wg-portal/internal/domain/context.go

package domain

import (
	"context"
	"fmt"
	"log/slog"
)

const CtxUserInfo = "userInfo"

const (
	CtxSystemAdminId    = "_WG_SYS_ADMIN_"
	CtxUnknownUserId    = "_WG_SYS_UNKNOWN_"
	CtxSystemLdapSyncer = "_WG_SYS_LDAP_SYNCER_"
	CtxSystemWgImporter = "_WG_SYS_WG_IMPORTER_"
	CtxSystemV1Migrator = "_WG_SYS_V1_MIGRATOR_"
)

type ContextUserInfo struct {
	Id      UserIdentifier
	IsAdmin bool
}

func (u *ContextUserInfo) String() string {
	return fmt.Sprintf("%s|%t", u.Id, u.IsAdmin)
}

func (u *ContextUserInfo) UserId() string {
	return string(u.Id)
}

// DefaultContextUserInfo returns a default context user info.
func DefaultContextUserInfo() *ContextUserInfo {
	return &ContextUserInfo{
		Id:      CtxUnknownUserId,
		IsAdmin: false,
	}
}

// SystemAdminContextUserInfo returns a context user info for the system admin.
func SystemAdminContextUserInfo() *ContextUserInfo {
	return &ContextUserInfo{
		Id:      CtxSystemAdminId,
		IsAdmin: true,
	}
}

// SetUserInfo sets the user info in the context.
func SetUserInfo(ctx context.Context, info *ContextUserInfo) context.Context {
	ctx = context.WithValue(ctx, CtxUserInfo, info)
	return ctx
}

// GetUserInfo returns the user info from the context.
func GetUserInfo(ctx context.Context) *ContextUserInfo {
	rawInfo := ctx.Value(CtxUserInfo)
	if rawInfo == nil {
		return DefaultContextUserInfo()
	}

	if info, ok := rawInfo.(*ContextUserInfo); ok {
		return info
	}

	return DefaultContextUserInfo()
}

// ValidateUserAccessRights checks if the current user has access rights to the requested user.
// If the user is an admin, access is granted.
func ValidateUserAccessRights(ctx context.Context, requiredUser UserIdentifier) error {
	sessionUser := GetUserInfo(ctx)

	if sessionUser.IsAdmin {
		return nil // Admins can do everything
	}

	if sessionUser.Id == requiredUser {
		return nil // User can access own data
	}

	slog.Warn("insufficient permissions",
		"user", sessionUser.Id,
		"requiredUser", requiredUser,
		"stack", GetStackTrace())
	return ErrNoPermission
}

// ValidateAdminAccessRights checks if the current user has admin access rights.
func ValidateAdminAccessRights(ctx context.Context) error {
	sessionUser := GetUserInfo(ctx)

	if sessionUser.IsAdmin {
		return nil
	}

	slog.Warn("insufficient admin permissions",
		"user", sessionUser.Id,
		"stack", GetStackTrace())
	return ErrNoPermission
}
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`package domain`

			`import (`
			`"context"`
			`"fmt"`
chore: replace logrus with standard lib log/slog 2025-03-02 08:51:13 +01:00			`"log/slog"`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`)`

			`const CtxUserInfo = "userInfo"`

			`const (`
code cleanup 2025-01-11 22:56:25 +01:00			`CtxSystemAdminId = "_WG_SYS_ADMIN_"`
			`CtxUnknownUserId = "_WG_SYS_UNKNOWN_"`
			`CtxSystemLdapSyncer = "_WG_SYS_LDAP_SYNCER_"`
			`CtxSystemWgImporter = "_WG_SYS_WG_IMPORTER_"`
			`CtxSystemV1Migrator = "_WG_SYS_V1_MIGRATOR_"`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`)`

			`type ContextUserInfo struct {`
			`Id UserIdentifier`
			`IsAdmin bool`
			`}`

			`func (u *ContextUserInfo) String() string {`
			`return fmt.Sprintf("%s\|%t", u.Id, u.IsAdmin)`
			`}`

