dashboard: Can restrict access through htpasswd

2022-06-06 10:48:06 +02:00 · 2022-06-06 10:48:06 +02:00 · 437ed4d393
parent 635e67c224
commit 437ed4d393
5 changed files with 89 additions and 2 deletions
--- a/dashboard/app.go
+++ b/dashboard/app.go
@ -15,7 +15,7 @@ type App struct {
 	bind   string
 }

-func NewApp(baseURL string, bind string) App {
+func NewApp(htpasswd_file *string, baseURL string, bind string) App {
 	gin.ForceConsoleColor()
 	router := gin.Default()

@ -29,6 +29,11 @@ func NewApp(baseURL string, bind string) App {
 	} else {
 		baserouter = router.Group("")
 	}
+
+	if htpasswd_file != nil && len(*htpasswd_file) > 0 {
+		baserouter.Use(Htpassword(*htpasswd_file))
+	}
+
 	declareStaticRoutes(baserouter, baseURL)

 	app := App{
--- a/dashboard/htpasswd.go
+++ b/dashboard/htpasswd.go
@ -0,0 +1,78 @@
+package main
+
+import (
+	"bufio"
+	"fmt"
+	"log"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"gitlab.com/nyarla/go-crypt"
+)
+
+func Htpassword(file string) func(c *gin.Context) {
+	htpasswd := &Htpasswd{}
+
+	log.Println("Reading htpasswd file...")
+	var err error
+	if htpasswd, err = NewHtpasswd(file); htpasswd == nil {
+		log.Fatal("Unable to parse htpasswd:", err)
+	}
+
+	return func(c *gin.Context) {
+		username, password, ok := c.Request.BasicAuth()
+		if !ok {
+			c.Writer.Header().Add("WWW-Authenticate", "Basic realm=\"FIC challenge Dashboard\"")
+			c.AbortWithError(http.StatusUnauthorized, fmt.Errorf("Please login"))
+			return
+		}
+
+		if !htpasswd.Authenticate(username, password) {
+			c.Writer.Header().Add("WWW-Authenticate", "Basic realm=\"FIC challenge Dashboard\"")
+			c.AbortWithError(http.StatusUnauthorized, fmt.Errorf("Not authorized"))
+			return
+		}
+
+		c.Next()
+	}
+}
+
+type Htpasswd struct {
+	entries map[string]string
+}
+
+func NewHtpasswd(path string) (*Htpasswd, error) {
+	if fd, err := os.Open(path); err != nil {
+		return nil, err
+	} else {
+		defer fd.Close()
+
+		htpasswd := Htpasswd{
+			map[string]string{},
+		}
+
+		scanner := bufio.NewScanner(fd)
+		for scanner.Scan() {
+			line := strings.SplitN(strings.TrimSpace(scanner.Text()), ":", 2)
+			if len(line) == 2 && len(line[1]) > 2 {
+				htpasswd.entries[line[0]] = line[1]
+			}
+		}
+		if err := scanner.Err(); err != nil {
+			return nil, err
+		}
+		return &htpasswd, nil
+	}
+}
+
+func (h Htpasswd) Authenticate(username, password string) bool {
+	if hash, ok := h.entries[username]; !ok {
+		return false
+	} else if crypt.Crypt(password, hash[:2]) != hash {
+		return false
+	} else {
+		return true
+	}
+}
--- a/dashboard/main.go
+++ b/dashboard/main.go
@ -69,6 +69,7 @@ func main() {

 	// Read parameters from command line
 	var bind = flag.String("bind", "127.0.0.1:8082", "Bind port/socket")
+	htpasswd_file := flag.String("htpasswd", "", "Restrict access with password, Apache htpasswd format")
 	flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
 	staticDir := flag.String("static", "./htdocs-dashboard/", "Directory containing static files")
 	flag.StringVar(&fic.FilesDir, "files", fic.FilesDir, "Base directory where found challenges files, local part")
@ -118,7 +119,7 @@ func main() {
 	interrupt := make(chan os.Signal, 1)
 	signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)

-	app := NewApp(baseURL, *bind)
+	app := NewApp(htpasswd_file, baseURL, *bind)
 	go app.Start()

 	// Wait shutdown signal
--- a/go.mod
+++ b/go.mod
@ -11,6 +11,7 @@ require (
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/studio-b12/gowebdav v0.0.0-20220128162035-c7b1ff8a5e62
 	github.com/yuin/goldmark v1.4.12
+	gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b // indirect
 	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
 	golang.org/x/image v0.0.0-20220413100746-70e8d0d3baa9
 	golang.org/x/oauth2 v0.0.0-20220524215830-622c5d57e401
--- a/go.sum
+++ b/go.sum
@ -209,6 +209,8 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.12 h1:6hffw6vALvEDqJ19dOJvJKOoAOKe4NDaTqvd2sktGN0=
 github.com/yuin/goldmark v1.4.12/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b h1:7gd+rd8P3bqcn/96gOZa3F5dpJr/vEiDQYlNb/y2uNs=
+gitlab.com/nyarla/go-crypt v0.0.0-20160106005555-d9a5dc2b789b/go.mod h1:T3BPAOm2cqquPa0MKWeNkmOM5RQsRhkrwMWonFMN7fE=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=