mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-12-20 21:01:17 +00:00
Add basic auth to simple provider
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
daa85d5016
commit
068ede3748
2 changed files with 34 additions and 8 deletions
|
@ -88,6 +88,8 @@ The simple auth provider consists of a static mapping between users and password
|
||||||
```yaml
|
```yaml
|
||||||
providers:
|
providers:
|
||||||
simple:
|
simple:
|
||||||
|
enable_basic_auth: false
|
||||||
|
|
||||||
# Unique username mapped to bcrypt hashed password
|
# Unique username mapped to bcrypt hashed password
|
||||||
users:
|
users:
|
||||||
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
|
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
|
||||||
|
@ -101,6 +103,8 @@ providers:
|
||||||
|
|
||||||
You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported.
|
You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported.
|
||||||
|
|
||||||
|
If `enable_basic_auth` is set to `true` the credentials can also be submitted through basic auth. This is useful for services whose clients does not support other types of authentication.
|
||||||
|
|
||||||
### Provider configuration: Token Auth (`token`)
|
### Provider configuration: Token Auth (`token`)
|
||||||
|
|
||||||
The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form.
|
The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form.
|
||||||
|
|
|
@ -14,8 +14,9 @@ func init() {
|
||||||
}
|
}
|
||||||
|
|
||||||
type authSimple struct {
|
type authSimple struct {
|
||||||
Users map[string]string `yaml:"users"`
|
EnableBasicAuth bool `yaml:"enable_basic_auth"`
|
||||||
Groups map[string][]string `yaml:"groups"`
|
Users map[string]string `yaml:"users"`
|
||||||
|
Groups map[string][]string `yaml:"groups"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthenticatorID needs to return an unique string to identify
|
// AuthenticatorID needs to return an unique string to identify
|
||||||
|
@ -41,6 +42,7 @@ func (a *authSimple) Configure(yamlSource []byte) error {
|
||||||
return errAuthenticatorUnconfigured
|
return errAuthenticatorUnconfigured
|
||||||
}
|
}
|
||||||
|
|
||||||
|
a.EnableBasicAuth = envelope.Providers.Simple.EnableBasicAuth
|
||||||
a.Users = envelope.Providers.Simple.Users
|
a.Users = envelope.Providers.Simple.Users
|
||||||
a.Groups = envelope.Providers.Simple.Groups
|
a.Groups = envelope.Providers.Simple.Groups
|
||||||
|
|
||||||
|
@ -52,14 +54,34 @@ func (a *authSimple) Configure(yamlSource []byte) error {
|
||||||
// If no user was detected the errNoValidUserFound needs to be
|
// If no user was detected the errNoValidUserFound needs to be
|
||||||
// returned
|
// returned
|
||||||
func (a authSimple) DetectUser(r *http.Request) (string, []string, error) {
|
func (a authSimple) DetectUser(r *http.Request) (string, []string, error) {
|
||||||
sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
|
var user string
|
||||||
if err != nil {
|
|
||||||
return "", nil, errNoValidUserFound
|
if a.EnableBasicAuth {
|
||||||
|
if basicUser, basicPass, ok := r.BasicAuth(); ok {
|
||||||
|
for u, p := range a.Users {
|
||||||
|
if u != basicUser {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
if bcrypt.CompareHashAndPassword([]byte(p), []byte(basicPass)) != nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
user = basicUser
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
user, ok := sess.Values["user"].(string)
|
if user == "" {
|
||||||
if !ok {
|
sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
|
||||||
return "", nil, errNoValidUserFound
|
if err != nil {
|
||||||
|
return "", nil, errNoValidUserFound
|
||||||
|
}
|
||||||
|
|
||||||
|
var ok bool
|
||||||
|
user, ok = sess.Values["user"].(string)
|
||||||
|
if !ok {
|
||||||
|
return "", nil, errNoValidUserFound
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
groups := []string{}
|
groups := []string{}
|
||||||
|
|
Loading…
Reference in a new issue