Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/server/mdm/android/service/endpoint_utils.go
Juan Fernandez 2b35eabd5d
Added middleware for api-only users auth (#43772) 
Fixes #42885

Added new middleware (APIOnlyEndpointCheck) that enforces 403 for
API-only users whose request either isn't in the API endpoint catalog or
falls outside their configured per-user endpoint restrictions.
2026-04-21 07:11:33 -04:00

92 lines
2.9 KiB
Go
Raw Blame History

package service
import (
"context"
"io"
"net/http"
"github.com/fleetdm/fleet/v4/server/fleet"
"github.com/fleetdm/fleet/v4/server/mdm/android"
eu "github.com/fleetdm/fleet/v4/server/platform/endpointer"
platform_http "github.com/fleetdm/fleet/v4/server/platform/http"
"github.com/fleetdm/fleet/v4/server/service/middleware/auth"
"github.com/go-json-experiment/json"
"github.com/go-json-experiment/json/jsontext"
"github.com/go-kit/kit/endpoint"
kithttp "github.com/go-kit/kit/transport/http"
"github.com/gorilla/mux"
)
func encodeResponse(ctx context.Context, w http.ResponseWriter, response interface{}) error {
return eu.EncodeCommonResponse(ctx, w, response,
func(w http.ResponseWriter, response interface{}) error {
return json.MarshalWrite(w, response, jsontext.WithIndent(" "))
},
nil, // no domain-specific error encoder
)
}
func makeDecoder(iface any, requestBodySizeLimit int64) kithttp.DecodeRequestFunc {
return eu.MakeDecoder(iface, func(body io.Reader, req any) error {
return json.UnmarshalRead(body, req)
}, nil, nil, nil, nil, requestBodySizeLimit)
}
// handlerFunc is the handler function type for Android service endpoints.
type handlerFunc func(ctx context.Context, request any, svc android.Service) fleet.Errorer
// Compile-time check to ensure that androidEndpointer implements Endpointer.
var _ eu.Endpointer[handlerFunc] = &androidEndpointer{}
type androidEndpointer struct {
svc android.Service
}
func (e *androidEndpointer) CallHandlerFunc(f handlerFunc, ctx context.Context, request any,
svc any,
) (platform_http.Errorer, error) {
return f(ctx, request, svc.(android.Service)), nil
}
func (e *androidEndpointer) Service() any {
return e.svc
}
func newUserAuthenticatedEndpointer(fleetSvc fleet.Service, svc android.Service, opts []kithttp.ServerOption, r *mux.Router,
versions ...string,
) *eu.CommonEndpointer[handlerFunc] {
// Full-slice expression prevents aliasing into the caller's backing array
// if it happens to have spare capacity.
opts = append(opts[:len(opts):len(opts)], kithttp.ServerBefore(auth.RouteTemplateRequestFunc))
return &eu.CommonEndpointer[handlerFunc]{
EP: &androidEndpointer{
svc: svc,
},
MakeDecoderFn: makeDecoder,
EncodeFn: encodeResponse,
Opts: opts,
AuthMiddleware: func(next endpoint.Endpoint) endpoint.Endpoint {
return auth.AuthenticatedUser(fleetSvc, auth.APIOnlyEndpointCheck(next))
},
Router: r,
Versions: versions,
}
}
func newNoAuthEndpointer(fleetSvc fleet.Service, svc android.Service, opts []kithttp.ServerOption, r *mux.Router,
versions ...string,
) *eu.CommonEndpointer[handlerFunc] {
return &eu.CommonEndpointer[handlerFunc]{
EP: &androidEndpointer{
svc: svc,
},
MakeDecoderFn: makeDecoder,
EncodeFn: encodeResponse,
Opts: opts,
AuthMiddleware: func(next endpoint.Endpoint) endpoint.Endpoint {
return auth.UnauthenticatedRequest(fleetSvc, next)
},
Router: r,
Versions: versions,
}
}
Reference in a new issue View git blame Copy permalink