Rewriting the universe

Author: freman

.github/workflows/main.yml

@@ -0,0 +1,54 @@
+on: [push, pull_request]
+name: testify
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+        - uses: actions/checkout@v2
+        - name: golangci-lint
+          uses: golangci/golangci-lint-action@v1
+          with:
+            # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
+            version: v1.26
+            args: -E bodyclose,misspell,gocyclo,dupl,gofmt,golint,unconvert,goimports,depguard,gocritic,funlen,interfacer
+  test:
+    strategy:
+      matrix:
+        go-version: [1.14.x]
+        platform: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.platform }}
+    steps:
+    - name: Install Go
+      if: success()
+      uses: actions/setup-go@v1
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v1
+    - name: Run tests
+      run: go test -v -covermode=count 
+
+#   coverage:
+#     runs-on: ubuntu-latest
+#     steps:
+#     - name: Install Go
+#       if: success()
+#       uses: actions/setup-go@v1
+#       with:
+#         go-version: 1.14.x
+#     - name: Checkout code
+#       uses: actions/checkout@v1
+#     - name: Calc coverage 
+#       run: |
+#         export PATH=$PATH:$(go env GOPATH)/bin   
+#         go test -v -covermode=count -coverprofile=coverage.out
+#     - name: Convert coverage to lcov
+#       uses: jandelgado/gcov2lcov-action@v1.0.0
+#       with:
+#           infile: coverage.out
+#           outfile: coverage.lcov
+#     - name: Coveralls
+#       uses: coverallsapp/github-action@v1.0.1
+#       with:
+#           github-token: ${{ secrets.github_token }}
+#           path-to-lcov: coverage.lcov

.gitignore

@@ -0,0 +1,22 @@
+vendor/**
+bin/**
+.coverage/**
+.doc/**
+*TODO*
+123*
+
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (remove the comment below to include it)
+# vendor/

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Shannon Wynter
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,13 @@
+# caddy-auth-forms
+
+<a href="https://github.com/freman/caddy2-reauth/actions/" target="_blank">![testify](https://github.com/freman/caddy2-reauth/workflows/testify/badge.svg?branch=master)</a>
+<a href="https://pkg.go.dev/github.com/freman/caddy2-reauth" target="_blank"><img src="https://img.shields.io/badge/godoc-reference-blue.svg"></a>
+<a href="https://caddy.community" target="_blank"><img src="https://img.shields.io/badge/community-forum-ff69b4.svg"></a>
+
+Another authentication plugin for [Caddy v2](https://github.com/caddyserver/caddy).
+
+## TODO
+
+* Tests
+* Examples
+* Readme

assets/conf/Caddyfile.json

@@ -0,0 +1,85 @@
+{
+    "logging": {
+        "logs": {
+            "default": {
+                "level": "DEBUG"
+            }
+        }
+    },
+    "apps": {
+        "http": {
+            "http_port": 9080,
+            "servers": {
+                "srv0": {
+                    "listen": [
+                        ":9080"
+                    ],
+                    "routes": [
+                        {
+                            "match": [
+                                {
+                                    "path": [
+                                        "/"
+                                    ]
+                                }
+                            ],
+                            "handle": [
+                                {
+                                    "handler": "static_response",
+                                    "status_code": 200,
+                                    "body": "hello world"
+                                }
+                            ],
+                            "terminal": true
+                        },
+                        {
+                            "handle": [
+                                {
+                                    "handler": "authentication",
+                                    "providers": {
+                                        "reauth": {
+                                            "backends": [
+                                                {
+                                                    "type": "simple",
+                                                    "credentials": {
+                                                        "username": "password"
+                                                    }
+                                                }
+                                            ],
+                                            "failure": {
+                                                "mode": "status",
+                                                "code": 403
+                                            }
+                                        }
+                                    }
+                                },
+                                {
+                                    "handler": "static_response",
+                                    "status_code": 200,
+                                    "body": "tell no-one"
+                                }
+                            ],
+                            "match": [
+                                {
+                                    "path": [
+                                        "/secret"
+                                    ]
+                                }
+                            ],
+                            "terminal": true
+                        }
+                    ],
+                    "tls_connection_policies": [
+                        {
+                            "certificate_selection": {
+                                "any_tag": [
+                                    "cert0"
+                                ]
+                            }
+                        }
+                    ]
+                }
+            }
+        }
+    }
+}

