2022-12-14 20:40:45 +01:00
|
|
|
package privateFrontend
|
2022-11-23 17:58:45 +01:00
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"fmt"
|
|
|
|
"github.com/openziti-test-kitchen/zrok/endpoints"
|
2022-12-14 20:41:54 +01:00
|
|
|
"github.com/openziti-test-kitchen/zrok/endpoints/publicFrontend/notFoundUi"
|
2022-11-23 17:58:45 +01:00
|
|
|
"github.com/openziti-test-kitchen/zrok/model"
|
|
|
|
"github.com/openziti-test-kitchen/zrok/util"
|
|
|
|
"github.com/openziti-test-kitchen/zrok/zrokdir"
|
|
|
|
"github.com/openziti/sdk-golang/ziti"
|
|
|
|
"github.com/openziti/sdk-golang/ziti/config"
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"net/http/httputil"
|
|
|
|
"net/url"
|
2023-01-10 22:38:53 +01:00
|
|
|
"time"
|
2022-11-23 17:58:45 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
type httpFrontend struct {
|
2022-11-30 18:46:19 +01:00
|
|
|
cfg *Config
|
|
|
|
zCtx ziti.Context
|
2023-01-04 20:42:58 +01:00
|
|
|
shrToken string
|
2022-11-30 18:46:19 +01:00
|
|
|
handler http.Handler
|
2022-11-23 17:58:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func NewHTTP(cfg *Config) (*httpFrontend, error) {
|
|
|
|
zCfgPath, err := zrokdir.ZitiIdentityFile(cfg.IdentityName)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrapf(err, "error getting ziti identity '%v' from zrokdir", cfg.IdentityName)
|
|
|
|
}
|
|
|
|
zCfg, err := config.NewFromFile(zCfgPath)
|
|
|
|
if err != nil {
|
|
|
|
return nil, errors.Wrap(err, "error loading config")
|
|
|
|
}
|
|
|
|
zCfg.ConfigTypes = []string{model.ZrokProxyConfig}
|
|
|
|
zCtx := ziti.NewContextWithConfig(zCfg)
|
2023-01-04 20:42:58 +01:00
|
|
|
zDialCtx := zitiDialContext{ctx: zCtx, shrToken: cfg.ShrToken}
|
2022-11-23 17:58:45 +01:00
|
|
|
zTransport := http.DefaultTransport.(*http.Transport).Clone()
|
|
|
|
zTransport.DialContext = zDialCtx.Dial
|
|
|
|
|
|
|
|
proxy, err := newServiceProxy(cfg, zCtx)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
proxy.Transport = zTransport
|
|
|
|
|
2023-01-04 20:42:58 +01:00
|
|
|
handler := authHandler(cfg.ShrToken, util.NewProxyHandler(proxy), "zrok", cfg, zCtx)
|
2022-11-23 17:58:45 +01:00
|
|
|
return &httpFrontend{
|
|
|
|
cfg: cfg,
|
|
|
|
zCtx: zCtx,
|
|
|
|
handler: handler,
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
2022-11-23 18:39:42 +01:00
|
|
|
func (h *httpFrontend) Run() error {
|
|
|
|
return http.ListenAndServe(h.cfg.Address, h.handler)
|
|
|
|
}
|
|
|
|
|
2022-11-23 17:58:45 +01:00
|
|
|
type zitiDialContext struct {
|
2022-11-30 18:46:19 +01:00
|
|
|
ctx ziti.Context
|
2023-01-04 20:42:58 +01:00
|
|
|
shrToken string
|
2022-11-23 17:58:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
func (zdc *zitiDialContext) Dial(_ context.Context, _ string, addr string) (net.Conn, error) {
|
2023-01-04 20:42:58 +01:00
|
|
|
conn, err := zdc.ctx.Dial(zdc.shrToken)
|
2022-11-23 17:58:45 +01:00
|
|
|
if err != nil {
|
|
|
|
return conn, err
|
|
|
|
}
|
|
|
|
return conn, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, error) {
|
|
|
|
proxy := serviceTargetProxy(cfg, ctx)
|
|
|
|
director := proxy.Director
|
|
|
|
proxy.Director = func(req *http.Request) {
|
2023-01-10 22:38:53 +01:00
|
|
|
if cfg.RequestsChan != nil {
|
|
|
|
cfg.RequestsChan <- &endpoints.BackendRequest{
|
|
|
|
Stamp: time.Now(),
|
|
|
|
RemoteAddr: fmt.Sprintf("%v", req.Header["X-Real-Ip"]),
|
|
|
|
Method: req.Method,
|
|
|
|
Path: req.URL.String(),
|
|
|
|
}
|
|
|
|
}
|
2022-11-23 17:58:45 +01:00
|
|
|
director(req)
|
|
|
|
req.Header.Set("X-Proxy", "zrok")
|
|
|
|
}
|
|
|
|
proxy.ModifyResponse = func(resp *http.Response) error {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
|
|
|
|
logrus.Errorf("error proxying: %v", err)
|
2022-12-14 20:41:54 +01:00
|
|
|
notFoundUi.WriteNotFound(w)
|
2022-11-23 17:58:45 +01:00
|
|
|
}
|
|
|
|
return proxy, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func serviceTargetProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProxy {
|
|
|
|
director := func(req *http.Request) {
|
2023-01-04 20:42:58 +01:00
|
|
|
targetShrToken := cfg.ShrToken
|
|
|
|
if svc, found := endpoints.GetRefreshedService(targetShrToken, ctx); found {
|
2022-11-23 17:58:45 +01:00
|
|
|
if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
|
|
|
|
logrus.Debugf("auth model: %v", cfg)
|
|
|
|
} else {
|
|
|
|
logrus.Warn("no config!")
