200 lines
6.5 KiB
Go
200 lines
6.5 KiB
Go
package main
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"libshared"
|
|
"log"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
// Custom claims struct
|
|
type MyClaims struct {
|
|
Sub string `json:"sub"`
|
|
Purpose string `json:"purpose"`
|
|
Account string `json:"account"`
|
|
jwt.RegisteredClaims
|
|
}
|
|
|
|
type PolicyRequest struct {
|
|
Name string `json:"name"`
|
|
Description string `json:"description"`
|
|
PolicyDocument Policy `json:"policydocument"`
|
|
}
|
|
|
|
type PolicyResponse struct {
|
|
// PolicyID string `json:"policy_id"`
|
|
}
|
|
|
|
func CreatePolicy(w http.ResponseWriter, r *http.Request) {
|
|
|
|
log.Println("Create Policy Request")
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
// Only allow POST method
|
|
if r.Method != http.MethodPost {
|
|
log.Println("Invalid method:", r.Method)
|
|
//w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
|
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Method not allowed", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
return
|
|
}
|
|
// Optional: enforce content type
|
|
if r.Header.Get("Content-Type") != "application/json" {
|
|
log.Println("Invalid Content-Type:", r.Header.Get("Content-Type"))
|
|
//w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnsupportedMediaType)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Content-Type must be application/json", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
//http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
|
|
return
|
|
}
|
|
|
|
// Get JWT from Authorization header
|
|
authHeader := r.Header.Get("Authorization")
|
|
if authHeader == "" {
|
|
log.Println("Missing Authorization header")
|
|
//w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Missing Authorization header", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
//http.Error(w, "Missing Authorization header", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
parts := strings.SplitN(authHeader, " ", 2)
|
|
if len(parts) != 2 || parts[0] != "Bearer" {
|
|
log.Println("Invalid Authorization header format")
|
|
//w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Invalid Authorization format", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
//http.Error(w, "Invalid Authorization format", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
tokenString := parts[1]
|
|
|
|
// Replace with your actual secret or keyfunc
|
|
secret := []byte("super-secret-key")
|
|
|
|
claims := &MyClaims{}
|
|
|
|
token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
|
|
// Validate signing method if needed
|
|
return secret, nil
|
|
})
|
|
|
|
if err != nil || !token.Valid {
|
|
log.Println("Invalid token:", err)
|
|
//http.Error(w, "Invalid token", http.StatusUnauthorized)
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Invalid token", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
return
|
|
}
|
|
|
|
// Access parsed values
|
|
log.Println("sub:", claims.Sub)
|
|
log.Println("purpose:", claims.Purpose)
|
|
log.Println("account:", claims.Account)
|
|
// exp and iat come from RegisteredClaims
|
|
log.Println("exp:", claims.ExpiresAt)
|
|
log.Println("iat:", claims.IssuedAt)
|
|
|
|
// Read body with size limit (protect against huge requests)
|
|
const maxBodyBytes = 1 << 20 // 1 MB
|
|
r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
|
|
|
|
// Decode JSON into our struct
|
|
var policydocumentrequest PolicyRequest
|
|
decoder := json.NewDecoder(r.Body)
|
|
decoder.DisallowUnknownFields() // strict mode - reject unknown fields
|
|
|
|
if err := decoder.Decode(&policydocumentrequest); err != nil {
|
|
switch {
|
|
case err == io.EOF:
|
|
log.Println("Empty request body")
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Empty request body", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
//http.Error(w, "Empty request body", http.StatusBadRequest)
|
|
return
|
|
case err.Error() == "http: request body too large":
|
|
log.Println("Request body too large")
|
|
w.WriteHeader(http.StatusRequestEntityTooLarge)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Request body too large (max 1MB)", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
//http.Error(w, "Request body too large (max 1MB)", http.StatusRequestEntityTooLarge)
|
|
return
|
|
default:
|
|
log.Println("Invalid JSON:", err)
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", fmt.Sprintf("Invalid JSON: %v", err), PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
//http.Error(w, fmt.Sprintf("Invalid JSON: %v", err), http.StatusBadRequest)
|
|
return
|
|
}
|
|
}
|
|
|
|
checkExisting := libshared.Pool.QueryRow(
|
|
context.Background(),
|
|
`SELECT FROM policies WHERE name=$1 AND accountid=$2`,
|
|
policydocumentrequest.Name,
|
|
claims.Account,
|
|
)
|
|
err = checkExisting.Scan()
|
|
if err == nil {
|
|
log.Println("Policy with this name already exists for this account")
|
|
w.WriteHeader(http.StatusConflict)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Policy with this name already exists", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
return
|
|
}
|
|
|
|
_, err = libshared.Pool.Exec(
|
|
context.Background(),
|
|
`INSERT INTO policies (name, accountid, description, document) VALUES ($1, $2, $3, $4)`,
|
|
policydocumentrequest.Name,
|
|
claims.Account,
|
|
policydocumentrequest.Description,
|
|
policydocumentrequest.PolicyDocument,
|
|
)
|
|
|
|
if err != nil {
|
|
log.Println("Database error:", err)
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("fail", "Internal server error", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
return
|
|
}
|
|
|
|
// Success response
|
|
w.Header().Set("Content-Type", "application/json")
|
|
w.WriteHeader(http.StatusCreated)
|
|
|
|
apiresponse := libshared.NewAPIResponse[PolicyResponse]("success", "Policy created", PolicyResponse{})
|
|
json.NewEncoder(w).Encode(apiresponse)
|
|
|
|
// arnservice:region:account-id:resource-type:resource-id
|
|
//pri := "pri:iam::" + accountid + ":policy/" + policydocumentrequest.PolicyName
|
|
|
|
// response := map[string]interface{}{
|
|
// "status": "success",
|
|
// //"pri": pri,
|
|
// "message": "Policy created",
|
|
// "timestamp": fmt.Sprintf("%d", time.Now().Unix()),
|
|
// }
|
|
|
|
return
|
|
}
|