auth: hidden_auth option

This commit is contained in:
Vladislav Yarmak 2020-05-24 18:26:23 +03:00
parent a8a8bef4db
commit 6b024dd763
1 changed files with 26 additions and 17 deletions

35
auth.go
View File

@ -33,49 +33,58 @@ func NewAuth(paramstr string) (Auth, error) {
} }
} }
type StaticAuth string type StaticAuth struct {
token string
hiddenDomain string
}
func NewStaticAuth(param_url *url.URL) (StaticAuth, error) { func NewStaticAuth(param_url *url.URL) (*StaticAuth, error) {
values, err := url.ParseQuery(param_url.RawQuery) values, err := url.ParseQuery(param_url.RawQuery)
if err != nil { if err != nil {
return StaticAuth(""), err return nil, err
} }
username := values.Get("username") username := values.Get("username")
if username == "" { if username == "" {
return StaticAuth(""), errors.New("\"username\" parameter is missing from auth config URI") return nil, errors.New("\"username\" parameter is missing from auth config URI")
} }
password := values.Get("password") password := values.Get("password")
if password == "" { if password == "" {
return StaticAuth(""), errors.New("\"password\" parameter is missing from auth config URI") return nil, errors.New("\"password\" parameter is missing from auth config URI")
} }
return StaticAuth(base64.StdEncoding.EncodeToString( return &StaticAuth{
[]byte(username + ":" + password))), nil token: base64.StdEncoding.EncodeToString([]byte(username + ":" + password)),
hiddenDomain: strings.ToLower(values.Get("hidden_domain")),
}, nil
} }
func requireBasicAuth(wr http.ResponseWriter) { func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
if hidden_domain != "" && req.URL.Host != hidden_domain && req.Host != hidden_domain {
http.Error(wr, "Bad Request", http.StatusBadRequest)
} else {
wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`) wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG)))) wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG))))
wr.WriteHeader(407) wr.WriteHeader(407)
wr.Write([]byte(AUTH_REQUIRED_MSG)) wr.Write([]byte(AUTH_REQUIRED_MSG))
}
} }
func (auth StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool { func (auth *StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
hdr := req.Header.Get("Proxy-Authorization") hdr := req.Header.Get("Proxy-Authorization")
if hdr == "" { if hdr == "" {
requireBasicAuth(wr) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return false
} }
hdr_parts := strings.SplitN(hdr, " ", 2) hdr_parts := strings.SplitN(hdr, " ", 2)
if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" { if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
requireBasicAuth(wr) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return false
} }
token := hdr_parts[1] token := hdr_parts[1]
ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth)) == 1) ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth.token)) == 1)
if ok { if ok {
return true return true
} else { } else {
requireBasicAuth(wr) requireBasicAuth(wr, req, auth.hiddenDomain)
return false return false
} }
} }