zrok/endpoints/publicProxy/http.go

367 lines
12 KiB
Go
Raw Normal View History

package publicProxy
2022-07-19 22:15:54 +02:00
import (
2022-08-10 21:15:35 +02:00
"context"
"crypto/md5"
2022-08-10 21:15:35 +02:00
"fmt"
2023-09-05 18:50:41 +02:00
"github.com/golang-jwt/jwt/v5"
2022-07-20 20:16:01 +02:00
"github.com/openziti/sdk-golang/ziti"
"github.com/openziti/zrok/endpoints"
"github.com/openziti/zrok/endpoints/publicProxy/healthUi"
"github.com/openziti/zrok/endpoints/publicProxy/notFoundUi"
2023-09-05 18:50:41 +02:00
"github.com/openziti/zrok/endpoints/publicProxy/unauthorizedUi"
"github.com/openziti/zrok/environment"
"github.com/openziti/zrok/sdk"
"github.com/openziti/zrok/util"
2022-07-20 20:16:01 +02:00
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
"net"
"net/http"
"net/http/httputil"
"net/url"
"strings"
2023-09-05 16:55:55 +02:00
"time"
2022-07-19 22:15:54 +02:00
)
type HttpFrontend struct {
2022-08-18 22:57:38 +02:00
cfg *Config
zCtx ziti.Context
handler http.Handler
}
func NewHTTP(cfg *Config) (*HttpFrontend, error) {
var key []byte
if cfg.Oauth != nil {
hash := md5.New()
2023-10-05 19:34:27 +02:00
n, err := hash.Write([]byte(cfg.Oauth.HashKey))
if err != nil {
return nil, err
}
2023-10-05 19:34:27 +02:00
if n != len(cfg.Oauth.HashKey) {
return nil, errors.New("short hash")
}
key = hash.Sum(nil)
}
root, err := environment.LoadRoot()
if err != nil {
return nil, errors.Wrap(err, "error loading environment root")
}
zCfgPath, err := root.ZitiIdentityNamed(cfg.Identity)
if err != nil {
2023-07-10 22:41:16 +02:00
return nil, errors.Wrapf(err, "error getting ziti identity '%v' from environment", cfg.Identity)
}
2023-05-25 17:50:38 +02:00
zCfg, err := ziti.NewConfigFromFile(zCfgPath)
2022-07-20 20:16:01 +02:00
if err != nil {
2022-08-18 22:57:38 +02:00
return nil, errors.Wrap(err, "error loading config")
2022-07-20 20:16:01 +02:00
}
zCfg.ConfigTypes = []string{sdk.ZrokProxyConfig}
2023-05-25 17:50:38 +02:00
zCtx, err := ziti.NewContext(zCfg)
if err != nil {
return nil, errors.Wrap(err, "error loading ziti context")
}
zDialCtx := zitiDialContext{ctx: zCtx}
2022-07-21 21:26:44 +02:00
zTransport := http.DefaultTransport.(*http.Transport).Clone()
zTransport.DialContext = zDialCtx.Dial
2022-07-21 21:46:14 +02:00
proxy, err := newServiceProxy(cfg, zCtx)
2022-07-20 20:36:14 +02:00
if err != nil {
2022-08-18 22:57:38 +02:00
return nil, err
2022-07-20 20:36:14 +02:00
}
2022-07-21 21:46:14 +02:00
proxy.Transport = zTransport
2023-09-05 16:55:55 +02:00
if err := configureOauthHandlers(context.Background(), cfg, false); err != nil {
return nil, err
}
handler := authHandler(util.NewProxyHandler(proxy), cfg, key, zCtx)
return &HttpFrontend{
2022-08-18 22:57:38 +02:00
cfg: cfg,
zCtx: zCtx,
handler: handler,
}, nil
}
2023-10-05 19:34:27 +02:00
func (f *HttpFrontend) Run() error {
return http.ListenAndServe(f.cfg.Address, f.handler)
}
2022-08-10 21:15:35 +02:00
2022-08-18 23:09:38 +02:00
type zitiDialContext struct {
ctx ziti.Context
2022-08-10 21:15:35 +02:00
}
2023-10-05 19:34:27 +02:00
func (c *zitiDialContext) Dial(_ context.Context, _ string, addr string) (net.Conn, error) {
2023-01-04 20:42:58 +01:00
