neale
/
simpleauth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: neale:8d6cd79ed6ad81398439ab0bed5870237ceadf95
Branches Tags
neale:main
..
compare: neale:969c3797af7eef7842b8e266c4847ee3a27ae1c9
Branches Tags
neale:main

No commits in common. "8d6cd79ed6ad81398439ab0bed5870237ceadf95" and "969c3797af7eef7842b8e266c4847ee3a27ae1c9" have entirely different histories.
8d6cd79ed6 ... 969c3797af

18 changed files with 234 additions and 686 deletions
Show Stats Expand all files Collapse all files

221
README.md
View File

@ -1,136 +1,91 @@
# Simple Auth
This is a stateless forward-auth provider.
I tested it with Caddy, but it should work fine with Traefik.
# Theory of Operation
This issues cryptographically signed authentication tokens to the client.
Some JavaScript stores the token in a cookie.
When a client presents an authentication token in a cookie,
they are allowed in if the token was properly signed,
and has not expired.
Authentication tokens consist of:
* Username
* Expiration date
* Hashed Message Authentication Code (HMAC)
Simpleauth also works with HTTP Basic authentication.
# Setup
Simpleauth needs two (2) files:
* A secret key, to sign authentication tokens
* A list of usernames and hashed passwords
## Create secret key
This will use `/dev/urandom` to generate a 64-byte secret key.
```sh
SASECRET=/run/secrets/simpleauth.key # Set to wherever you want your secret to live
dd if=/dev/urandom of=$SASECRET bs=1 count=64
```
## Create password file
It's just a text file with hashed passwords.
Each line is of the format `username:password_hash`
```sh
alias sacrypt="docker run --rm --entrypoint=/crypt git.woozle.org/neale/simpleauth"
SAPASSWD=/run/secrets/passwd # Set to wherever you want your password file to live
: > $SAPASSWD # Reset password file
sacrypt user1 password1 >> $SAPASSWD
sacrypt user2 password2 >> $SAPASSWD
sacrypt user3 password3 >> $SAPASSWD
```
## Start it
Turning this into the container orchestration system you prefer
(Docker Swarm, Kubernetes, Docker Compose)
is left as an exercise for the reader.
```sh
docker run \
--name=simpleauth \
--detach \
--restart=always \
--port 8080:8080 \
--volume $SASECRET:/run/secrets/simpleauth.key:ro \
--volume $SAPASSWD:/run/secrets/passwd:ro \
git.woozle.org/neale/simpleauth
```
## Make your web server use it
### Caddy
You'll want a `forward-auth` section like this:
```
private.example.com {
forward_auth localhost:8080 {
uri /
copy_headers X-Simpleauth-Username
header_down X-Simpleauth-Domain example.com # Set cookie for all of example.com
}
respond "Hello, friend!"
}
```
The `copy_headers` directive tells Caddy to pass
Simpleauth's `X-Simpleauth-Username` header
along in the HTTP request.
If you are reverse proxying to some other app,
it can look at this header to determine who's logged in.
`header_down` sets the
`X-Simpleauth-Domain` header in HTTP responses.
The only time a client would get an HTTP response is when it is not yet authenticated.
The built-in JavaScript login page uses this header to set the cookie domain:
this way, you can protect multiple sites within a single cookie
### Traefik
I need someone to send me equivalent
traefik
configuration,
to include here.
### nginx
I need someone to send me equivalent
nginx
configuration,
to include here.
# Why not some other thing?
The main reason is that I couldn't get the freedesktop.org
WebDAV client code to work with anything else I found.
* Authelia - I like it, but I couldn't get WebDAV to work. Also, it used 4.8GB of RAM and wanted a Redis server.
* Authentik - Didn't try it, looked too complicated.
* Keycloak - Didn't try it, looked way too complicated.
# Todo
* [ ] Performance testing: somehow this takes more CPU than caddy?
# Project Home
The canonical home for this project is
https://git.woozle.org/neale/simpleauth
# Simple Auth
All this does is present a login page.
Upon successful login, the browser gets a cookie,
and further attempts to access will get the success page.
I made this to use with the Traefik forward-auth middleware.
I now use Caddy: it works with that too.
All I need is a simple password, that's easy to fill with a password manager.
This checks those boxes.
## Format of the `passwd` file
It's just like `/etc/shadow`.
username:crypted-password
We use sha256,
until there's a Go library that supports everything.
There's a program included called `crypt` that will output lines for this file.
## Installation with Caddy
Run simpleauth as a service.
Make sure it can read your `passwd` file,
which you set up in the previous section.
You'll want a section like this in your Caddyfile:
```
forward_auth simpleauth:8080 {
uri /
copy_headers X-Simpleauth-Token
}
```
## Installation with Traefik
I don't use Traefik any longer, but when I did,
I had it set up like this:
```yaml
services:
my-cool-service:
# All your cool stuff here
deploy:
labels:
# Keep all your existing traefik stuff
traefik.http.routers.dashboard.middlewares: forward-auth
traefik.http.middlewares.forward-auth.forwardauth.address: http://simpleauth:8080/
simpleauth:
image: ghcr.io/nealey/simpleauth
secrets:
- password
deploy:
labels:
traefik.enable: "true"
traefik.http.routers.simpleauth.rules: "PathPrefix(`/`)"
traefik.http.services.simpleauth.loadbalancer.server.port: "8080"
secrets:
password:
file: password
name: password-v1
```
# How It Works
Simpleauth uses a token cookie, in addition to HTTP Basic authentication.
The token is an HMAC digest of an expiration timestamp,
plus the timestamp.
When the HMAC is good, and the timestamp is in the future,
the token is a valid authentication.
This technique means there is no persistent server storage.
If you use the default of pulling the session secret from the OS PRNG,
then everybody will have to log in again every time the server restarts.
You can use the `-secret` argument to provide a persistent secret,
so this won't happen.
Some things,
like WebDAV,
will only ever use HTTP Basic auth.
That's okay:
Simpleauth will issue a new token for every request,
and the client will ignore it.

