digest auth: use RequireAuthStale when appropriate
This commit is contained in:
parent
b54412e82e
commit
69de5bb828
4 changed files with 35 additions and 23 deletions
2
go.mod
2
go.mod
|
@ -104,7 +104,7 @@ replace github.com/docker/docker => github.com/docker/engine v1.4.2-0.2020020422
|
||||||
|
|
||||||
// Containous forks
|
// Containous forks
|
||||||
replace (
|
replace (
|
||||||
github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f
|
github.com/abbot/go-http-auth => github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e
|
||||||
github.com/go-check/check => github.com/containous/check v0.0.0-20170915194414-ca0bf163426a
|
github.com/go-check/check => github.com/containous/check v0.0.0-20170915194414-ca0bf163426a
|
||||||
github.com/gorilla/mux => github.com/containous/mux v0.0.0-20181024131434-c33f32e26898
|
github.com/gorilla/mux => github.com/containous/mux v0.0.0-20181024131434-c33f32e26898
|
||||||
github.com/mailgun/minheap => github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595
|
github.com/mailgun/minheap => github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595
|
||||||
|
|
6
go.sum
6
go.sum
|
@ -162,8 +162,8 @@ github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd h1:0n+lFLh5zU0l6K
|
||||||
github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd/go.mod h1:BbQgeDS5i0tNvypwEoF1oNjOJw8knRAE1DnVvjDstcQ=
|
github.com/containous/alice v0.0.0-20181107144136-d83ebdd94cbd/go.mod h1:BbQgeDS5i0tNvypwEoF1oNjOJw8knRAE1DnVvjDstcQ=
|
||||||
github.com/containous/check v0.0.0-20170915194414-ca0bf163426a h1:8esAQaPKjfntQR1bag/mAOvWJd5HqSX5nsa+0KT63zo=
|
github.com/containous/check v0.0.0-20170915194414-ca0bf163426a h1:8esAQaPKjfntQR1bag/mAOvWJd5HqSX5nsa+0KT63zo=
|
||||||
github.com/containous/check v0.0.0-20170915194414-ca0bf163426a/go.mod h1:eQOqZ7GoFsLxI7jFKLs7+Nv2Rm1x4FyK8d2NV+yGjwQ=
|
github.com/containous/check v0.0.0-20170915194414-ca0bf163426a/go.mod h1:eQOqZ7GoFsLxI7jFKLs7+Nv2Rm1x4FyK8d2NV+yGjwQ=
|
||||||
github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f h1:AgXgJSqQmsiNFW268OGe/y7Mn4jiCWaMUk05qser3Bo=
|
github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e h1:D+uTEzDZc1Fhmd0Pq06c+O9+KkAyExw0eVmu/NOqaHU=
|
||||||
github.com/containous/go-http-auth v0.4.1-0.20180112153951-65b0cdae8d7f/go.mod h1:dCmRGidPSLagL8D/2u7yIO6Y/8D/yuYX9EdKrnrhpCA=
|
github.com/containous/go-http-auth v0.4.1-0.20200324110947-a37a7636d23e/go.mod h1:s8kLgBQolDbsJOPVIGCEEv9zGAKUUf/685Gi0Qqg8z8=
|
||||||
github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595 h1:aPspFRO6b94To3gl4yTDOEtpjFwXI7V2W+z0JcNljQ4=
|
github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595 h1:aPspFRO6b94To3gl4yTDOEtpjFwXI7V2W+z0JcNljQ4=
|
||||||
github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595/go.mod h1:+lHFbEasIiQVGzhVDVw/cn0ZaOzde2OwNncp1NhXV4c=
|
github.com/containous/minheap v0.0.0-20190809180810-6e71eb837595/go.mod h1:+lHFbEasIiQVGzhVDVw/cn0ZaOzde2OwNncp1NhXV4c=
|
||||||
github.com/containous/multibuf v0.0.0-20190809014333-8b6c9a7e6bba h1:PhR03pep+5eO/9BSvCY9RyG8rjogB3uYS4X/WBYNTT8=
|
github.com/containous/multibuf v0.0.0-20190809014333-8b6c9a7e6bba h1:PhR03pep+5eO/9BSvCY9RyG8rjogB3uYS4X/WBYNTT8=
|
||||||
|
@ -796,6 +796,8 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
|
||||||
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
|
||||||
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
|
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
|
||||||
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
|
golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6 h1:TjszyFsQsyZNHwdVdZ5m7bjmreu0znc2kRYsEml9/Ww=
