barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-10-28 04:35:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor: unify labels

Browse Source
This commit is contained in:
Stavros
2025-08-29 13:52:47 +03:00
parent 03d06cb0a7
commit 598abc5fe1
5 changed files with 138 additions and 104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
internal/config/config.go
View File

@@ -1,20 +1,19 @@
package config package config
type Claims struct { // Version information, set at build time
Name string `json:"name"`
Email string `json:"email"`
PreferredUsername string `json:"preferred_username"`
Groups any `json:"groups"`
}
var Version = "development" var Version = "development"
var CommitHash = "n/a" var CommitHash = "n/a"
var BuildTimestamp = "n/a" var BuildTimestamp = "n/a"
// Cookie name templates
var SessionCookieName = "tinyauth-session" var SessionCookieName = "tinyauth-session"
var CSRFCookieName = "tinyauth-csrf" var CSRFCookieName = "tinyauth-csrf"
var RedirectCookieName = "tinyauth-redirect" var RedirectCookieName = "tinyauth-redirect"
// Main app config
type Config struct { type Config struct {
Port int `mapstructure:"port" validate:"required"` Port int `mapstructure:"port" validate:"required"`
Address string `validate:"required,ip4_addr" mapstructure:"address"` Address string `validate:"required,ip4_addr" mapstructure:"address"`
@@ -57,35 +56,13 @@ type Config struct {
DatabasePath string `mapstructure:"database-path" validate:"required"` DatabasePath string `mapstructure:"database-path" validate:"required"`
} }
type OAuthLabels struct { // OAuth/OIDC config
Whitelist string
Groups string
}
type BasicLabels struct { type Claims struct {
Username string Name string `json:"name"`
Password PasswordLabels Email string `json:"email"`
} PreferredUsername string `json:"preferred_username"`
Groups any `json:"groups"`
type PasswordLabels struct {
Plain string
File string
}
type IPLabels struct {
Allow []string
Block []string
Bypass []string
}
type Labels struct {
Users string
Allowed string
Headers []string
Domain []string
Basic BasicLabels
OAuth OAuthLabels
IP IPLabels
} }
type OAuthServiceConfig struct { type OAuthServiceConfig struct {
@@ -99,6 +76,8 @@ type OAuthServiceConfig struct {
InsecureSkipVerify bool InsecureSkipVerify bool
} }
// User/session related stuff
type User struct { type User struct {
Username string Username string
Password string Password string
@@ -132,6 +111,8 @@ type UserContext struct {
TotpEnabled bool TotpEnabled bool
} }
// API responses and queries
type UnauthorizedQuery struct { type UnauthorizedQuery struct {
Username string `url:"username"` Username string `url:"username"`
Resource string `url:"resource"` Resource string `url:"resource"`
@@ -142,3 +123,54 @@ type UnauthorizedQuery struct {
type RedirectQuery struct { type RedirectQuery struct {
RedirectURI string `url:"redirect_uri"` RedirectURI string `url:"redirect_uri"`
} }
// Labels
type Labels struct {
Apps map[string]AppLabels
}
type AppLabels struct {
Config ConfigLabels
Users UsersLabels
OAuth OAuthLabels
IP IPLabels
Response ResponseLabels
Path PathLabels
}
type ConfigLabels struct {
Domain string
}
type UsersLabels struct {
Allow string
Block string
}
type OAuthLabels struct {
Whitelist string
Groups string
}
type IPLabels struct {
Allow []string
Block []string
Bypass []string
}
type ResponseLabels struct {
Headers []string
BasicAuth BasicAuthLabels
}
type BasicAuthLabels struct {
Username string
Password string
PasswordFile string
}
type PathLabels struct {
Allow string
Block string
}