7
build.sh
View File

@ -1,7 +0,0 @@
#! /bin/sh
set -e
tag=git.woozle.org/neale/simpleauth:latest
docker buildx build --push --tag $tag $(dirname $0)/.

0
Dockerfile → build/Dockerfile
View File

9
build/build.sh Executable file
View File

@ -0,0 +1,9 @@
#! /bin/sh
set -e
tag=git.woozle.org/neale/simpleauth
cd $(dirname $0)/..
docker build -t $tag -f build/Dockerfile .
docker push $tag

25
build/gitlab-vars Executable file
View File

@ -0,0 +1,25 @@
#! /bin/sh
case $1 in
-h|-help|--help)
echo "Usage: $0 TARGET"
echo
echo "Sets CI build variables for gitlab"
exit 1
;;
esac
branch=$(git symbolic-ref -q --short HEAD)
if [ "$branch" = "main" ]; then
branch=latest
fi
printf "Branch: %s\n" "$branch"
printf "::set-output name=branch::%s\n" "$branch"
printf "::set-output name=tag::%s\n" "$branch"
# I think it will use whichever comes last
git tag --points-at HEAD | while read tag; do
printf "Tag: %s\n" "$tag"
printf "::set-output name=tag::%s\n" "$tag"
done

146
cmd/simpleauth/main.go
View File

@ -7,15 +7,14 @@ import (
"io/ioutil"
"log"
"net/http"
"net/url"
"os"
"path"
"strings"
"time"
"git.woozle.org/neale/simpleauth/pkg/token"
"github.com/GehirnInc/crypt"
_ "github.com/GehirnInc/crypt/sha256_crypt"
"git.woozle.org/neale/simpleauth/pkg/token"
)
const CookieName = "simpleauth-token"
@ -24,19 +23,6 @@ var secret []byte = make([]byte, 256)
var lifespan time.Duration
var cryptedPasswords map[string]string
var loginHtml []byte
var verbose bool
func debugln(v ...any) {
if verbose {
log.Println(v...)
}
}
func debugf(fmt string, v ...any) {
if verbose {
log.Printf(fmt, v...)
}
}
func authenticationValid(username, password string) bool {
c := crypt.SHA256.New()
@ -48,94 +34,64 @@ func authenticationValid(username, password string) bool {
return false
}
func usernameIfAuthenticated(req *http.Request) string {
if authUsername, authPassword, ok := req.BasicAuth(); ok {
valid := authenticationValid(authUsername, authPassword)
debugf("basic auth valid:%v username:%v", valid, authUsername)
if valid {
return authUsername
}
} else {
debugf("no basic auth")
}
ncookies := 0
for i, cookie := range req.Cookies() {
if cookie.Name != CookieName {
continue
}
t, _ := token.ParseString(cookie.Value)
valid := t.Valid(secret)
debugf("cookie %d valid:%v username:%v", i, valid, t.Username)
if valid {
return t.Username
}
ncookies += 1
}
if ncookies == 0 {
debugf("no cookies")
}
return ""
}
func rootHandler(w http.ResponseWriter, req *http.Request) {
var status string
username := usernameIfAuthenticated(req)
login := req.Header.Get("X-Simpleauth-Login") == "true"
browser := strings.Contains(req.Header.Get("Accept"), "text/html")
if username == "" {
status = "failed"
} else {
status = "succeeded"
w.Header().Set("X-Simpleauth-Username", username)
if login {
// Send back a token; this will turn into a cookie
t := token.New(secret, username, time.Now().Add(lifespan))
w.Header().Set("X-Simpleauth-Cookie", fmt.Sprintf("%s=%s", CookieName, t.String()))
w.Header().Set("X-Simpleauth-Token", t.String())
} else {
// This is the only time simpleauth returns 200
// That will cause Caddy to proceed with the original request
