1
0
Fork 0
mirror of https://github.com/Luzifer/nginx-sso.git synced 2024-12-20 12:51:17 +00:00

Add basic auth to simple provider

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-01-28 19:32:39 +01:00
parent daa85d5016
commit 068ede3748
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
2 changed files with 34 additions and 8 deletions

View file

@ -88,6 +88,8 @@ The simple auth provider consists of a static mapping between users and password
```yaml
providers:
simple:
enable_basic_auth: false
# Unique username mapped to bcrypt hashed password
users:
luzifer: "$2a$10$FSGAF8qDWX52aBID8.WpxOyCvfSQ3JIUVFiwyd1jolb4jM3BzJmNu"
@ -101,6 +103,8 @@ providers:
You can see how to configure the provider the example above: No surprises, just ensure you are using bcrypt hashes for the passwords, no other hash functions are supported.
If `enable_basic_auth` is set to `true` the credentials can also be submitted through basic auth. This is useful for services whose clients does not support other types of authentication.
### Provider configuration: Token Auth (`token`)
The token auth provider is intended to give machines access to endpoints. Users will not be able to "login" using tokens when they see the login form.

View file

@ -14,6 +14,7 @@ func init() {
}
type authSimple struct {
EnableBasicAuth bool `yaml:"enable_basic_auth"`
Users map[string]string `yaml:"users"`
Groups map[string][]string `yaml:"groups"`
}
@ -41,6 +42,7 @@ func (a *authSimple) Configure(yamlSource []byte) error {
return errAuthenticatorUnconfigured
}
a.EnableBasicAuth = envelope.Providers.Simple.EnableBasicAuth
a.Users = envelope.Providers.Simple.Users
a.Groups = envelope.Providers.Simple.Groups
@ -52,15 +54,35 @@ func (a *authSimple) Configure(yamlSource []byte) error {
// If no user was detected the errNoValidUserFound needs to be
// returned
func (a authSimple) DetectUser(r *http.Request) (string, []string, error) {
var user string
if a.EnableBasicAuth {
if basicUser, basicPass, ok := r.BasicAuth(); ok {
for u, p := range a.Users {
if u != basicUser {
continue
}
if bcrypt.CompareHashAndPassword([]byte(p), []byte(basicPass)) != nil {
continue
}
user = basicUser
}
}
}
if user == "" {
sess, err := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
if err != nil {
return "", nil, errNoValidUserFound
}
user, ok := sess.Values["user"].(string)
var ok bool
user, ok = sess.Values["user"].(string)
if !ok {
return "", nil, errNoValidUserFound
}
}
groups := []string{}
for group, users := range a.Groups {