echo-openapi-router/security.go at master · responsibleapi/echo-openapi-router · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package openapirouter

import (
	"fmt"
	"net/http"
	"slices"

	"github.com/getkin/kin-openapi/openapi3"
	"github.com/labstack/echo/v5"
)

type SecurityHandler func(c *echo.Context, scheme *openapi3.SecurityScheme, scopes []string) error

func (builder *RouterBuilder) securityScheme(name string) (*openapi3.SecurityScheme, error) {
	if builder.spec.Components == nil || builder.spec.Components.SecuritySchemes == nil {
		return nil, fmt.Errorf("missing security scheme %q", name)
	}
	ref := builder.spec.Components.SecuritySchemes[name]
	if ref == nil || ref.Value == nil {
		return nil, fmt.Errorf("missing security scheme %q", name)
	}
	return ref.Value, nil
}

func (builder *RouterBuilder) securityMiddleware(operation *openapi3.Operation) (echo.MiddlewareFunc, error) {
	requirements := builder.effectiveSecurityRequirements(operation)
	if len(requirements) == 0 {
		return nil, nil
	}
	optional := false
	for _, requirement := range requirements {
		if len(requirement) == 0 {
			optional = true
			continue
		}
		for name := range requirement {
			if len(builder.securityHandlers[name]) == 0 {
				return nil, fmt.Errorf("missing security handler for %q", name)
			}
		}
	}
	if optional {
		return nil, nil
	}
	return func(next echo.HandlerFunc) echo.HandlerFunc {
		return func(c *echo.Context) error {
			var firstErr error
			for _, requirement := range requirements {
				if builder.satisfiesSecurityRequirement(c, requirement, &firstErr) {
					return next(c)
				}
			}
			if firstErr != nil {
				return firstErr
			}
			return echo.NewHTTPError(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
		}
	}, nil
}

func (builder *RouterBuilder) effectiveSecurityRequirements(
	operation *openapi3.Operation,
) openapi3.SecurityRequirements {
	if operation.Security != nil {
		return *operation.Security
	}
	return builder.spec.Security
}

func (builder *RouterBuilder) satisfiesSecurityRequirement(
	c *echo.Context,
	requirement openapi3.SecurityRequirement,
	firstErr *error,
) bool {
	names := make([]string, 0, len(requirement))
	for name := range requirement {
		names = append(names, name)
	}
	slices.Sort(names)
	for _, name := range names {
		ref := builder.spec.Components.SecuritySchemes[name]
		for _, handler := range builder.securityHandlers[name] {
			if err := handler(c, ref.Value, requirement[name]); err != nil {
				if *firstErr == nil {
					*firstErr = err
				}
				return false
			}
		}
	}
	return true
}