http.Error(w, "Success", http.StatusOK)
if cookie, err := req.Cookie(CookieName); err == nil {
t, _ := token.ParseString(cookie.Value)
if t.Valid(secret) {
fmt.Print(w, "Valid token")
return
}
// Fall through to the 401 response, though,
// so that Caddy will send our response back to the client,
// which needs these headers to set the cookie and try again.
}
acceptsHtml := false
if strings.Contains(req.Header.Get("Accept"), "text/html") {
acceptsHtml = true
}
authenticated := false
if username, password, ok := req.BasicAuth(); ok {
authenticated = authenticationValid(username, password)
}
// Log the request
clientIP := req.Header.Get("X-Real-IP")
if clientIP == "" {
clientIP = req.RemoteAddr
}
forwardedMethod := req.Header.Get("X-Forwarded-Method")
forwardedURL := url.URL{
Scheme: req.Header.Get("X-Forwarded-Proto"),
Host: req.Header.Get("X-Forwarded-Host"),
Path: req.Header.Get("X-Forwarded-Uri"),
User: url.UserPassword(username, ""),
log.Printf("%s %s %s [auth:%v]", clientIP, req.Method, req.URL, authenticated)
if !authenticated {
w.Header().Set("Content-Type", "text/html")
if !acceptsHtml {
w.Header().Set("WWW-Authenticate", "Basic realm=\"simpleauth\"")
}
w.WriteHeader(http.StatusUnauthorized)
w.Write(loginHtml)
return
}
// Log the request
if false {
log.Printf("%s %s %s login:%v %s",
clientIP, forwardedMethod, forwardedURL.String(),
login, status,
)
}
// Set Cookie
t := token.New(secret, time.Now().Add(lifespan))
http.SetCookie(w, &http.Cookie{
Name: CookieName,
Value: t.String(),
Path: "/",
Secure: true,
SameSite: http.SameSiteStrictMode,
})
w.Header().Set("Content-Type", "text/html")
w.Header().Set("X-Simpleauth-Authentication", status)
w.Header().Set("WWW-Authenticate", "Simpleauth-Login")
if !login && !browser {
// Make browsers use our login form instead of basic auth
w.Header().Add("WWW-Authenticate", "Basic realm=\"simpleauth\"")
// Set cookie value in our fancypants header
w.Header().Set("X-Simpleauth-Token", t.String())
if req.Header.Get("X-Simpleauth-Login") != "" {
// Caddy treats any response <300 as "please serve original content",
// so we'll use 302 (Found).
// According to RFC9110, the server SHOULD send a Location header with 302.
// We don't do that, because we don't know where to send you.
// It's possible 300 is a less incorrect code to use here.
w.WriteHeader(http.StatusFound)
}
w.WriteHeader(http.StatusUnauthorized)
w.Write(loginHtml)
fmt.Fprintln(w, "Authenticated")
}
func main() {
@ -157,7 +113,7 @@ func main() {
)
secretPath := flag.String(
"secret",
"/run/secrets/simpleauth.key",
"/dev/urandom",
"Path to a file containing some sort of secret, for signing requests",
)
htmlPath := flag.String(
@ -165,12 +121,6 @@ func main() {
"web",
"Path to HTML files",
)
flag.BoolVar(
&verbose,
"verbose",
false,
"Print verbose logs, for debugging",
)
flag.Parse()
cryptedPasswords = make(map[string]string, 10)
@ -204,7 +154,7 @@ func main() {
}
defer f.Close()
l, err := f.Read(secret)
if l < 64 {
if l < 8 {
log.Fatalf("Secret file provided %d bytes. That's not enough bytes!", l)
} else if err != nil {
log.Fatal(err)

