From 5cb359d877d00da73f20631d6c78891c5a581a61 Mon Sep 17 00:00:00 2001
From: "A.Unger"
Date: Mon, 30 Nov 2020 17:19:03 +0100
Subject: [PATCH] WIP
---
 accounts/pkg/command/server.go | 8 +++++
 accounts/pkg/server/http/server.go | 8 +++++
 proxy/pkg/command/server.go | 11 +++---
 proxy/pkg/middleware/authentication.go | 48 ++++++++++++++++++++++++++
 proxy/pkg/middleware/basic_auth.go | 7 ++--
 proxy/pkg/middleware/oidc_auth.go | 5 ++-
 6 files changed, 78 insertions(+), 9 deletions(-)
 create mode 100644 proxy/pkg/middleware/authentication.go
diff --git a/accounts/pkg/command/server.go b/accounts/pkg/command/server.go
index b5edee2db9..e6ce9e7645 100644
--- a/accounts/pkg/command/server.go
+++ b/accounts/pkg/command/server.go
@@ -2,8 +2,11 @@ package command
 
 import (
 "context"
+ gohttp "net/http"
+ _ "net/http/pprof"
 "os"
 "os/signal"
+ "runtime"
 "strings"
 
 "github.com/micro/cli/v2"
@@ -109,6 +112,11 @@ func Server(cfg *config.Config) *cli.Command {
 cancel()
 })
 }
+ runtime.SetBlockProfileRate(1)
+ runtime.SetMutexProfileFraction(1)
+ go func() {
+ gohttp.ListenAndServe(":8887", nil)
+ }()
 return gr.Run()
 },
diff --git a/accounts/pkg/server/http/server.go b/accounts/pkg/server/http/server.go
index 4514d412ac..81678a71b1 100644
--- a/accounts/pkg/server/http/server.go
+++ b/accounts/pkg/server/http/server.go
@@ -1,7 +1,12 @@
 package http
 
 import (
+ _ "net/http/pprof"
+
+ ghttp "net/http"
+
 "github.com/go-chi/chi"
+ cmw "github.com/go-chi/chi/middleware"
 "github.com/owncloud/ocis/accounts/pkg/assets"
 "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 "github.com/owncloud/ocis/accounts/pkg/version"
@@ -27,6 +32,9 @@ func Server(opts ...Option) http.Service {
 mux := chi.NewMux()
+ mux.Use(func(next ghttp.Handler) ghttp.Handler {
+ return cmw.Profiler()
+ })
 mux.Use(middleware.RealIP)
 mux.Use(middleware.RequestID)
 mux.Use(middleware.NoCache)
diff --git a/proxy/pkg/command/server.go b/proxy/pkg/command/server.go
index dad51e2497..2f5cb86198 100644
--- a/proxy/pkg/command/server.go
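Review bot: The profiling listener started by `gohttp.ListenAndServe(":8887", nil)` serves the DefaultServeMux on all interfaces, and the blank import of net/http/pprof in this file's first hunk registers the /debug/pprof handlers on that mux, so any host that can reach port 8887 can pull heap and goroutine dumps or start CPU profiles without authentication; the returned error is dropped as well, so a failed bind is silent. If this is meant to outlive the WIP state, bind to loopback or gate it behind a config flag and surface the error: `if err := gohttp.ListenAndServe("127.0.0.1:8887", nil); err != nil { /* log it */ }`. `runtime.SetBlockProfileRate(1)` and `runtime.SetMutexProfileFraction(1)` sample every event and add cost to every request in production, so they belong behind the same flag. The enclosing command action starts and ends outside the hunk.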
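Review bot: The middleware added with `mux.Use` discards `next` and returns `cmw.Profiler()` for every request, so nothing behind it in the chain — RealIP, RequestID, NoCache and whatever is mounted after them — is reachable any more, and the profiler's pprof routes are served unauthenticated from the service root. chi's Profiler is a sub-router meant to be mounted, e.g. `mux.Mount("/debug", cmw.Profiler())`, and even then only when a config flag enables it, as it exposes the same heap and goroutine data as the listener added in accounts/pkg/command/server.go. As far as I recall chi's Profiler wires the pprof handlers itself, so the blank net/http/pprof import in this file's first hunk should then be redundant — worth confirming. Server continues outside the hunk.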
+++ b/proxy/pkg/command/server.go
@@ -268,8 +268,8 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 return alice.New(
 middleware.HTTPSRedirect,
- middleware.OIDCAuth(
- middleware.Logger(l),
+ middleware.Authentication(
+ // OIDC Options
 middleware.OIDCProviderFunc(func() (middleware.OIDCProvider, error) {
 // Initialize a provider by specifying the issuer URL.
 // it will fetch the keys from the issuer using the .well-known
@@ -280,13 +280,12 @@ func loadMiddlewares(ctx context.Context, l log.Logger, cfg *config.Config) alic
 )
 }),
 middleware.HTTPClient(oidcHTTPClient),
- middleware.OIDCIss(cfg.OIDC.Issuer),
 middleware.TokenCacheSize(cfg.OIDC.UserinfoCache.Size),
 middleware.TokenCacheTTL(time.Second*time.Duration(cfg.OIDC.UserinfoCache.TTL)),
- ),
- middleware.BasicAuth(
+
+ // basic Options
 middleware.Logger(l),
- middleware.EnableBasicAuth(cfg.EnableBasicAuth),
+ middleware.EnableBasicAuth(true),
 middleware.AccountsClient(accountsClient),
 middleware.OIDCIss(cfg.OIDC.Issuer),
 ),
diff --git a/proxy/pkg/middleware/authentication.go b/proxy/pkg/middleware/authentication.go
new file mode 100644
index 0000000000..00d0efcbec
--- /dev/null
+++ b/proxy/pkg/middleware/authentication.go
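Review bot: `middleware.EnableBasicAuth(true)` replaces `cfg.EnableBasicAuth`, so basic auth is forced on for every deployment regardless of what the operator configured; the removed line should come back as `middleware.EnableBasicAuth(cfg.EnableBasicAuth),`. Since all options now feed a single `middleware.Authentication` call, the one `middleware.Logger(l)` and the one `middleware.OIDCIss(cfg.OIDC.Issuer)` left under `// basic Options` also serve the OIDC handler, which the section comments hide; a one-line comment such as `// options below are shared by the OIDC and basic handlers` would make that explicit. loadMiddlewares starts and ends outside the hunk.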
@@ -0,0 +1,48 @@
+package middleware
+
+import (
+ "fmt"
+ "net/http"
+ "time"
+)
+
+// Authentication is a higher level authentication middleware.
+func Authentication(opts ...Option) func(next http.Handler) http.Handler {
+ options := newOptions(opts...)
+
+ oidc := OIDCAuth(
+ Logger(options.Logger),
+ OIDCProviderFunc(options.OIDCProviderFunc),
+ HTTPClient(options.HTTPClient),
+ OIDCIss(options.OIDCIss),
+ TokenCacheSize(options.UserinfoCacheSize),
+ TokenCacheTTL(time.Second*time.Duration(options.UserinfoCacheTTL)),
+ )
+
+ basic := BasicAuth(
+ Logger(options.Logger),
+ EnableBasicAuth(options.EnableBasicAuth),
+ AccountsClient(options.AccountsClient),
+ OIDCIss(options.OIDCIss),
+ )
+
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // here we multiplex depending on the use agent
+ userAgent := r.Header.Get("User-Agent")
+ fmt.Printf("\n\nUser-Agent:\t%s\n\n", userAgent)
+ switch userAgent {
+ case "a":
+ oidc(next).ServeHTTP(w, r)
+ return
+ case "b":
+ basic(next).ServeHTTP(w, r)
+ return
+ default:
+ oidc(next).ServeHTTP(w, r)
+ basic(next).ServeHTTP(w, r)
+ return
+ }
+ })
+ }
+}
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
index f06879b012..f766dcd5d7 100644
--- a/proxy/pkg/middleware/basic_auth.go
+++ b/proxy/pkg/middleware/basic_auth.go
@@ -2,11 +2,12 @@ package middleware
 
 import (
 "fmt"
+ "net/http"
+ "strings"
+
 accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 "github.com/owncloud/ocis/ocis-pkg/log"
 "github.com/owncloud/ocis/ocis-pkg/oidc"
- "net/http"
- "strings"
 )
 
 const publicFilesEndpoint = "/remote.php/dav/public-files/"
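Review bot: The `default` branch runs `oidc(next)` and then `basic(next)` against the same ResponseWriter, so a request that neither chain rejects reaches `next` twice, and a request the first chain rejects still gets a second handler writing into a response whose headers are already sent. The switch keys on the literal User-Agent values `"a"` and `"b"`, and `fmt.Printf` echoes that client-controlled header to stdout on every request; that line should go, or at most become a debug entry on `options.Logger`, after which the `fmt` import is unused. Both chains are also rebuilt on every request inside the HandlerFunc; build them once in the outer closure, and for the fallback compose them in the order the proxy used before this change (OIDC first, then basic, as the removed alice entries in proxy/pkg/command/server.go show) rather than invoking both. Note that the oidc_auth.go hunk, which is cut off in this view, appears to stop calling `next` when it does not serve the request while also commenting out the 401 status, so that composition would currently stop at the Bearer challenge with an implicit 200 — the two changes need to be reconciled.

```go
// … unchanged: option parsing and the oidc/basic constructors …
return func(next http.Handler) http.Handler {
	// Build each chain once per wrapped handler instead of on every request.
	oidcOnly := oidc(next)
	basicOnly := basic(next)
	// Fallback keeps the pre-change order: OIDC first, then basic auth.
	fallback := oidc(basic(next))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Header.Get("User-Agent") {
		case "a":
			oidcOnly.ServeHTTP(w, r)
		case "b":
			basicOnly.ServeHTTP(w, r)
		default:
			fallback.ServeHTTP(w, r)
		}
	})
}
```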
@@ -38,6 +39,8 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 account, ok := h.getAccount(req)
 if !ok {
+ // TODO need correct hostname
+ w.Header().Add("WWW-Authenticate", "Basic realm=\"Access to localhost\", charset=\"UTF-8\"")
 w.WriteHeader(http.StatusUnauthorized)
 return
 }
diff --git a/proxy/pkg/middleware/oidc_auth.go b/proxy/pkg/middleware/oidc_auth.go
index ace5a045b4..1de7ecc508 100644
--- a/proxy/pkg/middleware/oidc_auth.go
+++ b/proxy/pkg/middleware/oidc_auth.go
@@ -38,7 +38,10 @@ func OIDCAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 if !h.shouldServe(req) {
- next.ServeHTTP(w, req)
+ // TODO need correct hostname
+ w.Header().Add("WWW-Authenticate", "Bearer realm=\"Access to localhost\", charset=\"UTF-8\"")
+ //w.WriteHeader(http.StatusUnauthorized)
+ //next.ServeHTTP(w, req)
 return
 }
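Review bot: The realm in the new WWW-Authenticate challenge is the literal `Access to localhost`, which the TODO acknowledges; rather than deriving it from `req.Host` (client-controlled, and it would need quoting to stay a valid quoted-string), make it a middleware option so this Basic challenge and the Bearer one in oidc_auth.go share one configured value, e.g. with a new option stored on the handler as `h.realm`: `w.Header().Set("WWW-Authenticate", fmt.Sprintf("Basic realm=%q, charset=\"UTF-8\"", h.realm))`. The challenge is also sent whenever `h.getAccount` fails, which presumably includes the case where basic auth is disabled via EnableBasicAuth — worth confirming, since advertising Basic then invites clients to send credentials that will never be accepted. BasicAuth's body starts and continues outside the hunk.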