backend.go

@@ -0,0 +1,75 @@
+package reauth
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/freman/caddy2-reauth/backends"
+	"github.com/freman/caddy2-reauth/backends/gitlabci"
+	"github.com/freman/caddy2-reauth/backends/ldap"
+	"github.com/freman/caddy2-reauth/backends/simple"
+	"github.com/freman/caddy2-reauth/backends/upstream"
+)
+
+// Backend is an authentication backend.
+type Backend struct {
+	Type   string `json:"type,omitempty"`
+	driver backends.Driver
+}
+
+// Authenticate performs authentication with an authentication provider.
+func (b *Backend) Authenticate(r *http.Request) (string, error) {
+	return b.driver.Authenticate(r)
+}
+
+// Validate checks whether an authentication provider is functional.
+func (b *Backend) Validate() error {
+	return b.driver.Validate()
+}
+
+// MarshalJSON packs configuration info JSON byte array
+func (b Backend) MarshalJSON() ([]byte, error) {
+	return json.Marshal(b.driver)
+}
+
+// UnmarshalJSON unpacks configuration into appropriate structures.
+func (b *Backend) UnmarshalJSON(data []byte) error {
+	if len(data) < 10 {
+		return fmt.Errorf("invalid configuration: %s", data)
+	}
+
+	type undecorated Backend
+	var backend undecorated
+
+	if err := json.Unmarshal(data, &backend); err != nil {
+		return fmt.Errorf("invalid reauth configuration, error: %s, config: %s", err, data)
+	}
+
+	var driver backends.Driver
+	switch backend.Type {
+	case gitlabci.BackendName:
+		driver = gitlabci.NewDriver()
+	case ldap.BackendName:
+		driver = ldap.NewDriver()
+	case simple.BackendName:
+		driver = simple.NewDriver()
+	case upstream.BackendName:
+		driver = upstream.NewDriver()
+	default:
+		return fmt.Errorf("invalid reauth configuration, error: unknown backend %q, config: %s", backend.Type, data)
+	}
+
+	if err := json.Unmarshal(data, driver); err != nil {
+		return fmt.Errorf("invalid reauth:%s configuration, error: %s, config:%s", backend.Type, err, data)
+	}
+
+	if err := driver.Validate(); err != nil {
+		return fmt.Errorf("invalid reauth:%s configuration, error: %s, config: %s", backend.Type, err, data)
+	}
+
+	b.Type = backend.Type
+	b.driver = driver
+
+	return nil
+}

backends/driver.go

@@ -0,0 +1,11 @@
+package backends
+
+import (
+	"net/http"
+)
+
+// Driver is an interface to an authentication provider.
+type Driver interface {
+	Authenticate(r *http.Request) (string, error)
+	Validate() error
+}

