2017-09-18 15:48:07 +00:00
|
|
|
package auth
|
2016-07-20 22:29:00 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2017-02-24 02:46:50 +00:00
|
|
|
"io/ioutil"
|
2016-12-30 08:21:13 +00:00
|
|
|
"net/http"
|
2018-01-24 17:18:03 +00:00
|
|
|
"net/url"
|
2016-12-30 08:21:13 +00:00
|
|
|
"strings"
|
|
|
|
|
2017-08-25 16:22:03 +00:00
|
|
|
goauth "github.com/abbot/go-http-auth"
|
2016-09-23 16:27:01 +00:00
|
|
|
"github.com/containous/traefik/log"
|
2018-01-10 16:48:04 +00:00
|
|
|
"github.com/containous/traefik/middlewares/tracing"
|
2016-07-20 22:29:00 +00:00
|
|
|
"github.com/containous/traefik/types"
|
2017-07-19 10:02:51 +00:00
|
|
|
"github.com/urfave/negroni"
|
2016-07-20 22:29:00 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Authenticator is a middleware that provides HTTP basic and digest authentication
|
|
|
|
type Authenticator struct {
|
|
|
|
handler negroni.Handler
|
|
|
|
users map[string]string
|
|
|
|
}
|
|
|
|
|
2018-01-10 16:48:04 +00:00
|
|
|
type tracingAuthenticator struct {
|
|
|
|
name string
|
|
|
|
handler negroni.Handler
|
|
|
|
clientSpanKind bool
|
|
|
|
}
|
|
|
|
|
2018-07-16 11:52:03 +00:00
|
|
|
const (
|
|
|
|
authorizationHeader = "Authorization"
|
|
|
|
)
|
|
|
|
|
2017-10-02 08:32:02 +00:00
|
|
|
// NewAuthenticator builds a new Authenticator given a config
|
2018-01-10 16:48:04 +00:00
|
|
|
func NewAuthenticator(authConfig *types.Auth, tracingMiddleware *tracing.Tracing) (*Authenticator, error) {
|
2016-07-20 22:29:00 +00:00
|
|
|
if authConfig == nil {
|
2018-01-10 16:48:04 +00:00
|
|
|
return nil, fmt.Errorf("error creating Authenticator: auth is nil")
|
2016-07-20 22:29:00 +00:00
|
|
|
}
|
2018-06-11 09:36:03 +00:00
|
|
|
|
2016-07-20 22:29:00 +00:00
|
|
|
var err error
|
2018-06-11 09:36:03 +00:00
|
|
|
authenticator := &Authenticator{}
|
|
|
|
tracingAuth := tracingAuthenticator{}
|
|
|
|
|
2016-07-20 22:29:00 +00:00
|
|
|
if authConfig.Basic != nil {
|
2017-02-24 02:46:50 +00:00
|
|
|
authenticator.users, err = parserBasicUsers(authConfig.Basic)
|
2016-07-20 22:29:00 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-10-04 14:46:03 +00:00
|
|
|
realm := "traefik"
|
|
|
|
if authConfig.Basic.Realm != "" {
|
|
|
|
realm = authConfig.Basic.Realm
|
|
|
|
}
|
|
|
|
basicAuth := goauth.NewBasicAuthenticator(realm, authenticator.secretBasic)
|
2018-06-11 09:36:03 +00:00
|
|
|
tracingAuth.handler = createAuthBasicHandler(basicAuth, authConfig)
|
|
|
|
tracingAuth.name = "Auth Basic"
|
|
|
|
tracingAuth.clientSpanKind = false
|
2016-07-20 22:29:00 +00:00
|
|
|
} else if authConfig.Digest != nil {
|
2017-02-24 02:46:50 +00:00
|
|
|
authenticator.users, err = parserDigestUsers(authConfig.Digest)
|
2016-07-20 22:29:00 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-06-11 09:36:03 +00:00
|
|
|
|
2017-08-25 16:22:03 +00:00
|
|
|
digestAuth := goauth.NewDigestAuthenticator("traefik", authenticator.secretDigest)
|
2018-06-11 09:36:03 +00:00
|
|
|
tracingAuth.handler = createAuthDigestHandler(digestAuth, authConfig)
|
|
|
|
tracingAuth.name = "Auth Digest"
|
|
|
|
tracingAuth.clientSpanKind = false
|
2017-08-25 16:22:03 +00:00
|
|
|
} else if authConfig.Forward != nil {
|
2018-06-11 09:36:03 +00:00
|
|
|
tracingAuth.handler = createAuthForwardHandler(authConfig)
|
|
|
|
tracingAuth.name = "Auth Forward"
|
|
|
|
tracingAuth.clientSpanKind = true
|
2018-01-10 16:48:04 +00:00
|
|
|
}
|
2018-06-11 09:36:03 +00:00
|
|
|
|
2018-01-10 16:48:04 +00:00
|
|
|
if tracingMiddleware != nil {
|
2018-06-11 09:36:03 +00:00
|
|
|
authenticator.handler = tracingMiddleware.NewNegroniHandlerWrapper(tracingAuth.name, tracingAuth.handler, tracingAuth.clientSpanKind)
