upgrade to github.com/greenpau/go-authcrunch v1.0.14

greenpau · Feb 6, 2022 · 379b7b2 · 379b7b2
1 parent a859100
commit 379b7b2
Show file tree

Hide file tree

Showing 9 changed files with 93 additions and 23 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -81,10 +81,10 @@ module github.com/greenpau/caddy-security
 go 1.16
 
 require (
-    github.com/greenpau/go-authcrunch v1.0.13
+    github.com/greenpau/go-authcrunch v1.0.14
 )
 
-replace github.com/greenpau/go-authcrunch v1.0.13 => /home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
+replace github.com/greenpau/go-authcrunch v1.0.14 => /home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
 ```
 
 Then, modify `Makefile` such that that replacement passes to `xcaddy` builder:
@@ -93,7 +93,7 @@ Then, modify `Makefile` such that that replacement passes to `xcaddy` builder:
         @mkdir -p ../xcaddy-$(PLUGIN_NAME) && cd ../xcaddy-$(PLUGIN_NAME) && \
                 xcaddy build $(CADDY_VERSION) --output ../$(PLUGIN_NAME)/bin/caddy \
                 --with github.com/greenpau/caddy-security@$(LATEST_GIT_COMMIT)=$(BUILD_DIR) \
-                --with github.com/greenpau/[email protected].13=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
+                --with github.com/greenpau/[email protected].14=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
 ```
 
 Once all the necessary packages are installed, you should be ready to compile

diff --git a/Makefile b/Makefile
@@ -15,9 +15,9 @@ all: info
 	@rm -rf ../xcaddy-$(PLUGIN_NAME)/*
 	@mkdir -p ../xcaddy-$(PLUGIN_NAME) && cd ../xcaddy-$(PLUGIN_NAME) && \
 		xcaddy build $(CADDY_VERSION) --output ../$(PLUGIN_NAME)/bin/caddy \
-		--with github.com/greenpau/caddy-security@$(LATEST_GIT_COMMIT)=$(BUILD_DIR)
-	@#--with github.com/greenpau/go-authcrunch@v1.0.13=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
-	@#--with github.com/greenpau/caddy-trace@v1.1.8=/home/greenpau/dev/go/src/github.com/greenpau/caddy-trace
+		--with github.com/greenpau/caddy-security@$(LATEST_GIT_COMMIT)=$(BUILD_DIR) \
+		--with github.com/greenpau/caddy-trace@v1.1.8
+	@#--with github.com/greenpau/go-authcrunch@v1.0.14=/home/greenpau/dev/go/src/github.com/greenpau/go-authcrunch
 	@#bin/caddy run -config assets/config/Caddyfile
 	@for f in `find ./assets -type f -name 'Caddyfile'`; do bin/caddy fmt -overwrite $$f; done
 

diff --git a/caddyfile_authn.go b/caddyfile_authn.go
@@ -102,6 +102,9 @@ const (
 //     }
 //
 //     validate source address
+//
+//     enable source ip tracking
+//     enable admin api
 //   }
 //
 func parseCaddyfileAuthentication(d *caddyfile.Dispenser, repl *caddy.Replacer, cfg *authcrunch.Config) error {

diff --git a/caddyfile_authn_cookie.go b/caddyfile_authn_cookie.go
@@ -15,42 +15,95 @@
 package security
 
 import (
+	"fmt"
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 	"github.com/greenpau/go-authcrunch/pkg/authn"
+	"github.com/greenpau/go-authcrunch/pkg/authn/cookie"
 	cfgutil "github.com/greenpau/go-authcrunch/pkg/util/cfg"
 	"strconv"
 	"strings"
 )
 