shrToken := strings.Split(addr, ":")[0] // ignore :port (we get passed 'host:port')
2023-10-05 19:34:27 +02:00
conn, err := c.ctx.Dial(shrToken)
if err != nil {
return conn, err
}
return conn, nil
2022-08-10 21:15:35 +02:00
}
func newServiceProxy(cfg *Config, ctx ziti.Context) (*httputil.ReverseProxy, error) {
proxy := hostTargetReverseProxy(cfg, ctx)
2022-08-10 21:15:35 +02:00
director := proxy.Director
proxy.Director = func(req *http.Request) {
director(req)
req.Header.Set("X-Proxy", "zrok")
}
proxy.ModifyResponse = func(resp *http.Response) error {
return nil
}
proxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) {
logrus.Errorf("error proxying: %v", err)
2022-12-14 20:41:54 +01:00
notFoundUi.WriteNotFound(w)
2022-08-10 21:15:35 +02:00
}
return proxy, nil
}
func hostTargetReverseProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProxy {
2022-08-10 21:15:35 +02:00
director := func(req *http.Request) {
2023-01-04 20:42:58 +01:00
targetShrToken := resolveService(cfg.HostMatch, req.Host)
if svc, found := endpoints.GetRefreshedService(targetShrToken, ctx); found {
if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
logrus.Debugf("auth model: %v", cfg)
2022-08-10 21:15:35 +02:00
} else {
2022-08-15 23:52:24 +02:00
logrus.Warn("no config!")
2022-08-10 21:15:35 +02:00
}
2023-01-04 20:42:58 +01:00
if target, err := url.Parse(fmt.Sprintf("http://%v", targetShrToken)); err == nil {
logrus.Infof("[%v] -> %v", targetShrToken, req.URL)
2022-08-15 23:52:24 +02:00
targetQuery := target.RawQuery
req.URL.Scheme = target.Scheme
req.URL.Host = target.Host
req.URL.Path, req.URL.RawPath = endpoints.JoinURLPath(target, req.URL)
2022-08-15 23:52:24 +02:00
if targetQuery == "" || req.URL.RawQuery == "" {
req.URL.RawQuery = targetQuery + req.URL.RawQuery
} else {
req.URL.RawQuery = targetQuery + "&" + req.URL.RawQuery
}
if _, ok := req.Header["User-Agent"]; !ok {
// explicitly disable User-Agent so it's not set to default value
req.Header.Set("User-Agent", "")
}
} else {
logrus.Errorf("error proxying: %v", err)
2022-08-10 21:15:35 +02:00
}
}
}
return &httputil.ReverseProxy{Director: director}
}
func authHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Context) http.HandlerFunc {
2022-08-16 17:27:31 +02:00
return func(w http.ResponseWriter, r *http.Request) {
2023-09-05 16:55:55 +02:00
shrToken := resolveService(pcfg.HostMatch, r.Host)
2023-01-04 20:42:58 +01:00
if shrToken != "" {
if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
if scheme, found := cfg["auth_scheme"]; found {
switch scheme {
case string(sdk.None):
2023-01-04 20:42:58 +01:00
logrus.Debugf("auth scheme none '%v'", shrToken)
handler.ServeHTTP(w, r)
return
case string(sdk.Basic):
2023-01-04 20:42:58 +01:00
logrus.Debugf("auth scheme basic '%v", shrToken)
inUser, inPass, ok := r.BasicAuth()
if !ok {
basicAuthRequired(w, shrToken)
return
}
authed := false
if v, found := cfg["basic_auth"]; found {
if basicAuth, ok := v.(map[string]interface{}); ok {
if v, found := basicAuth["users"]; found {
if arr, ok := v.([]interface{}); ok {
for _, v := range arr {
if um, ok := v.(map[string]interface{}); ok {
username := ""