backends/gitlabci/auth.go

@@ -0,0 +1,134 @@
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2017 Shannon Wynter
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package gitlabci
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/freman/caddy2-reauth/backends"
+	"github.com/freman/caddy2-reauth/jsontypes"
+)
+
+// Interface guard
+var _ backends.Driver = (*GitlabCI)(nil)
+
+// BackendName name
+const BackendName = "gitlabci"
+
+const defaultTimeout = time.Minute
+const defaultUsername = "gitlab-ci-token"
+
+// GitlabCI backend provides authentication against gitlab paths, primarily to make
+// it easier to dynamically authenticate the gitlab-ci against gitlab permitting
+// testing access to otherwise private resources without storing credentials in
+// gitlab or gitlab-ci.yml
+//
+// Authenticating against this backend should be done with the project path as
+// the username and the token as the password.
+//
+// Example: docker login docker.example.com -u "$CI_PROJECT_PATH" -p "$CI_BUILD_TOKEN"
+type GitlabCI struct {
+	URL                *jsontypes.URL     `json:"url,omitempty"`
+	Timeout            jsontypes.Duration `json:"timeout,omitempty"`
+	Username           string             `json:"username,omitempty"`
+	InsecureSkipVerify bool               `json:"insecure_skip_verify,omitempty"`
+}
+
+// NewDriver returns a GitlabCI instance with some defaults
+func NewDriver() *GitlabCI {
+	return &GitlabCI{
+		Timeout:  jsontypes.Duration{Duration: defaultTimeout},
+		Username: defaultUsername,
+	}
+}
+
+// Validate that this module is ready to go
+func (h GitlabCI) Validate() error {
+	if h.Username == "" {
+		return errors.New("username is a required option")
+	}
+
+	if h.Timeout.Duration <= 0 {
+		return errors.New("timeout must be greater than 0")
+	}
+
+	if h.URL == nil {
+		return errors.New("url to auth against is a required parameter")
+	}
+
+	return nil
+}
+
+func noRedirectsPolicy(req *http.Request, via []*http.Request) error {
+	return errors.New("follow redirects disabled")
+}
+
+// Authenticate fulfils the backend interface
+func (h GitlabCI) Authenticate(r *http.Request) (string, error) {
+	un, pw, k := r.BasicAuth()
+	if !k {
+		return "", nil
+	}
+
+	repo, err := h.URL.Parse(un + ".git/info/refs?service=git-upload-pack")
+	if err != nil {
+		return "", fmt.Errorf("unable to parse repo path: %v", err)
+	}
+
+	c := &http.Client{
+		Timeout:       h.Timeout.Duration,
+		CheckRedirect: noRedirectsPolicy,
+	}
+
+	if repo.Scheme == "https" && h.InsecureSkipVerify {
+		c.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+	}
+
+	req, err := http.NewRequest("GET", repo.String(), nil)
+	if err != nil {
+		return "", err
+	}
+
+	req.SetBasicAuth(h.Username, pw)
+
+	resp, err := c.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return "", fmt.Errorf("unexpected status code from gitlabci: %d (%s)", resp.StatusCode, resp.Status)
+	}
+
+	return un, nil
+}