 func parseCaddyfileAuthPortalCookie(h *caddyfile.Dispenser, repl *caddy.Replacer, portal *authn.PortalConfig, rootDirective string, args []string) error {
-	if len(args) != 2 {
+	switch {
+	case len(args) == 2:
+		if err := updateAuthPortalCookieConfig(portal, "default", args[0], args[1]); err != nil {
+			return h.Errf("%s %s directive erred: %v", rootDirective, strings.Join(args, " "), err)
+		}
+
+	case len(args) == 3:
+		if err := updateAuthPortalCookieConfig(portal, args[0], args[1], args[2]); err != nil {
+			return h.Errf("%s %s directive erred: %v", rootDirective, strings.Join(args, " "), err)
+		}
+	default:
 		return h.Errf("%s %s directive is invalid", rootDirective, strings.Join(args, " "))
 	}
-	switch args[0] {
+	return nil
+}
+
+func updateAuthPortalCookieConfig(portal *authn.PortalConfig, domain, k, v string) error {
+	var defaultDomain bool
+	if domain == "default" {
+		defaultDomain = true
+	}
+
+	if defaultDomain && (k == "domain") {
+		domain = v
+		defaultDomain = false
+	}
+
+	if !defaultDomain {
+		if portal.CookieConfig.Domains == nil {
+			portal.CookieConfig.Domains = make(map[string]*cookie.DomainConfig)
+		}
+		if _, exists := portal.CookieConfig.Domains[domain]; !exists {
+			portal.CookieConfig.Domains[domain] = &cookie.DomainConfig{
+				Domain: domain,
+			}
+		}
+		portal.CookieConfig.Domains[domain].Seq = len(portal.CookieConfig.Domains)
+	}
+
+	switch k {
 	case "domain":
-		portal.CookieConfig.Domain = args[1]
 	case "path":
-		portal.CookieConfig.Path = args[1]
+		if defaultDomain {
+			portal.CookieConfig.Path = v
+		} else {
+			portal.CookieConfig.Domains[domain].Path = v
+		}
 	case "lifetime":
-		lifetime, err := strconv.Atoi(args[1])
+		lifetime, err := strconv.Atoi(v)
 		if err != nil {
-			return h.Errf("%s %s value %q conversion failed: %v", rootDirective, args[0], args[1], err)
+			return fmt.Errorf("value %q conversion failed: %v", v, err)
 		}
 		if lifetime < 1 {
-			return h.Errf("%s %s value must be greater than zero", rootDirective, args[0])
+			return fmt.Errorf("%s value must be greater than zero", k)
+		}
+		if defaultDomain {
+			portal.CookieConfig.Lifetime = lifetime
+		} else {
+			portal.CookieConfig.Domains[domain].Lifetime = lifetime
 		}
-		portal.CookieConfig.Lifetime = lifetime
 	case "samesite":
-		portal.CookieConfig.SameSite = args[1]
+		if defaultDomain {
+			portal.CookieConfig.SameSite = v
+		} else {
+			portal.CookieConfig.Domains[domain].SameSite = v
+		}
 	case "insecure":
-		enabled, err := cfgutil.ParseBoolArg(args[1])
+		enabled, err := cfgutil.ParseBoolArg(v)
 		if err != nil {
-			return h.Errf("%s %s directive value of %q is invalid: %v", rootDirective, args[0], args[1], err)
+			return fmt.Errorf("%s value of %q is invalid: %v", k, v, err)
+		}
+		if defaultDomain {
+			portal.CookieConfig.Insecure = enabled
+		} else {
+			portal.CookieConfig.Domains[domain].Insecure = enabled
 		}
-		portal.CookieConfig.Insecure = enabled
 	default:
-		return h.Errf("%s %s directive is unsupported", rootDirective, strings.Join(args, " "))
+		return fmt.Errorf("unsupported %q directive", k)
 	}
 	return nil
 }
diff --git a/caddyfile_authn_misc.go b/caddyfile_authn_misc.go
@@ -29,6 +29,11 @@ func parseCaddyfileAuthPortalMisc(h *caddyfile.Dispenser, repl *caddy.Replacer,
 		switch v {
 		case "source ip tracking":
 			portal.TokenGrantorOptions.EnableSourceAddress = true
+		case "admin api":
+			if portal.API == nil {
+				portal.API = &authn.APIConfig{}
+				portal.API.Enabled = true
+			}
 		default:
 			return h.Errf("unsupported directive for %s: %s", rootDirective, v)
 		}

diff --git a/caddyfile_authn_test.go b/caddyfile_authn_test.go
@@ -164,7 +164,12 @@ func TestParseCaddyfileAuthentication(t *testing.T) {
                       }
                     ],
                     "cookie_config": {
-                      "domain": "contoso.com"
+					  "domains": {
+					    "contoso.com": {
+						  "seq":   1,
+						  "domain": "contoso.com"
+						}
+					  }
                     },
                     "backend_configs": [
                       {

diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.16
 require (
 	github.com/caddyserver/caddy/v2 v2.4.6
 	github.com/google/go-cmp v0.5.7
-	github.com/greenpau/go-authcrunch v1.0.13
+	github.com/greenpau/go-authcrunch v1.0.14
 	github.com/satori/go.uuid v1.2.0
 	go.uber.org/zap v1.20.0
 )
diff --git a/go.sum b/go.sum
@@ -476,8 +476,8 @@ github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2z
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/greenpau/go-authcrunch v1.0.13 h1:JGyGq9Xn3EkHG6D0DT/SpRDPJReIS3n0MqXxZYMJuoY=
-github.com/greenpau/go-authcrunch v1.0.13/go.mod h1:M/Np8/Vtfa7swLjXyQgpUBEzPDl0gr8Sqdm6GUCNQeI=
+github.com/greenpau/go-authcrunch v1.0.14 h1:qhU7INhMgwWQRqTbqB1yEmA75qnfNRtHz6XkA/aS1To=
+github.com/greenpau/go-authcrunch v1.0.14/go.mod h1:M/Np8/Vtfa7swLjXyQgpUBEzPDl0gr8Sqdm6GUCNQeI=
 github.com/greenpau/versioned v1.0.27 h1:aFJ16tzsUkbc6WT7DRia60S0VrgWzBNuul3h0RXFKxM=
 github.com/greenpau/versioned v1.0.27/go.mod h1:rtFCvaWWNbMH4CJnje/xicgmrM63j++rUh5juSu0k/A=
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=

diff --git a/plugin_authz.go b/plugin_authz.go
@@ -107,6 +107,10 @@ func (m AuthzMiddleware) Authenticate(w http.ResponseWriter, r *http.Request) (c
 		)
 	}
 
+	if ar.Response.Bypassed {
+		return caddyauth.User{}, ar.Response.Bypassed, nil
+	}
+
 	if ar.Response.User == nil {
 		return caddyauth.User{}, false, errors.ErrAuthorizationFailed.WithArgs(
 			getAuthorizationDetails(r, ar), "user data not found",