Add authorization support for auth/bearer tokens

2018-08-14 11:51:15 -05:00 · 2018-08-14 11:51:15 -05:00 · f7a0b201d7
parent 943629b354
commit f7a0b201d7
4 changed files with 107 additions and 4 deletions
--- a/documentation/api/v1/auth_api_doc.rb
+++ b/documentation/api/v1/auth_api_doc.rb
@ -0,0 +1,65 @@
+require 'swagger/blocks'
+
+module AuthApiDoc
+  include Swagger::Blocks
+
+  MESSAGE_DESC = 'The status of the authentication request.'
+  MESSAGE_EXAMPLE = 'Generated new API token.'
+  TOKEN_DESC = 'The Authentication Bearer token'
+  TOKEN_EXAMPLE = '899d2f45e12429d07427230289400a4594bcffe32169ebb826b4ffa9b90e1d1586f15fa42f069bb7'
+
+  # Swagger documentation for auth model
+  swagger_schema :Auth do
+    property :message, type: :string, description: MESSAGE_DESC, example: MESSAGE_EXAMPLE
+    property :token, type: :string, description: TOKEN_DESC, example: TOKEN_EXAMPLE
+  end
+
+  swagger_path '/api/v1/auth/generate-token' do
+    # Swagger documentation for /api/v1/auth/generate-tokenGET
+    operation :get do
+
+      key :description, 'Return a valid Authorization Bearer token.'
+      key :tags, [ 'auth' ]
+
+      parameter do
+        key :name, :username
+        key :in, :query
+        key :description, ''
+        key :required, true
+        key :type, :string
+      end
+
+      parameter do
+        key :name, :password
+        key :in, :query
+        key :description, ''
+        key :required, true
+        key :type, :string
+      end
+
+      response 200 do
+        key :description, 'Returns a valid auth token.'
+        schema do
+          property :data do
+            key :'$ref', :Auth
+          end
+        end
+      end
+
+      response 500 do
+        key :description, 'An error occurred during the operation. See the message for more details.'
+        schema do
+          key :'$ref', :ErrorModel
+        end
+      end
+
+      response 401 do
+        key :description, 'Invalid username or password. Authenticate to access this resource.'
+        schema do
+          key :'$ref', :AuthErrorModel
+        end
+      end
+
+    end
+  end
+end
--- a/documentation/api/v1/root_api_doc.rb
+++ b/documentation/api/v1/root_api_doc.rb
@ -14,6 +14,10 @@ module RootApiDoc
  CODE_EXAMPLE = 500
  MESSAGE_DESC = 'A message describing the error that occurred.'
  MESSAGE_EXAMPLE = 'Undefined method \'empty?\' for nil:NilClass'
+  AUTH_CODE_DESC = 'The authentication error code that was generated.'
+  AUTH_CODE_EXAMPLE = 401
+  AUTH_MESSAGE_DESC = 'A message describing the authentication error that occurred.'
+  AUTH_MESSAGE_EXAMPLE = 'Authenticate to access this resource'

  swagger_root do
    key :swagger, '2.0'
@ -29,11 +33,22 @@ module RootApiDoc
    key :consumes, ['application/json']
    key :produces, ['application/json']

+    security_definition :api_key do
+      key :type, :apiKey
+      key :name, :Authorization
+      key :in, :header
+    end
+
+    security do
+      key :api_key, []
+    end
+
    #################################
    #
    # Documentation Tags
    #
    #################################
+    tag name: 'auth', description: 'Authorization operations.'
    tag name: 'credential', description: 'Credential operations.'
    tag name: 'db_export', description: 'Endpoint for generating and retrieving a database backup.'
    tag name: 'event', description: 'Event operations.'
@ -127,4 +142,21 @@ module RootApiDoc
      end
    end
  end
-end
+
+  swagger_schema :AuthErrorModel do
+    key :required, [:message]
+    property :error do
+      property :code do
+        key :type, :int32
+        key :description, AUTH_CODE_DESC
+        key :example, AUTH_CODE_EXAMPLE
+      end
+      property :message do
+        key :type, :string
+        key :description, AUTH_MESSAGE_DESC
+        key :example, AUTH_MESSAGE_EXAMPLE
+      end
+    end
+  end
+
+end
--- a/lib/msf/core/db_manager/http/servlet/api_docs_servlet.rb
+++ b/lib/msf/core/db_manager/http/servlet/api_docs_servlet.rb
@ -1,5 +1,6 @@
 require 'swagger/blocks'
 load 'documentation/api/v1/root_api_doc.rb'
+load 'documentation/api/v1/auth_api_doc.rb'
 load 'documentation/api/v1/credential_api_doc.rb'
 load 'documentation/api/v1/db_export_api_doc.rb'
 load 'documentation/api/v1/event_api_doc.rb'
@ -43,6 +44,7 @@ module ApiDocsServlet
    lambda {
      swaggered_classes = [
          RootApiDoc,
+          AuthApiDoc,
          CredentialApiDoc,
          DbExportApiDoc,
          EventApiDoc,
--- a/lib/msf/core/db_manager/http/views/api_docs.erb
+++ b/lib/msf/core/db_manager/http/views/api_docs.erb
@ -79,9 +79,13 @@
                SwaggerUIBundle.presets.apis,
                SwaggerUIStandalonePreset
            ],
-            layout: "StandaloneLayout"
-        })
-
+            layout: "StandaloneLayout",
+            requestInterceptor: function (request) {
+                let token = request.headers.Authorization;
+                request.headers.Authorization = "Bearer " + token;
+                return request;
+            }
+        });
        window.ui = ui
    }
 </script>