8
go.mod
View File

@ -1,14 +1,8 @@
module git.woozle.org/neale/simpleauth
go 1.18
go 1.13
require (
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
gopkg.in/yaml.v3 v3.0.1
)
require (
github.com/kr/pretty v0.3.1 // indirect
github.com/stretchr/testify v1.8.1 // indirect
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
)

14
go.sum
View File

@ -1,21 +1,10 @@
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaaSyd+DyQRrsQjhbSeS7qe4nEw8aQw=
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@ -23,9 +12,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

46
pkg/acl/acl.go
View File

@ -1,46 +0,0 @@
package acl
import (
"io"
"log"
"net/http"
"gopkg.in/yaml.v3"
)
type ACL struct {
Rules []Rule
}
func Read(r io.Reader) (*ACL, error) {
acl := ACL{}
ydec := yaml.NewDecoder(r)
if err := ydec.Decode(&acl); err != nil {
return nil, err
}
if err := acl.CompileURLs(); err != nil {
return nil, err
}
return &acl, nil
}
// CompileURLs compiles regular expressions for all URLs.
func (acl *ACL) CompileURLs() error {
for i := range acl.Rules {
rule := &acl.Rules[i]
if err := rule.CompileURL(); err != nil {
return err
}
}
return nil
}
func (acl *ACL) Match(req *http.Request) Action {
for _, rule := range acl.Rules {
log.Println(rule)
if rule.Match(req) {
return rule.Action
}
}
return Deny
}

