implement auth

This commit is contained in:
Vladislav Yarmak 2020-05-20 00:53:32 +03:00
parent 902ebe89ac
commit d1e4c310d8
4 changed files with 113 additions and 3 deletions

88
auth.go Normal file
View File

@ -0,0 +1,88 @@
package main
import (
"net/http"
"net/url"
"errors"
"strings"
"strconv"
"encoding/base64"
"crypto/subtle"
)
const AUTH_REQUIRED_MSG = "Proxy authentication required."
type Auth interface {
Validate(wr http.ResponseWriter, req *http.Request) bool
}
func NewAuth(paramstr string) (Auth, error) {
url, err := url.Parse(paramstr)
if err != nil {
return nil, err
}
switch strings.ToLower(url.Scheme) {
case "static":
auth, err := NewStaticAuth(url)
return auth, err
case "none":
return NoAuth{}, nil
default:
return nil, errors.New("Unknown auth scheme")
}
}
type StaticAuth string
func NewStaticAuth(param_url *url.URL) (StaticAuth, error) {
values, err := url.ParseQuery(param_url.RawQuery)
if err != nil {
return StaticAuth(""), err
}
username := values.Get("username")
if username == "" {
return StaticAuth(""), errors.New("\"username\" parameter is missing from auth config URI")
}
password := values.Get("password")
if password == "" {
return StaticAuth(""), errors.New("\"password\" parameter is missing from auth config URI")
}
return StaticAuth(base64.StdEncoding.EncodeToString(
[]byte(username + ":" + password))), nil
}
func requireBasicAuth(wr http.ResponseWriter) {
wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
wr.Header().Set("Content-Length", strconv.Itoa(len([]byte(AUTH_REQUIRED_MSG))))
wr.WriteHeader(407)
wr.Write([]byte(AUTH_REQUIRED_MSG))
}
func (auth StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
hdr := req.Header.Get("Proxy-Authorization")
if hdr == "" {
requireBasicAuth(wr)
return false
}
hdr_parts := strings.SplitN(hdr, " ", 2)
if len(hdr_parts) != 2 || strings.ToLower(hdr_parts[0]) != "basic" {
requireBasicAuth(wr)
return false
}
token := hdr_parts[1]
ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth)) == 1)
if ok {
return true
} else {
requireBasicAuth(wr)
return false
}
}
type NoAuth struct {}
func (_ NoAuth) Validate(wr http.ResponseWriter, req *http.Request) bool {
return true
}

View File

@ -12,14 +12,16 @@ import (
type ProxyHandler struct { type ProxyHandler struct {
timeout time.Duration timeout time.Duration
auth Auth
logger *CondLogger logger *CondLogger
httptransport http.RoundTripper httptransport http.RoundTripper
} }
func NewProxyHandler(timeout time.Duration, logger *CondLogger) *ProxyHandler { func NewProxyHandler(timeout time.Duration, auth Auth, logger *CondLogger) *ProxyHandler {
httptransport := &http.Transport{} httptransport := &http.Transport{}
return &ProxyHandler{ return &ProxyHandler{
timeout: timeout, timeout: timeout,
auth: auth,
logger: logger, logger: logger,
httptransport: httptransport, httptransport: httptransport,
} }
@ -65,11 +67,15 @@ func (s *ProxyHandler) HandleRequest(wr http.ResponseWriter, req *http.Request)
delHopHeaders(resp.Header) delHopHeaders(resp.Header)
copyHeader(wr.Header(), resp.Header) copyHeader(wr.Header(), resp.Header)
wr.WriteHeader(resp.StatusCode) wr.WriteHeader(resp.StatusCode)
flush(wr)
io.Copy(wr, resp.Body) io.Copy(wr, resp.Body)
} }
func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) { func (s *ProxyHandler) ServeHTTP(wr http.ResponseWriter, req *http.Request) {
s.logger.Info("Request: %v %v %v", req.RemoteAddr, req.Method, req.URL) s.logger.Info("Request: %v %v %v", req.RemoteAddr, req.Method, req.URL)
if !s.auth.Validate(wr, req) {
return
}
delHopHeaders(req.Header) delHopHeaders(req.Header)
if strings.ToUpper(req.Method) == "CONNECT" { if strings.ToUpper(req.Method) == "CONNECT" {
s.HandleTunnel(wr, req) s.HandleTunnel(wr, req)

11
main.go
View File

@ -23,6 +23,7 @@ func arg_fail(msg string) {
type CLIArgs struct { type CLIArgs struct {
bind_address string bind_address string
auth string
verbosity int verbosity int
timeout time.Duration timeout time.Duration
} }
@ -31,6 +32,7 @@ type CLIArgs struct {
func parse_args() CLIArgs { func parse_args() CLIArgs {
var args CLIArgs var args CLIArgs
flag.StringVar(&args.bind_address, "bind-address", ":8080", "HTTP proxy listen address") flag.StringVar(&args.bind_address, "bind-address", ":8080", "HTTP proxy listen address")
flag.StringVar(&args.auth, "auth", "none://", "auth parameters")
flag.IntVar(&args.verbosity, "verbosity", 20, "logging verbosity " + flag.IntVar(&args.verbosity, "verbosity", 20, "logging verbosity " +
"(10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical)") "(10 - debug, 20 - info, 30 - warning, 40 - error, 50 - critical)")
flag.DurationVar(&args.timeout, "timeout", 10 * time.Second, "timeout for network operations") flag.DurationVar(&args.timeout, "timeout", 10 * time.Second, "timeout for network operations")
@ -51,8 +53,13 @@ func run() int {
log.LstdFlags | log.Lshortfile), log.LstdFlags | log.Lshortfile),
args.verbosity) args.verbosity)
mainLogger.Info("Starting proxy server...") mainLogger.Info("Starting proxy server...")
handler := NewProxyHandler(args.timeout, proxyLogger) auth, err := NewAuth(args.auth)
err := http.ListenAndServe(args.bind_address, handler) if err != nil {
mainLogger.Critical("Failed to instantiate auth provider: %v", err)
return 3
}
handler := NewProxyHandler(args.timeout, auth, proxyLogger)
err = http.ListenAndServe(args.bind_address, handler)
mainLogger.Critical("Server terminated with a reason: %v", err) mainLogger.Critical("Server terminated with a reason: %v", err)
mainLogger.Info("Shutting down...") mainLogger.Info("Shutting down...")
return 0 return 0

View File

@ -82,3 +82,12 @@ func hijack(hijackable interface{}) (net.Conn, *bufio.ReadWriter, error) {
} }
return conn, rw, nil return conn, rw, nil
} }
func flush(flusher interface{}) bool {
f, ok := flusher.(http.Flusher)
if !ok {
return false
}
f.Flush()
return true
}