mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2025-10-28 12:45:47 +00:00
c10bff55de
* fix: encrypt the cookie in sessions * tests: use new auth config in tests * fix: coderabbit suggestions
441 lines
11 KiB
Go
441 lines
11 KiB
Go
package utils
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"errors"
|
|
"io"
|
|
"net"
|
|
"net/url"
|
|
"os"
|
|
"regexp"
|
|
"strings"
|
|
"tinyauth/internal/types"
|
|
|
|
"github.com/traefik/paerser/parser"
|
|
"golang.org/x/crypto/hkdf"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/rs/zerolog/log"
|
|
)
|
|
|
|
// Parses a list of comma separated users in a struct
|
|
func ParseUsers(users string) (types.Users, error) {
|
|
log.Debug().Msg("Parsing users")
|
|
|
|
// Create a new users struct
|
|
var usersParsed types.Users
|
|
|
|
// Split the users by comma
|
|
userList := strings.Split(users, ",")
|
|
|
|
// Check if there are any users
|
|
if len(userList) == 0 {
|
|
return types.Users{}, errors.New("invalid user format")
|
|
}
|
|
|
|
// Loop through the users and split them by colon
|
|
for _, user := range userList {
|
|
parsed, err := ParseUser(user)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
return types.Users{}, err
|
|
}
|
|
|
|
// Append the user to the users struct
|
|
usersParsed = append(usersParsed, parsed)
|
|
}
|
|
|
|
log.Debug().Msg("Parsed users")
|
|
|
|
// Return the users struct
|
|
return usersParsed, nil
|
|
}
|
|
|
|
// Get upper domain parses a hostname and returns the upper domain (e.g. sub1.sub2.domain.com -> sub2.domain.com)
|
|
func GetUpperDomain(urlSrc string) (string, error) {
|
|
// Make sure the url is valid
|
|
urlParsed, err := url.Parse(urlSrc)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Split the hostname by period
|
|
urlSplitted := strings.Split(urlParsed.Hostname(), ".")
|
|
|
|
// Get the last part of the url
|
|
urlFinal := strings.Join(urlSplitted[1:], ".")
|
|
|
|
// Return the root domain
|
|
return urlFinal, nil
|
|
}
|
|
|
|
// Reads a file and returns the contents
|
|
func ReadFile(file string) (string, error) {
|
|
// Check if the file exists
|
|
_, err := os.Stat(file)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Read the file
|
|
data, err := os.ReadFile(file)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Return the file contents
|
|
return string(data), nil
|
|
}
|
|
|
|
// Parses a file into a comma separated list of users
|
|
func ParseFileToLine(content string) string {
|
|
// Split the content by newline
|
|
lines := strings.Split(content, "\n")
|
|
|
|
// Create a list of users
|
|
users := make([]string, 0)
|
|
|
|
// Loop through the lines, trimming the whitespace and appending to the users list
|
|
for _, line := range lines {
|
|
if strings.TrimSpace(line) == "" {
|
|
continue
|
|
}
|
|
|
|
users = append(users, strings.TrimSpace(line))
|
|
}
|
|
|
|
// Return the users as a comma separated string
|
|
return strings.Join(users, ",")
|
|
}
|
|
|
|
// Get the secret from the config or file
|
|
func GetSecret(conf string, file string) string {
|
|
// If neither the config or file is set, return an empty string
|
|
if conf == "" && file == "" {
|
|
return ""
|
|
}
|
|
|
|
// If the config is set, return the config (environment variable)
|
|
if conf != "" {
|
|
return conf
|
|
}
|
|
|
|
// If the file is set, read the file
|
|
contents, err := ReadFile(file)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
return ""
|
|
}
|
|
|
|
// Return the contents of the file
|
|
return ParseSecretFile(contents)
|
|
}
|
|
|
|
// Get the users from the config or file
|
|
func GetUsers(conf string, file string) (types.Users, error) {
|
|
// Create a string to store the users
|
|
var users string
|
|
|
|
// If neither the config or file is set, return an empty users struct
|
|
if conf == "" && file == "" {
|
|
return types.Users{}, nil
|
|
}
|
|
|
|
// If the config (environment) is set, append the users to the users string
|
|
if conf != "" {
|
|
log.Debug().Msg("Using users from config")
|
|
users += conf
|
|
}
|
|
|
|
