, GetReqInfo(r.Context()), err)
					return
				}
			} else {
				ctx = context.WithValue(r.Context(), BoxData, box.AccessBox)
				if !box.ClientTime.IsZero() {
					ctx = context.WithValue(ctx, ClientTime, box.ClientTime)
				}
				ctx = context.WithValue(ctx, AuthHeaders, box.AuthHeaders)
			}

			h.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}

func reqLogOrDefault(ctx context.Context, log *zap.Logger) *zap.Logger {
	reqLog := GetReqLog(ctx)
	if reqLog != nil {
		return reqLog
	}
	return log
}