-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathauthenticator_request.go
More file actions
114 lines (99 loc) · 2.83 KB
/
authenticator_request.go
File metadata and controls
114 lines (99 loc) · 2.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
package diecast
import (
"fmt"
"net"
"net/http"
"net/url"
"strings"
"github.com/ghetzel/go-stockutil/httputil"
"github.com/ghetzel/go-stockutil/log"
"github.com/ghetzel/go-stockutil/sliceutil"
"github.com/ghetzel/go-stockutil/typeutil"
)
type RequestAuthenticator struct {
config *AuthenticatorConfig
remotes []string
methods []string
headers map[string]string
remoteNets map[string]*net.IPNet
}
func NewRequestAuthenticator(config *AuthenticatorConfig) (*RequestAuthenticator, error) {
var auth = &RequestAuthenticator{
config: config,
methods: sliceutil.MapString(config.O(`methods`).Strings(), func(i int, value string) string {
return strings.ToUpper(value)
}),
remotes: config.O(`remotes`).Strings(),
headers: make(map[string]string),
remoteNets: make(map[string]*net.IPNet),
}
for hdr, pattern := range config.O(`headers`).MapNative() {
auth.headers[hdr] = typeutil.String(pattern)
}
for _, remote := range auth.remotes {
if strings.Contains(remote, `/`) {
if _, ipnet, err := net.ParseCIDR(remote); err == nil {
auth.remoteNets[remote] = ipnet
} else {
return nil, fmt.Errorf("bad remote %q: %v", remote, err)
}
}
}
return auth, nil
}
func (auth *RequestAuthenticator) Name() string {
if auth.config != nil && auth.config.Name != `` {
return auth.config.Name
} else {
return `RequestAuthenticator`
}
}
func (auth *RequestAuthenticator) IsCallback(_ *url.URL) bool {
return false
}
func (auth *RequestAuthenticator) Callback(w http.ResponseWriter, req *http.Request) {
}
func (auth *RequestAuthenticator) Authenticate(w http.ResponseWriter, req *http.Request) bool {
if len(auth.methods) > 0 {
if !sliceutil.ContainsString(auth.methods, req.Method) {
httputil.RequestSetValue(req, ContextErrorKey, fmt.Sprintf("HTTP method %s is not permitted", req.Method))
return false
}
}
// if remotes are specified, one must match
if len(auth.remotes) > 0 {
if addr, _, err := net.SplitHostPort(req.RemoteAddr); err == nil && addr != `` {
for i, remote := range auth.remotes {
if addr == remote {
log.Debugf(
"[%s] request-auth: permitting address %v (in remote %d; exact match: %v)",
reqid(req),
addr,
i,
remote,
)
return true
} else if ipnet, ok := auth.remoteNets[remote]; ok && ipnet != nil {
if ip := net.ParseIP(addr); ip != nil {
if ipnet.Contains(ip) {
log.Debugf(
"[%s] request-auth: permitting address %v (in remote %d; network: %v)",
reqid(req),
addr,
i,
ipnet,
)
return true
}
}
}
}
httputil.RequestSetValue(req, ContextErrorKey, fmt.Sprintf("Address %s is not permitted", addr))
return false
} else {
httputil.RequestSetValue(req, ContextErrorKey, "Address could not be determined")
return false
}
}
return true
}