This commit is contained in:
Vladislav Yarmak 2022-09-14 21:52:19 +03:00
parent 8f338e0c62
commit c09b293ded
2 changed files with 20 additions and 18 deletions

30
auth.go

@ -23,7 +23,7 @@ const AUTH_TRIGGERED_MSG = "Browser auth triggered!\n"
const EPOCH_EXPIRE = "Thu, 01 Jan 1970 00:00:01 GMT"
type Auth interface {
Validate(wr http.ResponseWriter, req *http.Request) bool
Validate(wr http.ResponseWriter, req *http.Request) (string, bool)
Stop()
}
@ -191,29 +191,29 @@ func (auth *BasicAuth) reloadLoop(interval time.Duration) {
}
}
func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
hdr := req.Header.Get("Proxy-Authorization")
if hdr == "" {
requireBasicAuth(wr, req, auth.hiddenDomain)
return false
return "", false
}
hdr_parts := strings.SplitN(hdr, " ", 2)
if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
requireBasicAuth(wr, req, auth.hiddenDomain)
return false
return "", false
}
token := hdr_parts[1]
data, err := base64.StdEncoding.DecodeString(token)
if err != nil {
requireBasicAuth(wr, req, auth.hiddenDomain)
return false
return "", false
}
pair := strings.SplitN(string(data), ":", 2)
if len(pair) != 2 {
requireBasicAuth(wr, req, auth.hiddenDomain)
return false
return "", false
}
login := pair[0]
@ -233,13 +233,13 @@ func (auth *BasicAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
wr.Header()["Date"] = nil
wr.WriteHeader(http.StatusOK)
wr.Write([]byte(AUTH_TRIGGERED_MSG))
return false
return "", false
} else {
return true
return login, true
}
}
requireBasicAuth(wr, req, auth.hiddenDomain)
return false
return "", false
}
func (auth *BasicAuth) Stop() {
@ -250,20 +250,20 @@ func (auth *BasicAuth) Stop() {
type NoAuth struct{}
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
return true
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
return "", true
}
func (_ NoAuth) Stop() {}
type CertAuth struct{}
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 {
func (_ CertAuth) Validate(wr http.ResponseWriter, req *http.Request) (string, bool) {
if req.TLS == nil || len(req.TLS.VerifiedChains) < 1 || len(req.TLS.VerifiedChains[0]) < 1 {
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
return false
return "", false
} else {
return true
return req.TLS.VerifiedChains[0][0].Subject.String(), true
}
}
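Review bot: CertAuth.Validate now identifies the client by `req.TLS.VerifiedChains[0][0].Subject.String()`, but a subject DN is not unique within a CA — a renewed or re-issued certificate with the same subject is indistinguishable in the request log from the original, so a log entry cannot be traced back to one specific certificate. If this string is meant as the audit identity, include the serial number as well, e.g. `leaf := req.TLS.VerifiedChains[0][0]` followed by `return leaf.Subject.String() + " serial=" + leaf.SerialNumber.String(), true` (no new import needed, SerialNumber is a *big.Int). The added `len(req.TLS.VerifiedChains[0]) < 1` guard is correct: on the server side VerifiedChains is only populated when the tls.Config actually verifies client certificates, and index [0][0] is the leaf. The `else` after `return "", false` in the BasicAuth and CertAuth implementations is unnecessary; dropping it keeps the success path left-aligned. Note that the BasicAuth hunk at -191 stops before the credential comparison and the -233 hunk resumes inside it, so that check is not visible in this view.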


@ -106,8 +106,6 @@ func (s *ProxyHandler) isLoopback(req *http.Request) (string, bool) {
}
func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
s.logger.Info("Request: %v %v %v %v", req.RemoteAddr, req.Proto, req.Method, req.URL)
if originator, isLoopback := s.isLoopback(req); isLoopback {
s.logger.Critical("Loopback tunnel detected: %s is an outbound "+
"address for another request from %s", req.RemoteAddr, originator)
@ -121,7 +119,11 @@ func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
http.Error(wr, BAD_REQ_MSG, http.StatusBadRequest)
return
}
if !s.auth.Validate(wr, req) {
username, ok := s.auth.Validate(wr, req)
s.logger.Info("Request: %v %q %v %v %v", req.RemoteAddr, username, req.Proto, req.Method, req.URL)
if !ok {
return
}
delHopHeaders(req.Header)