81
internal/controller/proxy_controller.go
View File

@@ -89,19 +89,20 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
clientIP := c.ClientIP() clientIP := c.ClientIP()
if controller.Auth.IsBypassedIP(labels, clientIP) { if controller.Auth.IsBypassedIP(labels.IP, clientIP) {
c.Header("Authorization", c.Request.Header.Get("Authorization")) c.Header("Authorization", c.Request.Header.Get("Authorization"))
headers := utils.ParseHeaders(labels.Headers) headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers { for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header") log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value) c.Header(key, value)
} }
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" { basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth header") if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File)))) log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
} }
c.JSON(200, gin.H{ c.JSON(200, gin.H{
@@ -111,31 +112,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return return
} }
if !controller.Auth.CheckIP(labels, clientIP) { authEnabled, err := controller.Auth.IsAuthEnabled(uri, labels.Path.Allow)
if req.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
queries, err := query.Values(config.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
IP: clientIP,
})
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
return
}
authEnabled, err := controller.Auth.IsAuthEnabled(uri, labels)
if err != nil { if err != nil {
log.Error().Err(err).Msg("Failed to check if auth is enabled for resource") log.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -157,16 +134,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
c.Header("Authorization", c.Request.Header.Get("Authorization")) c.Header("Authorization", c.Request.Header.Get("Authorization"))
headers := utils.ParseHeaders(labels.Headers) headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers { for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header") log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value) c.Header(key, value)
} }
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" { basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth header") if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File)))) log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
} }
c.JSON(200, gin.H{ c.JSON(200, gin.H{
@@ -176,6 +154,30 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return return
} }
if !controller.Auth.CheckIP(labels.IP, clientIP) {
if req.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
"message": "Unauthorized",
})
return
}
queries, err := query.Values(config.UnauthorizedQuery{
Resource: strings.Split(host, ".")[0],
IP: clientIP,
})
if err != nil {
log.Error().Err(err).Msg("Failed to encode unauthorized query")
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
return
}
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
return
}
var userContext config.UserContext var userContext config.UserContext
context, err := utils.GetContext(c) context, err := utils.GetContext(c)
@@ -229,7 +231,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
} }
if userContext.OAuth { if userContext.OAuth {
groupOK := controller.Auth.IsInOAuthGroup(c, userContext, labels) groupOK := controller.Auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
if !groupOK { if !groupOK {
log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements") log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
@@ -270,16 +272,17 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email)) c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups)) c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
headers := utils.ParseHeaders(labels.Headers) headers := utils.ParseHeaders(labels.Response.Headers)
for key, value := range headers { for key, value := range headers {
log.Debug().Str("header", key).Msg("Setting header") log.Debug().Str("header", key).Msg("Setting header")
c.Header(key, value) c.Header(key, value)
} }
if labels.Basic.Username != "" && utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File) != "" { basicPassword := utils.GetSecret(labels.Response.BasicAuth.Password, labels.Response.BasicAuth.PasswordFile)
log.Debug().Str("username", labels.Basic.Username).Msg("Setting basic auth header") if labels.Response.BasicAuth.Username != "" && basicPassword != "" {
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Basic.Username, utils.GetSecret(labels.Basic.Password.Plain, labels.Basic.Password.File)))) log.Debug().Str("username", labels.Response.BasicAuth.Username).Msg("Setting basic auth header")
c.Header("Authorization", fmt.Sprintf("Basic %s", utils.GetBasicAuth(labels.Response.BasicAuth.Username, basicPassword)))
} }
c.JSON(200, gin.H{ c.JSON(200, gin.H{

32
internal/service/auth_service.go
View File

@@ -283,18 +283,18 @@ func (auth *AuthService) UserAuthConfigured() bool {
return len(auth.Config.Users) > 0 || auth.LDAP != nil return len(auth.Config.Users) > 0 || auth.LDAP != nil
} }
func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.Labels) bool { func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.AppLabels) bool {
if context.OAuth { if context.OAuth {
log.Debug().Msg("Checking OAuth whitelist") log.Debug().Msg("Checking OAuth whitelist")
return utils.CheckFilter(labels.OAuth.Whitelist, context.Email) return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
} }
log.Debug().Msg("Checking users") log.Debug().Msg("Checking users")
return utils.CheckFilter(labels.Users, context.Username) return utils.CheckFilter(labels.Users.Allow, context.Username)
} }
func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserContext, labels config.Labels) bool { func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserContext, groups string) bool {
if labels.OAuth.Groups == "" { if groups == "" {
return true return true
} }
@@ -304,10 +304,10 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
} }
// No need to parse since they are from the API response // No need to parse since they are from the API response
oauthGroups := strings.Split(context.OAuthGroups, ",") groupsSplit := strings.Split(groups, ",")
for _, group := range oauthGroups { for _, group := range groupsSplit {
if utils.CheckFilter(labels.OAuth.Groups, group) { if utils.CheckFilter(groups, group) {
return true return true
} }
} }
@@ -316,12 +316,12 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
return false return false
} }
func (auth *AuthService) IsAuthEnabled(uri string, labels config.Labels) (bool, error) { func (auth *AuthService) IsAuthEnabled(uri string, pathAllow string) (bool, error) {
if labels.Allowed == "" { if pathAllow == "" {
return true, nil return true, nil
} }
regex, err := regexp.Compile(labels.Allowed) regex, err := regexp.Compile(pathAllow)
if err != nil { if err != nil {
return true, err return true, err
@@ -346,8 +346,8 @@ func (auth *AuthService) GetBasicAuth(c *gin.Context) *config.User {
} }
} }
func (auth *AuthService) CheckIP(labels config.Labels, ip string) bool { func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
for _, blocked := range labels.IP.Block { for _, blocked := range labels.Block {
res, err := utils.FilterIP(blocked, ip) res, err := utils.FilterIP(blocked, ip)
if err != nil { if err != nil {
log.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list") log.Warn().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
@@ -359,7 +359,7 @@ func (auth *AuthService) CheckIP(labels config.Labels, ip string) bool {
} }
} }
for _, allowed := range labels.IP.Allow { for _, allowed := range labels.Allow {
res, err := utils.FilterIP(allowed, ip) res, err := utils.FilterIP(allowed, ip)
if err != nil { if err != nil {
log.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list") log.Warn().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
@@ -371,7 +371,7 @@ func (auth *AuthService) CheckIP(labels config.Labels, ip string) bool {
} }
} }
if len(labels.IP.Allow) > 0 { if len(labels.Allow) > 0 {
log.Debug().Str("ip", ip).Msg("IP not in allow list, denying access") log.Debug().Str("ip", ip).Msg("IP not in allow list, denying access")
return false return false
} }
@@ -380,8 +380,8 @@ func (auth *AuthService) CheckIP(labels config.Labels, ip string) bool {
return true return true
} }
func (auth *AuthService) IsBypassedIP(labels config.Labels, ip string) bool { func (auth *AuthService) IsBypassedIP(labels config.IPLabels, ip string) bool {
for _, bypassed := range labels.IP.Bypass { for _, bypassed := range labels.Bypass {
res, err := utils.FilterIP(bypassed, ip) res, err := utils.FilterIP(bypassed, ip)
if err != nil { if err != nil {
log.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list") log.Warn().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")