backends/ldap/auth.go

@@ -0,0 +1,233 @@
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2018 Tamás Gulácsi
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package ldap
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/freman/caddy2-reauth/backends"
+	"github.com/freman/caddy2-reauth/jsontypes"
+
+	ldp "github.com/go-ldap/ldap/v3"
+)
+
+// Interface guard
+var _ backends.Driver = (*LDAP)(nil)
+
+// BackendName name
+const BackendName = "ldap"
+
+const defaultPoolSize = 10
+const defaultTimeout = time.Minute
+const defaultFilter = "(&(objectClass=user)(sAMAccountName=%s))"
+
+// LDAP backend provides authentication against LDAP paths, for example for Microsoft AD.
+type LDAP struct {
+	URL                *jsontypes.URL     `json:"url,omitempty"`
+	BaseDN             string             `json:"base_dn,omitempty"`
+	FilterDN           string             `json:"filter_dn,omitempty"`
+	PrincipalSuffix    string             `json:"principal_suffix,omitempty"`
+	BindDN             string             `json:"bind_dn,omitempty"`
+	BindPassword       string             `json:"bind_password,omitempty"`
+	TLS                bool               `json:"tls,omitempty"`
+	InsecureSkipVerify bool               `json:"insecure_skip_verify,omitempty"`
+	Timeout            jsontypes.Duration `json:"timeout,omitempty"`
+	ConnectionPoolSize int                `json:"connection_pool_size,omitempty"`
+
+	pool chan ldp.Client
+}
+
+// NewDriver returns a LDAP instance with some defaults
+func NewDriver() *LDAP {
+	return &LDAP{
+		Timeout:            jsontypes.Duration{Duration: defaultTimeout},
+		ConnectionPoolSize: defaultPoolSize,
+		FilterDN:           defaultFilter,
+	}
+}
+
+// Validate that this module is ready to go
+func (h *LDAP) Validate() error {
+	var missing []string
+	if h.URL == nil {
+		missing = append(missing, "URL")
+	}
+
+	if h.BindDN == "" {
+		missing = append(missing, "BindDN")
+	}
+
+	if h.BindPassword == "" {
+		missing = append(missing, "BindPassword")
+	}
+
+	if h.BaseDN == "" {
+		missing = append(missing, "BaseDN")
+	}
+
+	if n := len(missing); n > 0 {
+		var s string
+		if n > 1 {
+			s = "s"
+		}
+		return errors.New("missing the following required parameter" + s + ": " + strings.Join(missing, ", "))
+	}
+
+	if h.Timeout.Duration <= 0 {
+		return errors.New("timeout must be greater than 0")
+	}
+
+	if h.ConnectionPoolSize <= 0 {
+		return errors.New("connection pool size must be greater than 0")
+	}
+
+	h.pool = make(chan ldp.Client, h.ConnectionPoolSize)
+
+	c, err := h.getConnection()
+	if err != nil {
+		return err
+	}
+	h.stashConnection(c)
+
+	return nil
+}
+
+// Authenticate fulfils the backend interface
+func (h *LDAP) Authenticate(r *http.Request) (string, error) {
+	un, pw, k := r.BasicAuth()
+	if !k {
+		return "", nil
+	}
+
+	c, err := h.getConnection()
+	if err != nil {
+		return "", err
+	}
+	defer h.stashConnection(c)
+
+	// Search for the given username
+	searchRequest := ldp.NewSearchRequest(
+		h.BaseDN,
+		ldp.ScopeWholeSubtree, ldp.NeverDerefAliases, 0, int(h.Timeout.Duration/time.Second), false,
+		fmt.Sprintf(h.FilterDN, un+h.PrincipalSuffix),
+		[]string{"dn"},
+		nil,
+	)
+
+	sr, err := c.Search(searchRequest)
+	if err != nil {
+		return "", fmt.Errorf("search under %q for %q: %v", h.BaseDN, fmt.Sprintf(h.FilterDN, un+h.PrincipalSuffix), err)
+	}
+
+	if len(sr.Entries) == 0 {
+		return "", nil
+	}
+
+	if len(sr.Entries) > 1 {
+		return "", errors.New("too many entries returned")
+	}
+
+	userDN := sr.Entries[0].DN
+
+	// Bind as the user to verify their password
+	err = c.Bind(userDN, pw)
+	if err != nil {
+		if ldp.IsErrorWithCode(err, ldp.LDAPResultInvalidCredentials) {
+			return "", nil
+		}
+		return "", fmt.Errorf("bind with %q: %v", userDN, err)
+	}
+
+	return userDN, nil
+}
+
+func (h *LDAP) getConnection() (ldp.Client, error) {
+	var c ldp.Client
+	select {
+	case c = <-h.pool:
+		if err := c.Bind(h.BindDN, h.BindPassword); err == nil {
+			return c, nil
+		}
+		c.Close()
+	default:
+	}
+
+	host, port, _ := net.SplitHostPort(h.URL.Host)
+
+	ldaps := port == "636" || port == "3269" || h.URL.Scheme == "ldaps"
+	if h.URL.Scheme == "ldap" {
+		ldaps = false
+	}
+	if port == "" || port == "0" {
+		port = "389"
+		if ldaps {
+			port = "636"
+		}
+	}
+
+	hostPort := fmt.Sprintf("%s:%s", host, port)
+
+	var err error
+	if ldaps {
+		c, err = ldp.DialTLS("tcp", hostPort, &tls.Config{InsecureSkipVerify: h.InsecureSkipVerify})
+	} else {
+		c, err = ldp.Dial("tcp", hostPort)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("connect to %q: %v", hostPort, err)
+	}
+
+	// Technically it's not impossible to run tls over ssl... just excessive
+	if h.TLS {
+		if err = c.StartTLS(&tls.Config{InsecureSkipVerify: h.InsecureSkipVerify}); err != nil {
+			c.Close()
+			return nil, fmt.Errorf("StartTLS: %v", err)
+		}
+	}
+
+	if err := c.Bind(h.BindDN, h.BindPassword); err != nil {
+		c.Close()
+		return nil, fmt.Errorf("bind with %q: %v", h.BindDN, err)
+	}
+
+	return c, nil
+}
+
+func (h *LDAP) stashConnection(c ldp.Client) {
+	select {
+	case h.pool <- c:
+		return
+	default:
+		c.Close()
+		return
+	}
+}