			`func (u *ContextUserInfo) UserId() string {`
			`return string(u.Id)`
			`}`

API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`// DefaultContextUserInfo returns a default context user info.`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`func DefaultContextUserInfo() *ContextUserInfo {`
			`return &ContextUserInfo{`
			`Id: CtxUnknownUserId,`
			`IsAdmin: false,`
			`}`
			`}`

API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`// SystemAdminContextUserInfo returns a context user info for the system admin.`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`func SystemAdminContextUserInfo() *ContextUserInfo {`
			`return &ContextUserInfo{`
			`Id: CtxSystemAdminId,`
			`IsAdmin: true,`
			`}`
			`}`

API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`// SetUserInfo sets the user info in the context.`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`func SetUserInfo(ctx context.Context, info *ContextUserInfo) context.Context {`
			`ctx = context.WithValue(ctx, CtxUserInfo, info)`
			`return ctx`
			`}`

API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`// GetUserInfo returns the user info from the context.`
V2 alpha - initial version (#172) Initial alpha codebase for version 2 of WireGuard Portal. This version is considered unstable and incomplete (for example, no public REST API)! Use with care! Fixes/Implements the following issues: - OAuth support #154, #1 - New Web UI with internationalisation support #98, #107, #89, #62 - Postgres Support #49 - Improved Email handling #47, #119 - DNS Search Domain support #46 - Bugfixes #94, #48 --------- Co-authored-by: Fabian Wechselberger <wechselbergerf@hotmail.com> 2023-08-04 13:34:18 +02:00			`func GetUserInfo(ctx context.Context) *ContextUserInfo {`
			`rawInfo := ctx.Value(CtxUserInfo)`
			`if rawInfo == nil {`
			`return DefaultContextUserInfo()`
			`}`

			`if info, ok := rawInfo.(*ContextUserInfo); ok {`
			`return info`
			`}`

			`return DefaultContextUserInfo()`
			`}`
fix REST API permission checks (#209) 2024-01-31 21:14:36 +01:00
API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`// ValidateUserAccessRights checks if the current user has access rights to the requested user.`
			`// If the user is an admin, access is granted.`
fix REST API permission checks (#209) 2024-01-31 21:14:36 +01:00			`func ValidateUserAccessRights(ctx context.Context, requiredUser UserIdentifier) error {`
			`sessionUser := GetUserInfo(ctx)`

			`if sessionUser.IsAdmin {`
			`return nil // Admins can do everything`
			`}`

			`if sessionUser.Id == requiredUser {`
			`return nil // User can access own data`
			`}`

chore: replace logrus with standard lib log/slog 2025-03-02 08:51:13 +01:00			`slog.Warn("insufficient permissions",`
			`"user", sessionUser.Id,`
			`"requiredUser", requiredUser,`
			`"stack", GetStackTrace())`
API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`return ErrNoPermission`
fix REST API permission checks (#209) 2024-01-31 21:14:36 +01:00			`}`

API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`// ValidateAdminAccessRights checks if the current user has admin access rights.`
fix REST API permission checks (#209) 2024-01-31 21:14:36 +01:00			`func ValidateAdminAccessRights(ctx context.Context) error {`
			`sessionUser := GetUserInfo(ctx)`

			`if sessionUser.IsAdmin {`
			`return nil`
			`}`

chore: replace logrus with standard lib log/slog 2025-03-02 08:51:13 +01:00			`slog.Warn("insufficient admin permissions",`
			`"user", sessionUser.Id,`
			`"stack", GetStackTrace())`
API - CRUD for peers, interfaces and users (#340) Public REST API implementation to handle peers, interfaces and users. It also includes some simple provisioning endpoints. The Swagger API documentation is available under /api/v1/doc.html 2025-01-11 18:44:55 +01:00			`return ErrNoPermission`
fix REST API permission checks (#209) 2024-01-31 21:14:36 +01:00			`}`