barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-10-28 04:35:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: finalize logic

Browse Source
This commit is contained in:
Stavros
2025-01-30 17:11:31 +02:00
parent 6602e8140b
commit 29f0a94faf
5 changed files with 98 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
cmd/root.go
View File

@@ -78,8 +78,15 @@ var rootCmd = &cobra.Command{
log.Debug().Msg("Parsed OAuth config") log.Debug().Msg("Parsed OAuth config")
// Create docker service
docker := docker.NewDocker()
// Initialize docker
dockerErr := docker.Init()
HandleError(dockerErr, "Failed to initialize docker")
// Create auth service // Create auth service
auth := auth.NewAuth(users, oauthWhitelist) auth := auth.NewAuth(docker, users, oauthWhitelist)
// Create OAuth providers service // Create OAuth providers service
providers := providers.NewProviders(oauthConfig) providers := providers.NewProviders(oauthConfig)
@@ -90,13 +97,6 @@ var rootCmd = &cobra.Command{
// Create hooks service // Create hooks service
hooks := hooks.NewHooks(auth, providers) hooks := hooks.NewHooks(auth, providers)
// Create docker service
docker := docker.NewDocker()
// Initialize docker
dockerErr := docker.Init()
HandleError(dockerErr, "Failed to initialize docker")
// Create API // Create API
api := api.NewAPI(types.APIConfig{ api := api.NewAPI(types.APIConfig{
Port: config.Port, Port: config.Port,
@@ -113,18 +113,7 @@ var rootCmd = &cobra.Command{
api.SetupRoutes() api.SetupRoutes()
// Start // Start
// api.Run() api.Run()
containers, err := docker.GetContainers()
HandleError(err, "Failed to get containers")
for _, container := range containers {
log.Debug().Str("container", container.ID).Msg("Found container")
inspect, err := docker.InspectContainer(container.ID)
HandleError(err, "Failed to inspect container")
log.Debug().Str("container", container.ID).Str("name", inspect.Name).Interface("labels", container.Labels).Msg("Inspected container")
labels := utils.GetTinyauthLabels(inspect.Config.Labels)
log.Debug().Interface("labels", labels).Msg("Parsed labels")
}
}, },
} }

25
internal/api/api.go
View File

@@ -98,8 +98,30 @@ func (api *API) SetupRoutes() {
log.Debug().Msg("Checking auth") log.Debug().Msg("Checking auth")
userContext := api.Hooks.UseUserContext(c) userContext := api.Hooks.UseUserContext(c)
uri := c.Request.Header.Get("X-Forwarded-Uri")
proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host")
if userContext.IsLoggedIn { if userContext.IsLoggedIn {
log.Debug().Msg("Authenticated") log.Debug().Msg("Authenticated")
appAllowed, appAllowedErr := api.Auth.ResourceAllowed(userContext, host)
if handleApiError(c, "Failed to check if resource is allowed", appAllowedErr) {
return
}
if !appAllowed {
log.Warn().Str("username", userContext.Username).Str("host", host).Msg("User not allowed")
queries, queryErr := query.Values(types.UnauthorizedQuery{
Username: userContext.Username,
Resource: strings.Split(host, ".")[0],
})
if handleApiError(c, "Failed to build query", queryErr) {
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", api.Config.AppURL, queries.Encode()))
}
c.JSON(200, gin.H{ c.JSON(200, gin.H{
"status": 200, "status": 200,
"message": "Authenticated", "message": "Authenticated",
@@ -107,9 +129,6 @@ func (api *API) SetupRoutes() {
return return
} }
uri := c.Request.Header.Get("X-Forwarded-Uri")
proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host")
queries, queryErr := query.Values(types.LoginQuery{ queries, queryErr := query.Values(types.LoginQuery{
RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri), RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
}) })

