mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-04-19 12:08:15 +00:00
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 dependabot[bot]
|
eb145645b0 |
@@ -1,82 +0,0 @@
|
||||
name: Proxy Integration Tests
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
build:
|
||||
type: boolean
|
||||
description: Build from current tag before running tests
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
determine-tag:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
version: ${{ steps.metadata.outputs.VERSION }}
|
||||
commit_hash: ${{ steps.metadata.outputs.COMMIT_HASH }}
|
||||
build_timestamp: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Determine metadata
|
||||
id: metadata
|
||||
run: |
|
||||
# Generate static metadata
|
||||
echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
|
||||
echo "BUILD_TIMESTAMP=$(date '+%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_OUTPUT"
|
||||
|
||||
# Determine version
|
||||
if [ "${{ inputs.build }}" == "true" ]; then
|
||||
echo "VERSION=development" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "VERSION=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
integration:
|
||||
runs-on: ubuntu-latest
|
||||
needs: determine-tag
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version: "1.25.0"
|
||||
|
||||
- name: Initialize submodules
|
||||
run: |
|
||||
git submodule init
|
||||
git submodule update
|
||||
|
||||
- name: Apply patches
|
||||
run: |
|
||||
git apply --directory paerser/ patches/nested_maps.diff
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@v3
|
||||
if: ${{ inputs.build == 'true' }}
|
||||
|
||||
- name: Build
|
||||
uses: docker/build-push-action@v6
|
||||
if: ${{ inputs.build == 'true' }}
|
||||
with:
|
||||
platforms: linux/amd64
|
||||
tags: ghcr.io/${{ github.repository_owner }}/tinyauth:${{ needs.determine-tag.outputs.version }}
|
||||
outputs: type=image,push=false
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
build-args: |
|
||||
VERSION=${{ needs.determine-tag.outputs.version }}
|
||||
COMMIT_HASH=${{ needs.determine-tag.outputs.commit_hash }}
|
||||
BUILD_TIMESTAMP=${{ needs.determine-tag.outputs.build_timestamp }}
|
||||
|
||||
- name: Set tinyauth version
|
||||
run: |
|
||||
sed -i "s/TINYAUTH_VERSION=.*/TINYAUTH_VERSION=${{ needs.determine-tag.outputs.version }}/" integration/.env
|
||||
|
||||
- name: Test
|
||||
run: make integration
|
||||
@@ -15,6 +15,8 @@ jobs:
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
ref: nightly
|
||||
|
||||
- name: Generate metadata
|
||||
id: metadata
|
||||
|
||||
@@ -81,11 +81,5 @@ sql:
|
||||
sqlc generate
|
||||
|
||||
# Go gen
|
||||
.PHONY: generate
|
||||
generate:
|
||||
go run ./gen
|
||||
|
||||
# Proxy integration tests
|
||||
.PHONY: integration
|
||||
integration:
|
||||
go run ./integration -- --log=false
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
<div align="center">
|
||||
<img alt="Tinyauth" title="Tinyauth" width="96" src="assets/logo-rounded.png">
|
||||
<h1>Tinyauth</h1>
|
||||
<p>The tiniest authentication and authorization server you have ever seen.</p>
|
||||
<p>The simplest way to protect your apps with a login screen.</p>
|
||||
</div>
|
||||
|
||||
<div align="center">
|
||||
@@ -14,7 +14,7 @@
|
||||
|
||||
<br />
|
||||
|
||||
Tinyauth is the simplest and tiniest authentication and authorization server you have ever seen. It is designed to both work as an authentication middleware for your apps, offering support for OAuth, LDAP and access-controls, and as a standalone authentication server. It supports all the popular proxies like Traefik, Nginx and Caddy.
|
||||
Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github or any other provider to all of your apps. It supports all the popular proxies like Traefik, Nginx and Caddy.
|
||||
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@ Tinyauth is the simplest and tiniest authentication and authorization server you
|
||||
|
||||
## Getting Started
|
||||
|
||||
You can get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker-compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities (keep in mind that this file lives in the development branch so it may have updates that are not yet released).
|
||||
You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.
|
||||
|
||||
## Demo
|
||||
|
||||
@@ -40,15 +40,15 @@ If you wish to contribute to the documentation head over to the [repository](htt
|
||||
|
||||
## Discord
|
||||
|
||||
Tinyauth has a [Discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!
|
||||
Tinyauth has a [discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!
|
||||
|
||||
## Contributing
|
||||
|
||||
All contributions to the codebase are welcome! If you have any free time, feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
|
||||
All contributions to the codebase are welcome! If you have any free time feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.
|
||||
|
||||
## Localization
|
||||
|
||||
If you like, you can help translate Tinyauth into more languages by visiting the [Crowdin](https://crowdin.com/project/tinyauth) page.
|
||||
If you would like to help translate Tinyauth into more languages, visit the [Crowdin](https://crowdin.com/project/tinyauth) page.
|
||||
|
||||
## License
|
||||
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
services:
|
||||
traefik:
|
||||
container_name: traefik
|
||||
image: traefik:v3.6
|
||||
command: --api.insecure=true --providers.docker
|
||||
ports:
|
||||
@@ -8,6 +9,7 @@ services:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
|
||||
whoami:
|
||||
container_name: whoami
|
||||
image: traefik/whoami:latest
|
||||
labels:
|
||||
traefik.enable: true
|
||||
@@ -15,6 +17,7 @@ services:
|
||||
traefik.http.routers.whoami.middlewares: tinyauth
|
||||
|
||||
tinyauth-frontend:
|
||||
container_name: tinyauth-frontend
|
||||
build:
|
||||
context: .