|
|
|
|
}
|
2023-01-04 20:42:58 +01:00
|
|
|
if target, err := url.Parse(fmt.Sprintf("http://%v", targetShrToken)); err == nil {
|
2023-01-10 22:38:53 +01:00
|
|
|
logrus.Debugf("[%v] -> %v", targetShrToken, req.URL)
|
2022-11-23 17:58:45 +01:00
|
|
|
|
|
|
|
targetQuery := target.RawQuery
|
|
|
|
req.URL.Scheme = target.Scheme
|
|
|
|
req.URL.Host = target.Host
|
|
|
|
req.URL.Path, req.URL.RawPath = endpoints.JoinURLPath(target, req.URL)
|
|
|
|
if targetQuery == "" || req.URL.RawQuery == "" {
|
|
|
|
req.URL.RawQuery = targetQuery + req.URL.RawQuery
|
|
|
|
} else {
|
|
|
|
req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
|
|
|
|
}
|
|
|
|
if _, ok := req.Header["User-Agent"]; !ok {
|
|
|
|
// explicitly disable User-Agent so it's not set to default value
|
|
|
|
req.Header.Set("User-Agent", "")
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
logrus.Errorf("error proxying: %v", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return &httputil.ReverseProxy{Director: director}
|
|
|
|
}
|
|
|
|
|
2023-01-04 20:42:58 +01:00
|
|
|
func authHandler(shrToken string, handler http.Handler, realm string, cfg *Config, ctx ziti.Context) http.HandlerFunc {
|
2022-11-23 17:58:45 +01:00
|
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
2023-01-04 20:42:58 +01:00
|
|
|
if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
|
2022-11-23 17:58:45 +01:00
|
|
|
if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
|
|
|
|
if scheme, found := cfg["auth_scheme"]; found {
|
|
|
|
switch scheme {
|
|
|
|
case string(model.None):
|
2023-01-04 20:42:58 +01:00
|
|
|
logrus.Debugf("auth scheme none '%v'", shrToken)
|
2022-11-23 17:58:45 +01:00
|
|
|
handler.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
|
|
|
|
case string(model.Basic):
|
2023-01-04 20:42:58 +01:00
|
|
|
logrus.Debugf("auth scheme basic '%v", shrToken)
|
2022-11-23 17:58:45 +01:00
|
|
|
inUser, inPass, ok := r.BasicAuth()
|
|
|
|
if !ok {
|
|
|
|
writeUnauthorizedResponse(w, realm)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
authed := false
|
|
|
|
if v, found := cfg["basic_auth"]; found {
|
|
|
|
if basicAuth, ok := v.(map[string]interface{}); ok {
|
|
|
|
if v, found := basicAuth["users"]; found {
|
|
|
|
if arr, ok := v.([]interface{}); ok {
|
|
|
|
for _, v := range arr {
|
|
|
|
if um, ok := v.(map[string]interface{}); ok {
|
|
|
|
username := ""
|
|
|
|
if v, found := um["username"]; found {
|
|
|
|
if un, ok := v.(string); ok {
|
|
|
|
username = un
|
|
|
|
}
|
|
|
|
}
|
|
|
|
password := ""
|
|
|
|
if v, found := um["password"]; found {
|
|
|
|
if pw, ok := v.(string); ok {
|
|
|
|
password = pw
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if username == inUser && password == inPass {
|
|
|
|
authed = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if !authed {
|
|
|
|
writeUnauthorizedResponse(w, realm)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
handler.ServeHTTP(w, r)
|
|
|
|
|
|
|
|
default:
|
|
|
|
logrus.Infof("invalid auth scheme '%v'", scheme)
|
|
|
|
writeUnauthorizedResponse(w, realm)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
} else {
|
2023-01-04 20:42:58 +01:00
|
|
|
logrus.Warnf("%v -> no auth scheme for '%v'", r.RemoteAddr, shrToken)
|
2022-12-14 20:41:54 +01:00
|
|
|
notFoundUi.WriteNotFound(w)
|
2022-11-23 17:58:45 +01:00
|
|
|
}
|
|
|
|
} else {
|
2023-01-04 20:42:58 +01:00
|
|
|
logrus.Warnf("%v -> no proxy config for '%v'", r.RemoteAddr, shrToken)
|
2022-12-14 20:41:54 +01:00
|
|
|
notFoundUi.WriteNotFound(w)
|
2022-11-23 17:58:45 +01:00
|
|
|
}
|
|
|
|
} else {
|
2023-01-04 20:42:58 +01:00
|
|
|
logrus.Warnf("%v -> service '%v' not found", r.RemoteAddr, shrToken)
|
2022-12-14 20:41:54 +01:00
|
|
|
notFoundUi.WriteNotFound(w)
|
2022-11-23 17:58:45 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func writeUnauthorizedResponse(w http.ResponseWriter, realm string) {
|
|
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
|
|
|
|
w.WriteHeader(401)
|
|
|
|
w.Write([]byte("No Authorization\n"))
|
|
|
|
}
|