package main
import (
	"bufio"
	"crypto/subtle"
	"encoding/base64"
	"log"
	"net/http"
	"os"
	"strings"

	"golang.org/x/crypto/scrypt"
)
const (
	// authPrefix is the scheme token expected at the start of the
	// Authorization header: "Linx <base64 key>". The comparison in
	// ServeHTTP is case-sensitive.
	authPrefix = "Linx "

	// scryptSalt is a single fixed salt shared by every key.
	// NOTE(review): because it never varies, the authfile is effectively a
	// list of unsalted scrypt hashes: identical keys yield identical lines,
	// and whoever obtains the file can run one offline guessing pass against
	// all entries at once. Changing this value invalidates every existing
	// authfile entry, so it cannot be rotated without re-issuing keys.
	scryptSalt = "linx-server"

	// scrypt cost parameters (N, r, p) and derived key length in bytes.
	// N=2^14, r=8, p=1 is the commonly cited "interactive login" setting;
	// every checkAuth call pays this cost, valid key or not.
	scryptN      = 16384
	scryptr      = 8
	scryptp      = 1
	scryptKeyLen = 32
)
// AuthOptions configures the UploadAuth middleware.
type AuthOptions struct {
	// AuthFile is the path of a file holding one accepted key per line,
	// each stored as the base64 encoding of the key's scrypt output
	// (see checkAuth for the exact derivation).
	AuthFile string
	// UnauthMethods lists HTTP methods that bypass authentication entirely.
	// Methods are compared verbatim (case-sensitive) against r.Method.
	UnauthMethods []string
}
// auth is the http.Handler built by UploadAuth. Each request is routed to
// successHandler when it authenticates (or its method is exempt) and to
// failureHandler otherwise.
type auth struct {
	successHandler http.Handler
	failureHandler http.Handler
	// authKeys holds the authfile lines: base64-encoded scrypt hashes that
	// a presented key must reproduce exactly.
	authKeys []string
	// o carries the options the middleware was created with; only
	// UnauthMethods is consulted at request time.
	o AuthOptions
}
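// checkAuth reports whether decodedAuth (the raw key presented by the
// client) hashes to one of the entries in authKeys.
//
// The key is stretched with scrypt under the fixed package salt and cost
// parameters, base64-encoded, and compared against every authfile line.
// The comparison is constant-time and does not exit early, so response
// timing reveals neither how much of a hash matched nor which entry it
// matched; a byte-wise "==" would let a caller who can time responses
// recover the stored hash and brute-force the key offline.
//
// err is non-nil only when scrypt rejects the cost parameters; result is
// then false.
func checkAuth(authKeys []string, decodedAuth []byte) (result bool, err error) {
	derived, err := scrypt.Key(decodedAuth, []byte(scryptSalt), scryptN, scryptr, scryptp, scryptKeyLen)
	if err != nil {
		return false, err
	}
	encodedKey := []byte(base64.StdEncoding.EncodeToString(derived))

	// OR the outcomes together instead of returning on the first hit so
	// the loop's running time is independent of where the match sits.
	matched := 0
	for _, candidate := range authKeys {
		matched |= subtle.ConstantTimeCompare(encodedKey, []byte(candidate))
	}
	return matched == 1, nil
}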
// ServeHTTP authenticates the request and hands it to the right handler.
//
// A request whose method appears in o.UnauthMethods goes straight to
// successHandler. Any other request must carry
// "Authorization: Linx <base64 key>"; the decoded key is verified with
// checkAuth against the loaded authfile hashes. A missing or malformed
// header, an scrypt error, or a non-matching key all end in failureHandler.
//
// NOTE(review): every request that reaches checkAuth pays a full scrypt
// derivation whether or not the key is valid; nothing here rate-limits
// unauthenticated callers.
func (a auth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Exempt methods skip authentication entirely.
	if sliceContains(a.o.UnauthMethods, r.Method) {
		a.successHandler.ServeHTTP(w, r)
		return
	}

	authHeader := r.Header.Get("Authorization")
	if !strings.HasPrefix(authHeader, authPrefix) {
		a.failureHandler.ServeHTTP(w, r)
		return
	}

	authenticated := false
	presented, decodeErr := base64.StdEncoding.DecodeString(strings.TrimPrefix(authHeader, authPrefix))
	if decodeErr == nil {
		// checkAuth only errors on bad scrypt parameters; that is treated
		// exactly like a wrong key.
		if ok, err := checkAuth(a.authKeys, presented); err == nil && ok {
			authenticated = true
		}
	}

	if !authenticated {
		a.failureHandler.ServeHTTP(w, r)
		return
	}
	a.successHandler.ServeHTTP(w, r)
}
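// UploadAuth reads the authfile named in o.AuthFile once, at startup, and
// returns a middleware constructor that wraps a handler in auth.
//
// Each non-blank line of the file, with surrounding whitespace removed, is
// one accepted key hash (the base64-encoded scrypt output checkAuth
// produces). Trimming means a file saved with CRLF line endings or a
// trailing space still works, and blank lines are skipped instead of being
// stored as (unmatchable) empty entries. Later edits to the file are not
// picked up by handlers already built.
//
// The process exits via log.Fatal if the file cannot be opened or read.
func UploadAuth(o AuthOptions) func(http.Handler) http.Handler {
	f, err := os.Open(o.AuthFile)
	if err != nil {
		log.Fatal("Failed to open authfile: ", err)
	}
	defer f.Close()

	var authKeys []string
	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		// Base64 never contains whitespace, so trimming cannot alter a
		// well-formed entry; it only rescues CRLF / padded lines.
		line := strings.TrimSpace(scanner.Text())
		if line == "" {
			continue
		}
		authKeys = append(authKeys, line)
	}
	if err := scanner.Err(); err != nil {
		log.Fatal("Scanner error while reading authfile: ", err)
	}
	if len(authKeys) == 0 {
		// Not fatal -- an empty file may be intentional -- but worth one
		// line in the log, since every authenticated request will be rejected.
		log.Print("authfile ", o.AuthFile, " contains no keys; all authenticated requests will be rejected")
	}

	return func(h http.Handler) http.Handler {
		return auth{
			successHandler: h,
			failureHandler: http.HandlerFunc(badAuthorizationHandler),
			authKeys:       authKeys,
			o:              o,
		}
	}
}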
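// badAuthorizationHandler is the default failureHandler: it answers with
// 401 Unauthorized and a plain-text body.
//
// http.Error writes the status line itself, so it must not be preceded by
// an explicit WriteHeader: that froze the response headers before
// http.Error could set Content-Type and X-Content-Type-Options, and made
// the server log "superfluous response.WriteHeader call" on every rejection.
//
// NOTE(review): RFC 7235 expects a 401 to carry a WWW-Authenticate header
// naming the challenge scheme; none is sent here, and "Linx" is a scheme
// private to this server, so clients get no machine-readable hint.
func badAuthorizationHandler(w http.ResponseWriter, r *http.Request) {
	http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}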
// sliceContains reports whether s is exactly equal (case-sensitive) to some
// element of slice. A nil or empty slice contains nothing.
func sliceContains(slice []string, s string) bool {
	found := false
	for i := 0; i < len(slice) && !found; i++ {
		found = slice[i] == s
	}
	return found
}