89
pkg/acl/acl_test.go
View File

@ -1,89 +0,0 @@
package acl
import (
"net/http"
"net/url"
"os"
"testing"
)
type testAcl struct {
t *testing.T
acl *ACL
}
func readAcl(filename string) (*ACL, error) {
f, err := os.Open(filename)
if err != nil {
return nil, err
}
defer f.Close()
acl, err := Read(f)
if err != nil {
return nil, err
}
return acl, nil
}
func (ta *testAcl) try(method string, URL string, expected Action) {
u, err := url.Parse(URL)
if err != nil {
ta.t.Errorf("Parsing %s: %v", URL, err)
}
req := &http.Request{
Method: method,
URL: u,
}
action := ta.acl.Match(req)
if action != expected {
ta.t.Errorf("%s %s expected %v but got %v", method, URL, expected, action)
}
}
func TestRegexen(t *testing.T) {
acl, err := readAcl("testdata/acl.yaml")
if err != nil {
t.Fatal(err)
}
for i, rule := range acl.Rules {
if rule.urlRegexp == nil {
t.Errorf("Regexp not precompiled on rule %d", i)
}
}
}
func TestUsers(t *testing.T) {
acl, err := readAcl("testdata/acl.yaml")
if err != nil {
t.Fatal(err)
}
if acl.Rules[0].Users != nil {
t.Errorf("Rules[0].Users != nil")
}
if acl.Rules[1].Users == nil {
t.Errorf("Rules[0].Users == nil")
}
}
func TestAclMatching(t *testing.T) {
acl, err := readAcl("testdata/acl.yaml")
if err != nil {
t.Fatal(err)
}
ta := testAcl{
t: t,
acl: acl,
}
ta.try("GET", "https://example.com/moo", Deny)
ta.try("GET", "https://example.com/blargh", Deny)
ta.try("GET", "https://example.com/public/moo", Public)
ta.try("BLARGH", "https://example.com/blargh", Public)
ta.try("GET", "https://example.com/only-alice/boog", Deny)
ta.try("GET", "https://alice:@example.com/only-alice/boog", Auth)
ta.try("GET", "https://alice:@example.com/bob/", Deny)
ta.try("GET", "https://bob:@example.com/bob/", Auth)
}

40
pkg/acl/action.go
View File

@ -1,40 +0,0 @@
package acl
import (
"fmt"
"strings"
)
type Action int
const (
Deny Action = iota
Auth
Public
)
var actions = [...]string{
"deny",
"auth",
"public",
}
func (a Action) String() string {
return actions[a]
}
func (a *Action) UnmarshalYAML(unmarshal func(any) error) error {
var val string
if err := unmarshal(&val); err != nil {
return err
}
val = strings.ToLower(val)
for i, s := range actions {
if val == s {
*a = (Action)(i)
return nil
}
}
return fmt.Errorf("Unknown action type: %s", val)
}

38
pkg/acl/action_test.go
View File

@ -1,38 +0,0 @@
package acl
import (
"testing"
"gopkg.in/yaml.v3"
)
func TestActions(t *testing.T) {
if Deny.String() != "deny" {
t.Error("Deny string wrong")
}
if Auth.String() != "auth" {
t.Error("Auth string wrong")
}
if Public.String() != "public" {
t.Error("Public string wrong")
}
}
func TestYamlActions(t *testing.T) {
var out []Action
yamlDoc := "[Deny, Auth, Public, dEnY, pUBLiC]"
expected := []Action{Deny, Auth, Public, Deny, Public}
if err := yaml.Unmarshal([]byte(yamlDoc), &out); err != nil {
t.Fatal(err)
}
if len(out) != len(expected) {
t.Error("Wrong length of unmarshalled yaml")
}
for i, a := range out {
if expected[i] != a {
t.Errorf("Wrong value at position %d. Wanted %v, got %v", i, expected[i], a)
}
}
}

73
pkg/acl/rule.go
View File

@ -1,73 +0,0 @@
package acl
import (
"net/http"
"net/url"
"regexp"
)
type Rule struct {
URL string
urlRegexp *regexp.Regexp
Users []string
Methods []string
Action Action
}
// CompileURL compiles regular expressions for the URL.
// This is an startup optimization that speeds up rule processing.
func (r *Rule) CompileURL() error {
if re, err := regexp.Compile(r.URL); err != nil {
return err
} else {
r.urlRegexp = re
}
return nil
}
// Match returns true if req is matched by the rule
func (r *Rule) Match(req *http.Request) bool {
if r.urlRegexp == nil {
// Womp womp. Things will be slow, because the compiled regex won't get cached.
r.CompileURL()
}
requestUser := req.URL.User.Username()
anonURL := url.URL(*req.URL)
anonURL.User = nil
found := r.urlRegexp.FindStringSubmatch(anonURL.String())
if len(found) == 0 {
return false
}
// Match any listed method
methodMatch := (len(r.Methods) == 0)
for _, method := range r.Methods {
if method == req.Method {
methodMatch = true
}
}
if !methodMatch {
return false
}
// If they used (?P<user>),
// make sure that matches the username in the request URL
userIndex := r.urlRegexp.SubexpIndex("user")
if (userIndex != -1) && (found[userIndex] != requestUser) {
return false
}
// Match any listed user
userMatch := (len(r.Users) == 0)
for _, user := range r.Users {
if user == requestUser {
userMatch = true
}
}
if !userMatch {
// If no user match
return false
}
return true
}

