mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-01-01 01:41:13 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
052d219465d0471b9c5daec7479b2bf79255baac
opencloud/proxy/pkg/middleware/basic_auth.go
Willy Kloucek 62704ceb2e fix double "the"
2021-11-15 13:24:26 +01:00

127 lines
3.9 KiB
Go
Raw Blame History

package middleware
import (
"fmt"
"net/http"
"strings"
"github.com/owncloud/ocis/ocis-pkg/log"
"github.com/owncloud/ocis/ocis-pkg/oidc"
"github.com/owncloud/ocis/proxy/pkg/user/backend"
"github.com/owncloud/ocis/proxy/pkg/webdav"
)
const publicFilesEndpoint = "/remote.php/dav/public-files/"
// BasicAuth provides a middleware to check if BasicAuth is provided
func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
options := newOptions(optionSetters...)
logger := options.Logger
if options.EnableBasicAuth {
options.Logger.Warn().Msg("basic auth enabled, use only for testing or development")
}
h := basicAuth{
logger: logger,
enabled: options.EnableBasicAuth,
userProvider: options.UserProvider,
}
return func(next http.Handler) http.Handler {
return http.HandlerFunc(
func(w http.ResponseWriter, req *http.Request) {
if h.isPublicLink(req) || !h.isBasicAuth(req) || h.isOIDCTokenAuth(req) {
if !h.isPublicLink(req) {
userAgentAuthenticateLockIn(w, req, options.CredentialsByUserAgent, "basic")
}
next.ServeHTTP(w, req)
return
}
removeSuperfluousAuthenticate(w)
login, password, _ := req.BasicAuth()
user, _, err := h.userProvider.Authenticate(req.Context(), login, password)
// touch is a user agent locking guard, when touched changes to true it indicates the User-Agent on the
// request is configured to support only one challenge, it it remains untouched, there are no considera-
// tions and we should write all available authentication challenges to the response.
touch := false
if err != nil {
for k, v := range options.CredentialsByUserAgent {
if strings.Contains(k, req.UserAgent()) {
removeSuperfluousAuthenticate(w)
w.Header().Add("Www-Authenticate", fmt.Sprintf("%v realm=\"%s\", charset=\"UTF-8\"", strings.Title(v), req.Host))
touch = true
break
}
}
// if the request is not bound to any user agent, write all available challenges
if !touch {
writeSupportedAuthenticateHeader(w, req)
}
// if the request is a PROPFIND return a WebDAV error code.
// TODO: The proxy has to be smart enough to detect when a request is directed towards a webdav server
// and react accordingly.
w.WriteHeader(http.StatusUnauthorized)
if webdav.IsWebdavRequest(req) {
b, err := webdav.Marshal(webdav.Exception{
Code: webdav.SabredavPermissionDenied,
Message: "Authentication error",
})
webdav.HandleWebdavError(w, b, err)
return
}
return
}
// fake oidc claims
claims := map[string]interface{}{
oidc.Iss: user.Id.Idp,
oidc.PreferredUsername: user.Username,
oidc.Email: user.Mail,
oidc.OwncloudUUID: user.Id.OpaqueId,
}
if options.UserCS3Claim == "userid" {
// set the custom user claim only if users will be looked up by the userid on the CS3api
// OpaqueId contains the userid configured in STORAGE_LDAP_USER_SCHEMA_UID
claims[options.UserOIDCClaim] = user.Id.OpaqueId
}
next.ServeHTTP(w, req.WithContext(oidc.NewContext(req.Context(), claims)))
},
)
}
}
type basicAuth struct {
logger log.Logger
enabled bool
userProvider backend.UserBackend
}
func (m basicAuth) isPublicLink(req *http.Request) bool {
login, _, ok := req.BasicAuth()
return ok && login == "public" && strings.HasPrefix(req.URL.Path, publicFilesEndpoint)
}
// The token auth endpoint uses basic auth for clients, see https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest
// > The Client MUST authenticate to the Token Endpoint using the HTTP Basic method, as described in 2.3.1 of OAuth 2.0.
func (m basicAuth) isOIDCTokenAuth(req *http.Request) bool {
return req.URL.Path == "/konnect/v1/token"
}
func (m basicAuth) isBasicAuth(req *http.Request) bool {
_, _, ok := req.BasicAuth()
return m.enabled && ok
}
Reference in New Issue View Git Blame Copy Permalink