working commit

app/handler/aaafunc.go

@@ -29,12 +29,12 @@ func (hand *Handler) AuthMiddleware(next router.Handler) router.Handler {
 	var handlerFunc router.HandlerFunc
 
 	handlerFunc = func(rctx *router.Context) {
-		hand.logg.Debugf("Call authorization middleware")
+		//hand.logg.Debugf("Call authorization middleware")
 		success, accountID, err := hand.CheckAccess(rctx)
 		if success {
 			rctx.SetBool(authTag, true)
 			rctx.SetString(userTag, accountID)
-			hand.logg.Debugf("Authorization for accountID [%s]", rctx.Strings[userTag])
+			//hand.logg.Debugf("Authorization for accountID [%s]", rctx.Strings[userTag])
 		}
 		if err != nil {
 			hand.logg.Errorf("Authorization middleware error: %v", err)
@@ -45,6 +45,7 @@ func (hand *Handler) AuthMiddleware(next router.Handler) router.Handler {
 	return handlerFunc
 }
 
+// Authentification
 func (hand *Handler) CheckAccess(rctx *router.Context) (bool, string, error) {
 	var err error
 	var success bool
@@ -56,12 +57,15 @@ func (hand *Handler) CheckAccess(rctx *router.Context) (bool, string, error) {
 
 	authHeader := rctx.GetHeader("Authorization")
 	if authHeader != "" {
-		hand.logg.Debugf("Authorization header is %s", authHeader)
+		//hand.logg.Debugf("Authorization header is %s", authHeader)
 		username, password, err = auxhttp.ParseBasicAuth(authHeader)
 		if err != nil {
 			return success, accountID, err
 		}
-		hand.logg.Debugf("Authorization pair is %s:%s", username, password)
+		//hand.logg.Debugf("Authorization pair is %s:%s", username, password)
+		if username == "" || password == "" {
+			goto anonymous
+		}
 
 		success, id, err := hand.ValidatePassword(rctx.Ctx, username, password)
 		if err != nil {
@@ -74,6 +78,7 @@ func (hand *Handler) CheckAccess(rctx *router.Context) (bool, string, error) {
 		accountID = id
 		return success, accountID, err
 	}
+anonymous:
 	success = true
 	accountID = descr.AnonymousID
 	return success, accountID, err
@@ -99,38 +104,44 @@ func (hand *Handler) ValidatePassword(ctx context.Context, username, password st
 	return valid, accountID, err
 }
 
-func (hand *Handler) CheckRight(ctx context.Context, accountID, right, subject string) (bool, error) {
+// Authorization
+
+func (hand *Handler) CheckRight(ctx context.Context, accountID, reqRight, subject string) (bool, error) {
 	var err error
 	var res bool
-	hand.logg.Debugf("Cop check your right %s: %s %s", accountID, right, subject)
+	//hand.logg.Debugf("Cop check your right %s: %s %s", accountID, reqRight, subject)
 	//         =[]=
-	//        .------.
-	//   .---[-]  [#] \--,
-	//  >|   [ ]  [ ]    |
+	//        .------.       ---
+	//   .---[-]  [#] \--, ---
+	//  >|   [ ]  [ ]    |     ---...
 	//   '--0-------0----'
 	//  Bad news for you, baby.... #
 	//
-	exists, grant, err := hand.mdb.GetGrantByAccoundIDRight(ctx, accountID, right)
+	exists, grants, err := hand.mdb.ListGrantsByAccoundIDRight(ctx, accountID, reqRight)
 	if err != nil {
 		return res, err
 	}
 	if !exists {
 		return res, err
 	}
-	switch right {
+	switch reqRight {
 	case descr.RightReadFiles, descr.RightWriteFiles:
-		grant.Pattern = ".*"
-		re, err := regexp.Compile(grant.Pattern)
-		if err != nil {
-			return res, err
-		}
-		if !re.MatchString(subject) {
-			return res, err
+		for _, grant := range grants {
+			re, err := regexp.Compile(grant.Pattern)
+			if err != nil {
+				hand.logg.Warningf("Wrong pattern %s for grant %s: %v", grant.Pattern, grant.ID, err)
+				err = nil
+				continue
+			}
+			if re.MatchString(subject) {
+				res = true
+				break
+			}
 		}
 	default:
 		// NOP
 	}
 	res = true
-	hand.logg.Debugf("Checking right %s for %s: %v", right, accountID, res)
+	//hand.logg.Debugf("Result of checking right %s for %s: %v", reqRight, accountID, res)
 	return res, err
 }