super rough secrets client access for basic auth (#987)
This commit is contained in:
parent
4c5f3e77e3
commit
c0ca4b0967
@ -3,6 +3,7 @@ package publicProxy
|
|||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
@ -189,8 +190,42 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if scheme, found := proxyConfig["auth_scheme"]; found {
|
logrus.Infof("proxyConfig: %v", proxyConfig)
|
||||||
switch scheme {
|
|
||||||
|
authSecrets := false
|
||||||
|
if v, found := proxyConfig["secrets_auth"]; found {
|
||||||
|
authSecrets = v.(bool)
|
||||||
|
}
|
||||||
|
var secrets map[string]string
|
||||||
|
if authSecrets {
|
||||||
|
secrets = make(map[string]string)
|
||||||
|
secretsArr, err := GetSecrets(shrToken, cfg)
|
||||||
|
if err != nil {
|
||||||
|
logrus.Infof("error getting secrets for '%v': %v", shrToken, err)
|
||||||
|
notFoundUi.WriteNotFound(w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for _, secret := range secretsArr {
|
||||||
|
secrets[secret.Key] = secret.Value
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
authScheme := "none"
|
||||||
|
if secrets != nil {
|
||||||
|
if v, found := secrets["auth_scheme"]; found {
|
||||||
|
authScheme = v
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
if v, found := proxyConfig["auth_scheme"]; found {
|
||||||
|
authScheme = v.(string)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
logrus.Infof("authScheme: %v", authScheme)
|
||||||
|
logrus.Infof("secrets: %v", secrets)
|
||||||
|
|
||||||
|
if authScheme != "none" {
|
||||||
|
switch authScheme {
|
||||||
case string(sdk.None):
|
case string(sdk.None):
|
||||||
logrus.Debugf("auth scheme none '%v'", shrToken)
|
logrus.Debugf("auth scheme none '%v'", shrToken)
|
||||||
// ensure cookies from other shares are not sent to this share, in case it's malicious
|
// ensure cookies from other shares are not sent to this share, in case it's malicious
|
||||||
@ -206,32 +241,16 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
authed := false
|
authed := false
|
||||||
if v, found := proxyConfig["basic_auth"]; found {
|
var authUsers map[string]string
|
||||||
if basicAuth, ok := v.(map[string]interface{}); ok {
|
if v, found := secrets["auth_users"]; found {
|
||||||
if v, found := basicAuth["users"]; found {
|
if err := json.Unmarshal([]byte(v), &authUsers); err != nil {
|
||||||
if arr, ok := v.([]interface{}); ok {
|
basicAuthRequired(w, shrToken)
|
||||||
for _, v := range arr {
|
return
|
||||||
if um, ok := v.(map[string]interface{}); ok {
|
|
||||||
username := ""
|
|
||||||
if v, found := um["username"]; found {
|
|
||||||
if un, ok := v.(string); ok {
|
|
||||||
username = un
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
password := ""
|
if password, found := authUsers[inUser]; found {
|
||||||
if v, found := um["password"]; found {
|
if inPass == password {
|
||||||
if pw, ok := v.(string); ok {
|
|
||||||
password = pw
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if username == inUser && password == inPass {
|
|
||||||
authed = true
|
authed = true
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -344,7 +363,7 @@ func shareHandler(handler http.Handler, cfg *Config, key []byte, ctx ziti.Contex
|
|||||||
notFoundUi.WriteNotFound(w)
|
notFoundUi.WriteNotFound(w)
|
||||||
}
|
}
|
||||||
default:
|
default:
|
||||||
logrus.Infof("invalid auth scheme '%v'", scheme)
|
logrus.Infof("invalid auth scheme '%v'", authScheme)
|
||||||
basicAuthRequired(w, shrToken)
|
basicAuthRequired(w, shrToken)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
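Review bot: `logrus.Infof("secrets: %v", secrets)` (and `logrus.Infof("proxyConfig: %v", proxyConfig)` at the top of the same hunk) writes the fetched secret values to the log at Info level on every request; the third hunk shows that `secrets["auth_users"]` holds usernames and the plaintext passwords compared against `inPass`, so those credentials end up in the frontend log. Log at most the key names or count, at Debug, e.g. `logrus.Debugf("loaded %d secrets for '%v'", len(secrets), shrToken)`, and drop the proxyConfig dump, which can still carry the legacy `basic_auth` users block the removed code used to read. `authSecrets = v.(bool)` and `authScheme = v.(string)` are unchecked type assertions on the share's frontend config where the removed code used the two-value form; a non-bool or non-string value panics the handler, so prefer `if b, ok := v.(bool); ok { authSecrets = b }` and the same shape for the string. Because `authScheme` defaults to the literal `"none"` and the switch is guarded by `authScheme != "none"`, the `case string(sdk.None):` branch looks unreachable if `sdk.None` is `"none"` — worth confirming. shareHandler starts and ends outside this hunk.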
@ -7,6 +7,7 @@ import (
|
|||||||
|
|
||||||
"github.com/openziti/sdk-golang/ziti"
|
"github.com/openziti/sdk-golang/ziti"
|
||||||
"github.com/openziti/zrok/controller/secretsGrpc"
|
"github.com/openziti/zrok/controller/secretsGrpc"
|
||||||
|
"github.com/sirupsen/logrus"
|
||||||
"github.com/viccon/sturdyc"
|
"github.com/viccon/sturdyc"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
"google.golang.org/grpc/credentials/insecure"
|
"google.golang.org/grpc/credentials/insecure"
|
||||||
@ -19,8 +20,10 @@ type Secret struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func GetSecrets(shareToken string, cfg *Config) ([]Secret, error) {
|
func GetSecrets(shareToken string, cfg *Config) ([]Secret, error) {
|
||||||
|
logrus.Infof("getting secrets")
|
||||||
cacheClient := sturdyc.New[[]Secret](cfg.SecretsCache.Capacity, cfg.SecretsCache.Shards, cfg.SecretsCache.TTL, cfg.SecretsCache.EvictionPercentage)
|
cacheClient := sturdyc.New[[]Secret](cfg.SecretsCache.Capacity, cfg.SecretsCache.Shards, cfg.SecretsCache.TTL, cfg.SecretsCache.EvictionPercentage)
|
||||||
fetch := func(ctx context.Context) ([]Secret, error) {
|
fetch := func(ctx context.Context) ([]Secret, error) {
|
||||||
|
logrus.Infof("fetching '%v'", shareToken)
|
||||||
opts := []grpc.DialOption{
|
opts := []grpc.DialOption{
|
||||||
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
|
grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
|
||||||
zcfg, err := ziti.NewConfigFromFile(cfg.SecretsAccess.IdentityPath)
|
zcfg, err := ziti.NewConfigFromFile(cfg.SecretsAccess.IdentityPath)
|
||||||
|