|
||||||
|
golang.org/x/crypto v0.0.0-20200317142112-1b76d66859c6/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
|
||||||
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||||
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||||
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
|
||||||
|
|
|
@ -49,7 +49,8 @@ func NewBasic(ctx context.Context, next http.Handler, authConfig dynamic.BasicAu
|
||||||
if len(authConfig.Realm) > 0 {
|
if len(authConfig.Realm) > 0 {
|
||||||
realm = authConfig.Realm
|
realm = authConfig.Realm
|
||||||
}
|
}
|
||||||
ba.auth = goauth.NewBasicAuthenticator(realm, ba.secretBasic)
|
|
||||||
|
ba.auth = &goauth.BasicAuth{Realm: realm, Secrets: ba.secretBasic}
|
||||||
|
|
||||||
return ba, nil
|
return ba, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -61,29 +61,38 @@ func (d *digestAuth) GetTracingInformation() (string, ext.SpanKindEnum) {
|
||||||
func (d *digestAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
func (d *digestAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||||
logger := log.FromContext(middlewares.GetLoggerCtx(req.Context(), d.name, digestTypeName))
|
logger := log.FromContext(middlewares.GetLoggerCtx(req.Context(), d.name, digestTypeName))
|
||||||
|
|
||||||
if username, _ := d.auth.CheckAuth(req); username == "" {
|
username, authinfo := d.auth.CheckAuth(req)
|
||||||
|
if username == "" {
|
||||||
|
if authinfo != nil && *authinfo == "stale" {
|
||||||
|
logger.Debug("Digest authentication failed, possibly because out of order requests")
|
||||||
|
tracing.SetErrorWithEvent(req, "Digest authentication failed, possibly because out of order requests")
|
||||||
|
d.auth.RequireAuthStale(rw, req)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
logger.Debug("Digest authentication failed")
|
logger.Debug("Digest authentication failed")
|
||||||
tracing.SetErrorWithEvent(req, "Digest authentication failed")
|
tracing.SetErrorWithEvent(req, "Digest authentication failed")
|
||||||
d.auth.RequireAuth(rw, req)
|
d.auth.RequireAuth(rw, req)
|
||||||
} else {
|
return
|
||||||
logger.Debug("Digest authentication succeeded")
|
|
||||||
req.URL.User = url.User(username)
|
|
||||||
|
|
||||||
logData := accesslog.GetLogData(req)
|
|
||||||
if logData != nil {
|
|
||||||
logData.Core[accesslog.ClientUsername] = username
|
|
||||||
}
|
|
||||||
|
|
||||||
if d.headerField != "" {
|
|
||||||
req.Header[d.headerField] = []string{username}
|
|
||||||
}
|
|
||||||
|
|
||||||
if d.removeHeader {
|
|
||||||
logger.Debug("Removing the Authorization header")
|
|
||||||
req.Header.Del(authorizationHeader)
|
|
||||||
}
|
|
||||||
d.next.ServeHTTP(rw, req)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
logger.Debug("Digest authentication succeeded")
|
||||||
|
req.URL.User = url.User(username)
|
||||||
|
|
||||||
|
logData := accesslog.GetLogData(req)
|
||||||
|
if logData != nil {
|
||||||
|
logData.Core[accesslog.ClientUsername] = username
|
||||||
|
}
|
||||||
|
|
||||||
|
if d.headerField != "" {
|
||||||
|
req.Header[d.headerField] = []string{username}
|
||||||
|
}
|
||||||
|
|
||||||
|
if d.removeHeader {
|
||||||
|
logger.Debug("Removing the Authorization header")
|
||||||
|
req.Header.Del(authorizationHeader)
|
||||||
|
}
|
||||||
|
d.next.ServeHTTP(rw, req)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (d *digestAuth) secretDigest(user, realm string) string {
|
func (d *digestAuth) secretDigest(user, realm string) string {
|
||||||
|
|
Loading…
Add table
Reference in a new issue