dockerfile: enable cross build

feat: add group-based access control
2024-05-02 03:01:26 +02:00 · 2024-05-02 02:53:00 +02:00
5 changed files with 51 additions and 22 deletions
--- a/4
+++ b/4
@ -31,7 +31,7 @@ RUN go mod download
 RUN go mod verify

 # Build the binary.
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
+RUN CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth

 # Runner
 FROM scratch
@ -55,7 +55,7 @@ ARG VCS_REF
 # Good docker practice
 LABEL org.opencontainers.image.created=$BUILD_DATE \
      org.opencontainers.image.authors="StiviiK" \
-      org.opencontainers.image.source="https://github.com/StiviiK/oidc-forward-auth.git" \
+      org.opencontainers.image.source="https://code.thetadev.de/ThetaDev/oidc-forward-auth" \
      org.opencontainers.image.revision=$VCS_REF

 ENTRYPOINT ["/go/bin/oidc-forward-auth"]
--- a/pkg/forwardauth/forwardauth.go
+++ b/pkg/forwardauth/forwardauth.go
@ -7,6 +7,7 @@ package forwardauth
 import (
 	"context"
 	"fmt"
+	"strings"

 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
@ -28,14 +29,15 @@ type Claims struct {
 	IssuedAt   utils.Time `json:"iat"`
 	Expiration utils.Time `json:"exp"`

-	Name             string `json:"name"`
-	GivenName        string `json:"given_name"`
-	FamilyName       string `json:"family_name"`
-	Email            string `json:"email"`
-	VerifiedMail     bool   `json:"email_verified"`
-	Picture          string `json:"picture"`
-	Locale           string `json:"locale"`
-	PreferedUsername string `json:"preferred_username"`
+	Name             string   `json:"name"`
+	GivenName        string   `json:"given_name"`
+	FamilyName       string   `json:"family_name"`
+	Email            string   `json:"email"`
+	VerifiedMail     bool     `json:"email_verified"`
+	Picture          string   `json:"picture"`
+	Locale           string   `json:"locale"`
+	PreferedUsername string   `json:"preferred_username"`
+	Groups           []string `json:"groups"`
 }

 // Create creates a new fw auth client from our options
@ -49,6 +51,9 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 		ClientID: options.ClientID,
 	})

+	scopes := []string{oidc.ScopeOpenID, "profile", "email"}
+	scopes = append(scopes, strings.Split(options.Scopes, " ")...)
+
 	return &ForwardAuth{
 		OidcProvider: provider,
 		OAuth2Config: oauth2.Config{
@ -60,7 +65,7 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 			Endpoint: provider.Endpoint(),

 			// "openid" is a required scope for OpenID Connect flows.
-			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+			Scopes: scopes,
 		},
 		OidcVefifier: verifier,
 	}, nil
--- a/pkg/httphandler/handler.go
+++ b/pkg/httphandler/handler.go
@ -27,18 +27,22 @@ func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler
 func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
-		switch {
-		case err != nil:
+		host := r.Header.Get("X-Forwarded-Host")
+
+		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
-
-		case uri.Path == h.options.RedirectURL:
-			h.callbackHandler(w, r, uri)
-			return
-
-		default:
-			h.rootHandler(w, r, uri)
-			return
 		}
+
+		if host == h.options.AuthDomain {
+			// Handles OIDC callback
+			if uri.Path == h.options.RedirectURL {
+				h.callbackHandler(w, r, uri)
+				return
+			}
+		}
+
+		// Handles forward auth
+		h.rootHandler(w, r, uri, r.URL)
 	}
 }
--- a/pkg/httphandler/root.go
+++ b/pkg/httphandler/root.go
@ -5,6 +5,7 @@ This code is licensed under MIT license (see LICENSE for details)
 package httphandler

 import (
+	"fmt"
 	"net/http"
 	"net/url"

@ -13,7 +14,7 @@ import (
 )

 // RootHandler returns a handler function which handles all requests to the root
-func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
+func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
 	logger := logrus.WithFields(logrus.Fields{
 		"SourceIP":      r.Header.Get("X-Forwarded-For"),
 		"RequestTarget": root.forwardAuth.GetReturnUri(r),
@ -34,6 +35,24 @@ func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, for
 		return
 	}

+	// Check group
+	group := queryURI.Query().Get("group")
+	if len(group) > 0 {
+		if !contains(claims.Groups, group) {
+			logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
+			http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
+		}
+	}
+
 	w.Header().Set("X-Forwarded-User", claims.Email)
 	w.WriteHeader(200)
 }
+
+func contains(s []string, e string) bool {
+	for _, a := range s {
+		if a == e {
+			return true
+		}
+	}
+	return false
+}
--- a/pkg/options/options.go
+++ b/pkg/options/options.go
@ -18,6 +18,7 @@ type Options struct {
 	CookieDomain string `env:"COOKIE_DOMAIN"`
 	Port         int    `env:"PORT" envDefault:"4181"`
 	RedirectURL  string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
+	Scopes       string `env:"SCOPES"`
 }

 // LoadOptions parses the environment vars and the options
Author	SHA1	Message	Date
ThetaDev	0c133ff09d	dockerfile: enable cross build	2024-05-02 03:01:26 +02:00
ThetaDev	e164030119	feat: add group-based access control	2024-05-02 02:53:00 +02:00