feat: new openid connect authentication layer

2024-04-12 16:41:11 +02:00
parent bb5796ab8c
commit de70fa89f7
42 changed files with 2155 additions and 62 deletions
--- a/internal/proxy/director/layer/authn/layer.go
+++ b/internal/proxy/director/layer/authn/layer.go
@ -0,0 +1,103 @@
+package authn
+
+import (
+	"net/http"
+
+	"forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+type Layer struct {
+	layerType store.LayerType
+	auth      Authenticator
+}
+
+func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			options, err := fromStoreOptions(layer.Options)
+			if err != nil {
+				logger.Error(ctx, "could not parse layer options", logger.E(errors.WithStack(err)))
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+				return
+			}
+
+			if preAuth, ok := l.auth.(PreAuthentication); ok {
+				if err := preAuth.PreAuthentication(w, r, layer); err != nil {
+					if errors.Is(err, ErrSkipRequest) {
+						return
+					}
+
+					logger.Error(ctx, "could not execute pre-auth hook", logger.E(errors.WithStack(err)))
+					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+					return
+				}
+			}
+
+			matches := wildcard.MatchAny(r.URL.String(), options.MatchURLs...)
+			if !matches {
+				next.ServeHTTP(w, r)
+
+				return
+			}
+
+			user, err := l.auth.Authenticate(w, r, layer)
+			if err != nil {
+				if errors.Is(err, ErrSkipRequest) {
+					return
+				}
+
+				logger.Error(ctx, "could not authenticate user", logger.E(errors.WithStack(err)))
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+				return
+			}
+
+			if err := l.injectHeaders(r, options, user); err != nil {
+				logger.Error(ctx, "could not inject headers", logger.E(errors.WithStack(err)))
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+				return
+			}
+
+			if postAuth, ok := l.auth.(PostAuthentication); ok {
+				if err := postAuth.PostAuthentication(w, r, layer, user); err != nil {
+					if errors.Is(err, ErrSkipRequest) {
+						return
+					}
+
+					logger.Error(ctx, "could not execute post-auth hook", logger.E(errors.WithStack(err)))
+					http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
+					return
+				}
+			}
+
+			next.ServeHTTP(w, r)
+		}
+
+		return http.HandlerFunc(fn)
+	}
+}
+
+// LayerType implements director.MiddlewareLayer
+func (l *Layer) LayerType() store.LayerType {
+	return l.layerType
+}
+
+func NewLayer(layerType store.LayerType, auth Authenticator) *Layer {
+	return &Layer{
+		layerType: layerType,
+		auth:      auth,
+	}
+}
+
+var _ director.MiddlewareLayer = &Layer{}