| package main |
| |
| import ( |
| "bytes" |
| "context" |
| "crypto/tls" |
| "embed" |
| "encoding/json" |
| "flag" |
| "fmt" |
| "html/template" |
| "io" |
| "log" |
| "net/http" |
| "net/http/cookiejar" |
| "net/url" |
| "regexp" |
| "slices" |
| "strings" |
| ) |
| |
| var port = flag.Int("port", 3000, "Port to listen on") |
| var whoAmIAddr = flag.String("whoami-addr", "", "Kratos whoami endpoint address") |
| var loginAddr = flag.String("login-addr", "", "Login page address") |
| var membershipAddr = flag.String("membership-addr", "", "Group membership API endpoint") |
| var membershipPublicAddr = flag.String("membership-public-addr", "", "Public address of membership service") |
| var groups = flag.String("groups", "", "Comma separated list of groups. User must be part of at least one of them. If empty group membership will not be checked.") |
| var upstream = flag.String("upstream", "", "Upstream service address") |
| var noAuthPathPatterns = flag.String("no-auth-path-patterns", "", "Path regex patterns to disable authentication for") |
| |
| //go:embed unauthorized.html |
| var unauthorizedHTML embed.FS |
| |
| //go:embed static/* |
| var f embed.FS |
| |
| var noAuthPathRegexps []*regexp.Regexp |
| |
| func initPathPatterns() error { |
| for _, p := range strings.Split(*noAuthPathPatterns, ",") { |
| t := strings.TrimSpace(p) |
| if len(t) == 0 { |
| continue |
| } |
| exp, err := regexp.Compile(t) |
| if err != nil { |
| return err |
| } |
| noAuthPathRegexps = append(noAuthPathRegexps, exp) |
| } |
| return nil |
| } |
| |
| type cachingHandler struct { |
| h http.Handler |
| } |
| |
| func (h cachingHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { |
| w.Header().Set("Cache-Control", "max-age=604800") |
| h.h.ServeHTTP(w, r) |
| } |
| |
| type user struct { |
| Identity struct { |
| Id string `json:"id"` |
| Traits struct { |
| Username string `json:"username"` |
| } `json:"traits"` |
| } `json:"identity"` |
| } |
| |
| type authError struct { |
| Error struct { |
| Status string `json:"status"` |
| } `json:"error"` |
| } |
| |
| func getAddr(r *http.Request) (*url.URL, error) { |
| return url.Parse(fmt.Sprintf( |
| "%s://%s%s", |
| r.Header["X-Forwarded-Scheme"][0], |
| r.Header["X-Forwarded-Host"][0], |
| r.URL.RequestURI())) |
| } |
| |
| var funcMap = template.FuncMap{ |
| "IsLast": func(index int, slice []string) bool { |
| return index == len(slice)-1 |
| }, |
| } |
| |
| type UnauthorizedPageData struct { |
| MembershipPublicAddr string |
| Groups []string |
| } |
| |
| func renderUnauthorizedPage(w http.ResponseWriter, groups []string) { |
| tmpl, err := template.New("unauthorized.html").Funcs(funcMap).ParseFS(unauthorizedHTML, "unauthorized.html") |
| if err != nil { |
| http.Error(w, "Failed to load template", http.StatusInternalServerError) |
| return |
| } |
| data := UnauthorizedPageData{ |
| MembershipPublicAddr: *membershipPublicAddr, |
| Groups: groups, |
| } |
| w.Header().Set("Content-Type", "text/html") |
| w.WriteHeader(http.StatusUnauthorized) |
| if err := tmpl.Execute(w, data); err != nil { |
| http.Error(w, "Failed render template", http.StatusInternalServerError) |
| } |
| } |
| |
| func handle(w http.ResponseWriter, r *http.Request) { |
| user, err := queryWhoAmI(r.Cookies()) |
| if err != nil { |
| http.Error(w, err.Error(), http.StatusInternalServerError) |
| return |
| } |
| reqAuth := true |
| for _, p := range noAuthPathRegexps { |
| if p.MatchString(r.URL.Path) { |
| reqAuth = false |
| break |
| } |
| } |
| if reqAuth { |
| if user == nil { |
| if r.Method != http.MethodGet { |
| http.Error(w, "Unauthorized", http.StatusUnauthorized) |
| return |
| } |
| curr, err := getAddr(r) |
| if err != nil { |
| http.Error(w, err.Error(), http.StatusInternalServerError) |
| return |
| } |
| addr := fmt.Sprintf("%s?return_to=%s", *loginAddr, curr.String()) |
| http.Redirect(w, r, addr, http.StatusSeeOther) |
| return |
| } |
| if *groups != "" { |
| hasPermission := false |