|
||||
dockerfile: frontend/Dockerfile.dev
|
||||
@@ -27,6 +30,7 @@ services:
|
||||
traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
|
||||
|
||||
tinyauth-backend:
|
||||
container_name: tinyauth-backend
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Dockerfile.dev
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
services:
|
||||
traefik:
|
||||
container_name: traefik
|
||||
image: traefik:v3.6
|
||||
command: --api.insecure=true --providers.docker
|
||||
ports:
|
||||
@@ -8,6 +9,7 @@ services:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
|
||||
whoami:
|
||||
container_name: whoami
|
||||
image: traefik/whoami:latest
|
||||
labels:
|
||||
traefik.enable: true
|
||||
@@ -15,7 +17,8 @@ services:
|
||||
traefik.http.routers.whoami.middlewares: tinyauth
|
||||
|
||||
tinyauth:
|
||||
image: ghcr.io/steveiliop56/tinyauth:v5
|
||||
container_name: tinyauth
|
||||
image: ghcr.io/steveiliop56/tinyauth:v3
|
||||
environment:
|
||||
- TINYAUTH_APPURL=https://tinyauth.example.com
|
||||
- TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
|
||||
|
||||
+4
-4
@@ -16,7 +16,7 @@
|
||||
"axios": "^1.13.6",
|
||||
"class-variance-authority": "^0.7.1",
|
||||
"clsx": "^2.1.1",
|
||||
"i18next": "^25.8.18",
|
||||
"i18next": "^25.8.17",
|
||||
"i18next-browser-languagedetector": "^8.2.1",
|
||||
"i18next-resources-to-backend": "^1.2.1",
|
||||
"input-otp": "^1.4.2",
|
||||
@@ -26,7 +26,7 @@
|
||||
"react": "^19.2.4",
|
||||
"react-dom": "^19.2.4",
|
||||
"react-hook-form": "^7.71.2",
|
||||
"react-i18next": "^16.5.8",
|
||||
"react-i18next": "^16.5.6",
|
||||
"react-markdown": "^10.1.0",
|
||||
"react-router": "^7.13.1",
|
||||
"sonner": "^2.0.7",
|
||||
@@ -637,7 +637,7 @@
|
||||
|
||||
"html-url-attributes": ["html-url-attributes@3.0.1", "", {}, "sha512-ol6UPyBWqsrO6EJySPz2O7ZSr856WDrEzM5zMqp+FJJLGMW35cLYmmZnl0vztAZxRUoNZJFTCohfjuIJ8I4QBQ=="],
|
||||
|
||||
"i18next": ["i18next@25.8.18", "", { "dependencies": { "@babel/runtime": "^7.28.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-lzY5X83BiL5AP77+9DydbrqkQHFN9hUzWGjqjLpPcp5ZOzuu1aSoKaU3xbBLSjWx9dAzW431y+d+aogxOZaKRA=="],
|
||||
"i18next": ["i18next@25.8.17", "", { "dependencies": { "@babel/runtime": "^7.28.6" }, "peerDependencies": { "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-vWtCttyn5bpOK4hWbRAe1ZXkA+Yzcn2OcACT+WJavtfGMcxzkfvXTLMeOU8MUhRmAySKjU4VVuKlo0sSGeBokA=="],
|
||||
|
||||
"i18next-browser-languagedetector": ["i18next-browser-languagedetector@8.2.1", "", { "dependencies": { "@babel/runtime": "^7.23.2" } }, "sha512-bZg8+4bdmaOiApD7N7BPT9W8MLZG+nPTOFlLiJiT8uzKXFjhxw4v2ierCXOwB5sFDMtuA5G4kgYZ0AznZxQ/cw=="],
|
||||
|
||||
@@ -843,7 +843,7 @@
|
||||
|
||||
"react-hook-form": ["react-hook-form@7.71.2", "", { "peerDependencies": { "react": "^16.8.0 || ^17 || ^18 || ^19" } }, "sha512-1CHvcDYzuRUNOflt4MOq3ZM46AronNJtQ1S7tnX6YN4y72qhgiUItpacZUAQ0TyWYci3yz1X+rXaSxiuEm86PA=="],
|
||||
|
||||
"react-i18next": ["react-i18next@16.5.8", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-2ABeHHlakxVY+LSirD+OiERxFL6+zip0PaHo979bgwzeHg27Sqc82xxXWIrSFmfWX0ZkrvXMHwhsi/NGUf5VQg=="],
|
||||
"react-i18next": ["react-i18next@16.5.6", "", { "dependencies": { "@babel/runtime": "^7.28.4", "html-parse-stringify": "^3.0.1", "use-sync-external-store": "^1.6.0" }, "peerDependencies": { "i18next": ">= 25.6.2", "react": ">= 16.8.0", "typescript": "^5" }, "optionalPeers": ["typescript"] }, "sha512-Ua7V2/efA88ido7KyK51fb8Ki8M/sRfW8LR/rZ/9ZKr2luhuTI7kwYZN5agT1rWG7aYm5G0RYE/6JR8KJoCMDw=="],
|
||||
|
||||
"react-markdown": ["react-markdown@10.1.0", "", { "dependencies": { "@types/hast": "^3.0.0", "@types/mdast": "^4.0.0", "devlop": "^1.0.0", "hast-util-to-jsx-runtime": "^2.0.0", "html-url-attributes": "^3.0.0", "mdast-util-to-hast": "^13.0.0", "remark-parse": "^11.0.0", "remark-rehype": "^11.0.0", "unified": "^11.0.0", "unist-util-visit": "^5.0.0", "vfile": "^6.0.0" }, "peerDependencies": { "@types/react": ">=18", "react": ">=18" } }, "sha512-qKxVopLT/TyA6BX3Ue5NwabOsAzm0Q7kAPwq6L+wWDwisYs7R8vZ0nRXqq6rkueboxpkjvLGU9fWifiX/ZZFxQ=="],
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@
|
||||
"axios": "^1.13.6",
|
||||
"class-variance-authority": "^0.7.1",
|
||||
"clsx": "^2.1.1",
|
||||
"i18next": "^25.8.18",
|
||||
"i18next": "^25.8.17",
|
||||
"i18next-browser-languagedetector": "^8.2.1",
|
||||
"i18next-resources-to-backend": "^1.2.1",
|
||||
"input-otp": "^1.4.2",
|
||||
@@ -32,7 +32,7 @@
|
||||
"react": "^19.2.4",
|
||||
"react-dom": "^19.2.4",
|
||||
"react-hook-form": "^7.71.2",
|
||||
"react-i18next": "^16.5.8",
|
||||
"react-i18next": "^16.5.6",
|
||||
"react-markdown": "^10.1.0",
|
||||
"react-router": "^7.13.1",
|
||||
"sonner": "^2.0.7",
|
||||
|
||||
@@ -58,8 +58,8 @@
|
||||
"invalidInput": "Saisie non valide",
|
||||
"domainWarningTitle": "Domaine invalide",
|
||||
"domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
|
||||
"domainWarningCurrent": "Actuellement :",
|
||||
"domainWarningExpected": "Attendu :",
|
||||
"domainWarningCurrent": "Current:",
|
||||
"domainWarningExpected": "Expected:",
|
||||
"ignoreTitle": "Ignorer",
|
||||
"goToCorrectDomainTitle": "Aller au bon domaine",
|
||||
"authorizeTitle": "Autoriser",
|
||||
|
||||
@@ -19,9 +19,9 @@ require (
|
||||
github.com/rs/zerolog v1.34.0
|
||||
github.com/traefik/paerser v0.2.2
|
||||
github.com/weppos/publicsuffix-go v0.50.3
|
||||
golang.org/x/crypto v0.49.0
|
||||
golang.org/x/crypto v0.48.0
|
||||
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
|
||||
golang.org/x/oauth2 v0.36.0
|
||||
golang.org/x/oauth2 v0.35.0
|
||||
gotest.tools/v3 v3.5.2
|
||||
modernc.org/sqlite v1.46.1
|
||||
)
|
||||
@@ -114,10 +114,10 @@ require (
|
||||
go.opentelemetry.io/otel/trace v1.37.0 // indirect
|
||||
golang.org/x/arch v0.22.0 // indirect
|
||||
golang.org/x/net v0.51.0 // indirect
|
||||
golang.org/x/sync v0.20.0 // indirect
|
||||
golang.org/x/sys v0.42.0 // indirect
|
||||
golang.org/x/term v0.41.0 // indirect
|
||||
golang.org/x/text v0.35.0 // indirect
|
||||
golang.org/x/sync v0.19.0 // indirect
|
||||
golang.org/x/sys v0.41.0 // indirect
|
||||
golang.org/x/term v0.40.0 // indirect
|
||||
golang.org/x/text v0.34.0 // indirect
|
||||
google.golang.org/protobuf v1.36.10 // indirect
|
||||
gopkg.in/yaml.v3 v3.0.1 // indirect
|
||||
modernc.org/libc v1.67.6 // indirect
|
||||
|
||||
@@ -309,25 +309,25 @@ golang.org/x/arch v0.22.0/go.mod h1:dNHoOeKiyja7GTvF9NJS1l3Z2yntpQNzgrjh1cU103A=
|
||||
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
|
||||
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
|
||||
golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
|
||||
golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
|
||||
golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
|
||||
golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
|
||||
golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
|
||||
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
|
||||
golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
|
||||
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
|
||||
golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
|
||||
golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
|
||||
golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
|
||||
golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
|
||||
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
|
||||
