switchable auth scheme based on service config (#12)

This commit is contained in:
Michael Quigley 2022-08-16 11:41:04 -04:00
parent b510190910
commit 83b573bfa8
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62


@ -44,7 +44,7 @@ func Run(cfg *Config) error {
{Username: "hello", Password: "world"}, {Username: "hello", Password: "world"},
}, },
} }
return http.ListenAndServe(cfg.Address, basicAuth(util.NewProxyHandler(proxy), users, "zrok")) return http.ListenAndServe(cfg.Address, basicAuth(util.NewProxyHandler(proxy), users, "zrok", &resolver{}, zCtx))
} }
type resolver struct{} type resolver struct{}
@ -165,28 +165,39 @@ func getRefreshedService(name string, ctx ziti.Context) (*edge.Service, bool) {
return svc, found return svc, found
} }
func basicAuth(handler http.Handler, users *model.BasicAuth, realm string) http.HandlerFunc { func basicAuth(handler http.Handler, users *model.BasicAuth, realm string, rslv ProxyServiceResolver, ctx ziti.Context) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
inUser, inPass, ok := r.BasicAuth() svcName := rslv.Service(r.Host)
if !ok { if svc, found := getRefreshedService(svcName, ctx); found {
writeUnauthorizedResponse(w, realm) if cfg, found := svc.Configs[model.ZrokProxyConfig]; found {
return if scheme, found := cfg["auth_scheme"]; found {
} switch scheme {
case model.None:
handler.ServeHTTP(w, r)
return
authed := false case model.Basic:
for _, v := range users.Users { inUser, inPass, ok := r.BasicAuth()
if subtle.ConstantTimeCompare([]byte(inUser), []byte(v.Username)) == 1 && subtle.ConstantTimeCompare([]byte(inPass), []byte(v.Password)) == 1 { if !ok {
authed = true writeUnauthorizedResponse(w, realm)
break return
}
authed := false
for _, v := range users.Users {
if subtle.ConstantTimeCompare([]byte(inUser), []byte(v.Username)) == 1 && subtle.ConstantTimeCompare([]byte(inPass), []byte(v.Password)) == 1 {
authed = true
break
}
}
if !authed {
writeUnauthorizedResponse(w, realm)
return
}
handler.ServeHTTP(w, r)
}
}
} }
} }
if !authed {
writeUnauthorizedResponse(w, realm)
return
}
handler.ServeHTTP(w, r)
} }
} }
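Review bot: The new handler in `basicAuth` returns without writing anything when the service is not found, when the service has no `model.ZrokProxyConfig` entry, when that config has no `auth_scheme` key, or when the scheme matches neither `model.None` nor `model.Basic`; net/http then sends an empty 200, whereas the old code always ended in either `handler.ServeHTTP` or `writeUnauthorizedResponse`. Each of those fall-through paths should end in an explicit response, and the `switch` needs a `default` case, so that a misconfigured or unknown scheme fails closed instead of silently succeeding; the status codes below are suggestions. The guard-clause form also keeps the basic-auth branch at one indent level. The `users` list is still the single process-wide set passed from `Run` rather than anything read from the service config, which may be intended for now but is worth a comment on the parameter.
```go
return func(w http.ResponseWriter, r *http.Request) {
	svcName := rslv.Service(r.Host)
	svc, found := getRefreshedService(svcName, ctx)
	if !found {
		http.NotFound(w, r)
		return
	}
	cfg, found := svc.Configs[model.ZrokProxyConfig]
	if !found {
		http.Error(w, "service has no proxy config", http.StatusBadGateway)
		return
	}
	scheme, found := cfg["auth_scheme"]
	if !found {
		http.Error(w, "service has no auth_scheme", http.StatusBadGateway)
		return
	}
	switch scheme {
	case model.None:
		handler.ServeHTTP(w, r)
	case model.Basic:
		// … unchanged: basic-auth credential check and handler.ServeHTTP …
	default:
		// fail closed on any scheme this proxy does not implement
		http.Error(w, "unsupported auth_scheme", http.StatusBadGateway)
	}
}
```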