couchdb-commits mailing list archives

From rnew...@apache.org
Subject chttpd commit: updated refs/heads/master to 3e09dea
Date Wed, 11 Jun 2014 17:54:59 GMT
Repository: couchdb-chttpd
Updated Branches:
  refs/heads/master 1f148b7b9 -> 3e09dea9b


Authorize requests through chttpd


Project: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/repo
Commit: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/commit/3e09dea9
Tree: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/tree/3e09dea9
Diff: http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/diff/3e09dea9

Branch: refs/heads/master
Commit: 3e09dea9b18adfea948bea8dd7d4cb026d63bf67
Parents: 1f148b7
Author: Robert Newson <rnewson@apache.org>
Authored: Wed Jun 11 18:49:24 2014 +0100
Committer: Robert Newson <rnewson@apache.org>
Committed: Wed Jun 11 18:54:47 2014 +0100

----------------------------------------------------------------------
 src/chttpd.erl              |  2 +-
 src/chttpd_auth_request.erl | 82 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 83 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/3e09dea9/src/chttpd.erl
----------------------------------------------------------------------
diff --git a/src/chttpd.erl b/src/chttpd.erl
index c556fa7..d753ca2 100644
--- a/src/chttpd.erl
+++ b/src/chttpd.erl
@@ -203,7 +203,7 @@ handle_request(MochiReq) ->
         case authenticate_request(HttpReq, AuthenticationFuns) of
         #httpd{} = Req ->
             HandlerFun = url_handler(HandlerKey),
-            HandlerFun(possibly_hack(Req));
+            HandlerFun(chttpd_auth_request:authorize_request(possibly_hack(Req)));
         Response ->
             Response
         end
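Review bot: The new call makes denial an exception path: authorize_request refuses a request by throwing `{forbidden, _}` or `{unauthorized, _}`, while the surrounding `case` only handles return values. handle_request starts and ends outside this hunk, so it is worth confirming that this line sits inside the try that turns those throws into 403/401 responses. Binding the result first, `AuthorizedReq = chttpd_auth_request:authorize_request(possibly_hack(Req)),` followed by `HandlerFun(AuthorizedReq);`, would shorten the line and make it plain that the handler only sees a request that passed the check. A comment such as `% throws {forbidden,_} / {unauthorized,_} on denial` would document the contract at the call site.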

http://git-wip-us.apache.org/repos/asf/couchdb-chttpd/blob/3e09dea9/src/chttpd_auth_request.erl
----------------------------------------------------------------------
diff --git a/src/chttpd_auth_request.erl b/src/chttpd_auth_request.erl
new file mode 100644
index 0000000..f7b52f1
--- /dev/null
+++ b/src/chttpd_auth_request.erl
@@ -0,0 +1,82 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+%   http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(chttpd_auth_request).
+-export([authorize_request/1]).
+-include_lib("couch/include/couch_db.hrl").
+
+authorize_request(#httpd{auth=Auth, user_ctx=Ctx} = Req) ->
+    try
+	authorize_request_int(Req)
+    catch
+	throw:{forbidden, Msg} ->
+	    case {Auth, Ctx} of
+		{{cookie_auth_failed, {Error, Reason}}, _} ->
+		    throw({forbidden, {Error, Reason}});
+		{_, #user_ctx{name=null}} ->
+		    throw({unauthorized, Msg});
+		{_, _} ->
+		    throw({forbidden, Msg})
+	    end
+    end.
+
+authorize_request_int(#httpd{path_parts=[]}=Req) ->
+    Req;
+authorize_request_int(#httpd{path_parts=[<<"favicon.ico">>|_]}=Req) ->
+    Req;
+authorize_request_int(#httpd{path_parts=[<<"_replicator">>], method='PUT'}=Req)
->
+    require_admin(Req);
+authorize_request_int(#httpd{path_parts=[<<"_replicator">>], method='DELETE'}=Req)
->
+    require_admin(Req);
+authorize_request_int(#httpd{path_parts=[<<"_replicator">>|_]}=Req) ->
+    db_authorization_check(Req);
+authorize_request_int(#httpd{path_parts=[<<"_users">>], method='PUT'}=Req) ->
+    require_admin(Req);
+authorize_request_int(#httpd{path_parts=[<<"_users">>], method='DELETE'}=Req)
->
+    require_admin(Req);
+authorize_request_int(#httpd{path_parts=[<<"_users">>|_]}=Req) ->
+    db_authorization_check(Req);
+authorize_request_int(#httpd{path_parts=[<<"_", _/binary>>|_]}=Req) ->
+    server_authorization_check(Req);
+authorize_request_int(#httpd{path_parts=[_DbName], method='PUT'}=Req) ->
+    require_admin(Req);
+authorize_request_int(#httpd{path_parts=[_DbName], method='DELETE'}=Req) ->
+    require_admin(Req);
+authorize_request_int(#httpd{path_parts=[_DbName|_]}=Req) ->
+    db_authorization_check(Req).
+
+
+server_authorization_check(#httpd{path_parts=[<<"_up">>]}=Req) ->
+    Req;
+server_authorization_check(#httpd{path_parts=[<<"_uuids">>]}=Req) ->
+    Req;
+server_authorization_check(#httpd{path_parts=[<<"_session">>]}=Req) ->
+    Req;
+server_authorization_check(#httpd{path_parts=[<<"_replicate">>]}=Req) ->
+    Req;
+server_authorization_check(#httpd{path_parts=[<<"_stats">>]}=Req) ->
+    Req;
+server_authorization_check(#httpd{path_parts=[<<"_active_tasks">>]}=Req) ->
+    Req;
+server_authorization_check(#httpd{method=Method, path_parts=[<<"_utils">>,
+    <<"script">>|_]}=Req) when Method =:= 'HEAD' orelse Method =:= 'GET' ->
+    Req;
+server_authorization_check(#httpd{path_parts=[<<"_", _/binary>>|_]}=Req) ->
+    require_admin(Req).
+
+db_authorization_check(#httpd{path_parts=[DbName|_],user_ctx=Ctx}=Req) ->
+    {_} = fabric:get_security(DbName, [{user_ctx, Ctx}]),
+    Req.
+
+require_admin(Req) ->
+    ok = couch_httpd:verify_is_server_admin(Req),
+    Req.
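Review bot: The pass-through clauses are wider than the endpoints they name: `path_parts=[<<"favicon.ico">>|_]` in authorize_request_int skips every check for any path beneath favicon.ico, and the server_authorization_check clauses for _session, _replicate, _stats and _active_tasks return Req for every method, while only the _utils/script clause is limited to GET and HEAD. Matching the exact path, `authorize_request_int(#httpd{path_parts=[<<"favicon.ico">>]}=Req) ->`, and a comment above server_authorization_check stating that these endpoints are deliberately reachable without admin rights (and which of them rely on their handler for further checks) would make the policy reviewable. In db_authorization_check the decision rests on `{_} = fabric:get_security(DbName, [{user_ctx, Ctx}])` raising for a caller who may not access the database, which is not visible here; any other return shape becomes a badmatch error that the `throw:{forbidden, Msg}` handler in authorize_request does not cover, so it presumably fails closed as a server error rather than a 401/403. A `-spec` on authorize_request/1 and a comment on that line, e.g. `% called only for its access check; the security object itself is discarded`, would document the reliance.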