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
|
||||
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
|
||||
golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
|
||||
golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
|
||||
golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
|
||||
golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
|
||||
golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
|
||||
golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
|
||||
golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
|
||||
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
|
||||
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
|
||||
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||
golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
|
||||
golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
|
||||
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
|
||||
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
|
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
@@ -338,26 +338,26 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
|
||||
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
|
||||
golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
|
||||
golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
|
||||
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
|
||||
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
|
||||
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
|
||||
golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
|
||||
golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
|
||||
golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
|
||||
golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
|
||||
golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
|
||||
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
|
||||
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
|
||||
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
|
||||
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
|
||||
golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
|
||||
golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
|
||||
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
|
||||
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
|
||||
golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
|
||||
golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
|
||||
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
|
||||
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
|
||||
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
|
||||
golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
|
||||
golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
|
||||
golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
|
||||
golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
|
||||
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
|
||||
google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
|
||||
google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
|
||||
|
||||
@@ -1,16 +0,0 @@
|
||||
# Nginx configuration
|
||||
NGINX_VERSION=1.29
|
||||
|
||||
# Whoami configuration
|
||||
WHOAMI_VERSION=latest
|
||||
|
||||
# Traefik configuration
|
||||
TRAEFIK_VERSION=v3.6
|
||||
TINYAUTH_HOST=tinyauth.127.0.0.1.sslip.io
|
||||
WHOAMI_HOST=whoami.127.0.0.1.sslip.io
|
||||
|
||||
# Envoy configuration
|
||||
ENVOY_VERSION=v1.33-latest
|
||||
|
||||
# Tinyauth configuration
|
||||
TINYAUTH_VERSION=latest
|
||||
@@ -1,15 +0,0 @@
|
||||
appUrl: http://tinyauth.127.0.0.1.sslip.io
|
||||
|
||||
auth:
|
||||
users: test:$2a$10$eG88kFow83l5YRSlTSL2o.sZimjxFHrpiKdaSUZqpLBGX7Y2.4PZG
|
||||
|
||||
log:
|
||||
json: true
|
||||
level: trace
|
||||
|
||||
apps:
|
||||
whoami:
|
||||
config:
|
||||
domain: whoami.127.0.0.1.sslip.io
|
||||
path:
|
||||
allow: /allow
|
||||
@@ -1,16 +0,0 @@
|
||||
services:
|
||||
envoy:
|
||||
image: envoyproxy/envoy:${ENVOY_VERSION}
|
||||
ports:
|
||||
- 80:80
|
||||
volumes:
|
||||
- ./envoy.yml:/etc/envoy/envoy.yaml:ro
|
||||
|
||||
whoami:
|
||||
image: traefik/whoami:${WHOAMI_VERSION}
|
||||
|
||||
tinyauth:
|
||||
image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
|
||||
command: --experimental.configfile=/data/config.yml
|
||||
volumes:
|
||||
- ./config.yml:/data/config.yml:ro
|
||||
@@ -1,16 +0,0 @@
|
||||
services:
|
||||
nginx:
|
||||
image: nginx:${NGINX_VERSION}
|
||||
ports:
|
||||
- 80:80
|
||||
volumes:
|
||||
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
|
||||
|
||||
whoami:
|
||||
image: traefik/whoami:${WHOAMI_VERSION}
|
||||
|
||||
tinyauth:
|
||||
image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
|
||||
command: --experimental.configfile=/data/config.yml
|
||||
volumes:
|
||||
- ./config.yml:/data/config.yml:ro
|
||||
@@ -1,28 +0,0 @@
|
||||
services:
|
||||
traefik:
|
||||
image: traefik:${TRAEFIK_VERSION}
|
||||
command: |
|
||||
--api.insecure=true
|
||||
--providers.docker
|
||||
--entryPoints.web.address=:80
|
||||
ports:
|
||||
- 80:80
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
|
||||
whoami:
|
||||
image: traefik/whoami:${WHOAMI_VERSION}
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.whoami.rule: Host(`${WHOAMI_HOST}`)
|
||||
traefik.http.routers.whoami.middlewares: tinyauth
|
||||
|
||||
tinyauth:
|
||||
image: ghcr.io/steveiliop56/tinyauth:${TINYAUTH_VERSION}
|
||||
command: --experimental.configfile=/data/config.yml
|
||||
volumes:
|
||||
- ./config.yml:/data/config.yml:ro
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.routers.tinyauth.rule: Host(`${TINYAUTH_HOST}`)
|
||||
traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth:3000/api/auth/traefik
|
||||
@@ -1,105 +0,0 @@
|
||||
static_resources:
|
||||
listeners:
|
||||
- name: "listener_http"
|
||||
address:
|
||||
socket_address:
|
||||
address: "0.0.0.0"
|
||||
port_value: 80
|
||||
filter_chains:
|
||||
- filters:
|
||||
- name: "envoy.filters.network.http_connection_manager"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
|
||||
stat_prefix: "ingress_http"
|
||||
use_remote_address: true
|
||||
skip_xff_append: false
|
||||
route_config:
|
||||
name: "local_route"
|
||||
virtual_hosts:
|
||||
- name: "whoami_service"
|
||||
domains: ["whoami.127.0.0.1.sslip.io"]
|
||||
routes:
|
||||
- match:
|
||||
prefix: "/"
|
||||
route:
|
||||
cluster: "whoami"
|
||||
- name: "tinyauth_service"
|
||||
domains: ["tinyauth.127.0.0.1.sslip.io"]
|
||||
typed_per_filter_config:
|
||||
envoy.filters.http.ext_authz:
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
|
||||
disabled: true
|
||||
routes:
|
||||
- match:
|
||||
prefix: "/"
|
||||
route:
|
||||
cluster: "tinyauth"
|
||||
http_filters:
|
||||
- name: "envoy.filters.http.ext_authz"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz"
|
||||
transport_api_version: "v3"
|
||||
http_service:
|
||||
path_prefix: "/api/auth/envoy?path="
|
||||
server_uri:
|
||||
uri: "tinyauth:3000"
|
||||
cluster: "tinyauth"
|
||||
timeout: "0.25s"
|
||||
authorization_request:
|
||||
allowed_headers:
|
||||
patterns:
|
||||
- exact: "authorization"
|
||||
- exact: "accept"
|
||||
- exact: "cookie"
|
||||
headers_to_add:
|
||||
- key: "x-forwarded-proto"
|
||||
value: "%REQ(:SCHEME)%"
|
||||
- key: "x-forwarded-host"
|
||||
value: "%REQ(:AUTHORITY)%"
|
||||
- key: "x-forwarded-uri"
|
||||
value: "%REQ(:PATH)%"