if v, found := um["username"]; found {
if un, ok := v.(string); ok {
username = un
}
}
password := ""
if v, found := um["password"]; found {
if pw, ok := v.(string); ok {
password = pw
}
}
if username == inUser && password == inPass {
authed = true
break
}
}
}
}
}
}
}
if !authed {
basicAuthRequired(w, shrToken)
return
}
2022-09-07 18:22:22 +02:00
handler.ServeHTTP(w, r)
2023-09-05 17:10:25 +02:00
case string(sdk.Oauth):
logrus.Debugf("auth scheme oauth '%v'", shrToken)
2023-09-05 16:55:55 +02:00
if oauthCfg, found := cfg["oauth"]; found {
if provider, found := oauthCfg.(map[string]interface{})["provider"]; found {
2023-09-05 18:50:41 +02:00
var authCheckInterval time.Duration
if checkInterval, found := oauthCfg.(map[string]interface{})["authorization_check_interval"]; !found {
logrus.Errorf("Missing authorization check interval in share config. Defaulting to 3 hours")
authCheckInterval = 3 * time.Hour
} else {
i, err := time.ParseDuration(checkInterval.(string))
if err != nil {
logrus.Errorf("unable to parse authorization check interval in share config (%v). Defaulting to 3 hours", checkInterval)
authCheckInterval = 3 * time.Hour
} else {
authCheckInterval = i
}
}
target := fmt.Sprintf("%s%s", r.Host, r.URL.Path)
2023-09-05 16:55:55 +02:00
cookie, err := r.Cookie("zrok-access")
if err != nil {
logrus.Errorf("unable to get 'zrok-access' cookie: %v", err)
oauthLoginRequired(w, r, shrToken, pcfg, provider.(string), target, authCheckInterval)
2023-09-05 16:55:55 +02:00
return
}
tkn, err := jwt.ParseWithClaims(cookie.Value, &ZrokClaims{}, func(t *jwt.Token) (interface{}, error) {
if pcfg.Oauth == nil {
return nil, fmt.Errorf("missing oauth configuration for access point; unable to parse jwt")
2023-09-05 16:55:55 +02:00
}
return key, nil
2023-09-05 16:55:55 +02:00
})
if err != nil {
logrus.Errorf("unable to parse jwt: %v", err)
oauthLoginRequired(w, r, shrToken, pcfg, provider.(string), target, authCheckInterval)
2023-09-05 16:55:55 +02:00
return
}
claims := tkn.Claims.(*ZrokClaims)
if claims.Provider != provider {
logrus.Error("provider mismatch; restarting auth flow")
oauthLoginRequired(w, r, shrToken, pcfg, provider.(string), target, authCheckInterval)
2023-09-05 16:55:55 +02:00
return
}
if claims.AuthorizationCheckInterval != authCheckInterval {
logrus.Error("authorization check interval mismatch; restarting auth flow")
oauthLoginRequired(w, r, shrToken, pcfg, provider.(string), target, authCheckInterval)
2023-09-05 16:55:55 +02:00
return
}
if validDomains, found := oauthCfg.(map[string]interface{})["email_domains"]; found {
if castedDomains, ok := validDomains.([]interface{}); !ok {
logrus.Error("invalid email domain format")
2023-09-05 16:55:55 +02:00
return
} else {
if len(castedDomains) > 0 {
found := false
for _, domain := range castedDomains {
if strings.HasSuffix(claims.Email, domain.(string)) {
found = true
break
}
}
if !found {
logrus.Warnf("invalid email domain")
2023-09-05 16:55:55 +02:00
unauthorizedUi.WriteUnauthorized(w)
return
}
}
}
}
handler.ServeHTTP(w, r)
return
2023-09-05 16:55:55 +02:00
} else {
logrus.Warnf("%v -> no provider for '%v'", r.RemoteAddr, provider)
notFoundUi.WriteNotFound(w)