22
pkg/acl/testdata/acl.yaml vendored
View File

@ -1,22 +0,0 @@
groups:
- &any [.]
- &all
- alice
- bob
- carol
rules:
- url: ^https://example.org/public/
action: public
- url: ^https://example.com/private/
users: *any
action: auth
- url: ^https://example.com/blargh
methods:
- BLARGH
action: public
- url: ^https://example.com/only-alice/
users:
- alice
action: auth
- url: ^https://example.com/(?P<user>)/
action: auth

17
pkg/acl/url.go
View File

@ -1,17 +0,0 @@
package acl
import "net/url"
type URL struct {
*url.URL
}
func (u *URL) UnmarshalYAML(unmarshal func(any) error) error {
var s string
if err := unmarshal(&s); err != nil {
return err
}
nu, err := url.Parse(s)
u.URL = nu
return err
}

60
pkg/token/token.go
View File

@ -5,47 +5,38 @@ import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"encoding/gob"
"encoding/binary"
"log"
"time"
)
type T struct {
Expiration time.Time
Username string
Mac []byte
expiration time.Time
mac []byte
}
func (t T) computeMac(secret []byte) []byte {
zt := t
zt.Mac = nil
mac := hmac.New(sha256.New, secret)
mac.Write(zt.Bytes())
binary.Write(mac, binary.BigEndian, t.expiration)
return mac.Sum([]byte{})
}
// Bytes encodes the token
func (t T) Bytes() []byte {
// String returns the string encoding of the token
func (t T) String() string {
f := new(bytes.Buffer)
enc := gob.NewEncoder(f)
if err := enc.Encode(t); err != nil {
if err := binary.Write(f, binary.BigEndian, t.expiration.Unix()); err != nil {
log.Fatal(err)
}
return f.Bytes()
}
// String returns the ASCII string encoding of the token
func (t T) String() string {
return base64.StdEncoding.EncodeToString(t.Bytes())
f.Write(t.mac)
return base64.StdEncoding.EncodeToString(f.Bytes())
}
// Valid returns true iff the token is valid for the given secret and current time
func (t T) Valid(secret []byte) bool {
if time.Now().After(t.Expiration) {
if time.Now().After(t.expiration) {
return false
}
if !hmac.Equal(t.Mac, t.computeMac(secret)) {
if !hmac.Equal(t.mac, t.computeMac(secret)) {
return false
}
@ -53,25 +44,36 @@ func (t T) Valid(secret []byte) bool {
}
// New returns a new token
func New(secret []byte, username string, expiration time.Time) T {
func New(secret []byte, expiration time.Time) T {
t := T{
Username: username,
Expiration: expiration,
expiration: expiration,
}
t.Mac = t.computeMac(secret)
t.mac = t.computeMac(secret)
return t
}
// Parse returns a new token from the given bytes
func Parse(b []byte) (T, error) {
var t T
t := T{
mac: make([]byte, sha256.Size),
}
f := bytes.NewReader(b)
dec := gob.NewDecoder(f)
err := dec.Decode(&t)
return t, err
{
var sec int64
if err := binary.Read(f, binary.BigEndian, &sec); err != nil {
return t, err
}
t.expiration = time.Unix(sec, 0)
}
if n, err := f.Read(t.mac); err != nil {
return t, err
} else {
t.mac = t.mac[:n]
}
return t, nil
}
// ParseString parses an ASCII-encoded string, as created by T.String()
// ParseString parses a base64-encoded string, as created by T.String()
func ParseString(s string) (T, error) {
b, err := base64.StdEncoding.DecodeString(s)
if err != nil {