backends/simple/auth.go

@@ -0,0 +1,80 @@
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2017 Shannon Wynter
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package simple
+
+import (
+	"net/http"
+
+	"github.com/freman/caddy2-reauth/backends"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// Interface guard
+var _ backends.Driver = (*Simple)(nil)
+
+// BackendName name
+const BackendName = "simple"
+
+// Simple is the simplest backend for authentication, a name:password map
+type Simple struct {
+	UseBcrypt   bool              `json:"use_bcrypt,omitempty"`
+	Credentials map[string]string `json:"credentials,omitempty"`
+}
+
+// NewDriver returns a new instance of Simple with some defaults
+func NewDriver() *Simple {
+	return &Simple{
+		Credentials: map[string]string{},
+	}
+}
+
+// Validate verifies that this module is functional with the given configuration
+func (h Simple) Validate() error {
+	return nil
+}
+
+// Authenticate fulfils the backend interface
+func (h Simple) Authenticate(r *http.Request) (string, error) {
+	un, pw, k := r.BasicAuth()
+	if !k {
+		return "", nil
+	}
+
+	if p, found := h.Credentials[un]; found {
+		if h.UseBcrypt {
+			if bcrypt.CompareHashAndPassword([]byte(p), []byte(pw)) == nil {
+				return un, nil
+			}
+
+			return "", nil
+		}
+
+		if p == pw {
+			return un, nil
+		}
+	}
+
+	return "", nil
+}

backends/upstream/auth.go

@@ -0,0 +1,162 @@
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2017 Shannon Wynter
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package upstream
+
+import (
+	"crypto/tls"
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/freman/caddy2-reauth/backends"
+	"github.com/freman/caddy2-reauth/jsontypes"
+)
+
+// Interface guard
+var _ backends.Driver = (*Upstream)(nil)
+
+// BackendName name
+const BackendName = "upstream"
+
+const defaultTimeout = time.Minute
+
+// Upstream backend provides authentication against an upstream http server.
+// If the upstream request returns a http 200 status code then the user
+// is considered logged in.
+type Upstream struct {
+	URL                *jsontypes.URL     `json:"url,omitempty"`
+	Timeout            jsontypes.Duration `json:"timeout,omitempty"`
+	InsecureSkipVerify bool               `json:"insecure_skip_verify,omitempty"`
+	FollowRedirects    bool               `json:"follow_redirects,omitempty"`
+	PassCookies        bool               `json:"pass_cookies,omitempty"`
+	Match              *jsontypes.Regexp  `json:"match,omitempty"`
+
+	Forward struct {
+		URL     bool     `json:"url,omitempty"`
+		Method  bool     `json:"method,omitempty"`
+		IP      bool     `json:"ip,omitempty"`
+		Headers []string `json:"headers,omitempty"`
+	} `json:"forward"`
+}
+
+func noRedirectsPolicy(req *http.Request, via []*http.Request) error {
+	return errors.New("follow redirects disabled")
+}
+
+// NewDriver returns a new instance of Upstream with some defaults
+func NewDriver() *Upstream {
+	return &Upstream{
+		Timeout: jsontypes.Duration{Duration: defaultTimeout},
+	}
+}
+
+// Validate verifies that this module is functional with the given configuration
+func (h Upstream) Validate() error {
+	if h.URL == nil {
+		return errors.New("url to auth against is a required parameter")
+	}
+
+	if h.Timeout.Duration <= 0 {
+		return errors.New("timeout must be greater than 0")
+	}
+
+	return nil
+}
+
+// Authenticate fulfils the backend interface
+func (h Upstream) Authenticate(r *http.Request) (string, error) {
+	un, pw, k := r.BasicAuth()
+	if !(k || h.PassCookies) {
+		return "", nil
+	}
+
+	c := &http.Client{
+		Timeout: h.Timeout.Duration,
+	}
+
+	if !h.FollowRedirects {
+		c.CheckRedirect = noRedirectsPolicy
+	}
+
+	if h.URL.Scheme == "https" && h.InsecureSkipVerify {
+		c.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		}
+	}
+
+	req, err := http.NewRequest("GET", h.URL.String(), nil)
+	if err != nil {
+		return "", err
+	}
+
+	if k {
+		req.SetBasicAuth(un, pw)
+	}
+
+	h.copyRequest(r, req)
+
+	resp, err := c.Do(req)
+	if err != nil {
+		return "", err
+	}
+
+	resp.Body.Close()
+
+	if resp.StatusCode != 200 {
+		return "", nil
+	}
+
+	if h.Match != nil && h.Match.MatchString(resp.Request.URL.String()) {
+		return "", nil
+	}
+
+	return un, nil
+}
+
+func (h Upstream) copyRequest(org *http.Request, req *http.Request) {
+	if h.PassCookies {
+		for _, c := range org.Cookies() {
+			req.AddCookie(c)
+		}
+	}
+
+	if h.Forward.URL {
+		req.Header.Add("X-Auth-URL", org.RequestURI)
+	}
+
+	if h.Forward.Method {
+		req.Header.Add("X-Auth-Method", org.Method)
+	}
+
+	if h.Forward.IP {
+		req.Header.Add("X-Auth-IP", org.RemoteAddr)
+	}
+
+	for _, header := range h.Forward.Headers {
+		if tmp := org.Header.Get(header); tmp != "" {
+			req.Header.Add("X-Auth-Header-"+header, tmp)
+		}
+	}
+}

