
upgrade to go-authcrunch v1.0.21

This commit is contained in:
Paul Greenberg 2022-04-02 00:03:20 -04:00
parent 548360a7e3
commit 23e844745f
10 changed files with 85 additions and 75 deletions


@ -81,10 +81,10 @@ module github.com/greenpau/caddy-security
go 1.16
require (
github.com/greenpau/go-authcrunch v1.0.20
github.com/greenpau/go-authcrunch v1.0.21
)
replace github.com/greenpau/go-authcrunch v1.0.20 => /home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
replace github.com/greenpau/go-authcrunch v1.0.21 => /home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
```
Then, modify `Makefile` such that that replacement passes to `xcaddy` builder:
@ -93,7 +93,7 @@ Then, modify `Makefile` such that that replacement passes to `xcaddy` builder:
@mkdir -p ../xcaddy-$(PLUGIN_NAME) && cd ../xcaddy-$(PLUGIN_NAME) && \
xcaddy build $(CADDY_VERSION) --output ../$(PLUGIN_NAME)/bin/caddy \
--with github.com/greenpau/caddy-security@$(LATEST_GIT_COMMIT)=$(BUILD_DIR) \
--with github.com/greenpau/go-authcrunch@v1.0.20=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
--with github.com/greenpau/go-authcrunch@v1.0.21=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
```
Once all the necessary packages are installed, you should be ready to compile


@ -17,7 +17,7 @@ all: info
xcaddy build $(CADDY_VERSION) --output ../$(PLUGIN_NAME)/bin/caddy \
--with github.com/greenpau/caddy-security@$(LATEST_GIT_COMMIT)=$(BUILD_DIR) \
--with github.com/greenpau/caddy-trace@v1.1.8
@#--with github.com/greenpau/go-authcrunch@v1.0.20=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
@#--with github.com/greenpau/go-authcrunch@v1.0.21=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
@#bin/caddy run -config assets/config/Caddyfile
@for f in `find ./assets -type f -name 'Caddyfile'`; do bin/caddy fmt -overwrite $$f; done


@ -1 +1 @@
1.0.19
1.1.0

app.go

@ -68,6 +68,7 @@ func (app *App) Provision(ctx caddy.Context) error {
zap.String("app", app.Name),
zap.Error(err),
)
return err
}
app.server = server
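Review bot: The added `return err` both logs the provisioning failure through the app logger and hands the identical error back to Caddy, which presumably reports it again when Provision fails, so operators will see the same failure twice; consider either dropping the local log or returning it once with context, e.g. `return fmt.Errorf("provisioning security app %q: %w", app.Name, err)` (adding the fmt import if it is not already there). Before this change execution fell through to `app.server = server` after a failed server build, so the early return itself is the right fix. Provision's body starts above and continues below this hunk.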


@ -91,67 +91,65 @@ func TestParseCaddyfileAuthorization(t *testing.T) {
validate path acl
validate source address
validate bearer header
with basic auth context default
with api key auth context default
with basic auth portal default realm local
with api key auth portal default realm local
allow roles authp/admin authp/user
}
}`),
want: `{
"config": {
"authorization_policies": [
{
"name": "mypolicy",
"auth_url_path": "/auth",
"auth_redirect_query_param": "redirect_url",
"auth_redirect_status_code": 302,
"name": "mypolicy",
"auth_url_path": "/auth",
"access_list_rules": [
{
"conditions": [
"match roles authp/admin authp/user"
],
"action": "allow log debug"
}
],
"crypto_key_configs": [
{
"id": "0",
"usage": "verify",
"token_name": "access_token",
"source": "config",
"algorithm": "hmac",
"token_lifetime": 900,
"token_secret": "0e2fdcf8-6868-41a7-884b-7308795fc286"
}
],
"disable_auth_redirect": true,
"disable_auth_redirect_query": true,
"auth_redirect_status_code": 302,
"allowed_token_sources": ["query"],
"forbidden_url": "/forbidden",
"validate_bearer_header": true,
"validate_method_path": true,
"validate_access_list_path_claim": true,
"validate_source_address": true,
"config": {
"authorization_policies": [
{
"name": "mypolicy",
"auth_url_path": "/auth",
"disable_auth_redirect": true,
"disable_auth_redirect_query": true,
"auth_redirect_query_param": "return_path_url",
"identity_provider_config": {
"context": "default",
"basic_auth": {
"enabled": true,
"realms": {
"local": true
}
},
"api_key_auth": {
"enabled": true,
"realms": {
"local": true
}
}
}
}
]
"auth_redirect_status_code": 302,
"access_list_rules": [
{
"conditions": [
"match roles authp/admin authp/user"
],
"action": "allow log debug"
}
],
"crypto_key_configs": [
{
"id": "0",
"usage": "verify",
"token_name": "access_token",
"source": "config",
"algorithm": "hmac",
"token_lifetime": 900,
"token_secret": "0e2fdcf8-6868-41a7-884b-7308795fc286"
}
],
"auth_proxy_config": {
"portal_name": "default",
"basic_auth": {
"enabled": true,
"realms": {
"local": true
}
},
"api_key_auth": {
"enabled": true,
"realms": {
"local": true
}
}
},
"allowed_token_sources": [
"query"
],
"forbidden_url": "/forbidden",
"validate_bearer_header": true,
"validate_method_path": true,
"validate_access_list_path_claim": true,
"validate_source_address": true
}
]
}
}`,
},
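Review bot: The golden JSON now expects `"auth_redirect_query_param": "redirect_url"` where the removed expectation had `"return_path_url"`, yet the Caddyfile under test sets no redirect query parameter, so this case is pinning a default that moved with the go-authcrunch upgrade rather than anything the plugin's parser does. If any deployed configs or upstream proxies key on the old parameter name this is a user-visible change and deserves a changelog entry, or the test should set the parameter explicitly so the expectation does not drift with the library. None of the visible cases exercises the new `disabled` keyword handled elsewhere in this commit; a case for a disabled provider or store would be worth adding alongside. The test table starts above this hunk.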


@ -56,6 +56,8 @@ import (
// }
//
func parseCaddyfileIdentityProvider(d *caddyfile.Dispenser, repl *caddy.Replacer, cfg *authcrunch.Config, kind, name string, shortcuts []string) error {
var disabled bool
m := make(map[string]interface{})
if len(shortcuts) > 0 {
switch kind {
@ -83,7 +85,7 @@ func parseCaddyfileIdentityProvider(d *caddyfile.Dispenser, repl *caddy.Replacer
rd := mkcp("security."+kind+".identity.provider["+name+"]", k)
switch k {
case "disabled":
return nil
disabled = true
case "realm", "driver", "tenant_id",
// OAuth
"domain_name", "client_id", "client_secret", "server_id", "base_auth_url",
@ -174,8 +176,12 @@ func parseCaddyfileIdentityProvider(d *caddyfile.Dispenser, repl *caddy.Replacer
}
}
if err := cfg.AddIdentityProvider(name, kind, m); err != nil {
return err
if disabled {
cfg.AddDisabledIdentityProvider(name)
} else {
if err := cfg.AddIdentityProvider(name, kind, m); err != nil {
return err
}
}
return nil
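Review bot: At the new tail of parseCaddyfileIdentityProvider, `cfg.AddDisabledIdentityProvider(name)` is called as a bare statement, so any error it might return is silently dropped; if its signature returns nothing this is fine, but please confirm against go-authcrunch v1.0.21. The `if disabled { … } else { if err … }` nesting can be flattened into an early return so the happy path stays left-aligned. Unlike the identity-store hunk, the doc comment closing at the top of this hunk shows no `disabled` entry among the accepted keywords (it may be listed above the visible lines). Note also that because `disabled` is now only a flag, every remaining key in the block is still validated before the provider is discarded, so a disabled block with a malformed key now fails config load where the old early `return nil` skipped it — likely intended, but worth a changelog line. The function body begins outside this hunk.
```go
	// … unchanged: keyword parsing loop …
	if disabled {
		cfg.AddDisabledIdentityProvider(name)
		return nil
	}
	return cfg.AddIdentityProvider(name, kind, m)
```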


@ -34,9 +34,11 @@ import (
// type <local>
// file <file_path>
// realm <name>
// disabled
// }
//
func parseCaddyfileIdentityStore(d *caddyfile.Dispenser, repl *caddy.Replacer, cfg *authcrunch.Config, kind, name string, shortcuts []string) error {
var disabled bool
m := make(map[string]interface{})
if len(shortcuts) > 0 {
@ -58,7 +60,7 @@ func parseCaddyfileIdentityStore(d *caddyfile.Dispenser, repl *caddy.Replacer, c
rd := mkcp("security.identity.store["+name+"]", k)
switch k {
case "disabled":
return nil
disabled = true
case "realm",
// Local.
"path",
@ -139,8 +141,13 @@ func parseCaddyfileIdentityStore(d *caddyfile.Dispenser, repl *caddy.Replacer, c
return errors.ErrMalformedDirective.WithArgs(rd, args)
}
}
if err := cfg.AddIdentityStore(name, kind, m); err != nil {
return err
if disabled {
cfg.AddDisabledIdentityStore(name)
} else {
if err := cfg.AddIdentityStore(name, kind, m); err != nil {
return err
}
}
return nil
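Review bot: `cfg.AddDisabledIdentityStore(name)` is invoked without using any return value, so if it can fail the failure is silently ignored — confirm its signature in go-authcrunch v1.0.21. The `else` branch after `if disabled` can be replaced by `return nil` inside the `if` followed by `return cfg.AddIdentityStore(name, kind, m)`, which removes the nested `if err` block. Because `disabled` now only sets a flag, every remaining key in the block (e.g. `path`) is still parsed and validated, a behaviour change from the old early return that is worth noting in the changelog. The function body begins above this hunk.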

go.mod

@ -5,7 +5,7 @@ go 1.16
require (
github.com/caddyserver/caddy/v2 v2.4.6
github.com/google/go-cmp v0.5.7
github.com/greenpau/go-authcrunch v1.0.20
github.com/satori/go.uuid v1.2.0
github.com/google/uuid v1.3.0
github.com/greenpau/go-authcrunch v1.0.21
go.uber.org/zap v1.20.0
)

go.sum

@ -476,8 +476,8 @@ github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/greenpau/go-authcrunch v1.0.20 h1:78rPPqo/56CgBmtsdykn3VhVH2ujEfD1dYHFYY37Pd0=
github.com/greenpau/go-authcrunch v1.0.20/go.mod h1:d54vnpcLS68I0YzGX+d2Svv4tKWmAYs5F9vl5ali6uA=
github.com/greenpau/go-authcrunch v1.0.21 h1:0kgo7QeKsDPF70LMTk9Kmpeyf/vlRgBQPM7LBXoSU4k=
github.com/greenpau/go-authcrunch v1.0.21/go.mod h1:d54vnpcLS68I0YzGX+d2Svv4tKWmAYs5F9vl5ali6uA=
github.com/greenpau/versioned v1.0.27 h1:aFJ16tzsUkbc6WT7DRia60S0VrgWzBNuul3h0RXFKxM=
github.com/greenpau/versioned v1.0.27/go.mod h1:rtFCvaWWNbMH4CJnje/xicgmrM63j++rUh5juSu0k/A=
github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
@ -823,8 +823,6 @@ github.com/samfoo/ansi v0.0.0-20160124022901-b6bd2ded7189 h1:CmSpbxmewNQbzqztaY0
github.com/samfoo/ansi v0.0.0-20160124022901-b6bd2ded7189/go.mod h1:UUwuHEJ9zkkPDxspIHOa59PUeSkGFljESGzbxntLmIg=
github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=


@ -17,8 +17,8 @@ package util
import (
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/modules/caddyhttp"
"github.com/google/uuid"
"github.com/greenpau/go-authcrunch/pkg/util/cfg"
"github.com/satori/go.uuid"
"net/http"
)
@ -41,7 +41,7 @@ func GetRequestID(r *http.Request) string {
if rawRequestID == nil {
requestID := r.Header.Get("X-Request-Id")
if requestID == "" {
requestID = uuid.NewV4().String()
requestID = uuid.New().String()
}
caddyhttp.SetVar(r.Context(), "request_id", requestID)
return requestID
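Review bot: `uuid.New()` in google/uuid is `Must(NewRandom())` and panics if the crypto random source fails; if a panic in a request path is not acceptable here, use `id, err := uuid.NewRandom()` and handle the error (for example by leaving the id empty and logging), since GetRequestID has no error return to propagate it. Moving off satori/go.uuid, which as far as I know has not been maintained for some time, is otherwise the right direction. Separately, the surrounding context accepts a client-supplied `X-Request-Id` verbatim and stores it in the `request_id` var, which presumably ends up in logs; bounding its length and restricting it to a safe character set before trusting it would limit log injection. GetRequestID's body starts above this hunk.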