36
pkg/token/token_test.go
View File

@ -1,36 +0,0 @@
package token
import (
"testing"
"time"
)
func TestToken(t *testing.T) {
secret := []byte("bloop")
username := "rodney"
token := New(secret, username, time.Now().Add(10*time.Second))
if token.Username != username {
t.Error("Wrong username")
}
if !token.Valid(secret) {
t.Error("Not valid")
}
tokenStr := token.String()
if nt, err := ParseString(tokenStr); err != nil {
t.Error("ParseString", err)
} else if nt.Username != token.Username {
t.Error("Decoded username wrong")
}
}
func TestExpired(t *testing.T) {
secret := []byte("bloop")
username := "rodney"
token := New(secret, username, time.Now().Add(-10*time.Second))
if token.Valid(secret) {
t.Error("Expired token still valid")
}
}

69
web/login.html
View File

@ -19,51 +19,45 @@
</style>
<script>
function error(msg) {
document.querySelector("#error").textContent = msg
}
function message(msg) {
document.querySelector("#message").textContent = msg
}
document.querySelector("#error").textContent = msg
}
async function login(evt) {
evt.preventDefault()
let data = new FormData(evt.target)
let username = data.get("username")
let password = data.get("password")
evt.preventDefault()
let data = new FormData(evt.target)
let username = data.get("username")
let password = data.get("password")
url = new URL(evt.target.action)
url.username = ""
url.password = ""
url = new URL(evt.target.action)
url.username = ""
url.password = ""
let headers = new Headers({
"Authorization": "Basic " + btoa(username + ":" + password),
"X-Simpleauth-Login": "true",
})
let req = await fetch(url, {
method: "GET",
headers: headers,
})
let cookie = req.headers.get("X-Simpleauth-Cookie")
let domain = req.headers.get("X-Simpleauth-Domain")
if (cookie) {
let expiration = new Date()
expiration.setFullYear(expiration.getFullYear() + 1)
let cookieStr = `${cookie}; expires=${expiration.toUTCString()}; path=/; Secure; SameSite=Strict`
document.cookie = "simpleauth-token=; expires=Thu, 01 Jan 1970 00:00:00 GMT" // Clear any old cookies
if (domain) {
cookieStr += `; domain=${domain}`
document.cookie = `simpleauth-token=; expires=Thu, 01 Jan 1970 00:00:00 GMT; domain=${domain}`
let headers = new Headers({
"Authorization": "Basic " + btoa(username + ":" + password),
"X-Simpleauth-Login": "true",
})
let req = await fetch(url, {
method: "GET",
headers: headers,
credentials: "same-origin",
})
if (req.status != 401) {
let token = req.headers.get("X-Simpleauth-Token")
if (token) {
// Set a cookie, just in case
let expiration = new Date()
expiration.setFullYear(expiration.getFullYear() + 1)
document.cookie = `simpleauth-token=${token}; expires=${expiration.toUTCString()}; path=/; Secure; SameSite=Strict`
}
location.reload()
return
}
document.cookie = cookieStr // JavaScript butt-magic!
location.reload()
message("Logged In!")
return
}
error(req.statusText || "Authentication failed")
console.log(req.headers)
error(req.statusText || "Authentication failed")
}
async function init() {
document.querySelector("form").addEventListener("submit", login)
document.querySelector("form").addEventListener("submit", login)
}
window.addEventListener("load", init)
@ -77,6 +71,5 @@
<div><input type="submit" value="Log In"></div>
</form>
<div id="error"></div>
<div id="message"></div>
</body>
</html>