failure.go

@@ -0,0 +1,75 @@
+package reauth
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/freman/caddy2-reauth/failures"
+	"github.com/freman/caddy2-reauth/failures/basic"
+	"github.com/freman/caddy2-reauth/failures/redirect"
+	"github.com/freman/caddy2-reauth/failures/status"
+)
+
+// Failure is a failure mode
+type Failure struct {
+	Mode   string `json:"mode,omitempty"`
+	driver failures.Driver
+}
+
+// Handle handles the failure mode.
+func (f *Failure) Handle(w http.ResponseWriter, r *http.Request) error {
+	return f.driver.Handle(w, r)
+}
+
+// Validate checks whether an failure mode is functional.
+func (f *Failure) Validate() error {
+	if f.driver == nil {
+		f.Mode = status.FailureMode
+		f.driver = status.NewDriver()
+	}
+	return f.driver.Validate()
+}
+
+// MarshalJSON packs configuration info JSON byte array
+func (f Failure) MarshalJSON() ([]byte, error) {
+	return json.Marshal(f.driver)
+}
+
+// UnmarshalJSON unpacks configuration into appropriate structures.
+func (f *Failure) UnmarshalJSON(data []byte) error {
+	if len(data) < 10 {
+		return fmt.Errorf("invalid configuration: %s", data)
+	}
+
+	type undecorated Failure
+	var failure undecorated
+
+	if err := json.Unmarshal(data, &failure); err != nil {
+		return fmt.Errorf("invalid reauth configuration, error: %s, config: %s", err, data)
+	}
+
+	var driver failures.Driver
+	switch failure.Mode {
+	case basic.FailureMode:
+		driver = basic.NewDriver()
+	case redirect.FailureMode:
+		driver = redirect.NewDriver()
+	case status.FailureMode:
+		driver = status.NewDriver()
+	default:
+		return fmt.Errorf("invalid reauth configuration, error: unknown failure mode %q, config: %s", failure.Mode, data)
+	}
+
+	if err := json.Unmarshal(data, driver); err != nil {
+		return fmt.Errorf("invalid reauth:%s configuration, error: %s, config:%s", failure.Mode, err, data)
+	}
+
+	if err := driver.Validate(); err != nil {
+		return fmt.Errorf("invalid reauth:%s configuration, error: %s, config: %s", failure.Mode, err, data)
+	}
+
+	f.Mode = failure.Mode
+	f.driver = driver
+	return nil
+}

