From c0ca4b0967f4529b1f906894549c41700e00662b Mon Sep 17 00:00:00 2001
From: Michael Quigley
Date: Wed, 18 Jun 2025 16:50:48 -0400
Subject: [PATCH] super rough secrets client access for basic auth (#987)
---
 endpoints/publicProxy/http.go | 77 ++++++++++++++++----------
 endpoints/publicProxy/secretsAccess.go | 3 +
 2 files changed, 51 insertions(+), 29 deletions(-)
diff --git a/endpoints/publicProxy/http.go b/endpoints/publicProxy/http.go
index 37e40807..2908c50e 100644
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@@ -3,6 +3,7 @@ package publicProxy
 import (
 "context"
 "crypto/md5"
+ "encoding/json"
 "fmt"
 "net"
 "net/http"
@@ -189,8 +190,42 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
 }
 }
- if scheme, found := proxyConfig["auth_scheme"]; found {
- switch scheme {
+ logrus.Infof("proxyConfig: %v", proxyConfig)
+
+ authSecrets := false
+ if v, found := proxyConfig["secrets_auth"]; found {
+ authSecrets = v.(bool)
+ }
+ var secrets map[string]string
+ if authSecrets {
+ secrets = make(map[string]string)
+ secretsArr, err := GetSecrets(shrToken, cfg)
+ if err != nil {
+ logrus.Infof("error getting secrets for '%v': %v", shrToken, err)
+ notFoundUi.WriteNotFound(w)
+ return
+ }
+ for _, secret := range secretsArr {
+ secrets[secret.Key] = secret.Value
+ }
+ }
+
+ authScheme := "none"
+ if secrets != nil {
+ if v, found := secrets["auth_scheme"]; found {
+ authScheme = v
+ }
+ } else {
+ if v, found := proxyConfig["auth_scheme"]; found {
+ authScheme = v.(string)
+ }
+ }
+
+ logrus.Infof("authScheme: %v", authScheme)
+ logrus.Infof("secrets: %v", secrets)
+
+ if authScheme != "none" {
+ switch authScheme {
 case string(sdk.None):
 logrus.Debugf("auth scheme none '%v'", shrToken)
 // ensure cookies from other shares are not sent to this share, in case it's malicious
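Review bot: `logrus.Infof("secrets: %v", secrets)` and `logrus.Infof("proxyConfig: %v", proxyConfig)` write the share's secret values (the `auth_users` JSON with its passwords, plus whatever else the secrets service returns) to the Info log on every request; drop both, or log only the key names at Debug level. The new `authSecrets = v.(bool)` and `authScheme = v.(string)` are unchecked type assertions on values read from proxyConfig, so a non-bool or non-string value panics the handler where the removed code used `ok` checks; write `if b, ok := v.(bool); ok { authSecrets = b }` and `if s, ok := v.(string); ok { authScheme = s }`. Since `authScheme` defaults to the literal "none" and the `switch` is only entered when `authScheme != "none"`, the `case string(sdk.None)` branch is presumably unreachable if sdk.None is "none". shareHandler continues outside this hunk.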
@@ -206,32 +241,16 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
 return
 }
 authed := false
- if v, found := proxyConfig["basic_auth"]; found {
- if basicAuth, ok := v.(map[string]interface{}); ok {
- if v, found := basicAuth["users"]; found {
- if arr, ok := v.([]interface{}); ok {
- for _, v := range arr {
- if um, ok := v.(map[string]interface{}); ok {
- username := ""
- if v, found := um["username"]; found {
- if un, ok := v.(string); ok {
- username = un
- }
- }
- password := ""
- if v, found := um["password"]; found {
- if pw, ok := v.(string); ok {
- password = pw
- }
- }
- if username == inUser && password == inPass {
- authed = true
- break
- }
- }
- }
- }
- }
+ var authUsers map[string]string
+ if v, found := secrets["auth_users"]; found {
+ if err := json.Unmarshal([]byte(v), &authUsers); err != nil {
+ basicAuthRequired(w, shrToken)
+ return
+ }
+ }
+ if password, found := authUsers[inUser]; found {
+ if inPass == password {
+ authed = true
 }
 }
@@ -344,7 +363,7 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
 notFoundUi.WriteNotFound(w)
 }
 default:
- logrus.Infof("invalid auth scheme '%v'", scheme)
+ logrus.Infof("invalid auth scheme '%v'", authScheme)
 basicAuthRequired(w, shrToken)
 return
 }
diff --git a/endpoints/publicProxy/secretsAccess.go b/endpoints/publicProxy/secretsAccess.go
index 2908c9bc..015b93d4 100644
--- a/endpoints/publicProxy/secretsAccess.go
+++ b/endpoints/publicProxy/secretsAccess.go
@@ -7,6 +7,7 @@ import (
 "github.com/openziti/sdk-golang/ziti"
 "github.com/openziti/zrok/controller/secretsGrpc"
+ "github.com/sirupsen/logrus"
 "github.com/viccon/sturdyc"
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials/insecure"
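Review bot: `if inPass == password` compares the submitted password against the stored value with plain string equality, which short-circuits on the first differing byte; use `subtle.ConstantTimeCompare([]byte(inPass), []byte(password)) == 1` and add `"crypto/subtle"` to the import block alongside the new `"encoding/json"`. The old `proxyConfig["basic_auth"]` lookup is removed entirely, so when `secrets_auth` is unset `secrets` stays nil, the `secrets["auth_users"]` read finds nothing, and every basic-auth share configured the old way now fails authentication; presumably acceptable for this rough cut, but it deserves a comment or a fallback. A malformed `auth_users` value currently answers with another 401 challenge, which looks like a wrong password to the user rather than a configuration error worth logging. shareHandler continues outside this hunk.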
@@ -19,8 +20,10 @@ type Secret struct {
 }
 func GetSecrets(shareToken string, cfg *Config) ([]Secret, error) {
+ logrus.Infof("getting secrets")
 cacheClient := sturdyc.New[[]Secret](cfg.SecretsCache.Capacity, cfg.SecretsCache.Shards, cfg.SecretsCache.TTL, cfg.SecretsCache.EvictionPercentage)
 fetch := func(ctx context.Context) ([]Secret, error) {
+ logrus.Infof("fetching '%v'", shareToken)
 opts := []grpc.DialOption{
 grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
 zcfg, err := ziti.NewConfigFromFile(cfg.SecretsAccess.IdentityPath)
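Review bot: Both added `logrus.Infof` calls fire on every request that reaches GetSecrets, and the second writes the share token into the log, so they belong at `logrus.Debugf` rather than Info once the feature settles. Because `cacheClient` is constructed inside GetSecrets on each call, the "fetching" message will presumably appear on every invocation rather than only on cache misses; that per-call cache predates this commit, but the new log line makes it visible and is worth a note, e.g. `// NOTE: cache is rebuilt per call — fetch runs every time`. GetSecrets and the `fetch` closure continue outside this hunk.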