// If the file is set, read the file and append the users to the users string
|
|
if file != "" {
|
|
// Read the file
|
|
contents, err := ReadFile(file)
|
|
|
|
// If there isn't an error we can append the users to the users string
|
|
if err == nil {
|
|
log.Debug().Msg("Using users from file")
|
|
|
|
// Append the users to the users string
|
|
if users != "" {
|
|
users += ","
|
|
}
|
|
|
|
// Parse the file contents into a comma separated list of users
|
|
users += ParseFileToLine(contents)
|
|
}
|
|
}
|
|
|
|
// Return the parsed users
|
|
return ParseUsers(users)
|
|
}
|
|
|
|
// Parse the headers in a map[string]string format
|
|
func ParseHeaders(headers []string) map[string]string {
|
|
// Create a map to store the headers
|
|
headerMap := make(map[string]string)
|
|
|
|
// Loop through the headers
|
|
for _, header := range headers {
|
|
split := strings.SplitN(header, "=", 2)
|
|
if len(split) != 2 {
|
|
log.Warn().Str("header", header).Msg("Invalid header format, skipping")
|
|
continue
|
|
}
|
|
key := SanitizeHeader(strings.TrimSpace(split[0]))
|
|
value := SanitizeHeader(strings.TrimSpace(split[1]))
|
|
headerMap[key] = value
|
|
}
|
|
|
|
// Return the header map
|
|
return headerMap
|
|
}
|
|
|
|
// Get labels parses a map of labels into a struct with only the needed labels
|
|
func GetLabels(labels map[string]string) (types.Labels, error) {
|
|
// Create a new labels struct
|
|
var labelsParsed types.Labels
|
|
|
|
// Decode the labels into the labels struct
|
|
err := parser.Decode(labels, &labelsParsed, "tinyauth", "tinyauth.users", "tinyauth.allowed", "tinyauth.headers", "tinyauth.domain", "tinyauth.basic", "tinyauth.oauth", "tinyauth.ip")
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Error parsing labels")
|
|
return types.Labels{}, err
|
|
}
|
|
|
|
// Return the labels struct
|
|
return labelsParsed, nil
|
|
}
|
|
|
|
// Check if any of the OAuth providers are configured based on the client id and secret
|
|
func OAuthConfigured(config types.Config) bool {
|
|
return (config.GithubClientId != "" && config.GithubClientSecret != "") || (config.GoogleClientId != "" && config.GoogleClientSecret != "") || (config.GenericClientId != "" && config.GenericClientSecret != "")
|
|
}
|
|
|
|
// Filter helper function
|
|
func Filter[T any](slice []T, test func(T) bool) (res []T) {
|
|
for _, value := range slice {
|
|
if test(value) {
|
|
res = append(res, value)
|
|
}
|
|
}
|
|
return res
|
|
}
|
|
|
|
// Parse user
|
|
func ParseUser(user string) (types.User, error) {
|
|
// Check if the user is escaped
|
|
if strings.Contains(user, "$$") {
|
|
user = strings.ReplaceAll(user, "$$", "$")
|
|
}
|
|
|
|
// Split the user by colon
|
|
userSplit := strings.Split(user, ":")
|
|
|
|
// Check if the user is in the correct format
|
|
if len(userSplit) < 2 || len(userSplit) > 3 {
|
|
return types.User{}, errors.New("invalid user format")
|
|
}
|
|
|
|
// Check for empty strings
|
|
for _, userPart := range userSplit {
|
|
if strings.TrimSpace(userPart) == "" {
|
|
return types.User{}, errors.New("invalid user format")
|
|
}
|
|
}
|
|
|
|
// Check if the user has a totp secret
|
|
if len(userSplit) == 2 {
|
|
return types.User{
|
|
Username: strings.TrimSpace(userSplit[0]),
|
|
Password: strings.TrimSpace(userSplit[1]),
|
|
}, nil
|
|
}
|
|
|
|
// Return the user struct
|
|
return types.User{
|
|
Username: strings.TrimSpace(userSplit[0]),
|
|
Password: strings.TrimSpace(userSplit[1]),
|
|
TotpSecret: strings.TrimSpace(userSplit[2]),
|
|
}, nil
|
|
}
|
|
|
|
// Parse secret file
|
|
func ParseSecretFile(contents string) string {
|
|
// Split to lines
|
|
lines := strings.Split(contents, "\n")
|
|
|
|
// Loop through the lines
|
|
for _, line := range lines {
|
|
// Check if the line is empty
|
|
if strings.TrimSpace(line) == "" {
|
|
continue
|
|
}
|
|
|
|
// Return the line
|
|
return strings.TrimSpace(line)
|
|
}
|
|
|
|
// Return an empty string
|
|
return ""
|
|
}
|
|
|
|
// Check if a string matches a regex or a whitelist
|
|
func CheckWhitelist(whitelist string, str string) bool {
|
|
// Check if the whitelist is empty
|
|
if len(strings.TrimSpace(whitelist)) == 0 {
|
|
return true
|
|
}
|
|
|
|
// Check if the whitelist is a regex
|
|
if strings.HasPrefix(whitelist, "/") && strings.HasSuffix(whitelist, "/") {
|
|
// Create regex
|
|
re, err := regexp.Compile(whitelist[1 : len(whitelist)-1])
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
log.Error().Err(err).Msg("Error compiling regex")
|
|
return false
|
|
}
|
|
|
|
// Check if the string matches the regex
|
|
if re.MatchString(str) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
// Split the whitelist by comma
|
|
whitelistSplit := strings.Split(whitelist, ",")
|
|
|
|
// Loop through the whitelist
|
|
for _, item := range whitelistSplit {
|
|
// Check if the item matches with the string
|
|
if strings.TrimSpace(item) == str {
|
|
return true
|
|
}
|
|
}
|
|
|
|
// Return false if no match was found
|
|
return false
|
|
}
|
|
|
|
// Capitalize just the first letter of a string
|
|
func Capitalize(str string) string {
|
|
if len(str) == 0 {
|
|
return ""
|
|
}
|
|
return strings.ToUpper(string([]rune(str)[0])) + string([]rune(str)[1:])
|
|
}
|
|
|
|
// Sanitize header removes all control characters from a string
|
|
func SanitizeHeader(header string) string {
|
|
return strings.Map(func(r rune) rune {
|
|
// Allow only printable ASCII characters (32-126) and safe whitespace (space, tab)
|
|
if r == ' ' || r == '\t' || (r >= 32 && r <= 126) {
|
|
return r
|
|
}
|
|
return -1
|
|
}, header)
|
|
}
|
|
|
|
// Generate a static identifier from a string
|
|
func GenerateIdentifier(str string) string {
|
|
// Create a new UUID
|
|
uuid := uuid.NewSHA1(uuid.NameSpaceURL, []byte(str))
|
|
|
|
// Convert the UUID to a string
|
|
uuidString := uuid.String()
|
|
|
|
// Show the UUID
|
|
log.Debug().Str("uuid", uuidString).Msg("Generated UUID")
|
|
|
|
// Convert the UUID to a string
|
|
return strings.Split(uuidString, "-")[0]
|
|
}
|
|
|
|
// Get a basic auth header from a username and password
|
|
func GetBasicAuth(username string, password string) string {
|
|
// Create the auth string
|
|
auth := username + ":" + password
|
|
|
|
// Encode the auth string to base64
|
|
return base64.StdEncoding.EncodeToString([]byte(auth))
|
|
}
|
|
|
|
// Check if an IP is contained in a CIDR range/matches a single IP
|
|
func FilterIP(filter string, ip string) (bool, error) {
|
|
// Convert the check IP to an IP instance
|
|
ipAddr := net.ParseIP(ip)
|
|
|
|
// Check if the filter is a CIDR range
|
|
if strings.Contains(filter, "/") {
|
|
// Parse the CIDR range
|
|
_, cidr, err := net.ParseCIDR(filter)
|
|
|
|
// Check if there was an error
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
|
|
// Check if the IP is in the CIDR range
|
|
return cidr.Contains(ipAddr), nil
|
|
}
|
|
|
|
// Parse the filter as a single IP
|
|
ipFilter := net.ParseIP(filter)
|
|
|
|
// Check if the IP is valid
|
|
if ipFilter == nil {
|
|
return false, errors.New("invalid IP address in filter")
|
|
}
|
|
|
|
// Check if the IP matches the filter
|
|
if ipFilter.Equal(ipAddr) {
|
|
return true, nil
|
|
}
|
|
|
|
// If the filter is not a CIDR range or a single IP, return false
|
|
return false, nil
|
|
}
|
|
|
|
func DeriveKey(secret string, info string) (string, error) {
|
|
// Create hashing function
|
|
hash := sha256.New
|
|
|
|
// Create a new key using the secret and info
|
|
hkdf := hkdf.New(hash, []byte(secret), nil, []byte(info)) // I am not using a salt because I just want two different keys from one secret, maybe bad practice
|
|
|
|
// Create a new key
|
|
key := make([]byte, 24)
|
|
|
|
// Read the key from the HKDF
|
|
_, err := io.ReadFull(hkdf, key)
|
|
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
// Verify the key is not empty
|
|
if bytes.Equal(key, make([]byte, 24)) {
|
|
return "", errors.New("derived key is empty")
|
|
}
|
|
|
|
// Encode the key to base64
|
|
encodedKey := base64.StdEncoding.EncodeToString(key)
|
|
|
|
// Return the key as a base64 encoded string
|
|
return encodedKey, nil
|
|
}
|