|
||||
authorization_response:
|
||||
allowed_upstream_headers:
|
||||
patterns:
|
||||
- prefix: "remote-"
|
||||
allowed_client_headers:
|
||||
patterns:
|
||||
- exact: "set-cookie"
|
||||
- exact: "location"
|
||||
allowed_client_headers_on_success:
|
||||
patterns:
|
||||
- exact: "set-cookie"
|
||||
- exact: "location"
|
||||
failure_mode_allow: false
|
||||
- name: "envoy.filters.http.router"
|
||||
typed_config:
|
||||
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
|
||||
clusters:
|
||||
- name: "whoami"
|
||||
connect_timeout: "0.25s"
|
||||
type: "logical_dns"
|
||||
dns_lookup_family: "v4_only"
|
||||
lb_policy: "round_robin"
|
||||
load_assignment:
|
||||
cluster_name: "whoami"
|
||||
endpoints:
|
||||
- lb_endpoints:
|
||||
- endpoint:
|
||||
address:
|
||||
socket_address:
|
||||
address: "whoami"
|
||||
port_value: 80
|
||||
- name: "tinyauth"
|
||||
connect_timeout: "0.25s"
|
||||
type: "logical_dns"
|
||||
dns_lookup_family: "v4_only"
|
||||
lb_policy: "round_robin"
|
||||
load_assignment:
|
||||
cluster_name: "tinyauth"
|
||||
endpoints:
|
||||
- lb_endpoints:
|
||||
- endpoint:
|
||||
address:
|
||||
socket_address:
|
||||
address: "tinyauth"
|
||||
port_value: 3000
|
||||
@@ -1,62 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
)
|
||||
|
||||
func testUnauthorized(client *http.Client) error {
|
||||
req, err := http.NewRequest("GET", WhoamiURL, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
body, err := io.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// nginx and envoy will throw us at the frontend
|
||||
if resp.StatusCode != http.StatusUnauthorized && !strings.Contains(string(body), "<div id=\"root\"></div>") {
|
||||
return fmt.Errorf("expected status code %d or to to contain '<div id=\"root\"></div>', got %d", http.StatusUnauthorized, resp.StatusCode)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func testLoggedIn(client *http.Client) error {
|
||||
req, err := http.NewRequest("GET", WhoamiURL, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.SetBasicAuth(DefaultUsername, DefaultPassword)
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func testACLAllowed(client *http.Client) error {
|
||||
req, err := http.NewRequest("GET", WhoamiURL+"/allow", nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
resp, err := client.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
return fmt.Errorf("expected status code %d, got %d", http.StatusOK, resp.StatusCode)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
@@ -1,191 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"bufio"
|
||||
"context"
|
||||
"errors"
|
||||
"flag"
|
||||
"fmt"
|
||||
"log/slog"
|
||||
"net/http"
|
||||
"os"
|
||||
"os/exec"
|
||||
"path"
|
||||
"time"
|
||||
)
|
||||
|
||||
var ProxiesToTest = []string{"traefik", "nginx", "envoy"}
|
||||
|
||||
const (
|
||||
EnvFile = ".env"
|
||||
ConfigFile = "config.yml"
|
||||
)
|
||||
|
||||
const (
|
||||
TinyauthURL = "http://tinyauth.127.0.0.1.sslip.io"
|
||||
WhoamiURL = "http://whoami.127.0.0.1.sslip.io"
|
||||
)
|
||||
|
||||
const (
|
||||
DefaultUsername = "test"
|
||||
DefaultPassword = "password"
|
||||
)
|
||||
|
||||
func main() {
|
||||
logFlag := flag.Bool("log", false, "enable stack logging")
|
||||
flag.Parse()
|
||||
|
||||
rootFolder, err := os.Getwd()
|
||||
|
||||
if err != nil {
|
||||
slog.Error("fail", "error", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
slog.Info("root folder", "folder", rootFolder)
|
||||
|
||||
integrationRoot := rootFolder
|
||||
|
||||
if _, err := os.Stat(path.Join(rootFolder, ".git")); err != nil {
|
||||
if !errors.Is(err, os.ErrNotExist) {
|
||||
slog.Error("fail", "error", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
} else {
|
||||
integrationRoot = path.Join(rootFolder, "integration")
|
||||
}
|
||||
|
||||
slog.Info("integration root", "folder", integrationRoot)
|
||||
|
||||
for _, proxy := range ProxiesToTest {
|
||||
slog.Info("begin", "proxy", proxy)
|
||||
compose := fmt.Sprintf("docker-compose.%s.yml", proxy)
|
||||
if _, err := os.Stat(path.Join(integrationRoot, compose)); err != nil {
|
||||
slog.Error("fail", "proxy", proxy, "error", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
if err := createInstanceAndRunTests(compose, *logFlag, proxy, integrationRoot); err != nil {
|
||||
slog.Error("fail", "proxy", proxy, "error", err)
|
||||
os.Exit(1)
|
||||
}
|
||||
slog.Info("end", "proxy", proxy)
|
||||
}
|
||||
}
|
||||
|
||||
func runTests(client *http.Client, name string) error {
|
||||
if err := testUnauthorized(client); err != nil {
|
||||
slog.Error("fail unauthorized test", "name", name)
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Info("unauthorized test passed", "name", name)
|
||||
|
||||
if err := testLoggedIn(client); err != nil {
|
||||
slog.Error("fail logged in test", "name", name)
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Info("logged in test passed", "name", name)
|
||||
|
||||
if err := testACLAllowed(client); err != nil {
|
||||
slog.Error("fail acl test", "name", name)
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Info("acl test passed", "name", name)
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func createInstanceAndRunTests(compose string, log bool, name string, integrationDir string) error {
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
|
||||
composeFile := path.Join(integrationDir, compose)
|
||||
envFile := path.Join(integrationDir, EnvFile)
|
||||
cmdArgs := []string{"compose", "-f", composeFile, "--env-file", envFile, "up", "--build", "--force-recreate", "--remove-orphans"}
|
||||
cmd := exec.CommandContext(ctx, "docker", cmdArgs...)
|
||||
|
||||
if log {
|
||||
setupCmdLogging(cmd)
|
||||
}
|
||||
|
||||
if err := cmd.Start(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
defer func() {
|
||||
cmd.Process.Signal(os.Interrupt)
|
||||
cmd.Wait()
|
||||
}()
|
||||
|
||||
slog.Info("instance created", "name", name)
|
||||
|
||||
if err := waitForHealthy(); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Info("instance healthy", "name", name)
|
||||
|
||||
client := &http.Client{}
|
||||
|
||||
if err := runTests(client, name); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
slog.Info("tests passed", "name", name)
|
||||
|
||||
cmd.Process.Signal(os.Interrupt)
|
||||
|
||||
if err := cmd.Wait(); cmd.ProcessState.ExitCode() != 130 && err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func setupCmdLogging(cmd *exec.Cmd) {
|
||||
stdout, _ := cmd.StdoutPipe()
|
||||
stderr, _ := cmd.StderrPipe()
|
||||
|
||||
go func() {
|
||||
scanner := bufio.NewScanner(stdout)
|
||||
for scanner.Scan() {
|
||||
slog.Info("docker out", "stdout", scanner.Text())
|
||||
}
|
||||
}()
|
||||
|
||||
go func() {
|
||||
scanner := bufio.NewScanner(stderr)
|
||||
for scanner.Scan() {
|
||||
slog.Error("docker out", "stderr", scanner.Text())
|
||||
}
|
||||
}()
|
||||
}
|
||||
|
||||
func waitForHealthy() error {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
|
||||
defer cancel()
|
||||
|
||||
ticker := time.NewTicker(10 * time.Second)
|
||||
client := http.Client{}
|
||||
|
||||
for {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return errors.New("tinyauth not healthy after 5 minutes")
|
||||
case <-ticker.C:
|
||||
req, err := http.NewRequestWithContext(ctx, "GET", TinyauthURL+"/api/healthz", nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