failures/basic/failure.go

@@ -0,0 +1,41 @@
+package basic
+
+import (
+	"net/http"
+
+	"github.com/freman/caddy2-reauth/failures"
+)
+
+type Basic struct {
+	Realm string `json:"realm,omitempty"`
+}
+
+// FailureMode name
+const FailureMode = "httpbasic"
+
+// Interface guard
+var _ failures.Driver = (*Basic)(nil)
+
+// NewDriver returns an instance of Basic
+func NewDriver() *Basic {
+	return &Basic{}
+}
+
+// Validate verifies that this module is functional with the given configuration
+func (h Basic) Validate() error {
+	return nil
+}
+
+// Handle the failure
+func (h Basic) Handle(w http.ResponseWriter, r *http.Request) error {
+	realm := r.Host
+
+	if h.Realm != "" {
+		realm = h.Realm
+	}
+
+	w.Header().Add("WWW-Authenticate", `Basic realm="`+realm+`"`)
+	w.WriteHeader(http.StatusUnauthorized)
+
+	return nil
+}

failures/driver.go

@@ -0,0 +1,9 @@
+package failures
+
+import "net/http"
+
+// Driver is an interface to an failure provider.
+type Driver interface {
+	Handle(w http.ResponseWriter, r *http.Request) error
+	Validate() error
+}

failures/redirect/failure.go

@@ -0,0 +1,62 @@
+package redirect
+
+import (
+	"errors"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/freman/caddy2-reauth/failures"
+	"github.com/freman/caddy2-reauth/jsontypes"
+)
+
+// FailureMode name
+const FailureMode = "redirect"
+
+const defaultRedirectCode = 303
+
+// Interface guard
+var _ failures.Driver = (*Redirect)(nil)
+
+type Redirect struct {
+	URL  *jsontypes.URL `json:"url,omitempty"`
+	Code int            `json:"code,omitempty"`
+}
+
+// NewDriver returns a new instance of Redirect
+func NewDriver() *Redirect {
+	return &Redirect{
+		Code: defaultRedirectCode,
+	}
+}
+
+// Validate verifies that this module is functional with the given configuration
+func (h Redirect) Validate() error {
+	if h.URL == nil {
+		return errors.New("url to redirect to is a required parameter")
+	}
+
+	return nil
+}
+
+// Handle the error
+func (h Redirect) Handle(w http.ResponseWriter, r *http.Request) error {
+	uri := r.URL
+	uri.Host = ""
+	uri.Scheme = ""
+
+	// Handle redirection back to hosts that aren't the auth server.
+	if h.URL.Host != "" && h.URL.Host != r.Host {
+		uri.Host = r.Host
+		uri.Scheme = "http"
+		if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
+			uri.Scheme = "https"
+		}
+	}
+
+	redirect := strings.Replace(h.URL.String(), "{uri}", url.QueryEscape(uri.String()), -1)
+	w.Header().Add("Location", redirect)
+	http.Redirect(w, r, redirect, h.Code)
+
+	return nil
+}

failures/status/failure.go

@@ -0,0 +1,38 @@
+package status
+
+import (
+	"net/http"
+
+	"github.com/freman/caddy2-reauth/failures"
+)
+
+// FailureMode name
+const FailureMode = "status"
+
+const defaultCode = http.StatusForbidden
+
+// Interface guard
+var _ failures.Driver = (*Status)(nil)
+
+// Status simply returns a http status code
+type Status struct {
+	Code int `json:"code,omitempty"`
+}
+
+// NewDriver returns an instance of Status with some configured defaults
+func NewDriver() *Status {
+	return &Status{
+		Code: defaultCode,
+	}
+}
+
+// Validate verifies that this module is functional with the given configuration
+func (h Status) Validate() error {
+	return nil
+}
+
+// Handle the failure
+func (h Status) Handle(w http.ResponseWriter, r *http.Request) error {
+	w.WriteHeader(h.Code)
+	return nil
+}

go.mod

@@ -0,0 +1,10 @@
+module github.com/freman/caddy2-reauth
+
+go 1.14
+
+require (
+	github.com/caddyserver/caddy/v2 v2.0.0
+	github.com/go-ldap/ldap/v3 v3.1.10
+	go.uber.org/zap v1.15.0
+	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
+)

