-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathhandler.go
More file actions
132 lines (116 loc) · 2.92 KB
/
handler.go
File metadata and controls
132 lines (116 loc) · 2.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
package authenticator
import (
"encoding/base64"
"fmt"
"log"
"net/http"
"os/user"
"runtime"
"strings"
"github.com/alexbrainman/sspi"
"github.com/alexbrainman/sspi/ntlm"
)
var (
contexts map[string]*ntlm.ServerContext
serverCreds *sspi.Credentials
)
func init() {
contexts = make(map[string]*ntlm.ServerContext)
var err error
serverCreds, err = ntlm.AcquireServerCredentials()
if err != nil {
panic(err)
}
}
func initiateNTLM(w http.ResponseWriter) {
w.Header().Set("WWW-Authenticate", "NTLM")
http.Error(w, "Authorization required", http.StatusUnauthorized)
return
}
func authenticate(c *ntlm.ServerContext, authenticate []byte) (u *user.User, err error) {
defer c.Release()
err = c.Update(authenticate)
if err != nil {
return
}
runtime.LockOSThread()
defer runtime.UnlockOSThread()
err = c.ImpersonateUser()
if err != nil {
return
}
defer c.RevertToSelf()
u, err = user.Current()
return
}
func authorize(u *user.User, r *http.Request) bool {
fmt.Println(u.Uid+" ("+u.Username+") wants ", r.URL.String())
return true
}
func sendChallenge(negotiate []byte, w http.ResponseWriter, r *http.Request) {
sc, ch, err := ntlm.NewServerContext(serverCreds, negotiate)
if err != nil {
http.Error(w, "NTLM error: "+err.Error(), http.StatusInternalServerError)
return
}
contexts[r.RemoteAddr] = sc
w.Header().Set("WWW-Authenticate", "NTLM "+base64.StdEncoding.EncodeToString(ch))
http.Error(w, "Respond to challenge", http.StatusUnauthorized)
return
}
// Authenticator authenticates the current request using NTLM
func Authenticator(next http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) {
var err error
auth := r.Header.Get("Authorization")
if auth == "" || (len(strings.SplitN(auth, " ", 2)) < 2) {
initiateNTLM(w)
return
}
parts := strings.SplitN(auth, " ", 2)
authType := parts[0]
if authType != "NTLM" {
initiateNTLM(w)
return
}
var authPayload []byte
authPayload, err = base64.StdEncoding.DecodeString(parts[1])
context, ok := contexts[r.RemoteAddr]
if !ok {
sendChallenge(authPayload, w, r)
return
}
defer delete(contexts, r.RemoteAddr)
var u *user.User
u, err = authenticate(context, authPayload)
if err != nil {
log.Println("auth error:", err)
http.Error(w, err.Error(), http.StatusUnauthorized)
return
}
if !authorize(u, r) {
http.Error(w, u.Username+" is not authorized to do that", http.StatusUnauthorized)
}
w.Write([]byte("You are authenticated as " + u.Username + "\r\n"))
next.ServeHTTP(w, r)
}
return http.HandlerFunc(fn)
}
/*
package main
import (
"log"
"net/http"
"github.com/justinas/alice"
"github.com/nycmonkey/authenticator"
)
func main() {
mw := alice.New(authenticator.Authenticator)
log.Println("starting service on :8080")
log.Fatalln(http.ListenAndServe(":8080", mw.ThenFunc(getHandler)))
}
func getHandler(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("Success"))
return
}
*/