res, err := client.Do(req)
|
||||
if err != nil {
|
||||
continue
|
||||
}
|
||||
if res.StatusCode == http.StatusOK {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,36 +0,0 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name tinyauth.127.0.0.1.sslip.io;
|
||||
|
||||
location / {
|
||||
proxy_pass http://tinyauth:3000;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name whoami.127.0.0.1.sslip.io;
|
||||
|
||||
location / {
|
||||
proxy_pass http://whoami;
|
||||
auth_request /tinyauth;
|
||||
error_page 401 = @tinyauth_login;
|
||||
}
|
||||
|
||||
location /tinyauth {
|
||||
internal;
|
||||
proxy_pass http://tinyauth:3000/api/auth/nginx;
|
||||
proxy_set_header x-original-url $scheme://$http_host$request_uri;
|
||||
proxy_set_header x-forwarded-proto $scheme;
|
||||
proxy_set_header x-forwarded-host $host;
|
||||
proxy_set_header x-forwarded-uri $request_uri;
|
||||
}
|
||||
|
||||
location @tinyauth_login {
|
||||
return 302 http://tinyauth.127.0.0.1.sslip.io/login?redirect_uri=$scheme://$http_host$request_uri;
|
||||
}
|
||||
}
|
||||
@@ -115,11 +115,6 @@ func (controller *OIDCController) Authorize(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
if !userContext.IsLoggedIn {
|
||||
controller.authorizeError(c, errors.New("err user not logged in"), "User not logged in", "The user is not logged in", "", "", "")
|
||||
return
|
||||
}
|
||||
|
||||
var req service.AuthorizeRequest
|
||||
|
||||
err = c.BindJSON(&req)
|
||||
@@ -270,7 +265,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
|
||||
|
||||
switch req.GrantType {
|
||||
case "authorization_code":
|
||||
entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code), client.ClientID)
|
||||
entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code))
|
||||
if err != nil {
|
||||
if errors.Is(err, service.ErrCodeNotFound) {
|
||||
tlog.App.Warn().Msg("Code not found")
|
||||
@@ -286,13 +281,6 @@ func (controller *OIDCController) Token(c *gin.Context) {
|
||||
})
|
||||
return
|
||||
}
|
||||
if errors.Is(err, service.ErrInvalidClient) {
|
||||
tlog.App.Warn().Msg("Invalid client ID")
|
||||
c.JSON(400, gin.H{
|
||||
"error": "invalid_client",
|
||||
})
|
||||
return
|
||||
}
|
||||
tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
|
||||
c.JSON(400, gin.H{
|
||||
"error": "server_error",
|
||||
|
||||
@@ -1,11 +1,9 @@
|
||||
package controller
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"slices"
|
||||
"strings"
|
||||
|
||||
"github.com/steveiliop56/tinyauth/internal/config"
|
||||
@@ -17,29 +15,12 @@ import (
|
||||
"github.com/google/go-querystring/query"
|
||||
)
|
||||
|
||||
type AuthModuleType int
|
||||
|
||||
const (
|
||||
AuthRequest AuthModuleType = iota
|
||||
ExtAuthz
|
||||
ForwardAuth
|
||||
)
|
||||
|
||||
var BrowserUserAgentRegex = regexp.MustCompile("Chrome|Gecko|AppleWebKit|Opera|Edge")
|
||||
var SupportedProxies = []string{"nginx", "traefik", "caddy", "envoy"}
|
||||
|
||||
type Proxy struct {
|
||||
Proxy string `uri:"proxy" binding:"required"`
|
||||
}
|
||||
|
||||
type ProxyContext struct {
|
||||
Host string
|
||||
Proto string
|
||||
Path string
|
||||
Method string
|
||||
Type AuthModuleType
|
||||
IsBrowser bool
|
||||
}
|
||||
|
||||
type ProxyControllerConfig struct {
|
||||
AppURL string
|
||||
}
|
||||
@@ -62,30 +43,63 @@ func NewProxyController(config ProxyControllerConfig, router *gin.RouterGroup, a
|
||||
|
||||
func (controller *ProxyController) SetupRoutes() {
|
||||
proxyGroup := controller.router.Group("/auth")
|
||||
// There is a later check to control allowed methods per proxy
|
||||
proxyGroup.Any("/:proxy", controller.proxyHandler)
|
||||
}
|
||||
|
||||
func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
// Load proxy context based on the request type
|
||||
proxyCtx, err := controller.getProxyContext(c)
|
||||
var req Proxy
|
||||
|
||||
err := c.BindUri(&req)
|
||||
if err != nil {
|
||||
tlog.App.Warn().Err(err).Msg("Failed to get proxy context")
|
||||
tlog.App.Error().Err(err).Msg("Failed to bind URI")
|
||||
c.JSON(400, gin.H{
|
||||
"status": 400,
|
||||
"message": "Bad request",
|
||||
"message": "Bad Request",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
tlog.App.Trace().Interface("ctx", proxyCtx).Msg("Got proxy context")
|
||||
if !slices.Contains(SupportedProxies, req.Proxy) {
|
||||
tlog.App.Warn().Str("proxy", req.Proxy).Msg("Invalid proxy")
|
||||
c.JSON(400, gin.H{
|
||||
"status": 400,
|
||||
"message": "Bad Request",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
// Only allow GET for non-envoy proxies.
|
||||
// Envoy uses the original client method for the external auth request
|
||||
// so we allow Any standard HTTP method for /api/auth/envoy
|
||||
if req.Proxy != "envoy" && c.Request.Method != http.MethodGet {
|
||||
tlog.App.Warn().Str("method", c.Request.Method).Msg("Invalid method for proxy")
|
||||
c.Header("Allow", "GET")
|
||||
c.JSON(405, gin.H{
|
||||
"status": 405,
|
||||
"message": "Method Not Allowed",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
isBrowser := strings.Contains(c.Request.Header.Get("Accept"), "text/html")
|
||||
|
||||
if isBrowser {
|
||||
tlog.App.Debug().Msg("Request identified as (most likely) coming from a browser")
|
||||
} else {
|
||||
tlog.App.Debug().Msg("Request identified as (most likely) coming from a non-browser client")
|
||||
}
|
||||
|
||||
uri := c.Request.Header.Get("X-Forwarded-Uri")
|
||||
proto := c.Request.Header.Get("X-Forwarded-Proto")
|
||||
host := c.Request.Header.Get("X-Forwarded-Host")
|
||||
|
||||
// Get acls
|
||||
acls, err := controller.acls.GetAccessControls(proxyCtx.Host)
|
||||
acls, err := controller.acls.GetAccessControls(host)
|
||||
|
||||
if err != nil {
|
||||
tlog.App.Error().Err(err).Msg("Failed to get access controls for resource")
|
||||
controller.handleError(c, proxyCtx)
|
||||
controller.handleError(c, req, isBrowser)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -102,11 +116,11 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
authEnabled, err := controller.auth.IsAuthEnabled(proxyCtx.Path, acls.Path)
|
||||
authEnabled, err := controller.auth.IsAuthEnabled(uri, acls.Path)
|
||||
|
||||
if err != nil {
|
||||
tlog.App.Error().Err(err).Msg("Failed to check if auth is enabled for resource")
|
||||
controller.handleError(c, proxyCtx)
|
||||
controller.handleError(c, req, isBrowser)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -121,7 +135,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
if !controller.auth.CheckIP(acls.IP, clientIP) {
|
||||
if !controller.useFriendlyError(proxyCtx) {
|
||||
if req.Proxy == "nginx" || !isBrowser {
|
||||
c.JSON(401, gin.H{
|
||||
"status": 401,
|
||||
"message": "Unauthorized",
|
||||
@@ -130,7 +144,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
queries, err := query.Values(config.UnauthorizedQuery{
|
||||
Resource: strings.Split(proxyCtx.Host, ".")[0],
|
||||
Resource: strings.Split(host, ".")[0],
|
||||
IP: clientIP,
|
||||
})
|
||||
|
||||
@@ -159,13 +173,18 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
|
||||
tlog.App.Trace().Interface("context", userContext).Msg("User context from request")
|
||||
|
||||
if userContext.IsBasicAuth && userContext.TotpEnabled {
|
||||
tlog.App.Debug().Msg("User has TOTP enabled, denying basic auth access")
|
||||
userContext.IsLoggedIn = false
|
||||
}
|