|
2018-01-10 16:48:04 +00:00
|
|
|
} else {
|
2018-06-11 09:36:03 +00:00
|
|
|
authenticator.handler = tracingAuth.handler
|
2016-07-20 22:29:00 +00:00
|
|
|
}
|
2018-06-11 09:36:03 +00:00
|
|
|
return authenticator, nil
|
2016-07-20 22:29:00 +00:00
|
|
|
}
|
|
|
|
|
2018-01-10 16:48:04 +00:00
|
|
|
func createAuthForwardHandler(authConfig *types.Auth) negroni.HandlerFunc {
|
|
|
|
return negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
|
|
|
|
Forward(authConfig.Forward, w, r, next)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
func createAuthDigestHandler(digestAuth *goauth.DigestAuth, authConfig *types.Auth) negroni.HandlerFunc {
|
|
|
|
return negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
|
|
|
|
if username, _ := digestAuth.CheckAuth(r); username == "" {
|
|
|
|
log.Debugf("Digest auth failed")
|
|
|
|
digestAuth.RequireAuth(w, r)
|
|
|
|
} else {
|
|
|
|
log.Debugf("Digest auth succeeded")
|
2018-01-24 17:18:03 +00:00
|
|
|
r.URL.User = url.User(username)
|
2018-01-10 16:48:04 +00:00
|
|
|
if authConfig.HeaderField != "" {
|
|
|
|
r.Header[authConfig.HeaderField] = []string{username}
|
|
|
|
}
|
2018-07-16 11:52:03 +00:00
|
|
|
if authConfig.Digest.RemoveHeader {
|
|
|
|
log.Debugf("Remove the Authorization header from the Digest auth")
|
|
|
|
r.Header.Del(authorizationHeader)
|
|
|
|
}
|
2018-01-10 16:48:04 +00:00
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
func createAuthBasicHandler(basicAuth *goauth.BasicAuth, authConfig *types.Auth) negroni.HandlerFunc {
|
|
|
|
return negroni.HandlerFunc(func(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
|
|
|
|
if username := basicAuth.CheckAuth(r); username == "" {
|
|
|
|
log.Debugf("Basic auth failed")
|
|
|
|
basicAuth.RequireAuth(w, r)
|
|
|
|
} else {
|
2018-01-24 17:18:03 +00:00
|
|
|
log.Debugf("Basic auth succeeded")
|
|
|
|
r.URL.User = url.User(username)
|
2018-01-10 16:48:04 +00:00
|
|
|
if authConfig.HeaderField != "" {
|
|
|
|
r.Header[authConfig.HeaderField] = []string{username}
|
|
|
|
}
|
2018-07-16 11:52:03 +00:00
|
|
|
if authConfig.Basic.RemoveHeader {
|
|
|
|
log.Debugf("Remove the Authorization header from the Basic auth")
|
|
|
|
r.Header.Del(authorizationHeader)
|
|
|
|
}
|
2018-01-10 16:48:04 +00:00
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2017-02-24 02:46:50 +00:00
|
|
|
func getLinesFromFile(filename string) ([]string, error) {
|
|
|
|
dat, err := ioutil.ReadFile(filename)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
// Trim lines and filter out blanks
|
|
|
|
rawLines := strings.Split(string(dat), "\n")
|
|
|
|
var filteredLines []string
|
|
|
|
for _, rawLine := range rawLines {
|
|
|
|
line := strings.TrimSpace(rawLine)
|
|
|
|
if line != "" {
|
|
|
|
filteredLines = append(filteredLines, line)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return filteredLines, nil
|
|
|
|
}
|
|
|
|
|
2016-07-20 22:29:00 +00:00
|
|
|
func (a *Authenticator) secretBasic(user, realm string) string {
|
|
|
|
if secret, ok := a.users[user]; ok {
|
|
|
|
return secret
|
|
|
|
}
|
|
|
|
log.Debugf("User not found: %s", user)
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *Authenticator) secretDigest(user, realm string) string {
|
|
|
|
if secret, ok := a.users[user+":"+realm]; ok {
|
|
|
|
return secret
|
|
|
|
}
|
|
|
|
log.Debugf("User not found: %s:%s", user, realm)
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
|
|
|
func (a *Authenticator) ServeHTTP(rw http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
|
|
|
|
a.handler.ServeHTTP(rw, r, next)
|
|
|
|
}
|