go.sum

@@ -0,0 +1,27 @@
+package jsontypes
+
+import (
+	"encoding/json"
+	"time"
+)
+
+type Duration struct {
+	time.Duration
+}
+
+func (d *Duration) UnmarshalJSON(data []byte) error {
+	var s string
+	if err := json.Unmarshal(data, &s); err != nil {
+		return err
+	}
+	return d.Unmarshal(s)
+}
+
+func (d *Duration) Unmarshal(s string) (err error) {
+	d.Duration, err = time.ParseDuration(s)
+	return
+}
+
+func (d Duration) MarshalJSON() ([]byte, error) {
+	return json.Marshal(d.Duration.String())
+}

jsontypes/duration.go

@@ -0,0 +1,28 @@
+package jsontypes
+
+import (
+	"encoding/json"
+	"regexp"
+)
+
+type Regexp struct {
+	*regexp.Regexp
+}
+
+func (r *Regexp) UnmarshalJSON(data []byte) error {
+	var s string
+	err := json.Unmarshal(data, &s)
+	if err != nil {
+		return err
+	}
+	return r.Unmarshal(s)
+}
+
+func (r *Regexp) Unmarshal(s string) (err error) {
+	r.Regexp, err = regexp.Compile(s)
+	return
+}
+
+func (r *Regexp) MarshalJSON() ([]byte, error) {
+	return json.Marshal(r.Regexp.String())
+}

jsontypes/regexp.go

@@ -0,0 +1,28 @@
+package jsontypes
+
+import (
+	"encoding/json"
+	"net/url"
+)
+
+type URL struct {
+	*url.URL
+}
+
+func (u URL) MarshalJSON() ([]byte, error) {
+	return json.Marshal(u.URL.String())
+}
+
+func (u *URL) UnmarshalJSON(data []byte) error {
+	var s string
+	err := json.Unmarshal(data, &s)
+	if err != nil {
+		return err
+	}
+	return u.Unmarshal(s)
+}
+
+func (u *URL) Unmarshal(s string) (err error) {
+	u.URL, err = url.Parse(s)
+	return
+}

jsontypes/url.go

@@ -0,0 +1,79 @@
+package reauth
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/modules/caddyhttp/caddyauth"
+	"go.uber.org/zap"
+)
+
+func init() {
+	caddy.RegisterModule(Reauth{})
+}
+
+// Reauth module
+type Reauth struct {
+	Backends []Backend `json:"backends,omitempty"`
+	Failure  Failure   `json:"failure,omitempty"`
+
+	logger *zap.Logger
+}
+
+// CaddyModule returns the Caddy module information.
+func (Reauth) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID:  "http.authentication.providers.reauth",
+		New: func() caddy.Module { return new(Reauth) },
+	}
+}
+
+// Provision implements caddy.Provisioner.
+func (r *Reauth) Provision(ctx caddy.Context) error {
+	r.logger = ctx.Logger(r)
+	r.logger.Info("provisioning plugin instance")
+	return nil
+}
+
+// Validate implements caddy.Validator.
+func (r Reauth) Validate() error {
+	for i, be := range r.Backends {
+		if err := be.Validate(); err != nil {
+			return fmt.Errorf("backends[%d] (%s) failed validation: %s", i, be.Type, err)
+		}
+	}
+
+	if err := r.Failure.Validate(); err != nil {
+		return fmt.Errorf("failure mode %s failed validation: %s", r.Failure.Mode, err)
+	}
+
+	return nil
+}
+
+// Authenticate the request
+func (r Reauth) Authenticate(w http.ResponseWriter, req *http.Request) (caddyauth.User, bool, error) {
+	for _, b := range r.Backends {
+		user, err := b.Authenticate(req)
+		if err != nil {
+			return caddyauth.User{}, false, err
+		}
+		if user != "" {
+			return caddyauth.User{
+				ID: user,
+				Metadata: map[string]string{
+					"reauth_backend": b.Type,
+				},
+			}, true, nil
+		}
+	}
+
+	return caddyauth.User{}, false, r.Failure.Handle(w, req)
+}
+
+// Interface guards
+var (
+	_ caddy.Provisioner       = (*Reauth)(nil)
+	_ caddy.Validator         = (*Reauth)(nil)
+	_ caddyauth.Authenticator = (*Reauth)(nil)
+)