||||
|
||||
if userContext.IsLoggedIn {
|
||||
userAllowed := controller.auth.IsUserAllowed(c, userContext, acls)
|
||||
|
||||
if !userAllowed {
|
||||
tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User not allowed to access resource")
|
||||
tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User not allowed to access resource")
|
||||
|
||||
if !controller.useFriendlyError(proxyCtx) {
|
||||
if req.Proxy == "nginx" || !isBrowser {
|
||||
c.JSON(403, gin.H{
|
||||
"status": 403,
|
||||
"message": "Forbidden",
|
||||
@@ -174,7 +193,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
queries, err := query.Values(config.UnauthorizedQuery{
|
||||
Resource: strings.Split(proxyCtx.Host, ".")[0],
|
||||
Resource: strings.Split(host, ".")[0],
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
@@ -203,9 +222,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
if !groupOK {
|
||||
tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(proxyCtx.Host, ".")[0]).Msg("User groups do not match resource requirements")
|
||||
tlog.App.Warn().Str("user", userContext.Username).Str("resource", strings.Split(host, ".")[0]).Msg("User groups do not match resource requirements")
|
||||
|
||||
if !controller.useFriendlyError(proxyCtx) {
|
||||
if req.Proxy == "nginx" || !isBrowser {
|
||||
c.JSON(403, gin.H{
|
||||
"status": 403,
|
||||
"message": "Forbidden",
|
||||
@@ -214,7 +233,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
queries, err := query.Values(config.UnauthorizedQuery{
|
||||
Resource: strings.Split(proxyCtx.Host, ".")[0],
|
||||
Resource: strings.Split(host, ".")[0],
|
||||
GroupErr: true,
|
||||
})
|
||||
|
||||
@@ -256,7 +275,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
|
||||
if !controller.useFriendlyError(proxyCtx) {
|
||||
if req.Proxy == "nginx" || !isBrowser {
|
||||
c.JSON(401, gin.H{
|
||||
"status": 401,
|
||||
"message": "Unauthorized",
|
||||
@@ -265,7 +284,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
queries, err := query.Values(config.RedirectQuery{
|
||||
RedirectURI: fmt.Sprintf("%s://%s%s", proxyCtx.Proto, proxyCtx.Host, proxyCtx.Path),
|
||||
RedirectURI: fmt.Sprintf("%s://%s%s", proto, host, uri),
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
@@ -295,8 +314,8 @@ func (controller *ProxyController) setHeaders(c *gin.Context, acls config.App) {
|
||||
}
|
||||
}
|
||||
|
||||
func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyContext) {
|
||||
if !controller.useFriendlyError(proxyCtx) {
|
||||
func (controller *ProxyController) handleError(c *gin.Context, req Proxy, isBrowser bool) {
|
||||
if req.Proxy == "nginx" || !isBrowser {
|
||||
c.JSON(500, gin.H{
|
||||
"status": 500,
|
||||
"message": "Internal Server Error",
|
||||
@@ -306,196 +325,3 @@ func (controller *ProxyController) handleError(c *gin.Context, proxyCtx ProxyCon
|
||||
|
||||
c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
|
||||
}
|
||||
|
||||
func (controller *ProxyController) getHeader(c *gin.Context, header string) (string, bool) {
|
||||
val := c.Request.Header.Get(header)
|
||||
return val, strings.TrimSpace(val) != ""
|
||||
}
|
||||
|
||||
func (controller *ProxyController) useFriendlyError(proxyCtx ProxyContext) bool {
|
||||
return (proxyCtx.Type == ForwardAuth || proxyCtx.Type == ExtAuthz) && proxyCtx.IsBrowser
|
||||
}
|
||||
|
||||
// Code below is inspired from https://github.com/authelia/authelia/blob/master/internal/handlers/handler_authz.go
|
||||
// and thus it may be subject to Apache 2.0 License
|
||||
func (controller *ProxyController) getForwardAuthContext(c *gin.Context) (ProxyContext, error) {
|
||||
host, ok := controller.getHeader(c, "x-forwarded-host")
|
||||
|
||||
if !ok {
|
||||
return ProxyContext{}, errors.New("x-forwarded-host not found")
|
||||
}
|
||||
|
||||
uri, ok := controller.getHeader(c, "x-forwarded-uri")
|
||||
|
||||
if !ok {
|
||||
return ProxyContext{}, errors.New("x-forwarded-uri not found")
|
||||
}
|
||||
|
||||
proto, ok := controller.getHeader(c, "x-forwarded-proto")
|
||||
|
||||
if !ok {
|
||||
return ProxyContext{}, errors.New("x-forwarded-proto not found")
|
||||
}
|
||||
|
||||
// Normally we should only allow GET for forward auth but since it's a fallback
|
||||
// for envoy we should allow everything, not a big deal
|
||||
method := c.Request.Method
|
||||
|
||||
return ProxyContext{
|
||||
Host: host,
|
||||
Proto: proto,
|
||||
Path: uri,
|
||||
Method: method,
|
||||
Type: ForwardAuth,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (controller *ProxyController) getAuthRequestContext(c *gin.Context) (ProxyContext, error) {
|
||||
xOriginalUrl, ok := controller.getHeader(c, "x-original-url")
|
||||
|
||||
if !ok {
|
||||
return ProxyContext{}, errors.New("x-original-url not found")
|
||||
}
|
||||
|
||||
url, err := url.Parse(xOriginalUrl)
|
||||
|
||||
if err != nil {
|
||||
return ProxyContext{}, err
|
||||
}
|
||||
|
||||
host := url.Host
|
||||
|
||||
if strings.TrimSpace(host) == "" {
|
||||
return ProxyContext{}, errors.New("host not found")
|
||||
}
|
||||
|
||||
proto := url.Scheme
|
||||
|
||||
if strings.TrimSpace(proto) == "" {
|
||||
return ProxyContext{}, errors.New("proto not found")
|
||||
}
|
||||
|
||||
path := url.Path
|
||||
method := c.Request.Method
|
||||
|
||||
return ProxyContext{
|
||||
Host: host,
|
||||
Proto: proto,
|
||||
Path: path,
|
||||
Method: method,
|
||||
Type: AuthRequest,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (controller *ProxyController) getExtAuthzContext(c *gin.Context) (ProxyContext, error) {
|
||||
// We hope for the someone to set the x-forwarded-proto header
|
||||
proto, ok := controller.getHeader(c, "x-forwarded-proto")
|
||||
|
||||
if !ok {
|
||||
return ProxyContext{}, errors.New("x-forwarded-proto not found")
|
||||
}
|
||||
|
||||
// It sets the host to the original host, not the forwarded host
|
||||
host := c.Request.Host
|
||||
|
||||
if strings.TrimSpace(host) == "" {
|
||||
return ProxyContext{}, errors.New("host not found")
|
||||
}
|
||||
|
||||
// We get the path from the query string
|
||||
path := c.Query("path")
|
||||
|
||||
// For envoy we need to support every method
|
||||
method := c.Request.Method
|
||||
|
||||
return ProxyContext{
|
||||
Host: host,
|
||||
Proto: proto,
|
||||
Path: path,
|
||||
Method: method,
|
||||
Type: ExtAuthz,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (controller *ProxyController) determineAuthModules(proxy string) []AuthModuleType {
|
||||
switch proxy {
|
||||
case "traefik", "caddy":
|
||||
return []AuthModuleType{ForwardAuth}
|
||||
case "envoy":
|
||||
return []AuthModuleType{ExtAuthz, ForwardAuth}
|
||||
case "nginx":
|
||||
return []AuthModuleType{AuthRequest, ForwardAuth}
|
||||
default:
|
||||
return []AuthModuleType{}
|
||||
}
|
||||
}
|
||||
|
||||
func (controller *ProxyController) getContextFromAuthModule(c *gin.Context, module AuthModuleType) (ProxyContext, error) {
|
||||
switch module {
|
||||
case ForwardAuth:
|
||||
ctx, err := controller.getForwardAuthContext(c)
|
||||
if err != nil {
|
||||
return ProxyContext{}, err
|
||||
}
|
||||
return ctx, nil
|
||||
case ExtAuthz:
|
||||
ctx, err := controller.getExtAuthzContext(c)
|
||||
if err != nil {
|
||||
return ProxyContext{}, err
|
||||
}
|
||||
return ctx, nil
|
||||
case AuthRequest:
|
||||
ctx, err := controller.getAuthRequestContext(c)
|
||||
if err != nil {
|
||||
