Snawoot
GitHub
commit
77729e9eef
30
auth.go
30
auth.go
|
|
@ -23,7 +23,7 @@ const AUTH_TRIGGERED_MSG = "Browser auth triggered!\n"
|
||||||
const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT"
|
const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT"
|
||||||
|
|
||||||
type Auth interface {
|
type Auth interface {
|
||||||
Validate(wr http.ResponseWriter, req *http.Request) bool
|
Validate(wr http.ResponseWriter, req *http.Request) (string, bool)
|
||||||
Stop()
|
Stop()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -191,29 +191,29 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
|
func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
|
||||||
hdr := req.Header.Get("Proxy-Authorization")
|
hdr := req.Header.Get("Proxy-Authorization")
|
||||||
if hdr == "" {
|
if hdr == "" {
|
||||||
requireBasicAuth(wr, req, auth.hiddenDomain)
|
requireBasicAuth(wr, req, auth.hiddenDomain)
|
||||||
return false
|
return "", false
|
||||||
}
|
}
|
||||||
hdr_parts := strings.SplitN(hdr, " ", 2)
|
hdr_parts := strings.SplitN(hdr, " ", 2)
|
||||||
if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
|
if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
|
||||||
requireBasicAuth(wr, req, auth.hiddenDomain)
|
requireBasicAuth(wr, req, auth.hiddenDomain)
|
||||||
return false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
token := hdr_parts[1]
|
token := hdr_parts[1]
|
||||||
data, err := base64.StdEncoding.DecodeString(token)
|
data, err := base64.StdEncoding.DecodeString(token)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
requireBasicAuth(wr, req, auth.hiddenDomain)
|
requireBasicAuth(wr, req, auth.hiddenDomain)
|
||||||
return false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
pair := strings.SplitN(string(data), ":", 2)
|
pair := strings.SplitN(string(data), ":", 2)
|
||||||
if len(pair) != 2 {
|
if len(pair) != 2 {
|
||||||
requireBasicAuth(wr, req, auth.hiddenDomain)
|
requireBasicAuth(wr, req, auth.hiddenDomain)
|
||||||
return false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
login := pair[0]
|
login := pair[0]
|
||||||
|
|
@ -233,13 +233,13 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
|
||||||
wr.Header()["Date"] = nil
|
wr.Header()["Date"] = nil
|
||||||
wr.WriteHeader(http.StatusOK)
|
wr.WriteHeader(http.StatusOK)
|
||||||
wr.Write([]byte(AUTH_TRIGGERED_MSG))
|
wr.Write([]byte(AUTH_TRIGGERED_MSG))
|
||||||
return false
|
return "", false
|
||||||
} else {
|
} else {
|
||||||
return true
|
return login, true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
requireBasicAuth(wr, req, auth.hiddenDomain)
|
requireBasicAuth(wr, req, auth.hiddenDomain)
|
||||||
return false
|
return "", false
|
||||||
}
|
}
|
||||||
|
|
||||||
func (auth *BasicAuth) Stop() {
|
func (auth *BasicAuth) Stop() {
|
||||||
|
|
@ -250,20 +250,20 @@ func (auth *BasicAuth) Stop() {
|
||||||
|
|
||||||
type NoAuth struct{}
|
type NoAuth struct{}
|
||||||
|
|
||||||
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
|
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
|
||||||
return true
|
return "", true
|
||||||
}
|
}
|
||||||
|
|
||||||
func (_ NoAuth) Stop() {}
|
func (_ NoAuth) Stop() {}
|
||||||
|
|
||||||
type CertAuth struct{}
|
type CertAuth struct{}
|
||||||
|
|
||||||
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
|
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
|
||||||
if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 {
|
if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
|
||||||
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
|
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
|
||||||
return false
|
return "", false
|
||||||
} else {
|
} else {
|
||||||
return true
|
return req.TLS.VerifiedChains[0][0].Subject.String(), true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -106,8 +106,6 @@ func (s *ProxyHandler) isLoopback(req *http.Request) (string, bool) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
|
func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
|
||||||
s.logger.Info("Request: %v %v %v %v", req.RemoteAddr, req.Proto, req.Method, req.URL)
|
|
||||||
|
|
||||||
if originator, isLoopback := s.isLoopback(req); isLoopback {
|
if originator, isLoopback := s.isLoopback(req); isLoopback {
|
||||||
s.logger.Critical("Loopback tunnel detected: %s is an outbound "+
|
s.logger.Critical("Loopback tunnel detected: %s is an outbound "+
|
||||||
"address for another request from %s", req.RemoteAddr, originator)
|
"address for another request from %s", req.RemoteAddr, originator)
|
||||||
|
|
@ -121,7 +119,11 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
|
||||||
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
|
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if !s.auth.Validate(wr, req) {
|
|
||||||
|
username, ok := s.auth.Validate(wr, req)
|
||||||
|
s.logger.Info("Request: %v %q %v %v %v", req.RemoteAddr, username, req.Proto, req.Method, req.URL)
|
||||||
|
|
||||||
|
if !ok {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
delHopHeaders(req.Header)
|
delHopHeaders(req.Header)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue