-
-
Notifications
You must be signed in to change notification settings - Fork 385
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(server): role based authentication system (#2434)
- Parse toml configuration file, see https://github.com/qdm12/gluetun-wiki/blob/main/setup/advanced/control-server.md#authentication - Retro-compatible with existing AND documented routes, until after v3.41 release - Log a warning if an unprotected-by-default route is accessed unprotected - Authentication methods: none, apikey, basic - `genkey` command to generate API keys Co-authored-by: Joe Jose <[email protected]>
- Loading branch information
Showing
25 changed files
with
920 additions
and
10 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
package cli | ||
|
||
import ( | ||
"crypto/rand" | ||
"flag" | ||
"fmt" | ||
) | ||
|
||
func (c *CLI) GenKey(args []string) (err error) { | ||
flagSet := flag.NewFlagSet("genkey", flag.ExitOnError) | ||
err = flagSet.Parse(args) | ||
if err != nil { | ||
return fmt.Errorf("parsing flags: %w", err) | ||
} | ||
|
||
const keyLength = 128 / 8 | ||
keyBytes := make([]byte, keyLength) | ||
|
||
_, _ = rand.Read(keyBytes) | ||
|
||
key := base58Encode(keyBytes) | ||
fmt.Println(key) | ||
|
||
return nil | ||
} | ||
|
||
func base58Encode(data []byte) string { | ||
const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" | ||
const radix = 58 | ||
|
||
zcount := 0 | ||
for zcount < len(data) && data[zcount] == 0 { | ||
zcount++ | ||
} | ||
|
||
// integer simplification of ceil(log(256)/log(58)) | ||
ceilLog256Div58 := (len(data)-zcount)*555/406 + 1 //nolint:gomnd | ||
size := zcount + ceilLog256Div58 | ||
|
||
output := make([]byte, size) | ||
|
||
high := size - 1 | ||
for _, b := range data { | ||
i := size - 1 | ||
for carry := uint32(b); i > high || carry != 0; i-- { | ||
carry += 256 * uint32(output[i]) //nolint:gomnd | ||
output[i] = byte(carry % radix) | ||
carry /= radix | ||
} | ||
high = i | ||
} | ||
|
||
// Determine the additional "zero-gap" in the output buffer | ||
additionalZeroGapEnd := zcount | ||
for additionalZeroGapEnd < size && output[additionalZeroGapEnd] == 0 { | ||
additionalZeroGapEnd++ | ||
} | ||
|
||
val := output[additionalZeroGapEnd-zcount:] | ||
size = len(val) | ||
for i := range val { | ||
output[i] = alphabet[val[i]] | ||
} | ||
|
||
return string(output[:size]) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
package auth | ||
|
||
import ( | ||
"crypto/sha256" | ||
"crypto/subtle" | ||
"net/http" | ||
) | ||
|
||
type apiKeyMethod struct { | ||
apiKeyDigest [32]byte | ||
} | ||
|
||
func newAPIKeyMethod(apiKey string) *apiKeyMethod { | ||
return &apiKeyMethod{ | ||
apiKeyDigest: sha256.Sum256([]byte(apiKey)), | ||
} | ||
} | ||
|
||
// equal returns true if another auth checker is equal. | ||
// This is used to deduplicate checkers for a particular route. | ||
func (a *apiKeyMethod) equal(other authorizationChecker) bool { | ||
otherTokenMethod, ok := other.(*apiKeyMethod) | ||
if !ok { | ||
return false | ||
} | ||
return a.apiKeyDigest == otherTokenMethod.apiKeyDigest | ||
} | ||
|
||
func (a *apiKeyMethod) isAuthorized(_ http.Header, request *http.Request) bool { | ||
xAPIKey := request.Header.Get("X-API-Key") | ||
if xAPIKey == "" { | ||
xAPIKey = request.URL.Query().Get("api_key") | ||
} | ||
xAPIKeyDigest := sha256.Sum256([]byte(xAPIKey)) | ||
return subtle.ConstantTimeCompare(xAPIKeyDigest[:], a.apiKeyDigest[:]) == 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
package auth | ||
|
||
import ( | ||
"crypto/sha256" | ||
"crypto/subtle" | ||
"net/http" | ||
) | ||
|
||
type basicAuthMethod struct { | ||
authDigest [32]byte | ||
} | ||
|
||
func newBasicAuthMethod(username, password string) *basicAuthMethod { | ||
return &basicAuthMethod{ | ||
authDigest: sha256.Sum256([]byte(username + password)), | ||
} | ||
} | ||
|
||
// equal returns true if another auth checker is equal. | ||
// This is used to deduplicate checkers for a particular route. | ||
func (a *basicAuthMethod) equal(other authorizationChecker) bool { | ||
otherBasicMethod, ok := other.(*basicAuthMethod) | ||
if !ok { | ||
return false | ||
} | ||
return a.authDigest == otherBasicMethod.authDigest | ||
} | ||
|
||
func (a *basicAuthMethod) isAuthorized(headers http.Header, request *http.Request) bool { | ||
username, password, ok := request.BasicAuth() | ||
if !ok { | ||
headers.Set("WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`) | ||
return false | ||
} | ||
requestAuthDigest := sha256.Sum256([]byte(username + password)) | ||
return subtle.ConstantTimeCompare(a.authDigest[:], requestAuthDigest[:]) == 1 | ||
} |
Oops, something went wrong.