Revert "feat: header based acls (#337)"

This reverts commit f0d2da281a.
Stavros
2025-09-03 12:01:33 +03:00
committed by GitHub
parent f0d2da281a
commit c9817e7feb
10 changed files with 51 additions and 355 deletions


@@ -7,7 +7,6 @@ import (
"tinyauth/internal/config"
"tinyauth/internal/service"
"tinyauth/internal/utils"
"tinyauth/internal/utils/decoders"
"github.com/gin-gonic/gin"
"github.com/google/go-querystring/query"
@@ -68,16 +67,6 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
proto := c.Request.Header.Get("X-Forwarded-Proto")
host := c.Request.Header.Get("X-Forwarded-Host")
var app config.App
headers, err := decoders.DecodeHeaders(utils.NormalizeHeaders(c.Request.Header))
if err != nil {
log.Error().Err(err).Msg("Failed to decode headers")
controller.handleError(c, req, isBrowser)
return
}
labels, err := controller.docker.GetLabels(host)
if err != nil {
@@ -86,21 +75,10 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return
}
if len(headers.Apps) > 0 {
for k, v := range headers.Apps {
log.Debug().Str("app", k).Msg("Using headers for app config instead of labels")
app = v
break
}
} else {
log.Debug().Msg("No app config found in headers, using labels")
app = labels
}
clientIP := c.ClientIP()
if controller.auth.IsBypassedIP(app.IP, clientIP) {
controller.setHeaders(c, app)
if controller.auth.IsBypassedIP(labels.IP, clientIP) {
controller.setHeaders(c, labels)
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
@@ -108,7 +86,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return
}
authEnabled, err := controller.auth.IsAuthEnabled(uri, app.Path)
authEnabled, err := controller.auth.IsAuthEnabled(uri, labels.Path)
if err != nil {
log.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
@@ -118,7 +96,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
if !authEnabled {
log.Debug().Msg("Authentication disabled for resource, allowing access")
controller.setHeaders(c, app)
controller.setHeaders(c, labels)
c.JSON(200, gin.H{
"status": 200,
"message": "Authenticated",
@@ -126,7 +104,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
return
}
if !controller.auth.CheckIP(app.IP, clientIP) {
if !controller.auth.CheckIP(labels.IP, clientIP) {
if req.Proxy == "nginx" || !isBrowser {
c.JSON(401, gin.H{
"status": 401,
@@ -169,7 +147,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
}
if userContext.IsLoggedIn {
appAllowed := controller.auth.IsResourceAllowed(c, userContext, app)
appAllowed := controller.auth.IsResourceAllowed(c, userContext, labels)
if !appAllowed {
log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
@@ -203,7 +181,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
}
if userContext.OAuth {
groupOK := controller.auth.IsInOAuthGroup(c, userContext, app.OAuth.Groups)
groupOK := controller.auth.IsInOAuthGroup(c, userContext, labels.OAuth.Groups)
if !groupOK {
log.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User OAuth groups do not match resource requirements")
@@ -243,7 +221,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
c.Header("Remote-Email", utils.SanitizeHeader(userContext.Email))
c.Header("Remote-Groups", utils.SanitizeHeader(userContext.OAuthGroups))
controller.setHeaders(c, app)
controller.setHeaders(c, labels)
c.JSON(200, gin.H{
"status": 200,
@@ -273,7 +251,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.config.AppURL, queries.Encode()))
}
func (controller *ProxyController) setHeaders(c *gin.Context, labels config.App) {
func (controller *ProxyController) setHeaders(c *gin.Context, labels config.AppLabels) {
c.Header("Authorization", c.Request.Header.Get("Authorization"))
headers := utils.ParseHeaders(labels.Response.Headers)