stuff basic auth into the secrets store (#983)

2025-06-26 12:42:18 +02:00 · 2025-06-18 13:15:37 -04:00 · 2025-06-18 13:15:37 -04:00 · 19d391e7f8
commit 19d391e7f8
parent 6598fd6961
4 changed files with 43 additions and 13 deletions
--- a/controller/share.go
+++ b/controller/share.go
@ -1,6 +1,8 @@
 package controller

 import (
+	"encoding/json"
+
 	"github.com/go-openapi/runtime/middleware"
 	"github.com/jmoiron/sqlx"
 	"github.com/openziti/zrok/controller/store"
@ -127,12 +129,13 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 					return share.NewShareNotFound()
 				}
 			}
-			if sfe != nil && sfe.UrlTemplate != nil {
+			if sfe.UrlTemplate != nil {
 				frontendZIds = append(frontendZIds, sfe.ZId)
 				frontendTemplates = append(frontendTemplates, *sfe.UrlTemplate)
 				logrus.Infof("added frontend selection '%v' with ziti identity '%v' for share '%v'", frontendSelection, sfe.ZId, shrToken)
 			}
 		}
+
 		var skipInterstitial bool
 		if backendMode != sdk.DriveBackendMode {
 			skipInterstitial, err = str.IsAccountGrantedSkipInterstitial(int(principal.ID), trx)
@ -143,6 +146,7 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 		} else {
 			skipInterstitial = true
 		}
+
 		shrZId, frontendEndpoints, err = newPublicResourceAllocator().allocate(envZId, shrToken, frontendZIds, frontendTemplates, params, !skipInterstitial, edge)
 		if err != nil {
 			logrus.Error(err)
@ -201,6 +205,31 @@ func (h *shareHandler) Handle(params share.ShareParams, principal *rest_model_zr
 		}
 	}

+	if sshr.ShareMode == string(sdk.PublicShareMode) && params.Body.AuthScheme == string(sdk.Basic) {
+		logrus.Infof("writing basic auth secrets for '%v'", sshr.Token)
+		authUsersMap := make(map[string]string)
+		for _, authUser := range params.Body.AuthUsers {
+			authUsersMap[authUser.Username] = authUser.Password
+		}
+		authUsersMapJson, err := json.Marshal(authUsersMap)
+		if err != nil {
+			logrus.Errorf("error marshalling auth secrets for '%v': %v", sshr.Token, err)
+			return share.NewShareInternalServerError()
+		}
+		secrets := store.Secrets{
+			ShareId: sid,
+			Secrets: []store.Secret{
+				{Key: "auth_scheme", Value: string(sdk.Basic)},
+				{Key: "auth_users", Value: string(authUsersMapJson)},
+			},
+		}
+		if err := str.CreateSecrets(secrets, trx); err != nil {
+			logrus.Errorf("error creating secrets for '%v': %v", principal.Email, err)
+			return share.NewShareInternalServerError()
+		}
+		logrus.Infof("wrote auth secrets for '%v'", sshr.Token)
+	}
+
 	if err := trx.Commit(); err != nil {
 		logrus.Errorf("error committing share record: %v", err)
 		return share.NewShareInternalServerError()
--- a/controller/sharePublic.go
+++ b/controller/sharePublic.go
@ -23,14 +23,12 @@ func (a *publicResourceAllocator) allocate(envZId, shrToken string, frontendZIds
 		return "", nil, err
 	}
 	options := &zrokEdgeSdk.FrontendOptions{
-		Interstitial:   interstitial,
-		AuthScheme:     authScheme,
-		BasicAuthUsers: authUsers,
-		Oauth: &sdk.OauthConfig{
-			Provider:                   params.Body.OauthProvider,
-			EmailDomains:               params.Body.OauthEmailDomains,
-			AuthorizationCheckInterval: params.Body.OauthAuthorizationCheckInterval,
-		},
+		Interstitial: interstitial,
+		AuthSecrets:  false,
+	}
+	switch authScheme {
+	case sdk.Basic:
+		options.AuthSecrets = true
 	}
 	cfgId, err := zrokEdgeSdk.CreateConfig(zrokProxyConfigId, envZId, shrToken, options, edge)
 	if err != nil {
--- a/controller/store/secret.go
+++ b/controller/store/secret.go
@ -12,8 +12,8 @@ type Secrets struct {
 }

 type Secret struct {
-	Key   string
-	Value string
+	Key   string `json:"key"`
+	Value string `json:"value"`
 }

 func (str *Store) CreateSecrets(secrets Secrets, trx *sqlx.Tx) error {
--- a/controller/zrokEdgeSdk/config.go
+++ b/controller/zrokEdgeSdk/config.go
@ -3,17 +3,19 @@ package zrokEdgeSdk
 import (
 	"context"
 	"fmt"
+	"reflect"
+	"time"
+
 	"github.com/openziti/edge-api/rest_management_api_client"
 	"github.com/openziti/edge-api/rest_management_api_client/config"
 	"github.com/openziti/edge-api/rest_model"
 	"github.com/openziti/zrok/sdk/golang/sdk"
 	"github.com/sirupsen/logrus"
-	"reflect"
-	"time"
 )

 type FrontendOptions struct {
 	Interstitial   bool
+	AuthSecrets    bool
 	AuthScheme     sdk.AuthScheme
 	BasicAuthUsers []*sdk.AuthUserConfig
 	Oauth          *sdk.OauthConfig
@ -22,6 +24,7 @@ type FrontendOptions struct {
 func CreateConfig(cfgTypeZId, envZId, shrToken string, options *FrontendOptions, edge *rest_management_api_client.ZitiEdgeManagement) (cfgZId string, err error) {
 	cfg := &sdk.FrontendConfig{
 		Interstitial: options.Interstitial,
+		AuthSecrets:  options.AuthSecrets,
 		AuthScheme:   options.AuthScheme,
 	}
 	if cfg.AuthScheme == sdk.Basic {