1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-12-20 21:01:17 +00:00

Add basic auth to simple provider

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-01-28 19:32:39 +01:00
parent daa85d5016
commit 068ede3748
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
2 changed files with 34 additions and 8 deletions

View file

@ -88,6 +88,8 @@ The simple auth provider consists of a static mapping between users and password
```yaml ```yaml
providers: providers:
simple: simple:
enable_basic_auth: false
# Unique username mapped to bcrypt hashed password # Unique username mapped to bcrypt hashed password
users: users:
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu" luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
@ -101,6 +103,8 @@ providers:
You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported. You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported.
If `enable_basic_auth` is set to `true` the credentials can also be submitted through basic auth. This is useful for services whose clients does not support other types of authentication.
### Provider configuration: Token Auth (`token`) ### Provider configuration: Token Auth (`token`)
The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form. The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form.

View file

@ -14,8 +14,9 @@ func init() {
} }
type authSimple struct { type authSimple struct {
Users map[string]string `yaml:"users"` EnableBasicAuth bool `yaml:"enable_basic_auth"`
Groups map[string][]string `yaml:"groups"` Users map[string]string `yaml:"users"`
Groups map[string][]string `yaml:"groups"`
} }
// AuthenticatorID needs to return an unique string to identify // AuthenticatorID needs to return an unique string to identify
@ -41,6 +42,7 @@ func (a *authSimple) Configure(yamlSource []byte) error {
return errAuthenticatorUnconfigured return errAuthenticatorUnconfigured
} }
a.EnableBasicAuth = envelope.Providers.Simple.EnableBasicAuth
a.Users = envelope.Providers.Simple.Users a.Users = envelope.Providers.Simple.Users
a.Groups = envelope.Providers.Simple.Groups a.Groups = envelope.Providers.Simple.Groups
@ -52,14 +54,34 @@ func (a *authSimple) Configure(yamlSource []byte) error {
// If no user was detected the errNoValidUserFound needs to be // If no user was detected the errNoValidUserFound needs to be
// returned // returned
func (a authSimple) DetectUser(r *http.Request) (string, []string, error) { func (a authSimple) DetectUser(r *http.Request) (string, []string, error) {
sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) var user string
if err != nil {
return "", nil, errNoValidUserFound if a.EnableBasicAuth {
if basicUser, basicPass, ok := r.BasicAuth(); ok {
for u, p := range a.Users {
if u != basicUser {
continue
}
if bcrypt.CompareHashAndPassword([]byte(p), []byte(basicPass)) != nil {
continue
}
user = basicUser
}
}
} }
user, ok := sess.Values["user"].(string) if user == "" {
if !ok { sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
return "", nil, errNoValidUserFound if err != nil {
return "", nil, errNoValidUserFound
}
var ok bool
user, ok = sess.Values["user"].(string)
if !ok {
return "", nil, errNoValidUserFound
}
} }
groups := []string{} groups := []string{}