27
internal/service/docker_service.go
View File

@@ -6,8 +6,6 @@ import (
"tinyauth/internal/config" "tinyauth/internal/config"
"tinyauth/internal/utils" "tinyauth/internal/utils"
"slices"
container "github.com/docker/docker/api/types/container" container "github.com/docker/docker/api/types/container"
"github.com/docker/docker/client" "github.com/docker/docker/client"
"github.com/rs/zerolog/log" "github.com/rs/zerolog/log"
@@ -57,17 +55,17 @@ func (docker *DockerService) DockerConnected() bool {
return err == nil return err == nil
} }
func (docker *DockerService) GetLabels(app string, domain string) (config.Labels, error) { func (docker *DockerService) GetLabels(app string, domain string) (config.AppLabels, error) {
isConnected := docker.DockerConnected() isConnected := docker.DockerConnected()
if !isConnected { if !isConnected {
log.Debug().Msg("Docker not connected, returning empty labels") log.Debug().Msg("Docker not connected, returning empty labels")
return config.Labels{}, nil return config.AppLabels{}, nil
} }
containers, err := docker.GetContainers() containers, err := docker.GetContainers()
if err != nil { if err != nil {
return config.Labels{}, err return config.AppLabels{}, err
} }
for _, container := range containers { for _, container := range containers {
@@ -83,18 +81,19 @@ func (docker *DockerService) GetLabels(app string, domain string) (config.Labels
continue continue
} }
// Check if the container matches the ID or domain for appName, appLabels := range labels.Apps {
if slices.Contains(labels.Domain, domain) { if appLabels.Config.Domain == domain {
log.Debug().Str("id", inspect.ID).Msg("Found matching container by domain") log.Debug().Str("id", inspect.ID).Msg("Found matching container by domain")
return labels, nil return appLabels, nil
} }
if strings.TrimPrefix(inspect.Name, "/") == app { if strings.TrimPrefix(inspect.Name, "/") == appName {
log.Debug().Str("id", inspect.ID).Msg("Found matching container by name") log.Debug().Str("id", inspect.ID).Msg("Found matching container by app name")
return labels, nil return appLabels, nil
}
} }
} }
log.Debug().Msg("No matching container found, returning empty labels") log.Debug().Msg("No matching container found, returning empty labels")
return config.Labels{}, nil return config.AppLabels{}, nil
} }

2
internal/utils/label_utils.go
View File

@@ -11,7 +11,7 @@ import (
func GetLabels(labels map[string]string) (config.Labels, error) { func GetLabels(labels map[string]string) (config.Labels, error) {
var labelsParsed config.Labels var labelsParsed config.Labels
err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.users", "tinyauth.allowed", "tinyauth.headers", "tinyauth.domain", "tinyauth.basic", "tinyauth.oauth", "tinyauth.ip") err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.apps")
if err != nil { if err != nil {
return config.Labels{}, err return config.Labels{}, err
} }