}
} else {
logrus.Warnf("%v -> no oauth cfg for '%v'", r.RemoteAddr, shrToken)
notFoundUi.WriteNotFound(w)
}
default:
logrus.Infof("invalid auth scheme '%v'", scheme)
basicAuthRequired(w, shrToken)
return
}
} else {
2023-01-04 20:42:58 +01:00
logrus.Warnf("%v -> no auth scheme for '%v'", r.RemoteAddr, shrToken)
2022-12-14 20:41:54 +01:00
notFoundUi.WriteNotFound(w)
}
} else {
2023-01-04 20:42:58 +01:00
logrus.Warnf("%v -> no proxy config for '%v'", r.RemoteAddr, shrToken)
2022-12-14 20:41:54 +01:00
notFoundUi.WriteNotFound(w)
}
} else {
2023-01-04 20:42:58 +01:00
logrus.Warnf("%v -> service '%v' not found", r.RemoteAddr, shrToken)
2022-12-14 20:41:54 +01:00
notFoundUi.WriteNotFound(w)
2022-08-16 17:27:31 +02:00
}
} else {
2022-09-09 16:01:24 +02:00
logrus.Debugf("host '%v' did not match host match, returning health check", r.Host)
2022-12-14 20:41:54 +01:00
healthUi.WriteHealthOk(w)
2022-08-16 17:27:31 +02:00
}
}
}
2023-09-05 16:55:55 +02:00
type ZrokClaims struct {
Email string `json:"email"`
AccessToken string `json:"accessToken"`
Provider string `json:"provider"`
AuthorizationCheckInterval time.Duration `json:"authorizationCheckInterval"`
jwt.RegisteredClaims
}
2023-09-13 19:41:10 +02:00
func SetZrokCookie(w http.ResponseWriter, domain, email, accessToken, provider string, checkInterval time.Duration, key []byte) {
2023-09-05 16:55:55 +02:00
tkn := jwt.NewWithClaims(jwt.SigningMethodHS256, ZrokClaims{
Email: email,
AccessToken: accessToken,
Provider: provider,
AuthorizationCheckInterval: checkInterval,
})
sTkn, err := tkn.SignedString(key)
if err != nil {
http.Error(w, fmt.Sprintf("after signing cookie token: %v", err.Error()), http.StatusInternalServerError)
2023-09-05 16:55:55 +02:00
return
}
http.SetCookie(w, &http.Cookie{
Name: "zrok-access",
Value: sTkn,
2023-09-05 18:50:41 +02:00
MaxAge: int(checkInterval.Seconds()),
2023-09-13 19:41:10 +02:00
Domain: domain,
2023-09-05 16:55:55 +02:00
Path: "/",
Expires: time.Now().Add(checkInterval),
//Secure: true, //When tls gets added have this be configured on if tls
})
}
func basicAuthRequired(w http.ResponseWriter, realm string) {
2022-08-16 17:27:31 +02:00
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
w.WriteHeader(401)
2023-10-05 19:34:27 +02:00
_, _ = w.Write([]byte("No Authorization\n"))
2022-08-16 17:27:31 +02:00
}
2022-08-18 22:57:38 +02:00
func oauthLoginRequired(w http.ResponseWriter, r *http.Request, shrToken string, pcfg *Config, provider, target string, authCheckInterval time.Duration) {
2023-10-05 19:34:27 +02:00
scheme := "https"
if pcfg.Oauth != nil && pcfg.Oauth.RedirectHttpOnly {
scheme = "http"
}
http.Redirect(w, r, fmt.Sprintf("%s://%s.%s:%d/%s/login?targethost=%s&checkInterval=%s", scheme, shrToken, pcfg.Oauth.RedirectHost, pcfg.Oauth.RedirectPort, provider, url.QueryEscape(target), authCheckInterval.String()), http.StatusFound)
}
func resolveService(hostMatch string, host string) string {
2022-09-07 18:22:22 +02:00
if hostMatch == "" || strings.Contains(host, hostMatch) {
tokens := strings.Split(host, ".")
if len(tokens) > 0 {
return tokens[0]
}
2022-08-18 22:57:38 +02:00
}
return ""
2022-08-18 22:57:38 +02:00
}