feat: header based acls (#337)

* feat: add header decoder

* feat: allow a dash as a substitute for slash in environments like kubernetes

* feat: use decoded headers in proxy controller

* refactor: simplify decode header to node function

* refactor: use stdlib prefix check in header decoder

* fix: lowercase key and filter before comparing
This commit is contained in:
Stavros
2025-09-02 19:06:52 +03:00
committed by GitHub
parent 9ce16c9652
commit f0d2da281a
10 changed files with 355 additions and 51 deletions


@@ -285,7 +285,7 @@ func (auth *AuthService) UserAuthConfigured() bool {
return len(auth.config.Users) > 0 || auth.ldap != nil
}
func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.AppLabels) bool {
func (auth *AuthService) IsResourceAllowed(c *gin.Context, context config.UserContext, labels config.App) bool {
if context.OAuth {
log.Debug().Msg("Checking OAuth whitelist")
return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
@@ -322,7 +322,7 @@ func (auth *AuthService) IsInOAuthGroup(c *gin.Context, context config.UserConte
return false
}
func (auth *AuthService) IsAuthEnabled(uri string, path config.PathLabels) (bool, error) {
func (auth *AuthService) IsAuthEnabled(uri string, path config.AppPath) (bool, error) {
// Check for block list
if path.Block != "" {
regex, err := regexp.Compile(path.Block)
@@ -364,7 +364,7 @@ func (auth *AuthService) GetBasicAuth(c *gin.Context) *config.User {
}
}
func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
func (auth *AuthService) CheckIP(labels config.AppIP, ip string) bool {
for _, blocked := range labels.Block {
res, err := utils.FilterIP(blocked, ip)
if err != nil {
@@ -398,7 +398,7 @@ func (auth *AuthService) CheckIP(labels config.IPLabels, ip string) bool {
return true
}
func (auth *AuthService) IsBypassedIP(labels config.IPLabels, ip string) bool {
func (auth *AuthService) IsBypassedIP(labels config.AppIP, ip string) bool {
for _, bypassed := range labels.Bypass {
res, err := utils.FilterIP(bypassed, ip)
if err != nil {


@@ -4,7 +4,7 @@ import (
"context"
"strings"
"tinyauth/internal/config"
"tinyauth/internal/utils"
"tinyauth/internal/utils/decoders"
container "github.com/docker/docker/api/types/container"
"github.com/docker/docker/client"
@@ -55,17 +55,17 @@ func (docker *DockerService) DockerConnected() bool {
return err == nil
}
func (docker *DockerService) GetLabels(appDomain string) (config.AppLabels, error) {
func (docker *DockerService) GetLabels(appDomain string) (config.App, error) {
isConnected := docker.DockerConnected()
if !isConnected {
log.Debug().Msg("Docker not connected, returning empty labels")
return config.AppLabels{}, nil
return config.App{}, nil
}
containers, err := docker.GetContainers()
if err != nil {
return config.AppLabels{}, err
return config.App{}, err
}
for _, ctr := range containers {
@@ -75,7 +75,7 @@ func (docker *DockerService) GetLabels(appDomain string) (config.AppLabels, erro
continue
}
labels, err := utils.GetLabels(inspect.Config.Labels)
labels, err := decoders.DecodeLabels(inspect.Config.Labels)
if err != nil {
log.Warn().Str("id", ctr.ID).Err(err).Msg("Error getting container labels, skipping")
continue
@@ -95,5 +95,5 @@ func (docker *DockerService) GetLabels(appDomain string) (config.AppLabels, erro
}
log.Debug().Msg("No matching container found, returning empty labels")
return config.AppLabels{}, nil
return config.App{}, nil
}
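Review bot: A decode error from `decoders.DecodeLabels` is logged at Warn and the container is skipped, so when the affected container is the one that would have matched, `GetLabels` falls through to `return config.App{}, nil` and the caller gets an empty policy with no error, indistinguishable from an app that carries no labels at all. If the callers treat an empty `config.App` as unrestricted (worth confirming against `IsResourceAllowed` and `CheckIP`), a mistyped or unsupported label now fails open rather than closed, which matters more now that the decoder accepts additional spellings such as the dash-for-slash form named in the commit message. Consider surfacing the failure instead of swallowing it, e.g. `return config.App{}, fmt.Errorf("decoding labels for container %s: %w", ctr.ID, err)`, or at minimum add a doc comment on `GetLabels` stating that undecodable labels yield an empty `config.App` with a nil error. The domain comparison and the rest of the loop body lie between the hunks and are not visible here, so whether the decode runs before or after the match is established cannot be confirmed from this view.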