return ProxyContext{}, err
|
||||
}
|
||||
return ctx, nil
|
||||
}
|
||||
return ProxyContext{}, fmt.Errorf("unsupported auth module: %v", module)
|
||||
}
|
||||
|
||||
func (controller *ProxyController) getProxyContext(c *gin.Context) (ProxyContext, error) {
|
||||
var req Proxy
|
||||
|
||||
err := c.BindUri(&req)
|
||||
if err != nil {
|
||||
return ProxyContext{}, err
|
||||
}
|
||||
|
||||
tlog.App.Debug().Msgf("Proxy: %v", req.Proxy)
|
||||
|
||||
authModules := controller.determineAuthModules(req.Proxy)
|
||||
|
||||
if len(authModules) == 0 {
|
||||
return ProxyContext{}, fmt.Errorf("no auth modules supported for proxy: %v", req.Proxy)
|
||||
}
|
||||
|
||||
var ctx ProxyContext
|
||||
|
||||
for _, module := range authModules {
|
||||
tlog.App.Debug().Msgf("Trying auth module: %v", module)
|
||||
ctx, err = controller.getContextFromAuthModule(c, module)
|
||||
if err == nil {
|
||||
tlog.App.Debug().Msgf("Auth module %v succeeded", module)
|
||||
break
|
||||
}
|
||||
tlog.App.Debug().Err(err).Msgf("Auth module %v failed", module)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return ProxyContext{}, err
|
||||
}
|
||||
|
||||
// We don't care if the header is empty, we will just assume it's not a browser
|
||||
userAgent, _ := controller.getHeader(c, "user-agent")
|
||||
isBrowser := BrowserUserAgentRegex.MatchString(userAgent)
|
||||
|
||||
if isBrowser {
|
||||
tlog.App.Debug().Msg("Request identified as coming from a browser")
|
||||
} else {
|
||||
tlog.App.Debug().Msg("Request identified as coming from a non-browser client")
|
||||
}
|
||||
|
||||
ctx.IsBrowser = isBrowser
|
||||
return ctx, nil
|
||||
}
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
package controller_test
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
@@ -10,26 +9,21 @@ import (
|
||||
"github.com/steveiliop56/tinyauth/internal/controller"
|
||||
"github.com/steveiliop56/tinyauth/internal/repository"
|
||||
"github.com/steveiliop56/tinyauth/internal/service"
|
||||
"github.com/steveiliop56/tinyauth/internal/utils/tlog"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
"gotest.tools/v3/assert"
|
||||
)
|
||||
|
||||
var loggedInCtx = config.UserContext{
|
||||
Username: "test",
|
||||
Name: "Test",
|
||||
Email: "test@example.com",
|
||||
IsLoggedIn: true,
|
||||
Provider: "local",
|
||||
}
|
||||
func setupProxyController(t *testing.T, middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder, *service.AuthService) {
|
||||
tlog.NewSimpleLogger().Init()
|
||||
|
||||
func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
|
||||
// Setup
|
||||
gin.SetMode(gin.TestMode)
|
||||
router := gin.Default()
|
||||
|
||||
if len(middlewares) > 0 {
|
||||
for _, m := range middlewares {
|
||||
if middlewares != nil {
|
||||
for _, m := range *middlewares {
|
||||
router.Use(m)
|
||||
}
|
||||
}
|
||||
@@ -54,13 +48,7 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
|
||||
assert.NilError(t, dockerService.Init())
|
||||
|
||||
// Access controls
|
||||
accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{
|
||||
"whoami": {
|
||||
Path: config.AppPath{
|
||||
Allow: "/allow",
|
||||
},
|
||||
},
|
||||
})
|
||||
accessControlsService := service.NewAccessControlsService(dockerService, map[string]config.App{})
|
||||
|
||||
assert.NilError(t, accessControlsService.Init())
|
||||
|
||||
@@ -71,11 +59,6 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
|
||||
Username: "testuser",
|
||||
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.", // test
|
||||
},
|
||||
{
|
||||
Username: "totpuser",
|
||||
Password: "$2a$10$ne6z693sTgzT3ePoQ05PgOecUHnBjM7sSNj6M.l5CLUP.f6NyCnt.",
|
||||
TotpSecret: "foo",
|
||||
},
|
||||
},
|
||||
OauthWhitelist: []string{},
|
||||
SessionExpiry: 3600,
|
||||
@@ -89,214 +72,140 @@ func setupProxyController(t *testing.T, middlewares []gin.HandlerFunc) (*gin.Eng
|
||||
|
||||
// Controller
|
||||
ctrl := controller.NewProxyController(controller.ProxyControllerConfig{
|
||||
AppURL: "http://tinyauth.example.com",
|
||||
AppURL: "http://localhost:8080",
|
||||
}, group, accessControlsService, authService)
|
||||
ctrl.SetupRoutes()
|
||||
|
||||
return router, recorder
|
||||
return router, recorder, authService
|
||||
}
|
||||
|
||||
// TODO: Needs tests for context middleware
|
||||
|
||||
func TestProxyHandler(t *testing.T) {
|
||||
// Test logged out user traefik/caddy (forward_auth)
|
||||
router, recorder := setupProxyController(t, nil)
|
||||
// Setup
|
||||
router, recorder, authService := setupProxyController(t, nil)
|
||||
|
||||
// Test invalid proxy
|
||||
req := httptest.NewRequest("GET", "/api/auth/invalidproxy", nil)
|
||||
router.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, 400, recorder.Code)
|
||||
|
||||
// Test invalid method for non-envoy proxy
|
||||
recorder = httptest.NewRecorder()
|
||||
req = httptest.NewRequest("POST", "/api/auth/traefik", nil)
|
||||
router.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, 405, recorder.Code)
|
||||
assert.Equal(t, "GET", recorder.Header().Get("Allow"))
|
||||
|
||||
// Test logged out user (traefik/caddy)
|
||||
recorder = httptest.NewRecorder()
|
||||
req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
req.Header.Set("X-Forwarded-Proto", "https")
|
||||
req.Header.Set("X-Forwarded-Host", "example.com")
|
||||
req.Header.Set("X-Forwarded-Uri", "/somepath")
|
||||
req.Header.Set("Accept", "text/html")
|
||||
router.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, 307, recorder.Code)
|
||||
assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
|
||||
|
||||
// Test logged out user (envoy - POST method)
|
||||
recorder = httptest.NewRecorder()
|
||||
req = httptest.NewRequest("POST", "/api/auth/envoy", nil)
|
||||
req.Header.Set("X-Forwarded-Proto", "https")
|
||||
req.Header.Set("X-Forwarded-Host", "example.com")
|
||||
req.Header.Set("X-Forwarded-Uri", "/somepath")
|
||||
req.Header.Set("Accept", "text/html")
|
||||
router.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, 307, recorder.Code)
|
||||
assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
|
||||
|
||||
// Test logged out user (envoy - DELETE method)
|
||||
recorder = httptest.NewRecorder()
|
||||
req = httptest.NewRequest("DELETE", "/api/auth/envoy", nil)
|
||||
req.Header.Set("X-Forwarded-Proto", "https")
|
||||
req.Header.Set("X-Forwarded-Host", "example.com")
|
||||
req.Header.Set("X-Forwarded-Uri", "/somepath")
|
||||
req.Header.Set("Accept", "text/html")
|
||||
router.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, 307, recorder.Code)
|
||||
assert.Equal(t, "http://localhost:8080/login?redirect_uri=https%3A%2F%2Fexample.com%2Fsomepath", recorder.Header().Get("Location"))
|
||||
|
||||
// Test logged out user (nginx)
|
||||
recorder = httptest.NewRecorder()
|
||||
req = httptest.NewRequest("GET", "/api/auth/nginx", nil)
|
||||
router.ServeHTTP(recorder, req)
|
||||
|
||||
assert.Equal(t, 401, recorder.Code)
|
||||
|
||||
// Test logged in user
|
||||
c := gin.CreateTestContextOnly(recorder, router)
|
||||
|
||||
err := authService.CreateSessionCookie(c, &repository.Session{
|
||||
Username: "testuser",
|
||||
Name: "testuser",
|
||||
Email: "testuser@example.com",
|
||||
Provider: "local",
|
||||
TotpPending: false,
|
||||
OAuthGroups: "",
|
||||
})
|
||||
|
||||
req, err := http.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-forwarded-host", "whoami.example.com")