| tg, err := getTransitiveGroups(user.Identity.Traits.Username) |
| if err != nil { |
| http.Error(w, err.Error(), http.StatusInternalServerError) |
| return |
| } |
| for _, i := range strings.Split(*groups, ",") { |
| if slices.Contains(tg, strings.TrimSpace(i)) { |
| hasPermission = true |
| break |
| } |
| } |
| if !hasPermission { |
| groupList := strings.Split(*groups, ",") |
| renderUnauthorizedPage(w, groupList) |
| return |
| } |
| } |
| } |
| rc := r.Clone(context.Background()) |
| if user != nil { |
| rc.Header.Add("X-Forwarded-User", user.Identity.Traits.Username) |
| rc.Header.Add("X-Forwarded-UserId", user.Identity.Id) |
| } else { |
| delete(rc.Header, "X-Forwarded-User") |
| delete(rc.Header, "X-Forwarded-UserId") |
| } |
| ru, err := url.Parse(fmt.Sprintf("http://%s%s", *upstream, r.URL.RequestURI())) |
| if err != nil { |
| http.Error(w, err.Error(), http.StatusInternalServerError) |
| return |
| } |
| rc.URL = ru |
| rc.RequestURI = "" |
| client := &http.Client{ |
| Transport: &http.Transport{ |
| TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, |
| }, |
| CheckRedirect: func(req *http.Request, via []*http.Request) error { |
| return http.ErrUseLastResponse |
| }, |
| } |
| resp, err := client.Do(rc) |
| if err != nil { |
| http.Error(w, err.Error(), http.StatusInternalServerError) |
| return |
| } |
| for name, values := range resp.Header { |
| for _, value := range values { |
| w.Header().Add(name, value) |
| } |
| } |
| w.WriteHeader(resp.StatusCode) |
| if _, err := io.Copy(w, resp.Body); err != nil { |
| http.Error(w, err.Error(), http.StatusInternalServerError) |
| return |
| } |
| } |
| |
| func queryWhoAmI(cookies []*http.Cookie) (*user, error) { |
| jar, err := cookiejar.New(nil) |
| if err != nil { |
| return nil, err |
| } |
| client := &http.Client{ |
| Jar: jar, |
| Transport: &http.Transport{ |
| TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, |
| }, |
| } |
| addr, err := url.Parse(*whoAmIAddr) |
| if err != nil { |
| return nil, err |
| } |
| client.Jar.SetCookies(addr, cookies) |
| resp, err := client.Get(*whoAmIAddr) |
| if err != nil { |
| return nil, err |
| } |
| data := make(map[string]any) |
| if err := json.NewDecoder(resp.Body).Decode(&data); err != nil { |
| return nil, err |
| } |
| // TODO(gio): remove debugging |
| b, err := json.MarshalIndent(data, "", " ") |
| if err != nil { |
| return nil, err |
| } |
| fmt.Println(string(b)) |
| var buf bytes.Buffer |
| if err := json.NewEncoder(&buf).Encode(data); err != nil { |
| return nil, err |
| } |
| tmp := buf.String() |
| if resp.StatusCode == http.StatusOK { |
| u := &user{} |
| if err := json.NewDecoder(strings.NewReader(tmp)).Decode(u); err != nil { |
| return nil, err |
| } |
| return u, nil |
| } |
| e := &authError{} |
| if err := json.NewDecoder(strings.NewReader(tmp)).Decode(e); err != nil { |
| return nil, err |
| } |
| if e.Error.Status == "Unauthorized" { |
| return nil, nil |
| } |
| return nil, fmt.Errorf("Unknown error: %s", tmp) |
| } |
| |
| type MembershipInfo struct { |
| MemberOf []string `json:"memberOf"` |
| } |
| |
| func getTransitiveGroups(user string) ([]string, error) { |
| resp, err := http.Get(fmt.Sprintf("%s/%s", *membershipAddr, user)) |
| if err != nil { |
| return nil, err |
| } |
| var info MembershipInfo |
| if err := json.NewDecoder(resp.Body).Decode(&info); err != nil { |
| return nil, err |
| } |
| return info.MemberOf, nil |
| } |
| |
| func main() { |
| flag.Parse() |
| if *groups != "" && (*membershipAddr == "" || *membershipPublicAddr == "") { |
| log.Fatal("membership-addr and membership-public-addr flags are required when groups are provided") |
| } |
| if err := initPathPatterns(); err != nil { |
| log.Fatal(err) |
| } |
| http.Handle("/.auth/static/", http.StripPrefix("/.auth", cachingHandler{http.FileServer(http.FS(f))})) |
| http.HandleFunc("/", handle) |
| fmt.Printf("Starting HTTP server on port: %d\n", *port) |
| log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", *port), nil)) |
| } |