Compare commits

..

2 commits

Author SHA1 Message Date
0c133ff09d
dockerfile: enable cross build 2024-05-02 03:01:26 +02:00
e164030119
feat: add group-based access control 2024-05-02 02:53:00 +02:00
5 changed files with 51 additions and 22 deletions

View file

@ -31,7 +31,7 @@ RUN go mod download
RUN go mod verify RUN go mod verify
# Build the binary. # Build the binary.
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth RUN CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
# Runner # Runner
FROM scratch FROM scratch
@ -55,7 +55,7 @@ ARG VCS_REF
# Good docker practice # Good docker practice
LABEL org.opencontainers.image.created=$BUILD_DATE \ LABEL org.opencontainers.image.created=$BUILD_DATE \
org.opencontainers.image.authors="StiviiK" \ org.opencontainers.image.authors="StiviiK" \
org.opencontainers.image.source="https://github.com/StiviiK/oidc-forward-auth.git" \ org.opencontainers.image.source="https://code.thetadev.de/ThetaDev/oidc-forward-auth" \
org.opencontainers.image.revision=$VCS_REF org.opencontainers.image.revision=$VCS_REF
ENTRYPOINT ["/go/bin/oidc-forward-auth"] ENTRYPOINT ["/go/bin/oidc-forward-auth"]

View file

@ -7,6 +7,7 @@ package forwardauth
import ( import (
"context" "context"
"fmt" "fmt"
"strings"
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options" "github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils" "github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
@ -36,6 +37,7 @@ type Claims struct {
Picture string `json:"picture"` Picture string `json:"picture"`
Locale string `json:"locale"` Locale string `json:"locale"`
PreferedUsername string `json:"preferred_username"` PreferedUsername string `json:"preferred_username"`
Groups []string `json:"groups"`
} }
// Create creates a new fw auth client from our options // Create creates a new fw auth client from our options
@ -49,6 +51,9 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
ClientID: options.ClientID, ClientID: options.ClientID,
}) })
scopes := []string{oidc.ScopeOpenID, "profile", "email"}
scopes = append(scopes, strings.Split(options.Scopes, " ")...)
return &ForwardAuth{ return &ForwardAuth{
OidcProvider: provider, OidcProvider: provider,
OAuth2Config: oauth2.Config{ OAuth2Config: oauth2.Config{
@ -60,7 +65,7 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
Endpoint: provider.Endpoint(), Endpoint: provider.Endpoint(),
// "openid" is a required scope for OpenID Connect flows. // "openid" is a required scope for OpenID Connect flows.
Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, Scopes: scopes,
}, },
OidcVefifier: verifier, OidcVefifier: verifier,
}, nil }, nil

View file

@ -27,18 +27,22 @@ func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler
func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) { func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri")) uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
switch { host := r.Header.Get("X-Forwarded-Host")
case err != nil:
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
return return
}
case uri.Path == h.options.RedirectURL: if host == h.options.AuthDomain {
// Handles OIDC callback
if uri.Path == h.options.RedirectURL {
h.callbackHandler(w, r, uri) h.callbackHandler(w, r, uri)
return return
default:
h.rootHandler(w, r, uri)
return
} }
} }
// Handles forward auth
h.rootHandler(w, r, uri, r.URL)
}
} }

View file

@ -5,6 +5,7 @@ This code is licensed under MIT license (see LICENSE for details)
package httphandler package httphandler
import ( import (
"fmt"
"net/http" "net/http"
"net/url" "net/url"
@ -13,7 +14,7 @@ import (
) )
// RootHandler returns a handler function which handles all requests to the root // RootHandler returns a handler function which handles all requests to the root
func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) { func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
logger := logrus.WithFields(logrus.Fields{ logger := logrus.WithFields(logrus.Fields{
"SourceIP": r.Header.Get("X-Forwarded-For"), "SourceIP": r.Header.Get("X-Forwarded-For"),
"RequestTarget": root.forwardAuth.GetReturnUri(r), "RequestTarget": root.forwardAuth.GetReturnUri(r),
@ -34,6 +35,24 @@ func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, for
return return
} }
// Check group
group := queryURI.Query().Get("group")
if len(group) > 0 {
if !contains(claims.Groups, group) {
logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
}
}
w.Header().Set("X-Forwarded-User", claims.Email) w.Header().Set("X-Forwarded-User", claims.Email)
w.WriteHeader(200) w.WriteHeader(200)
} }
func contains(s []string, e string) bool {
for _, a := range s {
if a == e {
return true
}
}
return false
}

View file

@ -18,6 +18,7 @@ type Options struct {
CookieDomain string `env:"COOKIE_DOMAIN"` CookieDomain string `env:"COOKIE_DOMAIN"`
Port int `env:"PORT" envDefault:"4181"` Port int `env:"PORT" envDefault:"4181"`
RedirectURL string `env:"REDIRECT_URL" envDefault:"/auth/resp"` RedirectURL string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
Scopes string `env:"SCOPES"`
} }
// LoadOptions parses the environment vars and the options // LoadOptions parses the environment vars and the options