From 046abdd93c47bd71c220a71b081247f4ae135702 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Fri, 21 Feb 2020 01:05:53 +0100
Subject: [PATCH] login-validator: new auth method: http forwarder

---
 pkg/login-validator/cmd/auth_fwd.go | 26 ++++++++++++++++++++++++++
 pkg/login-validator/cmd/main.go | 14 +++++++++++++-
 server.yml | 3 ++-
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 pkg/login-validator/cmd/auth_fwd.go

diff --git a/pkg/login-validator/cmd/auth_fwd.go b/pkg/login-validator/cmd/auth_fwd.go
new file mode 100644
index 0000000..1a62088
--- /dev/null
+++ b/pkg/login-validator/cmd/auth_fwd.go
@@ -0,0 +1,26 @@
+package main
+
+import (
+ "net/http"
+ "net/url"
+)
+
+type FWDAuth struct {
+ URI *url.URL
+}
+
+func (f FWDAuth) checkAuth(username, password string) (res bool, err error) {
+ if r, err := http.NewRequest("GET", f.URI.String(), nil); err != nil {
+ return false, err
+ } else {
+ r.SetBasicAuth(username, password)
+
+ if resp, err := http.DefaultClient.Do(r); err != nil {
+ return false, err
+ } else {
+ resp.Body.Close()
+
+ return resp.StatusCode < 400, err
+ }
+ }
+}
diff --git a/pkg/login-validator/cmd/main.go b/pkg/login-validator/cmd/main.go
index 24447f2..d3cdfb1 100644
--- a/pkg/login-validator/cmd/main.go
+++ b/pkg/login-validator/cmd/main.go
@@ -6,6 +6,7 @@ import (
 "fmt"
 "log"
 "net/http"
+ "net/url"
 "os"
 "os/signal"
 "path/filepath"
@@ -23,7 +24,9 @@ func main() {
 flag.StringVar(&tftpDir, "tftpdir", "/var/tftp/", "Path to TFTPd directory")
 flag.StringVar(&loginSalt, "loginsalt", "adelina", "secret used in login HMAC")
 
- var auth = flag.String("auth", "none", "Auth method: none, ldap")
+ var auth = flag.String("auth", "none", "Auth method: none, ldap, fwd")
+
+ var fwdURI = flag.String("fwduri", "https://srs.epita.fr:443/", "URI to forward auth requests")
 
 var ldapAddr = flag.String("ldaphost", "auth.cri.epita.fr", "LDAP host")
 var ldapPort = flag.Int("ldapport", 636, "LDAP port")
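Review bot: The success test `resp.StatusCode < 400` in checkAuth accepts any 2xx or 3xx, and since `http.DefaultClient` follows redirects, an upstream that answers a bad password with a redirect to a page returning 200 would count as a valid login; the request also carries no timeout, so a stalled auth server holds every login attempt open indefinitely. I would use a dedicated client with a `Timeout` and a `CheckRedirect` that returns `http.ErrUseLastResponse`, accept only `http.StatusOK`, and return an error rather than a bare false for statuses other than 401/403 so an upstream outage stays distinguishable from a denial (how the caller treats that error is outside this patch). The nested if/else chains flatten to early returns and `defer resp.Body.Close()` replaces the explicit close. This needs `time` and `fmt` added to the file's imports.
```go
// authClient bounds how long a login can wait on the upstream and refuses to
// follow redirects, so a 3xx can never be mistaken for an accepted login.
var authClient = &http.Client{
	Timeout: 10 * time.Second,
	CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	},
}

// checkAuth forwards the credentials as HTTP Basic auth to f.URI and treats
// only a 200 as an accepted login; 401/403 is a denial, anything else is an error.
func (f FWDAuth) checkAuth(username, password string) (bool, error) {
	r, err := http.NewRequest("GET", f.URI.String(), nil)
	if err != nil {
		return false, err
	}
	r.SetBasicAuth(username, password)

	resp, err := authClient.Do(r)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()

	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusUnauthorized, http.StatusForbidden:
		return false, nil
	default:
		return false, fmt.Errorf("auth forwarder %s: unexpected status %d", f.URI, resp.StatusCode)
	}
}
```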
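Review bot: The `-fwduri` default `https://srs.epita.fr:443/` means that starting the validator with `-auth=fwd` and no `-fwduri` silently sends every user's username and password as Basic auth to that host; a credential-forwarding target should not have a default. I would declare it as `var fwdURI = flag.String("fwduri", "", "absolute https URI that receives the user's credentials as Basic auth")` and refuse to start when `-auth=fwd` is selected with an empty value. The enclosing main starts and ends outside this hunk.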
@@ -53,6 +56,15 @@ func main() {
 BindUsername: *ldapbindusername,
 BindPassword: *ldapbindpassword,
 }
+ } else if auth != nil && *auth == "fwd" && fwdURI != nil {
+ if uri, err := url.Parse(*fwdURI); err != nil {
+ log.Fatal("Unable to parse FWD URL:", err)
+ } else {
+ log.Printf("Auth method: HTTP_FWD(%s)", uri)
+ lc.authMethod = FWDAuth{
+ URI: uri,
+ }
+ }
 } else {
 log.Println("No auth method selected: all access will be granted")
 lc.authMethod = NoAuth{}
diff --git a/server.yml b/server.yml
index 8b639b4..b2b158a 100644
--- a/server.yml
+++ b/server.yml
@@ -155,7 +155,8 @@ services:
 - name: login-validator
 image: nemunaire/adlin-login-validator:87f1cf05e8037b934d293a48704bd3f8ee678d41
 # command: ["/bin/login-validator", "-bind=:8081", "-auth=ldap", "-ldaphost=auth.cri.epita.net", "-ldapport=636", "-ldaptls", "-ldapbase=dc=epita,dc=net"]
- command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
+ command: ["/bin/login-validator", "-bind=:8081", "-auth=fwd", "-fwduri=https://adlin.nemunai.re/auth"]
+# command: ["/bin/login-validator", "-bind=:8081", "-auth=none"]
 net: /run/netns/login
 binds:
 - /etc/resolv.conf:/etc/resolv.conf:ro
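Review bot: `url.Parse` accepts almost any string — an empty `-fwduri=`, `http://`, or a bare word all parse without error — so the only validation in the new fwd branch is the parse-error path, and a plaintext or host-less target is only discovered per request inside checkAuth, where an `http://` URL would transmit user passwords in clear. After the successful parse I would add `if uri.Scheme != "https" || uri.Host == "" { log.Fatalf("FWD URL must be an absolute https URL, got %q", *fwdURI) }` before assigning `lc.authMethod`, unless a plaintext loopback target is intentionally supported. The `auth != nil` and `fwdURI != nil` guards are always true, since `flag.String` never returns nil, and can be dropped (they may mirror the ldap branch, which sits above this hunk). The enclosing main starts and ends outside this hunk.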
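Review bot: The new command forwards credentials to `https://adlin.nemunai.re/auth`, so the login-validator container now needs outbound reachability from the `/run/netns/login` namespace to that host and a CA bundle to verify its certificate; only `/etc/resolv.conf` is bound here, and if the image ships no `/etc/ssl/certs`, every login will fail with an x509 error (fail-closed, but a complete outage). If the image lacks a CA bundle, bind it read-only with `- /etc/ssl/certs:/etc/ssl/certs:ro` alongside resolv.conf, and confirm the namespace's egress policy allows the endpoint. The commented-out `-auth=none` fallback is fine to keep, but a short comment that it grants all access would stop it being re-enabled casually.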