super rough secrets client access for basic auth (#987)

This commit is contained in:
Michael Quigley 2025-06-18 16:50:48 -04:00
parent 4c5f3e77e3
commit c0ca4b0967
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
2 changed files with 51 additions and 29 deletions


@ -3,6 +3,7 @@ package publicProxy
import (
"context"
"crypto/md5"
"encoding/json"
"fmt"
"net"
"net/http"
@ -189,8 +190,42 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
}
}
if scheme, found := proxyConfig["auth_scheme"]; found {
switch scheme {
logrus.Infof("proxyConfig: %v", proxyConfig)
authSecrets := false
if v, found := proxyConfig["secrets_auth"]; found {
authSecrets = v.(bool)
}
var secrets map[string]string
if authSecrets {
secrets = make(map[string]string)
secretsArr, err := GetSecrets(shrToken, cfg)
if err != nil {
logrus.Infof("error getting secrets for '%v': %v", shrToken, err)
notFoundUi.WriteNotFound(w)
return
}
for _, secret := range secretsArr {
secrets[secret.Key] = secret.Value
}
}
authScheme := "none"
if secrets != nil {
if v, found := secrets["auth_scheme"]; found {
authScheme = v
}
} else {
if v, found := proxyConfig["auth_scheme"]; found {
authScheme = v.(string)
}
}
logrus.Infof("authScheme: %v", authScheme)
logrus.Infof("secrets: %v", secrets)
if authScheme != "none" {
switch authScheme {
case string(sdk.None):
logrus.Debugf("auth scheme none '%v'", shrToken)
// ensure cookies from other shares are not sent to this share, in case it's malicious
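Review bot: `logrus.Infof("secrets: %v", secrets)` writes the fetched secrets map to the info log, and the basic-auth hunk below shows that map carries `auth_users` as username-to-password JSON, so credentials land in the proxy's logs; `logrus.Infof("proxyConfig: %v", proxyConfig)` a few lines above exposes the raw share config the same way. Replace both with a line that logs only what the handler decided, e.g. `logrus.Debugf("auth scheme '%v' for '%v' (secrets-backed: %v)", authScheme, shrToken, authSecrets)`. `authSecrets = v.(bool)` is an unchecked assertion on a config value and panics the handler on a non-bool; `if b, ok := v.(bool); ok { authSecrets = b }` fails safe. When `authSecrets` is set but the fetched secrets lack `auth_scheme`, the scheme silently falls back to "none" and the share is served unauthenticated instead of failing closed — if the controller does not guarantee that key, treat its absence as an error. shareHandler begins and ends outside this hunk.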
@ -206,32 +241,16 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
return
}
authed := false
if v, found := proxyConfig["basic_auth"]; found {
if basicAuth, ok := v.(map[string]interface{}); ok {
if v, found := basicAuth["users"]; found {
if arr, ok := v.([]interface{}); ok {
for _, v := range arr {
if um, ok := v.(map[string]interface{}); ok {
username := ""
if v, found := um["username"]; found {
if un, ok := v.(string); ok {
username = un
}
}
password := ""
if v, found := um["password"]; found {
if pw, ok := v.(string); ok {
password = pw
}
}
if username == inUser && password == inPass {
authed = true
break
}
}
}
}
}
var authUsers map[string]string
if v, found := secrets["auth_users"]; found {
if err := json.Unmarshal([]byte(v), &authUsers); err != nil {
basicAuthRequired(w, shrToken)
return
}
}
if password, found := authUsers[inUser]; found {
if inPass == password {
authed = true
}
}
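Review bot: The password check `if inPass == password` is a plain string comparison; `if subtle.ConstantTimeCompare([]byte(inPass), []byte(password)) == 1` (from `crypto/subtle`) removes the timing difference between near-miss and far-miss passwords, and the old code it replaces had the same weakness. A failed `json.Unmarshal` of `auth_users` is answered with `basicAuthRequired` and the error is discarded, so a malformed secret is indistinguishable from a bad login in both the response and the logs — log it and return a server-side failure instead. Since the `proxyConfig["basic_auth"]` lookup is removed entirely, a share whose users exist only in the proxy config now rejects every login (fail-closed, but probably worth a log line when `secrets` is nil). shareHandler continues outside the hunk.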
@ -344,7 +363,7 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
notFoundUi.WriteNotFound(w)
}
default:
logrus.Infof("invalid auth scheme '%v'", scheme)
logrus.Infof("invalid auth scheme '%v'", authScheme)
basicAuthRequired(w, shrToken)
return
}


@ -7,6 +7,7 @@ import (
"github.com/openziti/sdk-golang/ziti"
"github.com/openziti/zrok/controller/secretsGrpc"
"github.com/sirupsen/logrus"
"github.com/viccon/sturdyc"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
@ -19,8 +20,10 @@ type Secret struct {
}
func GetSecrets(shareToken string, cfg *Config) ([]Secret, error) {
logrus.Infof("getting secrets")
cacheClient := sturdyc.New[[]Secret](cfg.SecretsCache.Capacity, cfg.SecretsCache.Shards, cfg.SecretsCache.TTL, cfg.SecretsCache.EvictionPercentage)
fetch := func(ctx context.Context) ([]Secret, error) {
logrus.Infof("fetching '%v'", shareToken)
opts := []grpc.DialOption{
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
zcfg, err := ziti.NewConfigFromFile(cfg.SecretsAccess.IdentityPath)