don't promote htpasswd auth; auth directly

This commit is contained in:
Jehiah Czebotar 2012-12-26 15:55:41 +00:00
parent c459806ab0
commit 4367e47a46
2 changed files with 74 additions and 20 deletions

View File

@ -150,7 +150,7 @@ func (p *OauthProxy) getUserInfo(token string) (string, error) {
func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) { func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
domain := strings.Split(req.Host, ":")[0] domain := strings.Split(req.Host, ":")[0]
if *cookieDomain != "" { if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
domain = *cookieDomain domain = *cookieDomain
} }
cookie := &http.Cookie{ cookie := &http.Cookie{
@ -167,7 +167,7 @@ func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val string) { func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val string) {
domain := strings.Split(req.Host, ":")[0] // strip the port (if any) domain := strings.Split(req.Host, ":")[0] // strip the port (if any)
if *cookieDomain != "" { if *cookieDomain != "" && strings.HasSuffix(domain, *cookieDomain) {
domain = *cookieDomain domain = *cookieDomain
} }
cookie := &http.Cookie{ cookie := &http.Cookie{
@ -182,7 +182,6 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)
} }
func (p *OauthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, message string) { func (p *OauthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, message string) {
log.Printf("ErrorPage %d %s %s", code, title, message) log.Printf("ErrorPage %d %s %s", code, title, message)
rw.WriteHeader(code) rw.WriteHeader(code)
@ -202,14 +201,52 @@ func (p *OauthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
p.ClearCookie(rw, req) p.ClearCookie(rw, req)
rw.WriteHeader(code) rw.WriteHeader(code)
templates := getTemplates() templates := getTemplates()
t := struct{ SignInMessage string }{SignInMessage: p.SignInMessage}
t := struct{
SignInMessage string
Htpasswd bool
}{
SignInMessage: p.SignInMessage,
Htpasswd: p.HtpasswdFile != nil,
}
templates.ExecuteTemplate(rw, "sign_in.html", t) templates.ExecuteTemplate(rw, "sign_in.html", t)
} }
func (p *OauthProxy) ManualSignIn(rw http.ResponseWriter, req *http.Request) (string, bool){
if req.Method != "POST" || p.HtpasswdFile == nil{
return "", false
}
user := req.FormValue("username")
passwd := req.FormValue("password")
if user == "" {
return "", false
}
// check auth
if p.HtpasswdFile.Validate(user, passwd) {
log.Printf("authenticated %s via manual sign in", user)
return user, true
}
return "", false
}
func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
// check if this is a redirect back at the end of oauth // check if this is a redirect back at the end of oauth
remoteIP := req.Header.Get("X-Real-IP")
if remoteIP == "" {
remoteIP = req.RemoteAddr
}
log.Printf("%s %s %s", remoteIP, req.Method, req.URL.Path)
var ok bool
var user string
if req.URL.Path == signInPath { if req.URL.Path == signInPath {
user, ok = p.ManualSignIn(rw, req)
if ok {
p.SetCookie(rw, req, user)
http.Redirect(rw, req, "/", 302)
} else {
p.SignInPage(rw, req, 200) p.SignInPage(rw, req, 200)
}
return return
} }
if req.URL.Path == oauthStartPath { if req.URL.Path == oauthStartPath {
@ -260,20 +297,22 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
} }
} }
if !ok {
cookie, err := req.Cookie(p.CookieKey) cookie, err := req.Cookie(p.CookieKey)
var ok bool
var email string
var user string
if err == nil { if err == nil {
var email string
email, ok = validateCookie(cookie, p.CookieSeed) email, ok = validateCookie(cookie, p.CookieSeed)
user = strings.Split(email, "@")[0] user = strings.Split(email, "@")[0]
} }
}
if !ok { if !ok {
user, ok = p.CheckBasicAuth(req) user, ok = p.CheckBasicAuth(req)
if ok { // if we want to promote basic auth requests to cookie'd requests, we could do that here
p.SetCookie(rw, req, user) // not sure that would be ideal in all circumstances though
} // if ok {
// p.SetCookie(rw, req, user)
// }
} }
if !ok { if !ok {
@ -308,6 +347,7 @@ func (p *OauthProxy) CheckBasicAuth(req *http.Request) (string, bool) {
return "", false return "", false
} }
if p.HtpasswdFile.Validate(pair[0], pair[1]) { if p.HtpasswdFile.Validate(pair[0], pair[1]) {
log.Printf("authenticated %s via basic auth", pair[0])
return pair[0], true return pair[0], true
} }
return "", false return "", false

View File

@ -7,20 +7,34 @@ import (
func getTemplates() *template.Template { func getTemplates() *template.Template {
t, err := template.New("foo").Parse(`{{define "sign_in.html"}} t, err := template.New("foo").Parse(`{{define "sign_in.html"}}
<html><head><title>Sign In</title></head> <!DOCTYPE html>
<html lang="en" charset="utf-8">
<head><title>Sign In</title></head>
<body> <body>
<form method="GET" action="/oauth2/start"> <form method="GET" action="/oauth2/start">
<button type="submit">Sign In w/ Google</button> <button type="submit">Sign In w/ Google</button>
{{.SignInMessage}} {{.SignInMessage}}
</form> </form>
</body></html> {{ if .Htpasswd }}
<fieldset>
<form method="POST" action="/oauth2/sign_in">
<label>Username: <input type="text" name="username" size="10"></label><br/>
<label>Password: <input type="password" name="password" size="10"></label><br/>
<button type="submit">Sign In</button>
</form>
</fieldset>
{{ end }}
</body>
</html>
{{end}}`) {{end}}`)
if err != nil { if err != nil {
log.Fatalf("failed parsing template %s", err.Error()) log.Fatalf("failed parsing template %s", err.Error())
} }
t, err = t.Parse(`{{define "error.html"}} t, err = t.Parse(`{{define "error.html"}}
<html><head><title>{{.Title}}</title></head> <!DOCTYPE html>
<html lang="en" charset="utf-8">
<head><title>{{.Title}}</title></head>
<body> <body>
<h2>{{.Title}}</h2> <h2>{{.Title}}</h2>
<p>{{.Message}}</p> <p>{{.Message}}</p>