58
internal/auth/auth.go
View File

@@ -1,7 +1,11 @@
package auth package auth
import ( import (
"slices"
"strings"
"tinyauth/internal/docker"
"tinyauth/internal/types" "tinyauth/internal/types"
"tinyauth/internal/utils"
"github.com/gin-contrib/sessions" "github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
@@ -9,8 +13,9 @@ import (
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
) )
func NewAuth(userList types.Users, oauthWhitelist []string) *Auth { func NewAuth(docker *docker.Docker, userList types.Users, oauthWhitelist []string) *Auth {
return &Auth{ return &Auth{
Docker: docker,
Users: userList, Users: userList,
OAuthWhitelist: oauthWhitelist, OAuthWhitelist: oauthWhitelist,
} }
@@ -18,6 +23,7 @@ func NewAuth(userList types.Users, oauthWhitelist []string) *Auth {
type Auth struct { type Auth struct {
Users types.Users Users types.Users
Docker *docker.Docker
OAuthWhitelist []string OAuthWhitelist []string
} }
@@ -89,3 +95,53 @@ func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error)
func (auth *Auth) UserAuthConfigured() bool { func (auth *Auth) UserAuthConfigured() bool {
return len(auth.Users) > 0 return len(auth.Users) > 0
} }
func (auth *Auth) ResourceAllowed(context types.UserContext, host string) (bool, error) {
appId := strings.Split(host, ".")[0]
containers, containersErr := auth.Docker.GetContainers()
if containersErr != nil {
return false, containersErr
}
log.Debug().Msg("Got containers")
for _, container := range containers {
inspect, inspectErr := auth.Docker.InspectContainer(container.ID)
if inspectErr != nil {
return false, inspectErr
}
containerName := strings.Split(inspect.Name, "/")[1]
if containerName == appId {
log.Debug().Str("container", containerName).Msg("Found container")
labels := utils.GetTinyauthLabels(inspect.Config.Labels)
log.Debug().Msg("Got labels")
if context.OAuth && len(labels.OAuthWhitelist) != 0 {
log.Debug().Msg("Checking OAuth whitelist")
if slices.Contains(labels.OAuthWhitelist, context.Username) {
return true, nil
}
return false, nil
}
if len(labels.Users) != 0 {
log.Debug().Msg("Checking users")
if slices.Contains(labels.Users, context.Username) {
return true, nil
}
return false, nil
}
}
}
log.Debug().Msg("No matching container found, allowing access")
return true, nil
}

1
internal/types/types.go
View File

@@ -89,6 +89,7 @@ type OAuthProviders struct {
type UnauthorizedQuery struct { type UnauthorizedQuery struct {
Username string `url:"username"` Username string `url:"username"`
Resource string `url:"resource"`
} }
type SessionCookie struct { type SessionCookie struct {

18
site/src/pages/unauthorized-page.tsx
View File

@@ -1,18 +1,12 @@
import { Button, Code, Paper, Text } from "@mantine/core"; import { Button, Code, Paper, Text } from "@mantine/core";
import { Layout } from "../components/layouts/layout"; import { Layout } from "../components/layouts/layout";
import { useUserContext } from "../context/user-context";
import { Navigate } from "react-router"; import { Navigate } from "react-router";
export const UnauthorizedPage = () => { export const UnauthorizedPage = () => {
const queryString = window.location.search; const queryString = window.location.search;
const params = new URLSearchParams(queryString); const params = new URLSearchParams(queryString);
const username = params.get("username"); const username = params.get("username");
const resource = params.get("resource");
const { isLoggedIn } = useUserContext();
if (isLoggedIn) {
return <Navigate to="/" />;
}
if (username === "null") { if (username === "null") {
return <Navigate to="/" />; return <Navigate to="/" />;
@@ -25,8 +19,14 @@ export const UnauthorizedPage = () => {
Unauthorized Unauthorized
</Text> </Text>
<Text> <Text>
The user with username <Code>{username}</Code> is not authorized to The user with username <Code>{username}</Code> is not authorized to{" "}
login. {resource !== "null" ? (
<span>
access the <Code>{resource}</Code> resource.
</span>
) : (
"login."
)}
</Text> </Text>
<Button <Button
fullWidth fullWidth