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
req.Header.Set("x-forwarded-uri", "/")
|
||||
cookie := c.Writer.Header().Get("Set-Cookie")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusUnauthorized)
|
||||
|
||||
// Test logged out user nginx (auth_request)
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-original-url", "http://whoami.example.com/")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusUnauthorized)
|
||||
|
||||
// Test logged out user envoy (ext_authz)
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Host = "whoami.example.com"
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusUnauthorized)
|
||||
|
||||
// Test logged in user traefik/caddy (forward_auth)
|
||||
router, recorder = setupProxyController(t, []gin.HandlerFunc{
|
||||
router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
|
||||
func(c *gin.Context) {
|
||||
c.Set("context", &loggedInCtx)
|
||||
c.Set("context", &config.UserContext{
|
||||
Username: "testuser",
|
||||
Name: "testuser",
|
||||
Email: "testuser@example.com",
|
||||
IsLoggedIn: true,
|
||||
OAuth: false,
|
||||
Provider: "local",
|
||||
TotpPending: false,
|
||||
OAuthGroups: "",
|
||||
TotpEnabled: false,
|
||||
})
|
||||
c.Next()
|
||||
},
|
||||
})
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-forwarded-host", "whoami.example.com")
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
req.Header.Set("x-forwarded-uri", "/")
|
||||
|
||||
req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
req.Header.Set("Cookie", cookie)
|
||||
req.Header.Set("Accept", "text/html")
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test logged in user nginx (auth_request)
|
||||
router, recorder = setupProxyController(t, []gin.HandlerFunc{
|
||||
assert.Equal(t, 200, recorder.Code)
|
||||
|
||||
assert.Equal(t, "testuser", recorder.Header().Get("Remote-User"))
|
||||
assert.Equal(t, "testuser", recorder.Header().Get("Remote-Name"))
|
||||
assert.Equal(t, "testuser@example.com", recorder.Header().Get("Remote-Email"))
|
||||
|
||||
// Ensure basic auth is disabled for TOTP enabled users
|
||||
router, recorder, _ = setupProxyController(t, &[]gin.HandlerFunc{
|
||||
func(c *gin.Context) {
|
||||
c.Set("context", &loggedInCtx)
|
||||
c.Set("context", &config.UserContext{
|
||||
Username: "testuser",
|
||||
Name: "testuser",
|
||||
Email: "testuser@example.com",
|
||||
IsLoggedIn: true,
|
||||
IsBasicAuth: true,
|
||||
OAuth: false,
|
||||
Provider: "local",
|
||||
TotpPending: false,
|
||||
OAuthGroups: "",
|
||||
TotpEnabled: true,
|
||||
})
|
||||
c.Next()
|
||||
},
|
||||
})
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-original-url", "http://whoami.example.com/")
|
||||
|
||||
req = httptest.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
req.SetBasicAuth("testuser", "test")
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test logged in user envoy (ext_authz)
|
||||
router, recorder = setupProxyController(t, []gin.HandlerFunc{
|
||||
func(c *gin.Context) {
|
||||
c.Set("context", &loggedInCtx)
|
||||
c.Next()
|
||||
},
|
||||
})
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/envoy?path=/", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Host = "whoami.example.com"
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test ACL allow caddy/traefik (forward_auth)
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-forwarded-host", "whoami.example.com")
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
req.Header.Set("x-forwarded-uri", "/allow")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test ACL allow nginx
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-original-url", "http://whoami.example.com/allow")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test ACL allow envoy
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/envoy?path=/allow", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Host = "whoami.example.com"
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test traefik/caddy (forward_auth) without required headers
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/traefik", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusBadRequest)
|
||||
|
||||
// Test nginx (forward_auth) without required headers
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusBadRequest)
|
||||
|
||||
// Test envoy (forward_auth) without required headers
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusBadRequest)
|
||||
|
||||
// Test nginx (auth_request) with forward_auth fallback with ACLs
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/nginx", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-forwarded-host", "whoami.example.com")
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
req.Header.Set("x-forwarded-uri", "/allow")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test envoy (ext_authz) with forward_auth fallback with ACLs
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-forwarded-host", "whoami.example.com")
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
req.Header.Set("x-forwarded-uri", "/allow")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
|
||||
// Test envoy (ext_authz) with empty path
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/envoy", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Host = "whoami.example.com"
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusUnauthorized)
|
||||
|
||||
// Ensure forward_auth fallback works with path (should ignore)
|
||||
router, recorder = setupProxyController(t, nil)
|
||||
|
||||
req, err = http.NewRequest("GET", "/api/auth/traefik?path=/allow", nil)
|
||||
assert.NilError(t, err)
|
||||
|
||||
req.Header.Set("x-forwarded-proto", "http")
|
||||
req.Header.Set("x-forwarded-host", "whoami.example.com")
|
||||
req.Header.Set("x-forwarded-uri", "/allow")
|
||||
|
||||
router.ServeHTTP(recorder, req)
|
||||
assert.Equal(t, recorder.Code, http.StatusOK)
|
||||
assert.Equal(t, 401, recorder.Code)
|
||||
}
|
||||
|
||||
@@ -182,17 +182,13 @@ func (m *ContextMiddleware) Middleware() gin.HandlerFunc {
|
||||
|
||||
user := m.auth.GetLocalUser(basic.Username)
|
||||
|
||||
if user.TotpSecret != "" {
|
||||
tlog.App.Debug().Msg("User with TOTP not allowed to login via basic auth")
|
||||
return
|
||||
}
|
||||
|
||||
c.Set("context", &config.UserContext{
|
||||
Username: user.Username,
|
||||
Name: utils.Capitalize(user.Username),
|
||||
Email: utils.CompileUserEmail(user.Username, m.config.CookieDomain),
|
||||
Provider: "local",
|
||||
IsLoggedIn: true,
|
||||
TotpEnabled: user.TotpSecret != "",
|
||||
IsBasicAuth: true,
|
||||
})
|
||||
c.Next()
|
||||
|
||||
@@ -352,7 +352,7 @@ func (service *OIDCService) ValidateGrantType(grantType string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, clientId string) (repository.OidcCode, error) {
|
||||
func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string) (repository.OidcCode, error) {
|
||||
oidcCode, err := service.queries.GetOidcCode(c, codeHash)
|
||||
|
||||
if err != nil {
|
||||
@@ -374,10 +374,6 @@ func (service *OIDCService) GetCodeEntry(c *gin.Context, codeHash string, client
|
||||
return repository.OidcCode{}, ErrCodeExpired
|
||||
}
|
||||
|
||||
if oidcCode.ClientID != clientId {
|
||||
return repository.OidcCode{}, ErrInvalidClient
|
||||
}
|
||||
|
||||
return oidcCode, nil
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user