package controllers
import (
"context"
"code.crute.us/mcrute/cloud-identity-broker/app/middleware"
"code.crute.us/mcrute/cloud-identity-broker/app/models"
"code.crute.us/mcrute/cloud-identity-broker/cloud/aws"
"github.com/labstack/echo/v4"
)
// requestContext carries the per-request state resolved by AWSAPI.GetContext:
// the account being acted on, the authenticated principal making the request,
// and an AWS client already configured for that account.
type requestContext struct {
	// Account is the account record looked up from the "account" route
	// parameter, scoped to Principal (see AWSAPI.GetContext).
	Account *models.Account
	// Principal is the authenticated user on whose behalf the handler acts.
	Principal *models.User
	// AWS is the client built from Account via aws.NewAWSClientFromAccount.
	AWS aws.AWSClient
}
// AWSAPI is a capability that all handlers talking to the AWS APIs should use.
// This capability does common permission checks and populates a request
// context with user, account, and AWS API information.
type AWSAPI struct {
	// Store resolves accounts for a given principal. GetContext relies on its
	// GetForUser lookup to decide whether the caller may see the requested
	// account; there is no separate authorization check.
	Store models.AccountStore
}
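// GetContext checks that the user is authenticated and is authorized to access
// the requested AWS account. This should be the very first call in any handler
// that will eventually call the AWS APIs. Errors returned from this method are
// echo responses and can be returned directly to the client.
//
// Failure modes map to HTTP responses as follows:
//   - no authorized principal on the request -> 401 Unauthorized
//   - Store.GetForUser returns an error -> 404 Not Found. The error is not
//     inspected, so "no such account", "not permitted for this principal" and
//     a store backend failure are all reported identically; the first two
//     being indistinguishable is what keeps the endpoint from confirming
//     account existence to callers who are not entitled to it.
//   - AWS client construction fails -> 500 Internal Server Error; the
//     underlying error is logged server-side only.
func (h *AWSAPI) GetContext(c echo.Context) (*requestContext, error) {
	principal, err := middleware.GetAuthorizedPrincipal(c)
	if err != nil {
		return nil, echo.ErrUnauthorized
	}

	// Use the request-scoped context so the store lookup observes client
	// disconnects and deadlines instead of running unbounded under
	// context.Background(); keep Background as the fallback only when the
	// echo context carries no *http.Request.
	ctx := context.Background()
	if req := c.Request(); req != nil {
		ctx = req.Context()
	}

	account, err := h.Store.GetForUser(ctx, c.Param("account"), principal)
	if err != nil {
		// NOTE(review): a store backend outage is also surfaced as 404 and is
		// never logged; consider logging the error here before mapping it.
		return nil, echo.NotFoundHandler(c)
	}

	ac, err := aws.NewAWSClientFromAccount(account)
	if err != nil {
		// %w is only meaningful to fmt.Errorf; echo's Logger.Errorf uses
		// Sprintf semantics, so %v is required to avoid a "%!w(...)" artifact
		// that would hide the real error text in the log.
		c.Logger().Errorf("Error building AWS client: %v", err)
		return nil, echo.ErrInternalServerError
	}

	return &requestContext{
		Account:   account,
		Principal: principal,
		AWS:       ac,
	}, nil
}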