diff options
author | zachdriver <zach@driver.xyz> | 2017-10-17 14:51:21 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-10-17 14:51:21 -0700 |
commit | 2af63e7fb8b15568adaf2d9f0a6b395d6719fd71 (patch) | |
tree | bb66e54c3f7ff26af279df255452566df057223b /src/main/scala/xyz/driver/core/rest/auth/AuthProvider.scala | |
parent | b00892d723f6dedf50dc1c1fde7d443e9c3f9497 (diff) | |
parent | 1aaaf7a5ecf2cd28350fff872e334f9f6186966a (diff) | |
download | driver-core-2af63e7fb8b15568adaf2d9f0a6b395d6719fd71.tar.gz driver-core-2af63e7fb8b15568adaf2d9f0a6b395d6719fd71.tar.bz2 driver-core-2af63e7fb8b15568adaf2d9f0a6b395d6719fd71.zip |
Merge pull request #74 from drivergroup/zsmith/rest-app-packages
Split app and rest packages into separate files
Diffstat (limited to 'src/main/scala/xyz/driver/core/rest/auth/AuthProvider.scala')
-rw-r--r-- | src/main/scala/xyz/driver/core/rest/auth/AuthProvider.scala | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/src/main/scala/xyz/driver/core/rest/auth/AuthProvider.scala b/src/main/scala/xyz/driver/core/rest/auth/AuthProvider.scala new file mode 100644 index 0000000..35b65f7 --- /dev/null +++ b/src/main/scala/xyz/driver/core/rest/auth/AuthProvider.scala @@ -0,0 +1,64 @@ +package xyz.driver.core.rest.auth + +import akka.http.scaladsl.model.headers.HttpChallenges +import akka.http.scaladsl.server.AuthenticationFailedRejection.CredentialsRejected +import com.typesafe.scalalogging.Logger +import xyz.driver.core._ +import xyz.driver.core.auth.{Permission, User} +import xyz.driver.core.rest.{AuthorizedServiceRequestContext, ServiceRequestContext, serviceContext} + +import scala.concurrent.{ExecutionContext, Future} +import scala.util.{Failure, Success} + +import scalaz.Scalaz.futureInstance +import scalaz.OptionT + +abstract class AuthProvider[U <: User](val authorization: Authorization[U], log: Logger)( + implicit execution: ExecutionContext) { + + import akka.http.scaladsl.server._ + import Directives._ + + /** + * Specific implementation on how to extract user from request context, + * can either need to do a network call to auth server or extract everything from self-contained token + * + * @param ctx set of request values which can be relevant to authenticate user + * @return authenticated user + */ + def authenticatedUser(implicit ctx: ServiceRequestContext): OptionT[Future, U] + + /** + * Verifies if request is authenticated and authorized to have `permissions` + */ + def authorize(permissions: Permission*): Directive1[AuthorizedServiceRequestContext[U]] = { + serviceContext flatMap { ctx => + onComplete { + (for { + authToken <- OptionT.optionT(Future.successful(ctx.authToken)) + user <- authenticatedUser(ctx) + authCtx = ctx.withAuthenticatedUser(authToken, user) + authorizationResult <- authorization.userHasPermissions(user, permissions)(authCtx).toOptionT + + cachedPermissionsAuthCtx = authorizationResult.token.fold(authCtx)(authCtx.withPermissionsToken) + allAuthorized = permissions.forall(authorizationResult.authorized.getOrElse(_, false)) + } yield (cachedPermissionsAuthCtx, allAuthorized)).run + } flatMap { + case Success(Some((authCtx, true))) => provide(authCtx) + case Success(Some((authCtx, false))) => + val challenge = + HttpChallenges.basic(s"User does not have the required permissions: ${permissions.mkString(", ")}") + log.warn( + s"User ${authCtx.authenticatedUser} does not have the required permissions: ${permissions.mkString(", ")}") + reject(AuthenticationFailedRejection(CredentialsRejected, challenge)) + case Success(None) => + log.warn( + s"Wasn't able to find authenticated user for the token provided to verify ${permissions.mkString(", ")}") + reject(ValidationRejection(s"Wasn't able to find authenticated user for the token provided")) + case Failure(t) => + log.warn(s"Wasn't able to verify token for authenticated user to verify ${permissions.mkString(", ")}", t) + reject(ValidationRejection(s"Wasn't able to verify token for authenticated user", Some(t))) + } + } + } +} |