From 19d391e7f8c1a4f5f90e6cb1a346ace24b72491e Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Wed, 18 Jun 2025 13:15:37 -0400
Subject: [PATCH] stuff basic auth into the secrets store (#983)

---
 controller/share.go | 31 ++++++++++++++++++++++++++++++-
 controller/sharePublic.go | 14 ++++++--------
 controller/store/secret.go | 4 ++--
 controller/zrokEdgeSdk/config.go | 7 +++++--
 4 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/controller/share.go b/controller/share.go
index 6e2eed3c..a2047669 100644
--- a/controller/share.go
+++ b/controller/share.go
@@ -1,6 +1,8 @@
 package controller
 
 import (
+ "encoding/json"
+
 "github.com/go-openapi/runtime/middleware"
 "github.com/jmoiron/sqlx"
 "github.com/openziti/zrok/controller/store"
@@ -127,12 +129,13 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 return share.NewShareNotFound()
 }
 }
- if sfe != nil && sfe.UrlTemplate != nil {
+ if sfe.UrlTemplate != nil {
 frontendZIds = append(frontendZIds, sfe.ZId)
 frontendTemplates = append(frontendTemplates, *sfe.UrlTemplate)
 logrus.Infof("added frontend selection '%v' with ziti identity '%v' for share '%v'", frontendSelection, sfe.ZId, shrToken)
 }
 }
+
 var skipInterstitial bool
 if backendMode != sdk.DriveBackendMode {
 skipInterstitial, err = str.IsAccountGrantedSkipInterstitial(int(principal.ID), trx)
@@ -143,6 +146,7 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 } else {
 skipInterstitial = true
 }
+
 shrZId, frontendEndpoints, err = newPublicResourceAllocator().allocate(envZId, shrToken, frontendZIds, frontendTemplates, params, !skipInterstitial, edge)
 if err != nil {
 logrus.Error(err)
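Review bot: Dropping the `sfe != nil` guard in the `-127,12` hunk makes `sfe.UrlTemplate` dereference `sfe` unconditionally; that is only safe if the lookup above (its error branch returns `share.NewShareNotFound()`, the call itself sits outside the hunk) can never yield a nil `sfe` together with a nil error. If the store helper does return (nil, nil) for an unknown frontend name, restore the guard or turn that case into an explicit `return share.NewShareNotFound()`. The import hunk and the `-143,6` hunk at this anchor only add blank lines and need nothing; Handle starts and ends outside these hunks.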
@@ -201,6 +205,31 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 }
 }
 
+ if sshr.ShareMode == string(sdk.PublicShareMode) && params.Body.AuthScheme == string(sdk.Basic) {
+ logrus.Infof("writing basic auth secrets for '%v'", sshr.Token)
+ authUsersMap := make(map[string]string)
+ for _, authUser := range params.Body.AuthUsers {
+ authUsersMap[authUser.Username] = authUser.Password
+ }
+ authUsersMapJson, err := json.Marshal(authUsersMap)
+ if err != nil {
+ logrus.Errorf("error marshalling auth secrets for '%v': %v", sshr.Token, err)
+ return share.NewShareInternalServerError()
+ }
+ secrets := store.Secrets{
+ ShareId: sid,
+ Secrets: []store.Secret{
+ {Key: "auth_scheme", Value: string(sdk.Basic)},
+ {Key: "auth_users", Value: string(authUsersMapJson)},
+ },
+ }
+ if err := str.CreateSecrets(secrets, trx); err != nil {
+ logrus.Errorf("error creating secrets for '%v': %v", principal.Email, err)
+ return share.NewShareInternalServerError()
+ }
+ logrus.Infof("wrote auth secrets for '%v'", sshr.Token)
+ }
+
 if err := trx.Commit(); err != nil {
 logrus.Errorf("error committing share record: %v", err)
 return share.NewShareInternalServerError()
diff --git a/controller/sharePublic.go b/controller/sharePublic.go
index 335b9b24..c09c55b7 100644
--- a/controller/sharePublic.go
+++ b/controller/sharePublic.go
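Review bot: The `auth_users` secret written here is the request's `authUser.Password` values verbatim, marshalled into a JSON map and handed to `str.CreateSecrets`; the path this replaces (`BasicAuthUsers` handled in the `if cfg.AuthScheme == sdk.Basic` branch of `zrokEdgeSdk.CreateConfig`, whose body is outside this diff) may have transformed the passwords before they left the controller, so confirm whether the store encrypts secret values at rest or the frontend expects an already-hashed value, and if neither holds, hash here before `json.Marshal`. The loop also assumes every element of `params.Body.AuthUsers` is non-nil — if the generated model uses a pointer slice, a nil entry panics the handler — and duplicate usernames silently overwrite each other in `authUsersMap`. The `CreateSecrets` error log is keyed on `principal.Email` while the surrounding messages are keyed on `sshr.Token`; `logrus.Errorf("error creating secrets for '%v': %v", sshr.Token, err)` keeps them consistent. Handle's body continues on both sides of the hunk.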
@@ -23,14 +23,12 @@ func (a *publicResourceAllocator) allocate(envZId, shrToken string, frontendZIds
 return "", nil, err
 }
 options := &zrokEdgeSdk.FrontendOptions{
- Interstitial: interstitial,
- AuthScheme: authScheme,
- BasicAuthUsers: authUsers,
- Oauth: &sdk.OauthConfig{
- Provider: params.Body.OauthProvider,
- EmailDomains: params.Body.OauthEmailDomains,
- AuthorizationCheckInterval: params.Body.OauthAuthorizationCheckInterval,
- },
+ Interstitial: interstitial,
+ AuthSecrets: false,
+ }
+ switch authScheme {
+ case sdk.Basic:
+ options.AuthSecrets = true
 }
 cfgId, err := zrokEdgeSdk.CreateConfig(zrokProxyConfigId, envZId, shrToken, options, edge)
 if err != nil {
diff --git a/controller/store/secret.go b/controller/store/secret.go
index 3bb31d61..34bd207d 100644
--- a/controller/store/secret.go
+++ b/controller/store/secret.go
@@ -12,8 +12,8 @@ type Secrets struct {
 }
 
 type Secret struct {
- Key string
- Value string
+ Key string `json:"key"`
+ Value string `json:"value"`
 }
 
 func (str *Store) CreateSecrets(secrets Secrets, trx *sqlx.Tx) error {
diff --git a/controller/zrokEdgeSdk/config.go b/controller/zrokEdgeSdk/config.go
index 6c9b7b8c..853d4695 100644
--- a/controller/zrokEdgeSdk/config.go
+++ b/controller/zrokEdgeSdk/config.go
@@ -3,17 +3,19 @@ package zrokEdgeSdk
 import (
 "context"
 "fmt"
+ "reflect"
+ "time"
+
 "github.com/openziti/edge-api/rest_management_api_client"
 "github.com/openziti/edge-api/rest_management_api_client/config"
 "github.com/openziti/edge-api/rest_model"
 "github.com/openziti/zrok/sdk/golang/sdk"
 "github.com/sirupsen/logrus"
- "reflect"
- "time"
 )
 
 type FrontendOptions struct {
 Interstitial bool
+ AuthSecrets bool
 AuthScheme sdk.AuthScheme
 BasicAuthUsers []*sdk.AuthUserConfig
 Oauth *sdk.OauthConfig
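Review bot: The rewritten options literal no longer sets `AuthScheme` and drops the `Oauth` block entirely, but only the basic scheme is routed to the secrets store: an oauth share now reaches `zrokEdgeSdk.CreateConfig` with neither a scheme nor its provider/email-domain settings, and nothing else in this commit writes oauth secrets. If that is a deliberate interim state, say so with a `// TODO: oauth provider config is not yet carried via the secrets store` on the `switch`; otherwise the `Oauth` fields should stay until their secrets path exists. A one-case switch on `authScheme` also reads more directly as `AuthSecrets: authScheme == sdk.Basic,` inside the literal, and `authUsers` appears unused in allocate after this change unless it is referenced outside the hunk.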
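Review bot: `AuthSecrets` is a new exported field on `FrontendOptions`, which `CreateConfig` copies straight into `sdk.FrontendConfig`, yet it carries no comment saying what a consumer should do when it is set, and it now sits beside `AuthScheme`/`BasicAuthUsers`/`Oauth` with no statement of which mechanism wins when both are populated. Suggest `// AuthSecrets signals that auth material for this share is provisioned through the secrets store rather than embedded in this config via AuthScheme/BasicAuthUsers/Oauth.` on the field. The import regrouping in the same hunk is fine.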
@@ -22,6 +24,7 @@ type FrontendOptions struct {
 func CreateConfig(cfgTypeZId, envZId, shrToken string, options *FrontendOptions, edge *rest_management_api_client.ZitiEdgeManagement) (cfgZId string, err error) {
 cfg := &sdk.FrontendConfig{
 Interstitial: options.Interstitial,
+ AuthSecrets: options.AuthSecrets,
 AuthScheme: options.AuthScheme,
 }
 if cfg.AuthScheme == sdk.Basic {
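Review bot: `cfg.AuthSecrets` is copied in, but the `if cfg.AuthScheme == sdk.Basic {` branch that follows (its body is outside the hunk) still runs regardless, so a caller that sets both `AuthSecrets` and `AuthScheme` produces a config carrying the secrets flag and an embedded basic-auth block at the same time. If the two are meant to be exclusive, guard the legacy branch with `if !cfg.AuthSecrets && cfg.AuthScheme == sdk.Basic {`, or have CreateConfig return an error when both are set so the ambiguity surfaces at share creation rather than at the frontend. CreateConfig continues past the end of the hunk.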