Documentation
Index
- Constants
- func AuthMiddleware(authenticator api.Authenticator) mux.MiddlewareFunc
- func AuthorizeAuthManagementAccess(permissions auth.PermissionSet, authorizer auth.Authorizer) mux.MiddlewareFunc
- func CORSMiddleware() mux.MiddlewareFunc
- func CompressionMiddleware(next http.Handler) http.Handler
- func ContextMiddleware(bypassLimitsParam bool) mux.MiddlewareFunc
- func DefaultRateLimitMiddleware(db database.Database) mux.MiddlewareFunc
- func EnsureRequestBodyClosed() mux.MiddlewareFunc
- func FeatureFlagMiddleware(db database.Database, flagKey string) mux.MiddlewareFunc
- func LoggingMiddleware(idResolver auth.IdentityResolver, bypassLimitsParam bool) func(http.Handler) http.Handler
- func LoginTimer() mux.MiddlewareFunc
- func PanicHandler(next http.Handler) http.Handler
- func ParseHeaderValues(values string) map[string]string
- func PermissionsCheckAll(authorizer auth.Authorizer, permissions ...model.Permission) mux.MiddlewareFunc
- func PermissionsCheckAtLeastOne(authorizer auth.Authorizer, permissions ...model.Permission) mux.MiddlewareFunc
- func RateLimitMiddleware(db database.Database, limit int64) mux.MiddlewareFunc
- func RequestWaitDuration(request *http.Request, bypassLimitsParam bool) (time.Duration, error)
- func RequireAllEnvironmentAccessMiddleware(dogTagsService dogtags.Service) mux.MiddlewareFunc
- func RequireUserId() mux.MiddlewareFunc
- func SecureHandlerMiddleware(cfg config.Configuration, contentSecurityPolicy string) mux.MiddlewareFunc
- func SupportsETACMiddleware(db database.Database, dogTagsService dogtags.Service) mux.MiddlewareFunc
- type GzipResponseWriter
- type Wrapper
Constants
const DefaultRateLimit = 55
DefaultRateLimit is the default number of allowed requests per second
Variables
This section is empty.
Functions
func AuthMiddleware
func AuthMiddleware(authenticator api.Authenticator) mux.MiddlewareFunc
AuthMiddleware is a middleware func generator that returns a http.Handler which closes around an instance of the v2.Authenticator struct.
On request, the middleware attempts to parse the Authorization HTTP header if it exists. If the header does not exist, the middleware sets the auth.Context of the request context to "unauthenticated". If the header exists, the scheme of the Authorization header is interpreted next to identify which authorization method to utilize.
BloodHound Auth supports the following Authorization schemes:
- `bearer`: Bearer token scheme that contains the user's authenticated session JWT as its parameter.
- `bhesignature`: Request signing scheme that contains the BloodHound token ID as its parameter. See: `src/api/v2/signature.go`
func AuthorizeAuthManagementAccess
func AuthorizeAuthManagementAccess(permissions auth.PermissionSet, authorizer auth.Authorizer) mux.MiddlewareFunc
AuthorizeAuthManagementAccess is a middleware func generator that returns a http.Handler which closes around a permission set to reference permission definitions and validate API access to user management related calls.
An actor may operate on other actor entities if they have the permission "permission://auth/ManageUsers". If not, the actor may only exercise auth management calls on auth entities that are explicitly owned by the actor.
func CORSMiddleware
func CORSMiddleware() mux.MiddlewareFunc
CORSMiddleware is a middleware function that sets our CORS options per-request and answers client OPTIONS requests.
Note: AllowedOrigins is set to "" on purpose; otherwise, the Access-Control-Allow-Origin header (ACAO) will be set to "*" which is too permissive. If we want a more permissive CORS policy we should explicitly set the "Referrer-Policy" header and mirror the request Origin/Referrer in the ACAO header when they match an allowed hostname.
XXX: This is not enough to protect against CSRF attacks
func ContextMiddleware
func ContextMiddleware(bypassLimitsParam bool) mux.MiddlewareFunc
ContextMiddleware is a middleware function that sets the BloodHound context per-request. It also sets the request ID. bypassLimitsParam determines whether endpoints can bypass timeout limits entirely via the prefer:wait=-1 header.
func DefaultRateLimitMiddleware
func DefaultRateLimitMiddleware(db database.Database) mux.MiddlewareFunc
DefaultRateLimitMiddleware is a convenience function for creating the default rate limiting middleware for a router/route.
Usage:
router.Use(DefaultRateLimitMiddleware(db))
func EnsureRequestBodyClosed
func EnsureRequestBodyClosed() mux.MiddlewareFunc
func FeatureFlagMiddleware
func FeatureFlagMiddleware(db database.Database, flagKey string) mux.MiddlewareFunc
FeatureFlagMiddleware is a middleware that enables or disables a given endpoint based on the status of the passed feature flag. It is intended to be attached directly to endpoints that should be affected by the feature flag. The feature flag determining the endpoint's availability should be specified in flagKey.
If the flag is enabled, the endpoint will work as intended. If the flag is disabled, a 404 will be returned to the user.
func LoggingMiddleware
func LoggingMiddleware(idResolver auth.IdentityResolver, bypassLimitsParam bool) func(http.Handler) http.Handler
LoggingMiddleware is a middleware func that outputs a log for each request-response lifecycle. It includes timestamped information organized into fields suitable for searching or parsing.
func LoginTimer
func LoginTimer() mux.MiddlewareFunc
LoginTimer is a middleware to protect against time-based user enumeration on the Login route. It does this by starting a timer before the actual login procedure to normalize the duration of this procedure to be within 1.5s and 2s.
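As an added illustration of the timing normalization described above (constructed for this page, not the package's own LoginTimer), the middleware below pads each login response to a target chosen before the handler runs; minWait and maxWait are assumed parameters so a test can use a short window, and mux.MiddlewareFunc is replaced by its underlying func(http.Handler) http.Handler type.

```go
package main

import (
	"fmt"
	"math/rand"
	"net/http"
	"net/http/httptest"
	"time"
)

// loginTimer pads every wrapped request to a target picked uniformly from
// [minWait, maxWait], chosen before the handler runs so that a fast "no such
// user" rejection and a slow password-hash check leave the same footprint.
// Constructed example; BloodHound's documented window is 1.5s to 2s.
func loginTimer(minWait, maxWait time.Duration) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			start := time.Now()
			target := minWait + time.Duration(rand.Int63n(int64(maxWait-minWait)+1))
			// net/http keeps a small response buffered until the handler returns,
			// so sleeping afterwards delays what the client observes.
			next.ServeHTTP(w, r)
			if remaining := target - time.Since(start); remaining > 0 {
				time.Sleep(remaining)
			}
		})
	}
}

// timeRequest serves one request through h and reports how long it took.
func timeRequest(h http.Handler, target string) time.Duration {
	start := time.Now()
	h.ServeHTTP(httptest.NewRecorder(), httptest.NewRequest(http.MethodPost, target, nil))
	return time.Since(start)
}

func main() {
	// Constructed login stub: unknown users fail instantly, a known user costs
	// 20ms of "hash verification"; without padding that gap is measurable.
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Query().Get("user") == "alice" {
			time.Sleep(20 * time.Millisecond)
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	})
	padded := loginTimer(1500*time.Millisecond, 2*time.Second)(login)
	fmt.Println("unknown user:", timeRequest(padded, "/login?user=nobody"))
	fmt.Println("known user:  ", timeRequest(padded, "/login?user=alice"))
}
```

A handler that calls Flush before returning would send its response before the padding sleep, so the normalization only holds for handlers that let net/http buffer the response.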
func PanicHandler
PanicHandler is a middleware func that sets up a defer-recovery trap to capture any unhandled panics that bubble up the request handler stack.
func ParseHeaderValues
func PermissionsCheckAll
func PermissionsCheckAll(authorizer auth.Authorizer, permissions ...model.Permission) mux.MiddlewareFunc
PermissionsCheckAll is a middleware func generator that returns a http.Handler which closes around a list of permissions that an actor must have in the request auth context to access the wrapped http.Handler.
func PermissionsCheckAtLeastOne
func PermissionsCheckAtLeastOne(authorizer auth.Authorizer, permissions ...model.Permission) mux.MiddlewareFunc
PermissionsCheckAtLeastOne is a middleware func generator that returns a http.Handler which closes around a list of permissions, at least one of which an actor must have in the request auth context to access the wrapped http.Handler.
func RateLimitMiddleware
func RateLimitMiddleware(db database.Database, limit int64) mux.MiddlewareFunc
RateLimitMiddleware is a function for creating rate limiting middleware with a particular limit for a router/route.
Usage:
router.Use(RateLimitMiddleware(db, 1))
func RequestWaitDuration
RequestWaitDuration is responsible for returning a time.Duration if the Prefer header is specified. When bypassLimitsParam is false and wait=-1 is specified, returns -1 to indicate no timeout. Returns an error if the header value is invalid or if bypass is requested but not enabled.
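An added example of the Prefer-header handling described for ContextMiddleware and RequestWaitDuration, written from the documented contract rather than taken from the package: parseHeaderValues and requestWaitDuration are assumed stand-ins for the package's own functions, and wait=-1 is treated as permitted only when bypassLimitsParam is true, as the ContextMiddleware description states.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// parseHeaderValues splits a header such as "wait=30, respond-async" into
// lower-cased keys and values (a bare token maps to ""). Constructed helper,
// not the package's own ParseHeaderValues.
func parseHeaderValues(values string) map[string]string {
	parsed := make(map[string]string)
	for _, field := range strings.FieldsFunc(values, func(r rune) bool { return r == ',' || r == ';' }) {
		key, value, _ := strings.Cut(strings.TrimSpace(field), "=")
		if key = strings.ToLower(strings.TrimSpace(key)); key != "" {
			parsed[key] = strings.TrimSpace(value)
		}
	}
	return parsed
}

// requestWaitDuration returns 0 when no wait preference is present, the
// requested number of seconds otherwise, and -1 ("no timeout") for wait=-1
// only when bypassLimitsParam allows it; anything else is an error.
func requestWaitDuration(request *http.Request, bypassLimitsParam bool) (time.Duration, error) {
	wait, ok := parseHeaderValues(request.Header.Get("Prefer"))["wait"]
	if !ok {
		return 0, nil
	}
	if wait == "-1" {
		if bypassLimitsParam {
			return -1, nil
		}
		return 0, fmt.Errorf("prefer: wait=-1 requested but bypassing limits is not enabled")
	}
	seconds, err := strconv.Atoi(wait)
	if err != nil || seconds < 0 {
		return 0, fmt.Errorf("prefer: invalid wait value %q", wait)
	}
	return time.Duration(seconds) * time.Second, nil
}

func main() {
	req, _ := http.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Prefer", "wait=30")
	fmt.Println(requestWaitDuration(req, false)) // prints "30s <nil>"
}
```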
func RequireAllEnvironmentAccessMiddleware
func RequireAllEnvironmentAccessMiddleware(dogTagsService dogtags.Service) mux.MiddlewareFunc
RequireAllEnvironmentAccessMiddleware checks whether a user's all-environments flag is true and returns a forbidden response code if it is false.
func RequireUserId
func RequireUserId() mux.MiddlewareFunc
RequireUserId is a middleware func generator that returns a http.Handler which checks to see if a user_id parameter has been included. There are a number of handlers that expect this parameter to be present, so this middleware can be applied to those to validate the required parameter has been included in the request.
func SecureHandlerMiddleware
func SecureHandlerMiddleware(cfg config.Configuration, contentSecurityPolicy string) mux.MiddlewareFunc
func SupportsETACMiddleware
func SupportsETACMiddleware(db database.Database, dogTagsService dogtags.Service) mux.MiddlewareFunc
SupportsETACMiddleware checks a user's environment access control to determine whether they have access to the environment provided in the URL. If a user has the AllEnvironments flag set to true, they are given access to all environments.
Types
type GzipResponseWriter
type GzipResponseWriter struct {
http.ResponseWriter
// contains filtered or unexported fields
}
func NewGzipResponseWriter
func NewGzipResponseWriter(w http.ResponseWriter) *GzipResponseWriter
func (*GzipResponseWriter) Close
func (s *GzipResponseWriter) Close() error
type Wrapper
type Wrapper struct {
// contains filtered or unexported fields
}
Wrapper is an iterator for middleware function application that wraps around a http.Handler.
func NewWrapper
func (*Wrapper) ServeHTTP
func (s *Wrapper) ServeHTTP(response http.ResponseWriter, request *http.Request)
func (*Wrapper) Use
func (s *Wrapper) Use(middlewareFunc ...mux.MiddlewareFunc)