AuthProxy: Support Regexps when checking if path requires auth
Change-Id: I3bc6d3143cef46b711bb3ccc7e2cb1ee8c59313f
diff --git a/core/auth/proxy/main.go b/core/auth/proxy/main.go
index a147049..f8ab620 100644
--- a/core/auth/proxy/main.go
+++ b/core/auth/proxy/main.go
@@ -14,6 +14,7 @@
"net/http"
"net/http/cookiejar"
"net/url"
+ "regexp"
"slices"
"strings"
)
@@ -25,7 +26,7 @@
var membershipPublicAddr = flag.String("membership-public-addr", "", "Public address of membership service")
var groups = flag.String("groups", "", "Comma separated list of groups. User must be part of at least one of them. If empty group membership will not be checked.")
var upstream = flag.String("upstream", "", "Upstream service address")
-var noAuthPathPrefixes = flag.String("no-auth-path-prefixes", "", "Path prefixes to disable authentication for")
+var noAuthPathPatterns = flag.String("no-auth-path-patterns", "", "Path regex patterns to disable authentication for")
//go:embed unauthorized.html
var unauthorizedHTML embed.FS
@@ -33,6 +34,23 @@
//go:embed static/*
var f embed.FS
+var noAuthPathRegexps []*regexp.Regexp
+
+func initPathPatterns() error {
+ for _, p := range strings.Split(*noAuthPathPatterns, ",") {
+ t := strings.TrimSpace(p)
+ if len(t) == 0 {
+ continue
+ }
+ exp, err := regexp.Compile(t)
+ if err != nil {
+ return err
+ }
+ noAuthPathRegexps = append(noAuthPathRegexps, exp)
+ }
+ return nil
+}
+
type cachingHandler struct {
h http.Handler
}
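Review bot: Splitting `*noAuthPathPatterns` on `,` in initPathPatterns cuts apart any regex that itself contains a comma, such as a `{1,3}` quantifier. The fragments then either fail to compile or compile to something the operator did not intend. Because these patterns decide which paths skip authentication, consider a repeatable flag via `flag.Func`, or a separator that cannot occur in a pattern, and state the format in the help text. The compile error is also returned bare; `return fmt.Errorf("invalid no-auth-path-patterns entry %q: %w", t, err)` would tie a startup failure to the flag.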
@@ -100,9 +118,8 @@
return
}
reqAuth := true
- for _, p := range strings.Split(*noAuthPathPrefixes, ",") {
- t := strings.TrimSpace(p)
- if len(t) > 0 && strings.HasPrefix(r.URL.Path, t) {
+ for _, p := range noAuthPathRegexps {
+ if p.MatchString(r.URL.Path) {
reqAuth = false
break
}
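Review bot: `p.MatchString(r.URL.Path)` is an unanchored search, so a pattern matches anywhere in the path, whereas the removed `strings.HasPrefix` check matched only at the start. A value carried over from the old prefix flag (constructed example: `/public`) would now also set `reqAuth = false` for a path like `/admin/public`, widening the unauthenticated surface. Consider anchoring where the patterns are compiled, e.g. `regexp.Compile("^(?:" + t + ")")` to keep prefix semantics, and say in the flag help whether patterns are anchored. The enclosing handler starts and ends outside this hunk.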
@@ -255,6 +272,9 @@
if *groups != "" && (*membershipAddr == "" || *membershipPublicAddr == "") {
log.Fatal("membership-addr and membership-public-addr flags are required when groups are provided")
}
+ if err := initPathPatterns(); err != nil {
+ log.Fatal(err)
+ }
http.Handle("/.auth/static/", http.StripPrefix("/.auth", cachingHandler{http.FileServer(http.FS(f))}))
http.HandleFunc("/", handle)
fmt.Printf("Starting HTTP server on port: %d\n", *port)